Chip and PIN was designed to prevent fraud, but it also created a new opportunity for criminals that is taking retailers by surprise. Known as “forced authorisation”, committing the fraud requires no special equipment and when it works, it works big: in one transaction a jeweller’s shop lost £20,500. This type of fraud is already a problem in the UK, and now that US retailers have made it through the first Black Friday since the Chip and PIN deadline, criminals there will be looking into what new fraud techniques are available.
The fraud works when the retailer has a one-piece Chip and PIN terminal that’s passed between the customer and retailer during the course of the transaction. This type of terminal is common, particularly in smaller shops and restaurants. They’re a cheaper option compared to terminals with a separate PIN pad (at least until a fraud happens).
The way forced authorisation fraud works is that the retailer sets up the terminal for a transaction by inserting the customer’s card and entering the amount, then hands the terminal over to the customer so they can type in the PIN. But the criminal has used a stolen or counterfeit card, and due to the high value of the transaction the terminal performs a “referral” — asking the retailer to call the bank to perform additional checks such as the customer answering a security question. If the security checks pass, the bank will give the retailer an authorisation code to enter into the terminal.
The problem is that when the terminal asks for these security checks, it’s still in the hands of the criminal, and it’s the criminal who follows the steps that the retailer should have followed. Since there’s no phone conversation with the bank, the criminal doesn’t know the correct authorisation code. But what surprises retailers is that the criminal can type in anything at this stage and the transaction will go through. The criminal might also be able to bypass other security features: for example, they could override the checking of the PIN by following the steps the retailer would take if the customer had forgotten the PIN.
By the time the terminal is passed back to the retailer, it looks like the transaction was completed successfully. The receipt will differ only very subtly from that of a normal transaction, if at all. The criminal walks off with the goods and it’s only at the end of the day that the authorisation code is checked by the bank. By that time, the criminal is long gone. Because some of the security checks the bank asked for weren’t completed, the retailer doesn’t get the money.
The retailer is generally blamed for this fraud: for example, the UK Cards Association said that “it’s important for a retailer to remain in control of the card terminal throughout a transaction”, and Worldpay tells retailers that they “should no more consider leaving a shopper in control of the terminal than they would leaving them with an open cash drawer.” But that doesn’t sound compatible with the other instructions the UK Cards Association gives retailers, such as:
“Make sure that you look away when they enter their PIN, and check that they are not overlooked by other staff or customers.”
Customers get the same advice:
“When entering your PIN at a cash machine or in a PIN pad in a restaurant or shop, use your hand or body to shield it from prying eyes. If the PIN pad is on a flexible cord, pick it up and hold it so that you can’t be overlooked.”
The root cause of the problem is having a single device for both security-critical steps (confirming to the bank that the extra referral security checks were performed) and steps that the customer completes (entering the PIN). Prior to Chip and PIN the terminal stayed in the control of the retailer at all times: customers handed over their card and signed a piece of paper to prove their identity, so the referral process was designed with this scenario in mind. Now, however, with Chip and PIN, the terminal is under the control of the customer while the transaction is being authorised, opening retailers up to fraud.
Moving to a separate PIN pad fixes the problem because then the terminal (often integrated in the point-of-sale system) never leaves the control of the retailer. All the customer has access to is a PIN pad — known as a “PIN Entry Device” or “PED” — that lets the customer enter their PIN and which may also be where the card is inserted. Any request from the bank for a referral will show up on the terminal and so cannot be bypassed by a criminal. However, a separate PIN pad costs more and takes up space, so it isn’t without its own problems. For cordless terminals used by restaurants, a separate PIN pad would be very inconvenient too.
So another approach is to require that the retailer enter a password into the terminal before it will accept a referral authorisation code, as described in UK Cards Association Standard 70:
“Some terminal types, where the control of the transaction is passed to the cardholder, for example portable or hand-over devices, are vulnerable to the cardholder fraudulently completing the referral process before returning the terminal to the card acceptor. To combat this, the card acceptor may be required to take an additional action, for example input a pass-code into the terminal, before the transaction can be completed by entering the authorisation code.” [Book 1, Section 6.10.3]
Some terminals do indeed have this feature as an option, but even though the above quote was from 2009, there are clearly still widely used terminals that either don’t support referral passwords, or don’t have the feature enabled.
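To make the two designs concrete, here is an added Python model (not code from the original post or from any terminal vendor) of the referral flow on a hand-over terminal: the weak configuration completes as soon as anyone keys an authorisation code, while the hardened one gates that step on the retailer’s pass-code, and the bank’s end-of-day settlement check decides who gets paid. The pass-code, authorisation code and referral threshold are constructed sample values.

```python
# Constructed model of a hand-over Chip and PIN terminal's referral flow (not any
# vendor's firmware). The weak configuration accepts an authorisation code from
# whoever holds the device; the hardened one, following UKCA Standard 70, demands
# the retailer's pass-code before an authorisation code is accepted.
import hmac

MERCHANT_PASSCODE = "4711"      # constructed sample value
BANK_ISSUED_CODE = "A1B2C3"     # code the bank would read out over the phone


class Terminal:
    def __init__(self, require_referral_passcode):
        self.require_referral_passcode = require_referral_passcode
        self.state, self.passcode_ok, self.entered_auth_code = "IDLE", False, None

    def start_transaction(self, amount, referral_threshold=500):
        # Retailer inserts the card and keys the amount, then hands the device over.
        self.state = "REFERRAL" if amount > referral_threshold else "APPROVED"
        return self.state

    def enter_merchant_passcode(self, code):
        # Only the retailer should know this; ignored unless a referral is pending.
        if self.state == "REFERRAL" and hmac.compare_digest(code, MERCHANT_PASSCODE):
            self.passcode_ok = True
        return self.passcode_ok

    def enter_auth_code(self, code):
        # The terminal cannot check the code offline: it only records it.
        if self.state != "REFERRAL":
            return self.state
        if self.require_referral_passcode and not self.passcode_ok:
            return "REFERRAL"           # keeps waiting for the retailer
        self.entered_auth_code, self.state = code, "COMPLETED"
        return self.state


def settle(terminal):
    # End-of-day check by the bank: the recorded code must be the one it issued.
    if terminal.state != "COMPLETED":
        return "NOT_SUBMITTED"
    if hmac.compare_digest(terminal.entered_auth_code, BANK_ISSUED_CODE):
        return "PAID"
    return "DECLINED"                   # retailer does not get the money


def run_forced_authorisation(require_referral_passcode):
    # Whoever holds the device keys an arbitrary code; no call to the bank is made.
    t = Terminal(require_referral_passcode)
    t.start_transaction(amount=20500)
    return t.enter_auth_code("000000"), settle(t)
```

The weak terminal reports the transaction as completed and the loss only surfaces at settlement; the hardened terminal never leaves the referral state until the retailer has keyed the pass-code and the bank-issued code.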
If a merchant asked me to “answer[] a security question” during a transaction I’d tell him/her to go jump.
No more would I answer such a question over the phone from (someone purporting to be) a bank employee, unless I’d initiated the call using a phone number I’d looked up and keyed in myself.
You’re right, the referral process has other problems too. Situations where someone calls up a person pretending to be a bank are a big problem now, and one where fraud victims generally don’t get refunded.
In these cases the criminal often does ask the customer to hang up and key in the bank’s number from the back of the card, but because the criminal never hung up their phone the original call remains connected for up to two minutes. So the customer confidently thinks they are talking to the bank but they are not.
Is it too much to hope that the PIN pad sends the entered authorisation code to the bank so they can see it matches the code they just gave out before then authorising the payment?