By John Colley, managing director, EMEA, for the (ISC)2 non-profit security organisation

Have the computer scientists at Cambridge University, who last month found a flaw in Chip and PIN so serious that they think the whole system needs a rewrite, got the financial services industry thinking the same thing? John Colley, CISSP, managing director, EMEA, for the (ISC)2 non-profit security organisation, investigates

This isn't the first Chip and PIN vulnerability to be revealed by the Cambridge University Computer Laboratory team. Two years ago they concluded that cards could be cloned using information tapped from communications between the terminal and the card. This latest discovery could undermine the system altogether, yet I suspect many in the financial services sector consider it a low priority, despite the media-fuelled alarm.

Those in the banking industry who take the time to assess this vulnerability, and I speak as ex-head of information security at RBS, may not be so alarmed. The Chip and PIN system has been proven to be not as secure as we thought (those of us working in security are always prepared for such an eventual discovery). Despite this, Chip and PIN has made significant strides in curbing fraud. It is questionable how many people will make the effort to steal a card and risk the merchant seeing a conspicuous wire running up his sleeve and into the backpack that holds the trickster machine and stolen card. While it is probably only a matter of time before somebody figures out a way to do this wirelessly, there is still the risk of being caught on surveillance cameras. The criminal losses that keep bankers awake at night come from more lucrative, high-volume fraud that is perpetrated anonymously online. I believe the technical competency required for this trick up the sleeve is beyond the grasp of criminals who continue to operate at this level - this is a new twist on old-fashioned crime.

In the customer's mind, however, this incident represents another example of big business and the banks not taking enough care. Their concern outweighs how commonly such fraud actually occurs, because people are alarmed by the enormity of the potential loss to them rather than the likelihood of it happening. Reports of emotional distress over the incident, and those few occasions when banks have refused to cover the loss because of their own confidence in the Chip and PIN system, are damaging customer confidence generally.

Banks and their merchant customers could well be facing a crisis of confidence in their overall information security posture. Years of investment in cashless, highly convenient ways of transacting may well have produced comprehensive and effective security measures, but this will matter little if people don't trust them. When you think about it, Chip and PIN has made merchants less vigilant: the social grace is to look away when asking a customer to enter their PIN, which makes it easier to hide a wire up your sleeve. There might have been more fraud with signatures, but at least people could see an effort being made to check them, and this instilled confidence.

Of course the problem must be addressed. A review and analysis of the design of the entire system is in order, and not just for this vulnerability. The risk to confidence of having yet another problem found externally is too great. Clearly the system designers allowed this to happen. They may well have been aware of it - I suspect the task of satisfying many organisations in the definition of the specifications has left too many options available in its implementation. The software, despite meeting secure code and encryption standards, has allowed someone to circumvent the system by taking advantage of these options. An obvious effort now to get the system design right will quite likely produce agreement on recommendations to simplify the system. A review of the security measures protecting the specifications and protocols may also be warranted - indeed, it is always a good idea to have a security 'audit' anyway as systems age. However, as we know full well, it is also better that these reviews are in the public domain and available for public scrutiny, rather than relying on 'security by obscurity'.

The financial services sector has traditionally been the leader, chief investor and innovator in information security development: you have largely written the rule books. Confidence in financial services competency has allowed banks to push society into using the now widely accepted online and cashless transactions, and despite nervous objections, they've smoothly migrated us all to Chip and PIN. Care is now needed to preserve this confidence and reassure consumers.

• John Colley, CISSP, is managing director, Europe, Middle East, Africa (EMEA) for (ISC)2, a non-profit professional organisation and training body that represents 68,000 information security professionals worldwide, over 10,000 of whom reside in the EMEA region. John has held posts as head of risk services at Barclays; group head of information security at the Royal Bank of Scotland Group; director of information security at Atomic Tangerine; and head of information security at ICL. He can be contacted at jcolley@isc2.org or via http://www.isc2.org.

This website is a part of Perspective Publishing Limited, registered in England No 2876166.