Announcement illustrates advantage over video-based systems
The news follows an independent review by the security consultancy SureCloud.
This puts thermal-only systems, such as those from Irisys, at a significant advantage over video-based monitoring systems at or near card terminals in retailers and banks, which are able to capture keypad images.
As many as one in four adults in the UK have been affected by card fraud. The Payment Card Industry (PCI) Data Security Standard was created to increase controls and build compliance around all aspects of cardholder data. It applies to all organisations that handle cardholder information for the major plastic card providers.
One area of concern is the proliferation of video cameras in retail and banking environments that are used not only for security but also to monitor queue lengths and count shoppers. Those used for queue monitoring are of particular concern, as they are often positioned near retail tills where PINs are entered.
SureCloud found that compliance was not an issue with thermal-only systems, such as those from Irisys. However, “There are issues with recording visible light video frames where either the keypad or the arm/hand movements of individuals using the keypad could be seen.”
With high resolution video, noted SureCloud, “it is possible to see PIN entry in reasonable detail.”
But even at low resolution, “it may be possible to reconstruct the PIN from hand/arm movements if the Chip and PIN device is visible in frame.”
To comply with PCI standards, SureCloud urged organisations using video cameras to implement an algorithm that blanks out the area around the Chip and PIN terminal in the recorded frames.
However, Dr Ian Wilcock, Irisys Chief Operating Officer, doubted whether this would provide much consumer protection.
“It’s certainly possible to produce a blanking or blurring algorithm for key areas in a video scene,” he said. “But policing the many thousands of existing video systems would be almost impossible.
“A policy to ensure that the installers actually implemented the blanking would be needed; that the blanking couldn’t be removed at a later date to reveal the PIN numbers; and that the blanking positions were reviewed regularly.”
It would be particularly difficult to police the use of mobile keypads, he added.
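The blanking approach SureCloud recommends, and the two follow-up concerns raised above (that the mask must not be removable after the fact, and that blanking positions need periodic review), can be illustrated with a small redaction routine. This is an added example, not Irisys or SureCloud code. It models a frame as rows of 8-bit greyscale pixel values so it runs without any imaging library, and the keypad region coordinates are assumed to come from the installer's site survey. Overwriting with a constant discards the pixel data before storage, whereas a blur keeps partial information, and a separate audit function lets a reviewer confirm on recorded frames that the region really is blank.

```python
"""Irreversible blanking of a PIN-pad region in video frames before storage.

Added illustration, not Irisys or SureCloud code. A frame is a list of rows
of greyscale pixel values (0-255); the keypad region is an assumed value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """Axis-aligned rectangle in pixel coordinates, top-left origin."""
    x: int
    y: int
    width: int
    height: int

    def clipped(self, frame_width, frame_height):
        """Clip to the frame so a misconfigured region cannot index off-frame.

        Returns None when the region lies wholly outside the frame.
        """
        x0 = max(0, self.x)
        y0 = max(0, self.y)
        x1 = min(frame_width, self.x + self.width)
        y1 = min(frame_height, self.y + self.height)
        if x1 <= x0 or y1 <= y0:
            return None
        return Region(x0, y0, x1 - x0, y1 - y0)


def blank_region(frame, region, fill=0):
    """Return a copy of the frame with the region overwritten by a constant.

    A constant fill discards the pixel data, so nothing in the stored frame
    can be processed later to recover keypad or hand detail. This must run
    before the frame is written to the recorder; blanking applied only at
    playback leaves the unblanked frame on disk.
    """
    height = len(frame)
    width = len(frame[0]) if height else 0
    clip = region.clipped(width, height)
    out = [list(row) for row in frame]          # copy; input left untouched
    if clip is None:
        return out
    for y in range(clip.y, clip.y + clip.height):
        for x in range(clip.x, clip.x + clip.width):
            out[y][x] = fill
    return out


def region_is_blanked(frame, region, fill=0):
    """Audit check: True only if every pixel inside the region equals fill.

    Meant for the periodic review of blanking positions: run it against
    frames pulled from the recorder, not against the live configuration.
    """
    height = len(frame)
    width = len(frame[0]) if height else 0
    clip = region.clipped(width, height)
    if clip is None:
        return False   # region entirely off-frame: nothing is protected
    return all(frame[y][x] == fill
               for y in range(clip.y, clip.y + clip.height)
               for x in range(clip.x, clip.x + clip.width))


def make_sample_frame(width=8, height=6):
    """Constructed test frame: a gradient so every pixel is non-zero."""
    return [[(x + y) % 255 + 1 for x in range(width)] for y in range(height)]


# Assumed survey values for where the PIN pad appears in this camera's view.
KEYPAD_REGION = Region(x=2, y=1, width=3, height=2)

if __name__ == "__main__":
    raw = make_sample_frame()
    stored = blank_region(raw, KEYPAD_REGION)
    print("raw frame passes audit?   ", region_is_blanked(raw, KEYPAD_REGION))
    print("stored frame passes audit?", region_is_blanked(stored, KEYPAD_REGION))
```

Running the block shows the raw frame failing the audit and the blanked copy passing it; in a deployment the same audit would be run on frames sampled from the recorder at each review.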
One Irisys camera, the IRC3030 ‘DualView’, has an embedded web browser to allow live video and thermal views to be observed simultaneously. Dr Wilcock emphasised that, to remain PCI-compliant, this device – like any other video camera – should not be installed near till areas where PIN terminals are used.
Note to editors
As long ago as 1996, Andrew Stone, a UK computer security consultant, was convicted of stealing more than £1 million by pointing high-definition video cameras at ATMs from a considerable distance and recording users’ PINs as they were entered. By also recording the card numbers and expiry dates from the embossed detail on the ATM cards, he was able to produce clone cards. In court, it was shown that he could withdraw as much as £10,000 per hour by this method. Stone was sentenced to five years and six months in prison.
By contrast, a newer method known as card skimming involves fitting a magnetic card reader over the real ATM's card slot and using a wireless surveillance camera or a modified digital camera to observe the user's PIN. The card data is then cloned onto a second card and the criminal attempts a standard cash withdrawal. The availability of low-cost commodity wireless cameras and card readers has made this a relatively simple form of fraud, with comparatively low risk to the fraudsters.
The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data in order to reduce the card fraud that results from its exposure.