Chip and PIN Fraud: Can a PIN be Faked?

TL;DR

While it is technically possible to manipulate Chip and PIN transactions, doing so is extremely difficult for criminals because of the security measures built into the cards, terminals, and transaction process. Successful fraud usually relies on obtaining the real PIN or using compromised card data online.

How Chip and PIN Works

Chip and PIN (EMV) technology is designed to be more secure than traditional magnetic stripe cards. Here’s a simplified breakdown:

  • The Chip: The chip stores encrypted card data.
  • Transaction Process: When you insert your card, the chip communicates with the terminal.
  • PIN Verification: You enter your PIN on the terminal. This is sent to the bank (not stored by the retailer).
  • Dynamic Data Authentication (DDA): The chip generates a unique code for each transaction, making it difficult to clone cards.
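
To make the DDA point concrete, here is an added example (not part of the original article, and not real EMV code) of a challenge-response in which the chip signs a fresh terminal challenge, so copied card data and a previously observed code both fail verification. It assumes a toy RSA key built from hard-coded primes and hypothetical names (`Chip`, `terminal_verify`, `digest`); real cards use much larger, issuer-certified keys and a different message format.

```python
import hashlib
import secrets

# Toy RSA key for a constructed card. Both primes are well-known Mersenne
# primes so the example is self-contained; a key this small is NOT secure.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; stays inside the chip

def digest(static_data: bytes, atc: int, challenge: bytes) -> int:
    """Hash the per-transaction inputs and reduce the result below N."""
    h = hashlib.sha256(static_data + atc.to_bytes(2, "big") + challenge)
    return int.from_bytes(h.digest(), "big") % N

class Chip:
    """Genuine card: static data, private exponent, transaction counter."""
    def __init__(self, static_data: bytes, private_exp: int):
        self.static_data = static_data
        self._d = private_exp
        self.atc = 0  # incremented on every transaction

    def sign(self, challenge: bytes):
        self.atc += 1
        return self.atc, pow(digest(self.static_data, self.atc, challenge), self._d, N)

def terminal_verify(static_data: bytes, atc: int, sig: int, challenge: bytes) -> bool:
    """Terminal side: needs only the public values (N, E)."""
    return pow(sig, E, N) == digest(static_data, atc, challenge)

def run_demo() -> dict:
    data = b"PAN=EXAMPLE-0001;EXP=2912"  # constructed card data
    chip = Chip(data, D)
    first = secrets.token_bytes(4)       # terminal's fresh challenge
    atc, sig = chip.sign(first)
    second = secrets.token_bytes(4)
    while second == first:               # a new transaction gets a new challenge
        second = secrets.token_bytes(4)
    return {
        "genuine": terminal_verify(data, atc, sig, first),
        # Clone replays copied static data plus the observed code:
        "replayed": terminal_verify(data, atc, sig, second),
        # Clone without the private exponent guesses a signature:
        "guessed": terminal_verify(data, atc + 1, secrets.randbelow(N), second),
    }

if __name__ == "__main__":
    print(run_demo())
```

The terminal only ever holds the public values, which is why copying everything readable from the card is not enough to produce a code that verifies against a new challenge.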

Can a Criminal Fake a PIN?

Yes, but it’s very hard. Here’s how they might try and the problems they face:

1. Keypad Manipulation (Skimming & Overlay Devices)

  1. The Attempt: Criminals attach fake keypads or overlays to legitimate terminals. These capture your PIN as you enter it.
  2. Problems:
    • Physical Security: Terminals are often secured, and tampering is noticeable.
    • Data Retrieval: Retrieving the captured PIN data without being detected is difficult.
    • Encryption: The PIN is encrypted immediately, making it useless to the criminal without decryption keys (which they won’t have).

2. Man-in-the-Middle Attacks

  1. The Attempt: Intercepting communication between the chip, terminal and bank to alter transaction data or PIN information.
  2. Problems:
    • Encryption: Communication is heavily encrypted using protocols like SSL/TLS. Breaking this encryption in real-time is extremely challenging.
    • Mutual Authentication: The chip and terminal authenticate each other, making it hard to insert a fake device into the communication chain.

3. Relay Attacks

  1. The Attempt: Using two devices – one near the cardholder (to read the chip signal) and another near the terminal (to relay the transaction). This attempts to trick the system into thinking the card is present during a legitimate transaction.
  2. Problems:
    • Distance Limitations: Relay attacks require close proximity to both the cardholder and the terminal, making them difficult to execute discreetly.
    • Signal Jamming & Detection: Banks are implementing measures to detect unusual signal patterns associated with relay attacks.

4. Software Exploits (Rare)

  1. The Attempt: Finding vulnerabilities in the terminal software that could allow manipulation of PIN entry or transaction data.
  2. Problems:
    • Rigorous Testing: Terminal software undergoes extensive security testing.
    • Patching & Updates: Security flaws are quickly patched with updates.
    • Secure Boot Processes: Terminals often have secure boot processes to prevent unauthorized software from running.

What Criminals Do Instead

Because faking a PIN is so difficult, criminals focus on easier methods:

  • Phishing: Tricking you into revealing your PIN through fake emails or websites.
  • Smishing: Similar to phishing but using text messages.
  • Card Data Theft (Online): Stealing card details from compromised websites and making fraudulent online purchases.
  • Shoulder Surfing: Watching you enter your PIN in public places.

Protecting Yourself

  1. Cover the Keypad: Always shield the keypad when entering your PIN.
  2. Check Your Statements Regularly: Look for any unauthorized transactions.
  3. Be Wary of Suspicious Emails/Texts: Never click links or provide personal information in response to unsolicited messages.
  4. Use Strong Passwords: Protect your online accounts with strong, unique passwords.