Credit Card Frauds: Shell Chip and Pin - Case Study Example

Summary
The report “Credit Card Frauds: Shell Chip and Pin” aims at detailing the £ 1 million Shell Chip and Pin fraud that took place in 2006, within months of the introduction of the Chip and Pin payments. The case was considered critical, as the consumers started losing trust in the new system…

Extract of sample "Credit Card Frauds: Shell Chip and Pin"

Credit Card Frauds Case: Shell Chip and Pin

Date of Submission: 26th June 2009
Total Number of Words: 3270 words (Excluding Abstract and Bibliography)

Abstract

The report aims at detailing the £1 million Shell Chip and Pin fraud that took place in 2006, within months of the introduction of the Chip and Pin payments. The case was considered critical, as the consumers started losing trust in the new system. The necessity of the system was questioned, especially because the costs were borne by the public and the retail merchants. The report details the investigation results and analyzes the identified system weaknesses and vulnerabilities. The major vulnerabilities include the increased exposure of Pins, tampered PEDs (Pin Entry Devices) and lack of globalization. The legal perspectives are also explained with specific reference to the UK Computer Misuse Act of 1990, the UK Data Protection Act of 1998 and the UK Regulation of Investigatory Powers Bill 2000.

Table of Contents

Abstract
Table of Contents
Introduction
Credit Card Fraud - Shell Case
Vulnerabilities
Laws and Regulations
Conclusions
Bibliography

Introduction:

In February 2006, the United Kingdom made it a requirement for all Point of Sale card payments to utilize Chip and Pin payments. This step was taken as a countermeasure to reduce credit card fraud, which accounted for almost £439.4 million in 2003, a steep increase of 30% when compared to the figures of 2000. The card market of the UK is relatively the largest in all of Europe, accounting for at least £408 billion in transaction value per year (DataMonitor, 2006). Hence, the accounted fraud levels are high and create issues for the retail merchants who rely on Point of Sale card payments for more than 60% of their transactions. This led to the introduction of Chip and Pin payments.
However, in June 2006, Shell reported a credit card fraud of £1 million due to the use of Chip and Pin payments.

Credit Card Fraud - Shell Case:

The UK trade payment association APACS (Association of Payment Clearing Services) took steps to reduce the rising credit card fraud and introduced the Chip and Pin system to safeguard the merchants against fraudulent payments. APACS emphasized upgrading to and adhering to the EMV technology (Europay, Mastercard and Visa), as the UK had the oldest and least sophisticated payment systems at the time. Within months after the introduction of the Chip and Pin payments in the UK, the Shell Corporation, one of the UK's largest petrol station chains, reported fraudulent activities arising from the use of Chip and Pin payments in some of its outlets. Shell Corporation has about 1,000 outlets in the UK and about 400 of them are held and operated by franchisees.

The customers of Shell reported rapid unauthorized withdrawals from their accounts. The investigation pointed at the Shell outlets the customers had used. It was found that the card information of the customers, along with the four-digit PIN (Personal Identification Number), was copied in the reader and this was used to make withdrawals from their accounts. Shell reported that a total of £1 million was missing from its customers' accounts, and an investigation of the system was conducted immediately to identify the vulnerabilities. Meanwhile, Shell suspended the use of Chip and Pin payments in its 600 outlets and reverted to taking authorizations for payments using customer signatures. However, the 400 franchise outlets continued to use Chip and Pin payments (Sturgeon, 2006). The vulnerabilities of the system identified are discussed in the sections below.

Vulnerabilities:

Increased Exposure of Pins:

The £1.1 billion Chip and Pin system was rolled out with the promise that it would help curb credit card fraud, and the costs were borne by the public and the retailers. However, the system also opened up a number of back doors for the criminals. Though the system was secure, it increased the amount of Pin exposure. Earlier, the customers had to enter the Pin only to make ATM withdrawals. However, with the Chip and Pin payments, their Pin was entered every time a transaction was made. The main issue was that the Chip and Pin system is not globalised and hence, the cards also needed to have magnetic stripes. This was to enable the use of the card in other countries where the Chip and Pin system was not in place. The magnetic stripes held the card information, which was easy to copy and replicate (Leyden, 2006). The presence of the traditional magnetic stripe and the increased exposure of the Pin provided a window for the criminals.

Tampered PEDs:

The case of Shell exposed that some of the terminals used to take Chip and Pin payments had been tampered with. This indicated a major security lapse in the use of the Chip and Pin systems, which relied on these terminals, known as PEDs (Pin Entry Devices). The readers, which were identified as Ingenico and Diane, were supposed to be tamper resistant. Most of the Chip and Pin readers installed in Shell and other outlets are 'hybrid terminals', i.e., they read both the magnetic stripe and the embedded microchip in the card. The common criteria set down by APACS indicate that the terminals are tamper resistant and that the security functions should resist any physical attempt at tampering. The anti-tampering mechanism installed in the PED includes lid switches and sensor meshes which shut down the Chip and Pin terminal once it is opened. The evidence of tampering of the terminals in the Shell case indicated that the security functions were easily overridden and compromised the customers' cards (Clark, 2006).
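
An issuer-side check for the pattern described above, as an added example that is not part of the original report: it flags overseas magnetic-stripe ATM withdrawals on chip cards, then ranks the merchants those cards had used beforehand, which points an investigation towards the outlets whose terminals need inspecting. The transaction fields, card labels, merchant names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

HOME_COUNTRY = "GB"  # assumption: every sample card is a UK-issued chip card


@dataclass(frozen=True)
class Txn:
    card: str        # constructed card label, not a real account number
    day: date
    merchant: str    # constructed merchant or ATM identifier
    country: str
    entry_mode: str  # "chip_pin" or "magstripe"
    kind: str        # "purchase" or "atm_cash"


# Constructed sample transactions for illustration only.
TXNS = [
    Txn("card-A", date(2006, 4, 3), "forecourt-17", "GB", "chip_pin", "purchase"),
    Txn("card-A", date(2006, 4, 5), "grocer-02", "GB", "chip_pin", "purchase"),
    Txn("card-A", date(2006, 4, 20), "atm-us-901", "US", "magstripe", "atm_cash"),
    Txn("card-B", date(2006, 4, 4), "forecourt-17", "GB", "chip_pin", "purchase"),
    Txn("card-B", date(2006, 4, 6), "bookshop-11", "GB", "chip_pin", "purchase"),
    Txn("card-B", date(2006, 4, 21), "atm-us-774", "US", "magstripe", "atm_cash"),
    Txn("card-C", date(2006, 4, 7), "forecourt-17", "GB", "chip_pin", "purchase"),
    Txn("card-C", date(2006, 4, 22), "atm-us-901", "US", "magstripe", "atm_cash"),
    Txn("card-D", date(2006, 4, 5), "grocer-02", "GB", "chip_pin", "purchase"),
    Txn("card-D", date(2006, 4, 9), "bookshop-11", "GB", "chip_pin", "purchase"),
    Txn("card-E", date(2006, 4, 8), "grocer-02", "GB", "chip_pin", "purchase"),
    Txn("card-E", date(2006, 4, 25), "atm-gb-120", "GB", "chip_pin", "atm_cash"),
]


def flag_magstripe_fallback(txns):
    """Return ATM cash withdrawals made abroad by magnetic stripe.

    A chip card that suddenly withdraws cash overseas using only its stripe
    matches the cloned-stripe pattern the report describes.
    """
    return [
        t for t in txns
        if t.kind == "atm_cash"
        and t.entry_mode == "magstripe"
        and t.country != HOME_COUNTRY
    ]


def common_points_of_purchase(txns, flagged):
    """Rank merchants by how many flagged cards bought there before the fraud.

    Returns (merchant, flagged_cards_seen, all_cards_seen) tuples. A merchant
    visited by most flagged cards and few others is the first to inspect.
    """
    # Earliest suspicious withdrawal per card bounds the exposure window.
    first_fraud = {}
    for t in flagged:
        first_fraud[t.card] = min(t.day, first_fraud.get(t.card, t.day))

    flagged_seen, all_seen = {}, {}
    for t in txns:
        if t.kind != "purchase":
            continue
        all_seen.setdefault(t.merchant, set()).add(t.card)
        if t.card in first_fraud and t.day < first_fraud[t.card]:
            flagged_seen.setdefault(t.merchant, set()).add(t.card)

    ranked = [
        (merchant, len(cards), len(all_seen[merchant]))
        for merchant, cards in flagged_seen.items()
    ]
    # Most flagged cards first; ties go to the merchant with fewer cards overall.
    ranked.sort(key=lambda r: (-r[1], r[2], r[0]))
    return ranked


if __name__ == "__main__":
    suspicious = flag_magstripe_fallback(TXNS)
    for t in suspicious:
        print("suspicious:", t.card, t.day, t.merchant, t.country)
    for merchant, hit, total in common_points_of_purchase(TXNS, suspicious):
        print(f"{merchant}: {hit} flagged of {total} cards seen")
```
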

Lack of Global Standards:

The tampered terminals were used to copy the card information from the magnetic stripe and also the Pin for the card. This information was then used to clone the cards with just the magnetic stripes. These cards were then used overseas, in countries such as the United States, to withdraw cash from ATMs. The magnetic stripes were acceptable and sufficient for authorization in the other countries and hence they did not require an embedded microchip in the card (Leyden, 2006).

Researchers' Perspectives:

The vulnerabilities were also pointed out by Ross Anderson, Professor of Security Engineering at Cambridge University, who stated that there were a number of bad implementations and issues with the new design. He and his fellow researchers, Steven Murdoch and Saar Drimer, published an article demonstrating that Chip and Pin is not a secure system for the consumers and that the banks should not shift the liability to them. David Wray, a principal consultant with the independent security firm Sec-Tec, indicates that the system is vulnerable to cross-border forgery until it is standardized and accepted globally (BBC News, 2006).

The £1 million fraud for Shell led to a number of technological advances to ensure that the PEDs are tamper resistant. The criminals were apprehended and Shell re-introduced the Chip and Pin payments after four months. APACS claimed that this was an isolated incident and that it would not have an impact on the consumers anymore. The Government assured the safety of consumer payments and amended a number of laws. The following sections indicate the laws and legal perspectives involved in the credit card frauds and safety of consumers.

Laws and Regulations:

With the increased usage of computers and the Internet, there is a lot of movement of data and personal information. This is one of the biggest causes for the increase of electronic crime.
E-crime is treated very seriously and every country has its own laws relating to Internet usage. A few activities that are treated as crimes everywhere are: manipulation of computer records for fraudulent activities; unauthorised access to information; modification of data by software cracking or hacking; piracy of software; spreading viruses; denial-of-service attacks that slow down or crash a website; and identity theft, which is mainly for the purpose of fraudulent transactions, including the misuse of credit cards and card details (Computer Crime Research Centre, 2005). In the Shell case the suspects are punishable under three acts, under which these individuals have broken the law of the country. These acts are the UK Computer Misuse Act of 1990 (CMA), the Data Protection Act of 1998, and the UK Regulation of Investigatory Powers Bill of 2000. These are discussed further in the paper.

Issues of Computer Law:

Over the past few decades technology has grown to great heights and is still improving. Technology is shaping our world. It has become a part of everyone's lives and it rules almost every action of ours. However, every new development has some merits and demerits. In this essay we focus on how technological developments have helped the growth of fraudulent activities like identity theft, credit card fraud and many more. It has been noted that the usage of the internet has increased a lot over the last few years, and the use of facilities like online bill payment, money transfers, online banking, etc. has also seen a rise. All these benefits have helped a lot in speeding up processes; however, they have opened up a pathway for the risk of identity theft (Consumer Reports, 2008). The Parliament has introduced two acts which mainly deal with the advances in technology and the new criminal activities that relate to the same. A brief discussion of the Data Protection Act of 1998 will also be included.
This is because there has been a sudden surge in the need to ensure higher data protection. With the technological developments, it has been noted that almost every office tries to be a paper-free office, which means that all information, including the sensitive information, is now held in computers (Coates, 2007). Details of the UK Computer Misuse Act of 1990 and the UK Regulation of Investigatory Powers Bill 2000 will also be discussed to gain an insight into the laws that have been set down by the government to overcome the grave problem of frauds like identity theft and credit card fraud (Kelly, 2008).

UK Computer Misuse Act 1990:

The population of the United Kingdom was around 60,363,602 as of 2007. With a population as large as this, the internet usage of the country is pretty high, at a total of almost 38,512,837 users (Internet World Stats, 2007). This totals as much as 68.3% of the population, and this is one of the highest for any country. In 2004, 59% of homes had a PC, 52% of homes (i.e. 12.8 million) had Internet access and almost 68% of small businesses had internet access in their offices. The figure below provides a clear picture of the average number of internet users.

Figure 1: Number of Internet Users (Engadgeteer, 2008)

Figure 2: Number of Internet Users (in a graph format) (Engadgeteer, 2008)

With this increase in the use of the Internet, businesses and the government have also been noted to use the internet to a great extent. This has also led to the increase of computer crimes like hacking and many more identification frauds. In 1988, the UK government introduced the Computer Misuse Act of 1990. This was a response to the case of R v Gold & Schifreen in 1988. Such frauds have been noted since 1984, when a hacker gained access to the BT Prestel computer network and also complete access to the personal mailbox of Prince Philip.
After this event a number of other hacking incidents took place during this period. This act was passed to ensure that any individual misusing computers or trying to hack or intrude into the computer systems of others was duly punished and serious action taken against them (OPSI, 2009). The scope of the act covers unauthorized access to computer material, unauthorized access with or without the intent to commit or even facilitate any further offences, and also any modification of programs on the computer without authority.

In the case of Shell's fraud, as discussed above, the case was of a well planned and calculated fraud. Here the accused had a clear knowledge of the unauthorized entry into the accounts of the victims via the Pin Entering Device (PED). The individuals would be punishable under this act as the fraud that was conducted was not unintentional and the suspects were aware of the unauthorized access to the information. It is also noted that the Computer Misuse Act 1990 is the most commonly used, and most convictions are made under this section of the act. This section deals with the cases that relate to the alteration of data, removal of data, or even the addition of external parts to the components of the Pin Entering Machines or any other tracking machines. This is applicable for all and it is essential that the accused do not have knowledge of accessing the unauthorized data or even using it for any other purposes.

UK Data Protection Act 1998:

The Data Protection Act of 1998 has become one of the most complex and stringent laws in the country. This act was passed to ensure that the details of the public are not shared or leaked out from a company. On any particular day, an average person in the UK would provide personal identification information at least once during the day.
This information includes details of the name, address and contact numbers and, in the case of employees, medical health records, any criminal conviction records and even discrimination records (Business Link DPA, 2009). The main aim of this act is to provide the public with the right to privacy of their information, and this is not only for individuals but is also applicable to businesses and other organizations as well. This act mainly applies to personal information, and anyone violating this act can be faced with some very serious charges. The act is based on eight principles on which the information is collected and utilized. These include:

"1. Processed fairly and lawfully.
2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the "data subject's" (the individual's) rights.
7. Securely kept.
8. Not transferred to any other country without adequate protection in situ" (The Data Protection Act, 2004).

The act also provides for circumstances when the personal information can be used, and this is only when there is complete 'Consent' from the individual. The reason for the high level of strictness is that the act mainly deals with personal information, which includes discrimination information as well as health records. The Data Protection Act defines personal information to be:

"Data which relate to a living individual who can be identified:-
* from those data; or
* from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual" (The Data Protection Act - Definition, 2004).

The main principle of the law that needs to be kept in focus at all times by all is that the information provided is used and processed fairly and lawfully. This however has not been the case for the fraudulent act at Shell. The suspects / criminals, who had a hand in the fraudulent activity, have overlooked this principle and have thereby broken the law. Their use of any equipment to tamper with the Pin Entering Device (PED), their accessing of the information of the customers, and their misuse of this information in other places to take funds out of the customers' accounts fall under violation of the law. It is up to the management of organizations to ensure that the staff comply with the laws and do not misuse the information. Also, in the case of Shell it is the duty of the management of the company to send out regular and surprise checks to each petrol station to ensure that the machines are not being tampered with and that the employees are not in any manner violating the law. The impact of this fraudulent activity is not only on the criminals; it also affects the company and the brand image of the company. Shell would also be testified under the three acts.

UK Regulation of Investigatory Powers Bill 2000:

Since there have been a number of technological advances and a high leap in terms of communication, the Interception of Communication Act of 1985 has now been replaced by the UK Regulation of Investigatory Powers Bill 2000. This act considers not only communications devices like phones, but also takes into account the details of emails, mobile phones and, most of all, the Internet. The main reason for mentioning this act within the paper is to understand that credit card frauds can be traced back and that there are laws which pertain to the cards.
The main aim of the act has been explained as, 'To make provision for and about the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed; to provide for commissioners and a tribunal with functions and jurisdiction in relation to those matters, to entries on and interferences with property or with wireless telegraphy and to the carrying out of their functions by the security service, the Secret Intelligence Service and the Government Communications Headquarters' (Guardian, 2009).

In the case of the victims of the Shell fraud, the act will provide a chance to gain complete information on all the expenses and the illegal activities that the suspects have committed. This will provide justice to the customers, as the fraud rounds off to almost £1 million. Thus any information gained from tapping the phones or tracking down the credit card usage will allow the victims to get justice.

Conclusions:

With the increasing cyber crime, and cyber criminals being able to steal within a matter of seconds, there is only one solution to prevent theft. The solution has been backed by major companies like Goldman Sachs, Byers, Kleiner Perkins etc. LifeLock is one of the best and most relied on solutions for the prevention of identity theft. LifeLock is a company that was started to help customers prevent identity theft. The company is headed by some very professional and highly experienced people. George Reyes, CFO of Google, has recently agreed to be a part of the LifeLock Board of Directors. LifeLock is a service which is provided at very low cost to help prevent fraud and ensure that the personal information of the customer is secure (LifeLock, 2008).

There are a number of steps that individuals can take to keep themselves safe from identity fraud. Simple steps like monitoring the bank account regularly and opening even junk mail from banks will help individuals do their bit to ensure that no one has stolen their identity and opened new accounts with it (Coates, 2007). Computer crimes do not only involve the Internet, but may also be caused by a breach in data security or computer security. It is essential that individuals are informed and are always in the process of learning about identity crime and its prevention methods. It is essential that individuals take up the responsibility of securing their information to help the government's efforts to remove this crime completely. It is seen that the crime rate has increased a lot over the years, and there are very simple steps that can be taken to protect oneself.

Despite the technological growth and advancement, banks and other institutions are trying their best to ensure complete safety against credit card fraud, identity theft or any other form of fraudulent activity. It is important that each one of us understands the seriousness of this crime and ensures our safety. Together with them and the government, and with a little diligence from the customers' end, it would be quite possible to completely remove this crime from society. We need to ensure that technological developments are used in productive ways rather than destructive ones.

Bibliography

BBC News, 2006, 'Petrol firm suspends chip-and-pin', 6th May 2006, Accessed on 24th June 2009, Retrieved from http://news.bbc.co.uk/2/hi/uk_news/england/4980190.stm

Business Link DPA, 2009, 'Comply with data protection legislation', Accessed on 25th June 2009, Retrieved from http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1074412952

Clark, L., 2006, 'How safe is Chip and Pin Technology', 13 June 2006, Accessed on 24 June 2009, Available at http://www.computerweekly.com/Articles/2006/06/13/216347/how-safe-is-chip-and-pin-technology.htm

Coates, N., 2007, 'Misguided Fears', The News Media and the Law, 2007

Computer Crime Research Centre, 2005, 'Types of Computer Crimes', 26 November 2005, Accessed on 25th June 2009, Retrieved from http://www.crime-research.org/news/26.11.2005/1661/

Consumer Reports, 2008, 'ID leaks', September 2008, Consumers Union of United States

DataMonitor, 2006, 'Data Monitor Research: Shell Chip and Pin Re-introduced', 14 September 2006, Accessed on 24 June 2009, Available at http://www.datamonitor.com/store/News/shell_chip_and_pin_reintroduced?productid=21431E49-1C49-4D50-8FB5-DDCC8E8C5F8A

Engadgeteer, 2008, 'Top 20 Countries with the Highest Internet Users', 28 November 2008, Accessed on 25th June 2009, Retrieved from http://www.engadgeteer.com/2008/11/top-20-countries-with-highest-internet.html

Guardian, 2009, 'Regulation of Investigatory Powers Act 2000', 19th January 2009, Accessed on 24th June 2009, Retrieved from http://www.guardian.co.uk/commentisfree/libertycentral/2009/jan/14/regulation-investigatory-powers-act

Internet World Stats, 2007, 'United Kingdom - Internet Usage Stats and Market Report', Accessed on 25th June 2009, Retrieved from http://www.internetworldstats.com/eu/uk.htm

Kelly, B., 2008, 'The new Crime Wave', Finweek, 10 July 2008, p51

Leyden, J., 2006, 'Shell suspends Chip and PIN after £1m fraud', 8th May 2006, Accessed on 24th June 2009, Retrieved from http://www.theregister.co.uk/2006/05/08/shell_suspends_chippin/

LifeLock, 2008, 'How LifeLock works', 2008, Accessed on 24th June 2009, Retrieved from http://www.lifelock.com/lifelock-for-people

OPSI, 2009, 'Computer Misuse Act of 1990', Accessed on 25th June 2009, Retrieved from http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm

Sturgeon, W., 2006, 'Shell's £1m Chip and Pin Fraud 'an inside job'', 8 May 2006, Accessed on 24 June 2009, Available at http://www.silicon.com/research/specialreports/idmanagement/0,3800011361,39158743,00.htm

The Data Protection Act - Definition, 2004, 'Definition', Accessed on 24th June 2009, Retrieved from http://www.dataprotectionact.org/2.html

The Data Protection Act, 2004, 'The Eight Data Protection Act Principles', Accessed on 25th June 2009, Retrieved from http://www.dataprotectionact.org/1.html