Tag Archives: PCI compliance

The fallibility of chip and pin

It was introduced back in 2004 and heralded as a fraud-smashing new approach to paying safely for goods and services, as solid as an impenetrable rock.

The swish-swoosh of elaborate signatures (we all thought the more complex the style, the harder it would be to forge) became a traditional gesture. The strip on the back of cards for our names still exists, but the signature we put on it is, to some extent, redundant.

By 2005 it was viewed as a groundbreaking step forward, evidently doing its job and doing it well. The UK Payments Administration Ltd, which was then known as the Association for Payment Clearing Services, reported that chip and pin had cut plastic card fraud by 13 per cent.

It was validation.

However, flaws in the system have been identified. Last year seemed to be a particular milestone in changing perceptions, as the conversation in the information security and risk management industry about the shortcomings of chip and pin grew louder.

Chip and pin was meant to do away with skimming, where the data on a card is copied as it is swiped. In March of this year, Italian specialists explained that EMV (Europay, MasterCard and VISA) cards "talk to" payment terminals, and that fraudsters can read that exchange if they install skimming devices on the terminals.

They can even do this on a pin terminal, after which a "clone card" can be produced. One caveat worth stating for practitioners: a clone built from skimmed data is a magnetic-stripe copy, usable where the stripe or fallback transactions are still accepted; the chip itself is not cloned. Even so, the myth that chip and pin is a rock of security has been broken.

More worryingly, researchers at Cambridge discovered that it was possible for perceptive criminals to commit fraud without knowing the pin at all.

They called it the "No PIN" attack; technically it is a man-in-the-middle attack between the card and the terminal. The researchers published the full details in their paper, but the basic premise follows.

For one, the fraudsters need to be au fait with the intricate details of the chip and pin system, call it insider knowledge if you will. Secondly, they must have external hardware capable of pulling off such a scam: a device sitting between the genuine (stolen) card and the terminal, which need not be visible at the point of sale.

“Essentially what it does is to exploit a flaw in the chip and pin system,” Dr Saar Drimer, who was part of the research, told the BBC at the time.

“It makes the terminal think the correct pin has been entered, and the card thinks the transaction was authorised with a signature.”
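The inconsistency Dr Drimer describes, as an added toy simulation that is not from the original post or from the Cambridge paper: the terminal sends the ISO 7816-4 VERIFY command (instruction byte 0x20) and expects the 0x9000 "OK" status word; a hypothetical interposer answers "PIN OK" itself without ever forwarding the command to the card; the card, never having seen VERIFY, reports in its cryptogram data that no pin was checked. The issuer-side reconciliation at the end is the check a practitioner would want. The pin value "1234", the simplified failure status word, the two-field transaction record and the class names are assumptions made for this example.

```python
from __future__ import annotations

# Toy model of the EMV "No PIN" man-in-the-middle attack.
# Assumptions (not from the original post): a card pin of b"1234", a terminal
# that always attempts pin verification, a simplified status word for a wrong
# pin, and an issuer check that compares the terminal's and the card's accounts
# of which cardholder verification method actually ran.

VERIFY = 0x20         # ISO 7816-4 VERIFY instruction byte (real value)
GENERATE_AC = 0xAE    # EMV GENERATE AC instruction byte (real value)
SW_OK = 0x9000        # status word: command succeeded (real value)
SW_PIN_FAIL = 0x63C0  # status word: wrong pin (simplified for the example)


class Card:
    """The chip. It only knows a pin was checked if it saw a VERIFY command."""

    def __init__(self, pin: bytes) -> None:
        self._pin = pin
        self.pin_verified = False

    def apdu(self, ins: int, data: bytes = b"") -> tuple[int, dict]:
        if ins == VERIFY:
            self.pin_verified = data == self._pin
            return (SW_OK if self.pin_verified else SW_PIN_FAIL, {})
        if ins == GENERATE_AC:
            # The card's cryptogram data carries its own view of the
            # transaction: here, simply which verification method it saw.
            return (SW_OK, {"card_cvm": "pin" if self.pin_verified else "signature"})
        raise ValueError(f"unexpected INS {ins:#x}")


class Mitm:
    """Hypothetical interposer between terminal and card.

    It answers VERIFY itself and forwards everything else untouched.
    """

    def __init__(self, card: Card) -> None:
        self.card = card

    def apdu(self, ins: int, data: bytes = b"") -> tuple[int, dict]:
        if ins == VERIFY:
            return (SW_OK, {})  # lie: "PIN OK" without ever asking the card
        return self.card.apdu(ins, data)


def terminal_transaction(channel, entered_pin: bytes) -> dict:
    """What the terminal does: verify the pin, then request a cryptogram.

    Returns a constructed two-field record of the terminal's view and the
    card's view of the cardholder verification method.
    """
    sw, _ = channel.apdu(VERIFY, entered_pin)
    if sw != SW_OK:
        return {"terminal_cvm": "pin_failed", "card_cvm": None}
    sw, resp = channel.apdu(GENERATE_AC)
    return {"terminal_cvm": "pin", "card_cvm": resp["card_cvm"]}


def issuer_check(record: dict) -> str:
    """Issuer-side reconciliation: the two accounts of the CVM must agree."""
    if record["terminal_cvm"] == "pin_failed":
        return "decline"
    if record["terminal_cvm"] != record["card_cvm"]:
        return "decline: CVM mismatch (terminal says pin, card says signature)"
    return "approve"


def run(entered_pin: bytes, with_mitm: bool) -> tuple[dict, str]:
    """Run one transaction, with or without the interposer, and adjudicate it."""
    card = Card(b"1234")
    channel = Mitm(card) if with_mitm else card
    record = terminal_transaction(channel, entered_pin)
    return record, issuer_check(record)


if __name__ == "__main__":
    print(run(b"1234", with_mitm=False))  # genuine cardholder: approve
    print(run(b"0000", with_mitm=False))  # wrong pin, no attack: decline
    print(run(b"0000", with_mitm=True))   # wrong pin via the interposer: terminal says "pin", card says "signature"
```

The third run is the attack: the terminal and its receipt record a verified pin while the card recorded a signature transaction. Without the reconciliation in `issuer_check`, nothing in the flow notices that the two parties disagree, which is exactly the gap the attack exploits.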

Of course, like any security system, nothing is absolutely foolproof, but chip and pin was brought in as a radical alternative. With these weaknesses identified, it has in some ways lost its ability to sit smugly at the top of the security tree. It's now just another payment system, prone to attack.

What do you think? Post your comments below and let us know.


How easy is it for us to find your CV?

Search for advice on writing a CV and one of the first things you will read is that it should be no more than two pages long. The last thing a hiring manager wants to do is read through reams of paper detailing your every project and anything else you've ever done or thought about doing; brevity is encouraged, and you must engage your reader to keep their attention.

Much of this advice is good. CVs should be succinct, on-topic, and objective. Follow the old mantras about CV writing down to the line though and you are left with a document that will look pretty uploaded on your favourite job boards, but will often see you overlooked for roles for which you are perfectly suitable. A CV is no longer a record of your most worthwhile achievements; it is now a digital resource, a way of indexing your experience.

Ask most jobseekers what they do with their CV once they have finished writing it, and I doubt many will tell you that they print it off, read the advertising section of the newspaper, and then start sending out copies in the post. Typically you will upload it to your favourite job board or send it across to a trusted recruiter. That’s the hard part done, you’ve ‘got yourself out there’, now it’s just a waiting game until the right role comes along, right?

Wrong. Too many candidates fail to consider how life is on the other side of the fence, how we engage with their CVs. This is particularly true when recruiting information security and risk management professionals, who can have very niche skills and responsibilities. So here it is…

Whether it sits on Monster.co.uk or in a recruitment database, it is important to consider how your CV is accessed. I can tell you that if I know you as an information security candidate, I might search for you by name, but otherwise your suitability for the roles I am working on depends completely on your CV's ability to match my search. Any recruiter with a little training will understand Boolean search strings, and to ensure you are considered for the most relevant jobs, candidates must too.

CV writing should now be seen as SEO. Consider the keywords that will bring you up in searches for the roles you're interested in, and the search hits that will display your profile above your competition. It's also important to understand the value of your skills; too often I learn about a candidate's experience with an in-demand technology only once I have invested the time to speak to them. All recruiters know those calls when a candidate phones in to ask why they haven't been contacted about a role for which they believe they are perfect. Considering the above, the reason quickly becomes apparent.

CVs aren't telling us enough. For example, a candidate might simply mention 'security monitoring' in one of their roles, when actually they have good knowledge of IDS, IPS and SIEM systems, which are highly sought after at the moment because they tick a few of the required boxes for PCI compliance. Or consider the information risk hot topic of the day, application security: expertise in this area can see some candidates command impressive increases in salary. Whilst 'application security expert A' gets his pay rise, 'expert B' is failing to get interviews. I bet you know by now which candidate has written their CV with search terms in mind, has discussed their experience in a way that makes it clear what they have been doing, and details their specialisation most effectively.

Ultimately, your hiring manager or recruiter only knows what you tell them, and your CV is your primary form of communication. Your job search may end up a success, but think about the exciting opportunities you might have missed out on through a failure to consider what happens to your CV once it leaves your hard drive. Whilst a strong understanding of the market will help, overcoming this is relatively easy: technical skill profiles or project overviews are one way to move yourself up the search results, particularly in product-heavy roles such as IT security engineering. Some candidates, particularly technical security contractors, might consider writing a version of their CV that is considerably longer than they would normally like, with a simple disclaimer that it is a keyword-optimised document. Another useful measure when uploading your CV to a job board is to use the 'personal summary' or 'about me' section to search-optimise your profile.

It’s time to stop thinking about how your CV looks, but rather how people will find it.

– Ryan Farmer