Tag Archives: Chip and Pin

Who Benefits from Tesco Self-Service Tills?

Consumer group Which? recently issued a warning over the self-service tills now available in 320 branches of Tesco, highlighting the whopping great security hole in the whole process: they don’t use any sort of validation on the payment card at all. There is no Chip and PIN or signature; you just swipe the magnetic strip on your card and you’ve paid. With the move to Chip and PIN for most transactions, this is an opportunity for people to use old-style skimming techniques at stores countrywide. Interestingly, Tesco have said that they are starting to introduce Chip and PIN to the machines; however, the new terminals that went into our local branch last month are still swipe terminals rather than Chip and PIN.

The interesting question is who do these terminals really benefit? I tend to use them if I’m buying a small number of items, mainly because the express checkouts at Tesco are always so badly policed. There have only ever been two 10 items or less checkouts at our local branch, and often one other checkout with a sign saying for baskets only, and there is always a significant queue at each. The four self-service checkouts have replaced two normal checkouts, and since most people are reluctant to use them, generally don’t have much of a queue.

The interesting thing though is that the actual process is slower than if you were at a regular till with a properly trained staff member on the checkout. The tills use voice instructions to talk you through each stage of the process – to the point of ‘take the next item’, ‘scan the item’, ‘put the item in the bagging area’ – which is very slow. There are also detectors of some sort in the bagging area in an effort to stop fraud (they detect items being bagged if they haven’t been scanned); however, the sensors are not foolproof and in my experience regularly have problems with light items like newspapers. I expect that they also would have problems if you didn’t want to bag something, for example if you were just buying a sandwich. I have discovered that it is possible to force the system to work faster though – whenever it starts on a voice instruction, the scanner and sensors are all set up for the next stage of the process, but it is still a generally slower process.

However, the advantage to Tesco is obvious: to run the four self-service tills they need only one staff member, whereas to run another four express checkout tills they’d need four staff members. This also explains why the fraud issue at the tills doesn’t seem to be much of a problem to them – what is a few cases of fraud, all of which are limited at most to a few hundred pounds, compared to the savings of only having to have a quarter of the number of trained staff for those tills?

Tesco Sign picture originally uploaded by Nosbig.

Filling You With Confidence

You may have spotted on the news at the weekend that Shell have suspended the use of Chip and PIN following discovery of a £1,000,000 fraud where money was being syphoned out of customer accounts. Of course, the report is pretty non-specific as to what the problem was, with only a statement from a spokeswoman at APACS, who are behind Chip and PIN, about how the PIN pads are supposed to be tamper resistant.

However, today the BBC News site posted an item containing advice from Frank Abagnale, whose exploits were immortalised in the film Catch Me If You Can, on how to avoid ID theft. Alongside his advice not to use cheques (they have all the information on them that an ID thief needs), he also laughs at Chip and PIN, highlighting that the fraudsters at Shell got their information from the unprotected magnetic strip on the back of the card. As I mentioned way back in January last year, whilst APACS will tell you how wonderfully secure the chip is, they always skip over the fact that in order to remain compatible with older terminals and cash points, all the relevant information is still in the magnetic strip on the back. I’m just surprised that it’s taken someone this long to pull off a big scam in that way.

The Abagnale article also highlights some other security loopholes with the new system. Take those snazzy wireless terminals that you often see in restaurants: they helpfully decode the information off your card, and then send it over an unencrypted radio connection back to base. Not surprisingly, he has little confidence in the government’s supposedly foolproof ID card system – he gives it six months before someone replicates it perfectly, and with that, everything you need to pretend to be someone else is in the one place. Fills you with confidence really.