When will NZ banks start taking card security seriously?

By Steve Biddle, in , posted: 28-Dec-2008 08:38

It's been revealed today that yet another case of ATM card skimming has occured. This time National Bank machines in Queen St, Vulcan Lane and Parnell all fitted with "anti skimming" devices had card skimming attachments fitted and card details taken.

It's well known in the security world that both NZ and Australian banks have some of the most lax card security in the world. This is the reason that New Zealand is now being hit by card scammers - it's becoming increasingly difficult to skim card details in Europe due to enhanced security measures in place. There are also numerous reported cases of European retailers now refusing to accept NZ or Australian credit cards due to the risk of fraud.

So what can we do? New Zealand banks should immediately be replacing all credit and EFTPOS cards with chip cards which offer a significantly higher level of security compared to existing magnetic stripe cards which are very easily cloned. PIN numbers should also be required on all credit card transactions as is the case in the UK and very soon all of Europe. Chip cards are not entirely foolproof however - there has been a case in the UK where EFTPOS terminals have been phyically altered to capture card details and send details via Bluetooth to capture equipment nearby due to a fundamental flaw in the architecture of the 3DES security for terminals that doesn't encrypt PIN numbers between the pinpad and the terminal.

So why don't NZ banks do something? Like everything banks do it's all about risk management. Replacing cards and upgrading infrastructure to replace mag stripe cards with chip cards costs money. Large amounts of money. It's obvious right now that these costs exceed the amount it costs backs to refund customers for fradulent transactions. Due to our lax security New Zealand is now turning into a prime target for scammers and skimming is a problem that is now going to become progressively worse until the tide turns and banks start taking security seriously.

So what can you do? Ensure that your credit card never leaves you sights.


* Hand over your card at a service station if they want to hold onto it when pumps are on prepay.

* Hand over your credit card at a cafe/restaurant for payment. Take the card to the counter yourself.


* Ask your bank what THEY are going to do to step up their security measures. In particular when THEY will be introducing chip cards for EFTPOS and credit cards issued by them. Remember YOU as a customer are in effect paying for fradulent transactions as its's simply part of their cost of doing business and reflected in the charges they pass on to you.

* Check your bank statements carefully. Report any suspcious transactions immediately.

* Be aware of any suspicious activity near ATM's.

Other related posts:
CCTV exposed. Why understanding network security is so important.
Anker make some of the best USB chargers and powerbanks available. Now you can get their products shipped directly to New Zealand
United Airlines pulls out of New Zealand for Southern Hemisphere Winter – AKL/SFO becomes seasonal.

Comment by juha, on 28-Dec-2008 14:06

In case anyone thinks Sbiddle is being alarmist, remember that EFTPOS transactions are extremely hard to dispute unless there's an apparent pattern of fraud.

Comment by barney knox, on 28-Dec-2008 16:01

Most interesting. I must admit a few times now whilst at the check out I have stopped when about to enter my pin number and turned to stare at the person behind in the queue who is peering over my shoulder.

Myself i always step back when the person in front is carrying out their transaction, but some really are intimidating whether they mean to be or not.

Comment by CJ, on 28-Dec-2008 22:57

What banks issue Chip cards. ASB has just launched their Platinum card which has a chip but most retailers struggle to use it. Banks should make it compulsory - set a dead line so all equiptment and cards start getting upgraded.

Comment by Dave, on 29-Dec-2008 07:56

RFID chips are more likely to be misused and abused and is a absolute violation of your private details when someone standing 100ft away can access your information, just like your passport you can use readers to see your cards details. Those chips have transmitters in them, even though the power is low as long as you can read the signal your home and away and yet another problem arises.

Frankly I'm opposed to what you said, without card protection sleeves your absolutely more vulnerable to fraud. There's other ways to protect yourself against fraud, surely the banks can adopt better systems than jumping onto unproven and unsafe technology.

Comment by Se7ensyns, on 29-Dec-2008 09:30

Not sure if any of you remember but ANZ released a chip card quite some years ago but the take up was so bad and retailers didnt understand how to use it that it was pulled. I had one and it was kinda cool but a little too early for the market. You even got a USB card reader for home for secure web transaction. it was called the ZED card and had the ads with Brains from thunderbirds. ANZ Australia have released chip cards for the second time and I think those a re doing a bit better but it comes down to ease of use, cost and ultimately consumer choice.

Comment by Luo Ge, on 29-Dec-2008 09:33

How does all this affect the security of online credit card transactions, that simply involve the passing of the credit card number and expiry date? Will this become a deprecated activity?

Author's note by sbiddle, on 29-Dec-2008 09:57


You obviously need to read up a little more on the topic. Chip cards are not RFID and are not contactless. They require a chip reader and they cannot be read from a distance like RFID can be.

There have been trials of contactless cards overseas but this is not what I am talking about here.


Yes Zed cards were a product that was launched far too early and there were such a small number of retailers with chip capable terminals that you ended up swiping the card everywhere anyway! Now with the new 3DES requirements all terminals are chip capable so there are no such issues. I actually found my Zed reader a few weeks ago!

Comment by tstone, on 29-Dec-2008 10:00

Your do's and dont's are very sensible and good advice. Unfortunately the body of your logic is flawed. Have other country's banks completely eliminated fraud of this type? The criminals will always find a way around the security and the only way to prevent this is to stop using cards. By far the majority of card transactions are safe and if people follow your do's and dont's there is reduced risk.

Author's note by sbiddle, on 29-Dec-2008 10:12


Chip & PIN in the UK significantly reduced UK credit card fraud levels by 25% almost instantly. It doesn't solve the problem of CNP (card not present) transactions which is still a major issue. Use of CVV codes can help minimise this but it's still something that is not as common as it could be.

Chip cards aren't the overnight solution to all fraud, they have however significantly reduced fraud levels and most fraud that is occuring is CNP (card not present) or skimmed cards being used internationally.

Comment by HairyOne, on 29-Dec-2008 14:42

Having been involved in the privacy and security industry for over 20 years, Can someone please EXPLAIN to me - HOW A CHIPPED CARD (RFID or not) offers better protection than what's available now?! The only reason to use chipped cards at present - the fraudsters, haven't bothered to figure a way around them - YET! In two years time, having a DNA reader at the bank terminal will be shown to be the best protection, because so many people are now getting stung with RFID frauds. It's not a hardware change that's needed, it's a political one! Stop the PC (political correctness) garbage, and give the offenders a penalty that discourages them. Stop blaming the poor innocent guy that owned and used his card as required and make the penalty for abusing the 'normal' persons trust, - HARSH!

Comment by Lance Wiggs, on 29-Dec-2008 16:05

Rubbish. The skimmers last time were caught forthwith and deported. These guys will hopefully have the same fate. ATM skimming is not an issue in NZ - this is the second instance only, and the media and banks react quickly. Please back up your assertions about NZ cards being refused. And are they refused becasue they are NZ, or just non-EU, or just non-Chip/PIN? How much did the Chip/PIN transition cost? How much of that 25% drop still remains? When I was in the EFTPOS game (early 90's) NZ had the toughest security going. The requirement for a PIN on unattended transactions, the PIN reader physical security, PIN reader session key requirements and so forth - the often painful security the banks insisted on all contributed to a fantastically secure system overall. Meanwhile in the USA they simply copped a higher fraud rate, and they still do. I agree - no matter what system is used, the basic laws of card transactions still always apply - don't let your card out of sight, don't ever disclose, write down or let anyone see your PIN (cover your hand when you enter it) and report card loss immediately. And if you see anything strange on an ATM then stay well clear.

Comment by Dratsab, on 29-Dec-2008 16:09

Unfortunately in this country security actually means nothing to the banks.  They won't put up proper security screens to protect their own staff, so do you think they're really going to be bothered by skimming or other such fraudulent activity?  I don't.

It's my belief that changes to security will only start to occur when the banks insurers start saying they won't pay out unless decent security measures are implemented.

Author's note by sbiddle, on 29-Dec-2008 18:39


I've had several friends travel around Europe lately who have all had trouble with NZ or Australian cards. Many retailers in the UK will now refuse to accept non chip cards and they also encountered the same issues in parts of Europe. The suggested solution from the bank was to to take one one of the prepaid chip cards if they wanted to use a credit card.

Comment by nzbnw, on 29-Dec-2008 20:25

Don't Visa and MasterCard merchant agreements require the merchant to accept international Visa / MasterCard Credit Cards with no chips (i.e. a New Zealand Issued Visa being used in the UK?)


Comment by AJ, on 30-Dec-2008 10:00

Retailers refusing to accept chip cards is just retailers being dumb, and is nothing to do with fraud in my experience. I travel a lot and never have an issue in UK & Europe with my non-chip-cards being accepted, although I occasionally have to remind retailers in the UK they *can* accept them. I'm not convinced that chip cards will do much to enhance ATM security, as it will just shift the problem (either to people skimming the chip, or to people with "legacy" cards being the one impacted, e.g. tourists.) I seem to recall a big announcement in 2005 by Visa APAC that all Visa cards (including NZ) would be EMV/Chip enabled by 2006 - that fell a bit flat! Interestingly, despite living off my credit cards and traveling to 3-4 countries a month, the only cases of card fraud I've had have been related to taxis.

Comment by adamj, on 1-Jan-2009 09:16

I'm in the US at the moment. When I hand my card over here they simply swipe it through a machine. No PIN, no signing. Some retailers ask for ID with the card, but most don't bother.

How's that for card security?!

Comment by Simon, on 3-Nov-2009 04:24

Your information "anti skimming devices had card skimming attachments fitted to scan the card details" is really helpful to protect our selves from becoming ATM fraud victims.. atmsecurity.com

sbiddle's profile

Steve Biddle
New Zealand

I'm an engineer who loves building solutions to solve problems.

I also love sharing my views and analysis of the tech world on this blog, along with the odd story about aviation and the travel industry.

My interests and skillset include:

*VoIP (Voice over IP). I work with various brands of hardware and PBX's on a daily basis
  -Asterisk (incl PiaF, FreePBX, Elastix)

  -xDSL deployments

*Structured cabling
  -Home/office cabling
  -Phone & Data

*Computer networking
  -Mikrotik hardware
  -WAN/LAN solutions

*Wireless solutions
  -Motel/Hotel hotspot deployments
  -Outdoor wireless deployments, both small and large scale
  -Temporary wireless deployments
*CCTV solutions
  -Analogue and IP

I'm an #avgeek who loves to travel the world (preferably in seat 1A) and stay in nice hotels.

+My views do no represent my employer. I'm sure they'll be happy to give their own if you ask them.

You can contact me here or by email at stevenbiddle@gmail.com