A PIN to go with that stolen card sir?

Just back from my jollydays in Paris and, whilst standing in a queue to buy Metro tickets at the Louvre, was surprised to be offered a packet of 10 Metro tickets for 10.50 euro - about 10 per cent less than the going rate - by the inevitable dodgy geezer.

I ended up buying the tickets, rather than wait another 10 minutes for the inevitable Japanese tourists at the front to work out how to buy their Metro tickets using a JCB card.

I was, however, surprised to see the dodgy geezer staying in the queue, clutching a Visa credit card.

After chatting with the geezer, it seems the card was stolen and the PIN derived from the card using a Russian PC program called Bergamot.

Regular readers of this column will recall that I first encountered this program - apparently coded by the Russia Mafia - when chatting with a pal about the private ATMs installed at pubs and clubs.

Article continues after advert

At the time, I thought that Bergamot decrypted the data stream from the ATM to the transaction processing centre. It now appears that the package also derives the PIN from the card details, using data accessed across the Internet.

I would have discovered more about the program if two Gendarmes hadn't sauntered into view. The dodgy geezer melted into the background and disappeared.

Does the geezer's claims hold water? Yes, as you need a PIN to get tickets from the Metro machines. The tickets also represent an easy way to convert stolen cards into real money with minimum risk.

I'm also guessing that the Metro machines don't apply the same levels of security as an ATM would, meaning that a lot more tickets than dosh could be `withdrawn' before the card issuer suspects anything.

Of course, you've got to take claims like this with a pinch of salt, but the kid mentioned Bergamot by name, which is just too much of a coincidence.

I leave you to draw your own conclusions, but my confidence in chip and PIN has now been utterly eroded, I'm afraid to report...