Incident: Chip and PIN Terminals Vulnerable to Malicious Software Attacks

Published Date: 2012-07-29

Postmortem Analysis
Timeline
1. The software failure incident mentioned in the articles occurred in July 2012. [13331, 13124]

System
1. Chip and PIN payment terminals
2. Chip and PIN system
3. Card readers used in shops and restaurants
4. Second-hand devices purchased on eBay
5. VeriFone terminals used in Britain [13124]

Responsible Organization
1. Criminals using second-hand devices purchased on eBay to load fake cards with malicious software [Article 13124]
2. Security company MWR InfoSecurity warning about vulnerabilities in Chip and PIN payment terminals [Article 13331]

Impacted Organization
1. Customers using chip and PIN machines in shops and restaurants [Article 13124]
2. Merchants using chip and PIN payment terminals [Article 13331]

Software Causes
1. The software installed in the Chip and PIN payment terminals was highly vulnerable, allowing thieves to hack the terminals with a malicious smartcard and leave malware lurking within the terminal [Article 13331].
2. Criminals could use second-hand devices purchased on eBay to load fake cards with malicious software, infecting the chip and PIN terminals and storing the details of all subsequent transactions [Article 13124].

Non-software Causes
1. Lack of physical security measures for the PIN terminals, making them vulnerable to physical tampering by thieves [13331].
2. Use of second-hand devices purchased on eBay to load fake cards with malicious software, indicating a lack of proper device authentication and security checks [13124].
3. Presence of a security flaw in the chip and PIN terminals that allowed thieves to download customers' card details, highlighting a design flaw in the terminals themselves [13124].

Impacts
1. The software failure incident in the chip and PIN terminals allowed thieves to hack into the terminals with malicious smartcards, enabling them to record both the PIN and PAN of cardholders, potentially compromising the security of their financial information [13331].
2. Criminals were able to download customers' card details from chip and PIN machines used in shops and restaurants, putting millions of customers' banking details at risk [13124].
3. Thousands of terminals had to be reprogrammed to address the security flaw in the chip and PIN system, indicating a significant impact on the affected systems [13124].

Preventions
1. Implementing regular security audits and updates for the software installed in the Chip and PIN terminals could have prevented the software failure incident [13331, 13124].
2. Enhancing the encryption and security protocols within the terminals to protect against malicious software attacks could have prevented the incident [13331, 13124].
3. Conducting thorough testing and validation of the software on the terminals to identify and address vulnerabilities before deployment could have prevented the incident [13331, 13124].
4. Increasing awareness and training for merchants and users on how to detect and prevent tampering with the terminals could have prevented the incident [13331, 13124].

Fixes
1. Implementing a software update to fix the security flaw in chip and PIN terminals [Article 13124].
2. Enhancing the security measures in the software installed in the terminals to make them less vulnerable to hacking attempts [Article 13331].
3. Regularly monitoring and updating the software in the terminals to address any potential vulnerabilities [Article 13124].
4. Conducting thorough testing and approval processes for software updates to ensure they effectively resolve the identified issues [Article 13124].

References
1. MWR InfoSecurity [Article 13331]
2. UK Cards Association [Article 13124]
3. VeriFone [Article 13124]
4. Daily Mail investigation [Article 13124]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to vulnerabilities in Chip and PIN payment terminals has happened again at the same organization, specifically with the Chip and PIN system. The incident involves a security flaw in chip and PIN terminals that allows thieves to download customers' card details [Article 13124]. This indicates a recurring issue with the security of the Chip and PIN system.
(b) The software failure incident has also happened at multiple organizations, as the article mentions that criminals can use second-hand devices purchased on eBay to load fake cards with malicious software, infecting readers used in shops and restaurants [Article 13124]. This implies that the vulnerability in chip and PIN terminals is not limited to a single organization but can affect various businesses using these terminals.

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase is evident in the articles. The security flaw in chip and PIN terminals that allowed thieves to download customers' card details was a result of a vulnerability in the software installed in the terminals. Criminals could use second-hand devices purchased on eBay to load fake cards with malicious software, infecting the readers and storing transaction details [Article 13331, Article 13124].
(b) The software failure incident related to the operation phase is also highlighted in the articles. Criminals could exploit the flaw in chip and PIN terminals by using second-hand devices to download stored data, including card details and PINs. This operation-based failure allowed thieves to access sensitive information from unsuspecting customers [Article 13124].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident related to the chip and PIN terminals being vulnerable to hackers and malicious software is primarily within the system. The articles [13331, 13124] highlight how the security flaw exists within the terminals themselves, allowing criminals to infect the readers with malicious software that captures customers' card details during transactions. This vulnerability is a result of the software installed in the terminals being highly vulnerable, making it possible for thieves to exploit the system and steal sensitive information.
(b) outside_system: The software failure incident also involves contributing factors that originate from outside the system. Criminals can use second-hand devices purchased on platforms like eBay to load fake cards with malicious software, which are then used to infect the chip and PIN terminals in shops and restaurants [13124]. This external factor of obtaining and introducing compromised devices into the system contributes to the vulnerability and exploitation of the terminals, showcasing how threats can come from outside the system to compromise its security.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The articles report that criminals can use second-hand devices purchased on eBay to load fake cards with malicious software, which then infects chip and PIN terminals, leading to the storage of customers' card details [Article 13124].
- Thieves can hack PIN terminals with a malicious smartcard, allowing them to record both the PIN and PAN of cardholders, with the ability to retrieve this information over Wi-Fi, Bluetooth, or phone lines [Article 13331].
(b) The software failure incident occurring due to human actions:
- The articles mention that criminals can use second-hand devices purchased on eBay to load fake cards with malicious software, indicating that human actions in selling and using these devices contribute to the software failure incident [Article 13124].
- Thieves can physically compromise PIN terminals by slipping in a 'Trojan card' that accesses the payment terminal, leaving malware within the terminal, showcasing human actions in executing such attacks [Article 13331].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The articles report that criminals can use second-hand devices purchased on eBay to load fake cards with malicious software, infecting chip and PIN terminals used in shops and restaurants [Article 13124].
- Thieves can hack PIN terminals with a malicious smartcard, allowing them to access the payment terminal and leave malware within the terminal [Article 13331].
(b) The software failure incident occurring due to software:
- The software installed in the chip and PIN terminals is highly vulnerable, making them open to various forms of attack [Article 13331].
- Researchers discovered a security flaw in chip and PIN terminals that allows thieves to download customers' card details, indicating a software vulnerability [Article 13124].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident described in the articles is malicious in nature. Hackers are exploiting vulnerabilities in chip and PIN machines used in shops and restaurants to steal customers' card details by loading fake cards with malicious software [13331, 13124]. Thieves can access the payment terminals, leaving malware within the terminal to record customers' PINs and card details, which are then retrieved over Wi-Fi, Bluetooth, or phone lines [13331]. Criminals can use second-hand devices purchased on eBay to infect readers and store the details of transactions, including card details and PINs, for later retrieval [13124]. This malicious activity is aimed at stealing sensitive information for fraudulent purposes.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The software failure incident described in the articles is related to poor_decisions. The incident involves a security flaw in chip and PIN terminals that allows thieves to steal customers' card details by hacking the terminals with malicious software. The vulnerability in the software installed in the terminals makes them highly vulnerable to attacks, leading to the compromise of card details including PINs and Primary Account Numbers (PANs) [13331, 13124]. The incident highlights the consequences of poor decisions in the design and implementation of the software in the terminals, as it exposes millions of customers' banking details to potential theft. Additionally, the use of second-hand devices purchased on eBay to load fake cards with malicious software further emphasizes the security risks introduced by poor decisions in the software development and deployment process.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The articles highlight a security flaw in chip and PIN terminals that allows thieves to download customers' card details due to a vulnerability in the software installed in the terminals [13331, 13124].
- Criminals can use second-hand devices purchased on eBay to load fake cards with malicious software, infecting readers and storing the details of transactions [13124].
- VeriFone, the company that makes most of the terminals used in Britain, is working on an update to fix the flaw in the software [13124].
(b) The software failure incident occurring accidentally:
- The articles do not specifically mention the software failure incident as being accidental. The focus is more on the deliberate exploitation of the security flaw in the chip and PIN terminals by criminals [13331, 13124].

Category: Duration
Option: permanent
Rationale:
(a) The software failure incident described in the articles seems to be more of a permanent nature. The vulnerability in the Chip and PIN terminals allowed thieves to hack into the terminals, load fake cards with malicious software, and steal customers' card details [13331, 13124]. The flaw in the software of the terminals enabled the storage of card details and PINs, which could be retrieved by criminals at a later time [13124]. The incident highlighted a serious weakness in the Chip and PIN system, indicating a long-term vulnerability that needed to be addressed through reprogramming thousands of terminals [13124]. The fact that criminals could use second-hand devices to exploit the software flaw and steal banking details suggests a persistent issue with the software security of the terminals [13124].

Category: Behaviour
Option: omission, value, other
Rationale:
(a) crash: The articles do not mention any instances of a crash where the system loses state and does not perform any of its intended functions.
(b) omission: The software failure incident described in the articles involves a security flaw in chip and PIN terminals that allows thieves to download customers' card details. This can be considered a failure due to the system omitting to perform its intended functions of securely processing and protecting card information [Article 13124].
(c) timing: The articles do not mention any instances of a timing failure where the system performs its intended functions correctly but too late or too early.
(d) value: The software failure incident involves criminals using second-hand devices to load fake cards with malicious software, infecting readers, and storing the details of all subsequent transactions. This can be seen as a failure due to the system performing its intended functions incorrectly by allowing unauthorized access to sensitive card details [Article 13124].
(e) byzantine: The articles do not mention any instances of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The other behavior observed in the software failure incident is the compromise of the chip and PIN terminals, leading to the potential theft of card details and PINs. This can be categorized as a failure due to the system behaving in a way that compromises the security and integrity of the payment processing system [Article 13124].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) death: There is no mention of people losing their lives due to the software failure incident in the provided articles [13331, 13124].
(b) harm: The articles do not mention people being physically harmed due to the software failure incident [13331, 13124].
(c) basic: People's access to food or shelter was not impacted due to the software failure incident discussed in the articles [13331, 13124].
(d) property: The software failure incident led to the potential impact on people's material goods, money, or data as criminals could steal customers' banking details from chip and PIN machines in shops and restaurants [13331, 13124].
(e) delay: There is no mention of people having to postpone an activity due to the software failure incident in the articles [13331, 13124].
(f) non-human: Non-human entities were impacted as the chip and PIN terminals in shops and restaurants were vulnerable to being hacked, leading to the theft of customers' card details [13331, 13124].
(g) no_consequence: The software failure incident had real observed consequences as criminals were able to steal customers' card details due to the security flaw in chip and PIN terminals [13331, 13124].
(h) theoretical_consequence: The articles discuss potential consequences of the software failure incident, such as the vulnerability of the terminals to being hacked and the risk of card details being stolen, which did occur in reality [13331, 13124].
(i) other: There are no other consequences of the software failure incident mentioned in the articles [13331, 13124].

Category: Domain
Option: finance
Rationale:
(a) The failed system in the articles is related to the finance industry, specifically the card payment system using chip and PIN technology. The articles discuss how thieves can exploit vulnerabilities in chip and PIN terminals in shops and restaurants to steal customers' card details, including their PINs and Primary Account Numbers (PANs) [13331, 13124]. The system was intended to support secure transactions and the protection of customers' financial information, but it was compromised by hackers who could install malicious software on the terminals to extract sensitive data.
(h) The software failure incident is directly related to the finance industry, as it involves the security flaw in chip and PIN terminals used for card payments in shops and restaurants. The compromised terminals allowed criminals to download customers' card details, including their account numbers and PINs, putting millions of customers' banking details at risk [13331, 13124].
(m) The failed system is not related to any other industry mentioned in the options provided.
