Benefit cards showing Pins stir security fears

00:46, Oct 23 2012

The lax safeguards of payment cards issued to teenage beneficiaries - with the personal identification number (Pin) printed on the card - have been widely criticised.

The cards, which are being rolled out to about 2600 young people, also require a signature, but that is hardly secure, a security expert says.

Restricted payment cards were introduced as part of the Government's sweeping welfare changes.

Serious questions have now been raised because the Pin for each card is the last four digits of the card number, which is imprinted on the front.

A security expert spoken to by Fairfax Media said signature identification was generally not regarded as enough of a safeguard these days.

The international payment card industry data security standard has strict rules on how Pins should work. A basic rule is not having the number related to anything on the card.


A spokesman for the Social Development Ministry said the Pin enabled the electronic transfer to occur.

Identity was verified via signature - "with the customer's signature being matched by the vendor with the signature on the card, in the same way that a credit card works".

If the cards were made available to more beneficiaries, the ministry would look at having Pins that could be changed by clients, he said.

The cards can only be used in supermarkets, to pay bills, or where Work and Income quotes are accepted. Alcohol, tobacco and fast food cannot be bought using the cards.

Banking expert David Tripe said the verification methods used on the payment cards would not be considered appropriate for bank cards.

"From the perspective of the banking code of order, for example, it is completely out of order to be doing something like this."

The potential financial loss was reasonably small given beneficiaries were in a weak financial position and most of them would spend their income the morning it arrived, Dr Tripe said.

However, it would be a lot of money to a beneficiary.

"If you're a senior manager at MSD [the Social Development Ministry] on $130,000 a year, you don't care that much about $50 or $100.

"I wonder whether MSD have really thought through the implications of this."

Labour's social development spokeswoman Jacinda Ardern said it was "sloppy" that the Government had not put greater security protections around the cards.

"They've transferred a payment that would normally be on a secure bank card to a payment on an insecure government-administered youth payment card, so they've lessened people's security."

It again showed a cavalier approach to personal information by the ministry, she said.

The security risk comes as an independent review into the ministry's information systems is conducted after a major breach.

Blogger Keith Ng was able to access the ministry's secure servers from public kiosks in Work and Income offices.

Figures provided in answer to Labour's written parliamentary questions show a fall in the number of IT staff at the Social Development Ministry.

In June 2008 there were 382 permanent and temporary IT staff, by June last year the number had fallen to 312.

Fairfax Media