A Finextra member 01 December, 2009, 09:11 0 likes

"Even though passwords aren’t all that secure to begin with, a signature is even less secure, unless of course we provide the signature some credibility by implementing image-based fraud detection system-wide, or putting guys like Bob in a booth in every business district on the planet to review the legitimacy of the signature. That ain’t happening. Yet we have plenty of coffee shops on every corner. Seems like our priorities are a bit skewed."

Static Passwords/Passcodes/Pin-codes offer a convenient factor not only to cardholders but more so to card fraudsters and card thieves.

I found this out the hard way when in 2002, 4 thieves entered my house and stayed with me for almost an hour asking me for the pin-codes of my U.S. issued cards and while they took what they wanted. As I am no hero, I told them that my U.S. issued cards are not issued with pin-codes but here is my french card and its pin-code and they can take it. They left without taking my U.S. issued cards.

Later, the gendarme told me that thieves often assaulted cardholders for the cards and their pin-codes.

Gerald Levin's (CNN's former CEO) son, Jon Levin was tortured and murdered by one of his students for the pin-code of his ATM card.

The cambridge people were not being dramatic when they recalled the murder of two french students in the UK.

Although your signature can be copied, it is the presentment of the actual card and a signature that makes this combination safer than a static pin-code. The merchant is supposed to check if the signature is similar to the signature at the back of your card. I seldom sign the back of my cards and these cards were refused when I paid with them until I signed them and showed the merchant another ID Photo with the same name and signature.

Card Fraudsters consider skimming Cards without static pin-codes more trouble than its worth, so they don't bother. 

John Dring - Intel Network Services - Swindon 01 December, 2009, 17:31 0 likes

Hmmm- I took a medium size amount of cash out from my UK high street bank at a local branch.  I had my bank card and cheque book and took my passport for additional photo-ID (because I am European, we almost all have a Passport).  I had filled out a cheque, but waited to sign it in front of the cashier. 

But no - she wasn't interested in the cheque.  She wanted my Chip+PIN card and my PIN.  Couldn't care less about the rest as far as I could tell, although she did wander off with all the above and photo-copied it to be stored with a huge form she filled in.

Basically, she triple counted the cash (machine and by hand) and got multiple authorisations from me, but the one she relied on was the PIN+Card.

Stephen Wilson - Lockstep Consulting - Sydney 01 December, 2009, 22:32 0 likes

Marite: Are you actually advocating the use of handwritten autographs instead of PINs for payment cards?  If so, what do you advocate for Card Not Present authentication?

A Finextra member 02 December, 2009, 09:04 0 likes

Stephen : As you can see, I responded to a specific context of Robert's concerning signature versus a static password/pin-code.

As far as what I advocate, you may recall that I have previously commented on the usage of one-time pin-codes as an improvement to the static pin-code.  While the usage of OTPs is under evaluation, indeed some European Issuers have expressed their intention to issue EMV with signature.

For Card-Not-Present security, I also advocate giving cardholders the ability to TURN OFF their card accounts when they are not using their cards to pay for a card-not-present transaction, as well as the ability to TURN ON their card accounts before doing a CNP.

Have a nice day.

Stephen Wilson - Lockstep Consulting - Sydney 02 December, 2009, 10:16 0 likes

Marite: All I got from your comment was the idea that thieves can assault customers to force them to divulge their PINs, and the implication that autographs cannot be obtained by duress.  If that's your position, I am still not sure where that leaves CNP.  I know your idea that cardholders should turn their cards on and off, but that leaves an authentication weakness.  What is the authentication mechanism used when someone requests that the bank turn their card on and off?  It cannot be a remote autograph.  So don't you come back to PINs no matter what?

A Finextra member 02 December, 2009, 11:05 0 likes

Stephen : That thieves can assault cardholders to force them to divulge their PINs is not an IDEA. Unfortunately, it is a FACT.

That cardholders should turn their cards on and off is also not just an IDEA. This is also a FACT proven by a pilot system used by real cardholders.

During the pilot, electronic certificates stored in a card-size cd-roms (this was in 2001/2002) were used to authenticate the cardholders.

My work since 2000 enabled me to come to the conclusion that static pin-codes are not secure. Therefore, in order to secure access to this Switch system, the preferred authentication mechanisms I advocate would be a combination of caller ids / one-time pass-codes; or combination of voice authentication / caller-ids for the phone/mobile interface; or combination of PC Forensics + one-time pass-codes sent via out-of-chanel links. Of course, banks may dictate the usage of static PINs. But that's not what I would advocate.

What I recommend most is to establish a direct link between cardholders and their banks' authorization systems in order to enable cardholders to Turn ON or Turn OFF their card accounts. Fraudsters have benefited from this link that's been left wide-open for all these years.

Cedric Pariente - EFFI Consultants - Paris 02 December, 2009, 11:52 0 likes

Hi Roberto,

Thank you for this blog.
Just to mention it, we still have kings and queens in some countries of the world. :-)

Concerning the signature, you are criticizing a monument in our culture. The John Hancock (as called in the US) is still a very powerful way of giving evidence of:

• The provenance of a document (Identity)
• The intention of an individual with regard to that document (Will)

In France, specifically, it is the strongest way of identifying yourself. As we are not using it to pay (except with cheques) but mostly to sign official papers, I think it kept all its strength and meaning to us.

As every authentication system or device, it has its strength and weaknesses.

I would give a vote to signature in a face to face against static PIN codes.

My point of view might change if we were talking about one-time passcodes.

Concerning the idea of Marité, I think that you completely missed the point Stephen.

You focus on the authentication when she is talking about something much more powerful, authorization!!!

As a cardholder, it gives you much more power and control to be able to TURN OFF your card than to have the most complex authentication in the world.

Robert Siciliano - Safr.me - Boston 02 December, 2009, 14:07 0 likes

Cedric:

I must compliment you on your "way" Youre cool calm and collected.

"kings and queens in some countries of the world. :-)" Yes, to me, old school and antiquated. Not enough checks and balances in that system. I was more focused on the wizards and dragons smoke and mirrors myths of magic and threats. A wizard, who was the first "black hat hacker" would cause a problem and tell you how to solve it, if you paid him in status and allegiance.

"Concerning the signature, you are criticizing a monument in our culture."

YES! Its existing level of security is non-present in every day transactions. Its time to either abandon it or secure it. Thats where image-based fraud detection comes in. It provides a level of authenticity to the handwritten signature. Otherwise the honor system is no longer is sufficent. The idea of all sheep and no wolves.

"The John Hancock (as called in the US) is still a very powerful way of giving evidence of The provenance of a document (Identity) The intention of an individual with regard to that document (Will)"

Maybe. Only to the point of forgery. Which is where the honor system comes in. Its the "8 track tape" of security. I have no use for it.

"In France, mostly to sign official papers"

The French must be very honest. Or the wolves havent moved in yet. But they will.

"I would give a vote to signature in a face to face against static PIN codes."

They both suck. Unless backed up with effective authentication.

"My point of view might change if we were talking about one-time passcodes."

Yes. Not effective for the limited human brain. But thats where technology producing them comes in. But the transporting of little keyfob devices has its own set of problems.

Finextra blogs needs a spell check. Please.

Stephen Wilson - Lockstep Consulting - Sydney 02 December, 2009, 16:27 0 likes

Someone is going to have to explain this idea of turning on and off my credit card, like I'm six years old.

If I can contact my bank over the network, prove to them that I am Stephen B. Wilson, holder of card no. 4000 1234 5679 0123, and ask them to turn that card on, then I must be authenticating myself pretty well, yes?  If so, why not use that same authentication mechanism to prove to a merchant that I am Stephen B. Wilson, holder of card no. 4000 1234 5679 0123?  Then I could leave my card on all the time!

Enough already with the stop gap fixes!!  Turning cards on and off because they're not really trustworthy when they're on seems very odd to me.  Let's tackle the real problem -- which is that digital ID data presented online can be replayed -- without introducing more and more layers of complexity between buyer, seller and their banks.

Cedric Pariente - EFFI Consultants - Paris 03 December, 2009, 10:28 0 likes

This discussion about the ON/OFF system should not take place here.

It's a lack of respect for the blog of Roberto and the topic he decided to debate. Please feel free to create another blog and I'm sure a lot of people would like to debate with you on this topic.

To close this discussion, turning ON/OFF might seem too complex for you because you blindly believe in cards (that have proven to be not so smart) and authentication.

Fraud rates all over the world prove that the current authentication methods are really not efficient and things must change, but as long as banks choose short term benefits as a primary goal (in place of quality of service), we'll have crapy systems + the insurances that can be sold to fill the gaps.

Stephen Wilson - Lockstep Consulting - Sydney 03 December, 2009, 20:12 0 likes

I'm sorry Cedric that you don't like the way this conversation has evolved, but it was Marite who moved us this way, by suggesting turning cards on and off is an answer to the security problems raised by Robert.

I don't care where we discuss it.  But instead of insulting my "blind" belief in smartcards, and ignoring my extensive writings on the topic here and elsewhere, perhaps you could answer the question: If there is a reliable means to authenticate the request to turn a card on and off, why isn't that means sufficient to authenticate the presentation of the card to a merchant?

Cedric Pariente - EFFI Consultants - Paris 04 December, 2009, 10:14 0 likes

Hi Stephen,

My sincere apologies if you felt offended. I often get carried away as I'm a passionate person and it's absolutely not my intention to insult you in any manner.

Concerning the ON/OFF system, I think you are using a sledge hammer to kill a fly here.

Can you perform a transaction with this ON/OFF system?
The answer is NO.

It works like a "Read only" system.

Aaron Patzer, CEO of Mint.com, explains it so well that I'll use his words to describe what this means in terms of required level of security

http://www.youtube.com/watch?v=qDMG1BA6EnE

In a few words it can do no harm, but it might bring something new to the table. Not only in terms of ON/OFF but also in terms of budgeting. And I've heard that lately it might be something interesting, especially in the USA.

Is there a good authentication system out there?
There are certainly plenty but not a single one is universal. Meaning secure, cheap enough to deploy and widely accepted by consumers, merchants and banks.

Besides, even if it arrived today, I'm not sure that banks & payment networks would let it take their slice of the cake without a fight.

I truly believe the discussion about the best authentication system is not over yet...

A Finextra member 04 December, 2009, 10:31 0 likes

Stephen : You asked what I would advocate for card not present authentication, which prompted my response as to what I advocate for card not present security. 

You asked, "If there is a reliable means to authenticate the request to turn a card on and off, why isn't that means sufficient to authenticate the presentation of the card to a merchant?"

Stephen, I think that a replayable factor is not sufficient to authenticate the presentation of the card to a merchant. I also think that a non-replayable factor is sufficient to authenticate the presentation of the card to a merchant if one can be sure that he is giving this non-replayable factor to a legitimate merchant. Note that I used 'a merchant'.

What makes the scheme (that you advocate) weak is the FACT that while you are giving a non-replayable factor to a legitimate merchant, others who have knowledge of your card details can use your card account to pay with many other merchants that will accept the payment without requiring this level of authentication.

Think of money in an open safe in a castle with 1000 windows and a door. Each window is guarded by a different person. What you advocate is to impose your security solution to all the 1000 windows and the door when what really matters most is to give the owner of the money in this safe the ability to Close or Open the safe. 

In real world terms, these 1000 windows are hundreds of millions of POS/ATMS/Merchants but you'd still have only 1 SAFE/card account.

This analogy (which I think a 6 year old can understand) shows that there is a huge difference between enabling the owner of a SAFE to use a reliable means to authenticate his closing or opening of his safe as opposed to authenticating anyone who tries to go through the windows or the door to get to the open safe.

Marite

"True wisdom is less presuming than folly. The wise man doubts often, and changes his mind; the fool is obstinate, and doubts not; he knows all things but his own ignorance. (---Akhenaton)"

Cedric Pariente - EFFI Consultants - Paris 05 December, 2009, 15:28 0 likes

That's a beautiful Sales Pitch, where is the contract form???

:-)

Fun put aside, any solution that has to be installed on the merchant side can not solve the problem of fraud.

Put yourself in the shoes of the consumers!

If your system is not installed with all the merchants, consumers are not protected all the time! You are forcing them to buy only with the merchants that use your system. You need to be a bit more realistic here.

A Finextra member 05 December, 2009, 20:40 0 likes

If one reviews the history of law associated with western civilisation and predominantly stemming from English laws you will see that 'Common Law' established the rules in relation to signatures, legally binding agreements and contracts.  A contract can come into being by a 'handshake' between the parties supported by the evidentiary package.

A document can be signed by a person making their mark, signed with an X.  Again it is supported by the evidentiary package--witnesses.

In relation to digital and electronic signatures for a very long time now people have walked up to an ATM and placing their debit card into same and inputing their PIN number.  By this process cash is dispensed and the account debited.  This being a contract in regard to the account.  An evidentary package is retained in relation to the 'dry signature' of the customer.

It is imperative to establish beyond repudiation the engagement, the agreement, the contract.

In Australia the Digital/Electronic signature Act of 1999, takes the 'Common Law' and enshrines it in legisaltion.

The 'evidentiary package' supporting a dry signature as opposed to a wet signature.

The business nirvana would be to have mobility, security, auditability with compliance to this type of legislation--so providing the evidentiary package.  Out of band authentication of a transaction via the mobile phone using data interaction is one answer as it can automate the situation where a call centre may ring to confrim a transaction or business interaction---to costly.

Please contact me directly if anyone would like to discuss this further as the Finextra rules of engagement prohibit me to 'advertise'.     

Stephen Wilson - Lockstep Consulting - Sydney 06 December, 2009, 01:19 0 likes

Cedric wrote:

Any solution that has to be installed on the merchant side cannot solve the problem of fraud.

I disagree.  The vulnerability that is responsible for almost all digital identity fraud is the replayability of IDs.  CNP fraud occurs simply because merchant servers cannot tell genuine card numbers from copies and fakes.  So the merchant side is precisely where the best solutions should be focused. Any other approach is a patch.

If your system is not installed with all the merchants, consumers are not protected all the time! You are forcing them to buy only with the merchants that use your system. You need to be a bit more realistic here.

This is not an unrealistic or unusual approach.  In most jurisdictions, online merchant security is very lightly regulated.  In the US and Australia for example, website security is almost totally discretionary.  And some banks famously say they wish to compete on security. 

So security is bought today in a free market.  Different merchants invest in different levels of security for different reasons. SSL certificates, EV SSL certificates (for an extra $1000), trust and privacy seals, and ISO 27001 security certification are all optional.  I happen to agree that we should have more regulation to counter cybercrime, but Cedric, if you want to be "realistic", think about the fact that most of the crime fighting effort today goes on consumer education.  We already have a situation where some merchants are more secure than others, and consumers are expected to choose between them.

Even the centrally mandated security measures like PCI DSS compliance have a huge discretionary component.  Merchants have free choice of PCI-compliant software and QSAs.  We all know that you can spend the bare minimum to pass a PCI audit, or you can invest more if you like in a comprehensive security solution. 

So I just don't understand your objection to merchant-side solutions. Especially when most other suggestions introduce new processing intermediaries, and/or changes to the four party model, and/or changes to cardholder agreements.

Cedric Pariente - EFFI Consultants - Paris 07 December, 2009, 13:56 0 likes

The anti-fraud solution can not be implemented on the merchants' side.

You are trying to cure the symptoms, not the cause.

By approaching the problem via the issuing banks' side you are protecting your clients at the source.

Suppose we live in wonderland and you have the best system on earth installed with every merchant on the planet. It takes a single new merchant that does not use your system for fraud to happen.

Trying to educate clients is a noble but useless approach.

Our kids would still be educating them before you change their behavior. Besides why should they be educated? They go on the internet to use their hardly earned money. They should not have to follow a 10 000 steps procedure to buy, otherwise they will go back to real life stores with real life peoples to buy with real life money (cash).

The digital experience has to be a pleasant alternative. You should not need a doctorate in computer science to be able to buy.

A Finextra member 07 December, 2009, 14:33 0 likes

A wonderful educational thread of comments - differences of opinions are what makes a horse race interesting!  The motivation of the card industry, our varying national laws, technological approaches, acceptance by consumers and retailers, creativity of scammers, etc., all add to the complexity of the problem.  

   I am reminded of my conversation with one of the world's largest credit and debit card institutions re the consumer's explicitly stated and often repeated desire to have a single card rather than having to carry a dozen branded cards.  The card issuer doesn't care about the consumer's wishes - period. 

     It's all about money for the card issuers.  Losses are a cost of business and as long as it is more profitable to have losses than a secure card system, they will not make the change.  The winning solution will be the system which is more cost effective than the present business plan, including the cost of change.

Stephen Wilson - Lockstep Consulting - Sydney 08 December, 2009, 18:45 0 likes

Marite,

I'm going to have another go at highlighting some fundamental differences between your ideas and mine.

I'm sure we all agree that changes are needed at one or more points in the payment system to address card fraud. It's important to look at the broader impact that different approaches have on business rules, legal arrangements, customer behaviour.

I favour digitally signing payment transactions at the browser to make them non-replayable.  This is essentially how DDA EMV security works, and now we can replicate these techniques in browsers for CNP transactions.  If the digital signature is created using a private key in the customer's chipped device, then the merchant is assured that the transaction is genuine, original and cannot have been replayed by an attacker. Once validated, the merchant server can push the transaction into their regular acquiring interface where cardauth etc. occurs as normal via the established four party model.

I believe it's important to leave the four party payment processing model unchanged. While some proclaim that the traditional model is broken, I say it's fundamentally sound but it suffers from one specific vulnerability in the digital environment: merchant servers have great difficulty telling genuine card data from copies.

Digitally signing payment transactions at the browser fixes that vulnerability; it stops replay attack at participating merchants.  This is a more elegant approach not just technologically - it's legally and contractually elegant too. There is no change to merchant acquiring relationships, or to customer behaviour.

Cedric and I have debated the pros and cons of installing security at merchants.  He hasn't answered my point that most e-commerce security today is in fact optional and is focused at merchant sites.  Examples include SSL, EV SSL, ISO 27001, PCI, TRUSTe and the like.  Online shoppers are told to look out for padlocks, trust seals, reputable payment gateways, privacy policies etc. so it makes sense that some merchants should elect to adopt more secure payment measures, like accepting non-replayable digitally signed card transactions.

The alternative is to mess with the four party model, which generally introduduces untold legal risks and cost implications.  Many approaches (e.g. CAP and tokenization) entail brand new intermediaries, with added costs, processing overheads, and contractual complexities.  Look at 3D Secure and its novel requirement that the cardholder authenticate themselves directly to the card issuer in real time. That step alone could be one of the biggest changes to the four party model ever seen.

The idea of cardholders turning their cards on and off seems to me to involve deep changes to systems and customer behaviour. There will need to be new backend software at the issuers (I guess?) to turn accounts on and off and adjust limits up and down, new user education programs, new user interfaces to request these changes, and above all, new rules.

Today nobody needs to think about their cards being on or off.  So what sort of changes to the cardholder agreement will be required? Will you still have to pore over your statements every month in case a fraudster has turned your card on without you knowing? Why should users even have to think about all this, when there are technically simple ways to stop replay attack?

My experience is that the legal analysis and contractual impacts can be fatal when making these sorts of changes. When we're fighting fraud we should address the actual technical problem (replayability of cardholder data) instead of papering over this vulnerability with more ad hoc measures. For sure, the less change to business rules the better.

John Dring - Intel Network Services - Swindon 09 December, 2009, 15:31 0 likes

Just about the ON/OFF again.  (its fine to discuss it wherever it arises...)

I think its a simple idea and you can choose to use it or not. You can enable/disable it via your e-banking (or via old fashioned telephone call if you want to go through the pain of 101 questions).

Personally, I'd just be VERY happy if I got a text message to a registered mobile number WHENEVER my card is used.  I don't make so many card payments every day that a few SMS alerts would bother me - its somewhat reasuring that the cogs are working when your pocket buzzes.  But banks failed to provide this simple service in the past because they write off the CNP fraud instead of investing to stop it and provide a nice feature to boot.

Ainsley Ward - CGI - Glasgow 10 December, 2009, 09:55 0 likes

SMS advising does seem a nice feature, although it shifts responsibility to the cardholder for security - a nice avoiding step by the banks in the name of empowering cardholders  - it's your choice blah blah blah and if you don't contest it don't say I didn't tell you blah blah blah. All forgetting of course that SMS is not a guaranteed delivery messaging system and the whole system stops working at 12:01 on January 1st for around 3 hours...

Switching the cards on and off is very possible - in fact MasterCard announced their InControl platform not so long back which has a feature to do exactly this. Again though it shifts the burden of responsibility for security to the cardholder. You have the power ergo if you don't do it, it's your fault that you were defrauded.

I strongly agree with Stephen that using the power of the existing model has got to be the way forwards for CNP. Not only have we as an industry invested heavily in it, it also replicates the approach of retailers - where Clicks&Mortar businesses rival even the biggest web-only players. Additionally if you start anywhere talking about changing any physical infrastructure, then you are talking of a 10-15 year project. Realistically, how long has EMV taken to rollout? SecureCode/VbyV?

Cedric Pariente - EFFI Consultants - Paris 10 December, 2009, 10:21 0 likes

The notification by SMS is yet another interesting feature. Of course where is the benefit for the bank? :-)

Regarding the ON/OFF, MasterCard is not the only one interested in this project. But I happen to know that Marite is the inventor of the system and has been granted a patent for it.

Anyway we all know how it works and I'm happy to see that the "big ones" are copying. It's a validation that the idea is good.

There is an expression that describes exactly what "Merchant-Side implementation" is compared to "Issuers-Side":

"Peeing against the wind"

You are giving the fraudsters the perfect weapon to defeat you.

Especially if you provide the list of Merchants that have signed with you.

It's in the Fraudster For Dummies manual.

You just need to defraud the card with any merchant that has not signed up with you.

A Finextra member 10 December, 2009, 10:28 0 likes

What is it with handwritten signatures and magnetic stripes on this site?  Why the emotional attachment?

I am sorry that there have been cases where there are victims of crime where their PIN-codes have been obtained by force.

PIN-codes are a necessary evil – they enable a Bank to Authenticate POS and ATM transactions.  If your PIN is compromised (knowingly) you, as the Cardholder/Account holder, are responsible for notifying your Issuing Bank in order for them to be able to Block the Card Internationally.  Granted – if you are mugged next to an ATM this is impossible to do so before the thieves gain access to your account, however most ATM’s are covered by one or more CCTV monitoring and are becoming less popular for muggings, statistically speaking.

In Europe Issuers are tending to adopt SMS Notifications to alert Cardholders to transactions occurring on their account – this enables Cardholders to identify Fraudulent activity on their account quickly – not a preventative measure but does limit impact and exposure.

Signature fraud is reduced due to the fact criminals are targeting Customer Not Present (Mail-Order/Telephone Order and e-Commerce) and, as you rightly point out, Card and PIN theft to enable Cash Withdrawal.  Criminals will favour cash over anything as this is immediately liquid and doesn’t need to be fenced with a third-party.

If you are suggesting that Banks and Issuers around the world should abandon PIN-based authorisation would you mind sharing your ideas for a replacement technology and how this can be rolled out globally during a time of economic “complication”?

Stephen Wilson - Lockstep Consulting - Sydney 10 December, 2009, 11:31 0 likes

Cedric,

I wish you'd answer some of the plain technical questions instead of speaking in riddles all the time!

If you don't think addressing security at the merchant side is sensible, then what do you make of SSL EV? Why should anyone invest that extra $1000 to improve their site integrity?  Or invest in any other discretionary security measure like ISO 27001?

Are you seriously saying that no merchant should take steps to better secure their own site, because that would make other merchants more attractive targets for fraudsters?  Whose problem is that exactly?

And you haven't explained how changing customer behaviour with this on/off idea, introducing yet more user interfaces, and changing cardholder agreements, is worth all the trouble, when the basic problem is that payment cards today aren't safe when they're left turned on! Forcing this onto users is just another patch.

Cedric Pariente - EFFI Consultants - Paris 13 December, 2009, 14:31 0 likes

Stephen,

Where is the riddle?

I'm saying clearly and loudly that:

A solution implemented at the merchant level is useless.

Yes, Useless!!!

Worse, it's not worth more than the fraud itself, when BY DEFINITION any new merchant not using the solution is a hole in the system.

Whereas a solution implemented at the issuing bank level is covering the card wherever it is used. Any new merchant is automatically covered.