Somehow just the thought that some 'best guess' software is supposedly protecting me from all those fraudsters doesn't fill me with warm fuzzies.
I've mentioned before that if it wrongly guesses that you aren't making a transaction, it's not exactly a positive experience. More likely to make you switch card providers than inspire confidence, especially when it gets the guess wrong.
Internal marketing hype being believed by the bank, obviously without asking the right questions in the real world - or the consumers.
A guess isn't security or service - it's just the tactic of an underperformer trying to reduce the obvious risk in a poorly designed and executed system.
There's 'one' born every minute - luckily for some snake oil salesmen (and fraudsters), many of them appear to have got themselves jobs as bankers. Chip and PIN was a billion pounds wasted, but that's nothing these days is it?
There have been a lot of articles on here over the last week about the weaknesses of Chip & PIN. I have yet to see one though that actually points to the Chip being compromised. The articles I have read all point to Mag Stripe & PIN fraud being committed.
The weakness is the legacy mag stripe, not the Chip. If there is proof out there that the EMV Chip has been 'hacked' and used for fraud I would appreciate the link...
I can agree with you there Dean, false positives can alienate the customer when they keep being contacted to validate a transaction and could lead to them going elsewhere. False positives are being minimised however as transaction profiling becomes increasingly sophisticated, drawing upon data from a variety of sources.
But as to it being a guess? Hardly!
Why use 'sophisticated' risk scoring tools when you can enable the cardholder to enter his own user limits? Unless the cardholder sets it, it can only be a guess.
Joe Pitcher said: "The weakness is the legacy mag stripe, not the Chip. If there is proof out there that the EMV Chip has been 'hacked' and used for fraud I would appreciate the link..."
You might want to google 'SDA', 'DDA', 'chip', 'yes card' and see that SDA chips are vulnerable. Funny thing is that in order to bypass this vulnerability, one thing that can be done is to program the terminal accepting the chip and pin card to ignore the chip instructions and force an online authorisation of the card transaction, which then leads us back to the inherent process used by a mag-stripe - which is online authorisation.
My comment is that each (chip and pin vs. mag-stripe) has its own strengths and weaknesses. There is absolutely no reason why the market should pick one or the other when the existence and usage of both actually strengthens security and usability.
The industry should concede that not all the fraud problems can be solved by chip and pin. Actually, they are now starting to accept the fact that user (cardholder) limits checked during online authorisations can close the security hole (see article about VISA Inc. offering SMS notification to cardholders based on thresholds set by cardholders).
Claims of patent 6931382 USPTO (which VISA actually referred to in the patent application they filed after the filing of 6931382) are being realised by such an offering of VISA Inc. The only slight twist that VISA offers is that the blocking of the card account can occur after a notification which is based on a threshold set by the user (cardholder). This means that the 'first' fraudulent transaction can go through, or the first 'few' fraudulent transactions can go through in cases where the cardholder turned off his portable phone. Patent 6931382 claims that online authorisation can check the threshold and immediately reject the card authorisation request, thereby not allowing even the first fraudulent card transaction.

It remains to be 'seen' if the slight twist allows VISA to circumvent 6931382. But the bottom line is that this current VISA Inc. offering admits to the security strength of allowing cardholders to set their own user limits and checking these limits during
SDA is vulnerable, you are correct, but not as vulnerable as the magnetic stripe. In the ideal world all transactions would be online but at the moment that is not the case due to telecoms costs and reliability in remote areas. For this reason the Chip (even with SDA vulnerabilities) is a much better option than a mag stripe. Why would a fraudster waste time and money to hack a Chip when they can copy the mag stripe so easily?
I'm glad you mentioned telecommunication costs. Note that a certain country in Europe used this reason as the main driver for chip and pin. This country's telecommunications company was actually owned by the government at that time. In addition, it was the cartel of banks in that country that decided to implement chip and pin, and they were successful in implementing it nationwide as each bank charged a hefty annual fee for the cards that they issued. Therefore it was the cardholders that paid for chip and pin. They still charge these annual fees.
In comparison, U.S. telecommunication costs were lower. Most importantly, business practice in the U.S. is such that unless you have bad credit, the bank will not charge you for the card they issue. Thus, it's more difficult for U.S. card issuers to transfer the cost of chip and pin to the cardholders.
Since 1999 (when the first version of EMV was published), the cost of telecommunications has decreased exponentially.
How would chip and pin secure all types of card transactions, such as card-not-present transactions? As I said, each has its own weakness and strength. There is no good reason to choose one over the other when they can co-exist, and the presence of both will ensure wider usability and security. Also, sooner rather than later, fraudsters could find a way to bypass DDA just as they did with SDA.
Smartcards can also be stolen after the pin-code is ascertained by the fraudster (shoulder surfing then pickpocketing). I've heard of so many cases where cardholders themselves write the pin-code on the back of the card since they can't seem to remember so many pin-codes. I've also heard of scenarios wherein the chip is unusable; thus, we have the EMV fall-back.
This tells me that, smartcard or mag-stripe, the weakest point is really the authorisation point. Given the different types of card transactions, the best security method is to secure the authorisation point by giving cardholders the ability to 'lock' their own cards by enabling them to set their own user limits, which are checked during the authorisation process.
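The two policies argued over in this thread (checking cardholder-set limits inside the authorisation decision versus authorising first and notifying the cardholder once a threshold is crossed) can be compared in a few lines of code. The example below is added by the editor; it is not code from any commenter, from patent 6931382 or from Visa's product. The `CardholderLimits` fields (lock flag, per-transaction cap, allowed countries, allowed channels, daily cap) are the editor's own construction, drawing on the limit types discussed in the thread, and the authorisation requests are constructed sample data.

```python
"""Cardholder-set limits at the authorisation point vs. notify-after-threshold.

Added illustration, not taken from the thread, the patent or Visa. All names,
fields and sample transactions are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class CardholderLimits:
    """Limits the cardholder sets and the issuer enforces at authorisation."""
    locked: bool = False                      # cardholder has 'locked' the card
    max_amount: Optional[float] = None        # per-transaction cap
    allowed_countries: Optional[Set[str]] = None
    allowed_channels: Optional[Set[str]] = None  # e.g. {"POS", "ATM", "CNP"}
    daily_cap: Optional[float] = None         # cumulative approved spend per day


@dataclass
class AuthRequest:
    amount: float
    country: str
    channel: str


Decision = Tuple[bool, str]


def check_limits(limits: CardholderLimits, req: AuthRequest,
                 spent_today: float) -> Decision:
    """Evaluate one authorisation request against the cardholder's limits.
    Any breached limit declines the request before it is ever approved."""
    if limits.locked:
        return False, "card locked by cardholder"
    if limits.allowed_channels is not None and req.channel not in limits.allowed_channels:
        return False, f"channel {req.channel} not enabled by cardholder"
    if limits.allowed_countries is not None and req.country not in limits.allowed_countries:
        return False, f"country {req.country} not enabled by cardholder"
    if limits.max_amount is not None and req.amount > limits.max_amount:
        return False, f"amount {req.amount:.2f} exceeds per-transaction limit"
    if limits.daily_cap is not None and spent_today + req.amount > limits.daily_cap:
        return False, "daily cap exceeded"
    return True, "approved"


def run_limit_policy(limits: CardholderLimits,
                     requests: List[AuthRequest]) -> List[Decision]:
    """Policy A: limits are checked inside the authorisation decision."""
    spent = 0.0
    decisions = []
    for req in requests:
        ok, reason = check_limits(limits, req, spent)
        if ok:
            spent += req.amount
        decisions.append((ok, reason))
    return decisions


def run_notify_policy(threshold: float, requests: List[AuthRequest],
                      phone_on: bool) -> List[Decision]:
    """Policy B: approve, then notify once cumulative spend passes the
    threshold; the card is blocked only after the cardholder reacts, which
    cannot happen if the phone is off. At least the first transaction, and
    everything before the notification lands, is approved."""
    spent, notified, blocked = 0.0, False, False
    decisions = []
    for req in requests:
        if blocked:
            decisions.append((False, "card blocked after notification"))
            continue
        spent += req.amount
        decisions.append((True, "approved"))
        if spent > threshold and not notified:
            notified = True
            blocked = phone_on  # cardholder can only act on a delivered message
    return decisions


# Constructed sample: a legitimate UK point-of-sale purchase, then three
# card-not-present attempts from abroad with the same stolen card data.
LIMITS = CardholderLimits(max_amount=250.0, allowed_countries={"GB"},
                          allowed_channels={"POS", "ATM"}, daily_cap=1000.0)
LEGIT = AuthRequest(120.0, "GB", "POS")
FRAUD = [AuthRequest(400.0, "US", "CNP") for _ in range(3)]

if __name__ == "__main__":
    print("limit policy, legit :", run_limit_policy(LIMITS, [LEGIT]))
    print("limit policy, fraud :", run_limit_policy(LIMITS, FRAUD))
    print("notify, phone on    :", run_notify_policy(500.0, FRAUD, phone_on=True))
    print("notify, phone off   :", run_notify_policy(500.0, FRAUD, phone_on=False))
```

Under the limit policy the legitimate purchase is approved and all three fraudulent attempts are declined at the authorisation point (the first one fails the channel check before the amount is even considered). Under the notify policy the first two attempts are approved before the threshold is crossed, and with the phone off none of them is stopped, which is exactly the gap the commenter above describes.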
The first EMV spec was EMV 3.1.1 or EMV96 after the year it was published, not 1999.
Chip & Pin secures internet and MOTO by using CAP.
If cardholders are stupid enough to write down their PINs, are they going to be intelligent enough to use your system and remember to block/unblock their card?
I'm not here to sell a product just to look at the basic facts, you seem to be missing a few in the pursuit of leads....
http://en.wikipedia.org/wiki/EMV - "The first version of EMV standard was published in 1999"
As far EMV and CAP is concerned (card reader), I'm sure you're aware of its progress.
You seem to be in the smartcard consultancy business - perhaps that's where your bias is coming from. There are no leads in FINEXTRA. At least not for me. LOL. Last time I checked, we can provide our comments. As you can also see from my comments, I have no problems with EMV.
Are cardholders intelligent enough to use my system? Well, the initial pilot, which lasted 18 months from 2002 to 2003, showed that over 92% of the pilot users wanted the system, and an independent study done in 2002 showed that more than 68% of cardholders of smartcards do want the ability to control their own cards.
These 'stupid' people as you stated in your post are mostly old people that do have a hard time remembering.
If they are too old to remember their PIN they will be too old to remember to contact their bank to block/unblock their card.
Opinions are great, that's exactly why I read these blogs; it's just a tad frustrating when all the blog refers to is the solution that a given company owns. Generally these are held up as the solution to end the world's ills, but rarely (never) has anything been posted to substantiate these claims.
Read anything with the word mobile in it and you'll see my point.
All these points lead me to the conclusion that it just might be better to have the customer involved in the transaction somehow, instore or internet and in real time (not
I have been observing the stakeholders and have come to my own conclusions.
Everyone should realise that consumers want convenience - period. They don't like inconvenience, whether it's caused by fraudsters, system breakdowns, remembering too many details or difficult security processes. The system must cater for young and old, vision and hearing impaired, multiple languages, and it has to work with all types of transactions.
I don't think the answer is a card or a token, and no-one has expressed a desire to carry a reader... and even though I realise a lot of iPhone users are in the market for a new phone, most consumers don't want to have to buy anything.
Consumers indicate they'd like a range of features including pre-set limits, by amount and geography or purchase method, on classes of goods and services, and to authenticate, or not authenticate, be notified, or not, and even have different authentications to the nth degree if they wish. They'd like to be anonymous, have aliases or use their real name and not have it affect their security, identity or their vulnerability to inconvenient fraud. They'd like to do the same thing to buy in-store, on the net, from TV and radio and get cash from ATMs and merchants... and it must be easy and cost as little as possible.
Many banks would like their customers to be able to transact with merchants, and each other, anywhere, and for banks to be able to settle those transactions more profitably (possibly without using the existing card networks).
Merchants would like lower transaction fees, lower losses and easier transaction processes for staff* and customers alike, and to reduce their risk of liability. Consistency of fees across banks and payments would be welcomed - why should any particular payment method cost more for the merchant?
... preferably there shouldn't be any interference from cloners, donglers, hackers, insiders, men-in-the-middle, phishers, pharmers, shoulder-surfers, skimmers, smishers and all manner of fraudsters.
Does anyone else have a single solution that can deliver?
*The references here were to the additional identity checking, i.e. driver's licences etc., which many merchants have resorted to checking in an effort to reduce fraud losses. This increases transaction times beyond those claimed by card processors and, in the case of TJX, keeping the data can significantly increase liability. Merchants must still rely on the expertise and honesty of casual staff checking identity, and we all know how much attention they pay to signatures. Customers may not want the clerk knowing their identity and details, especially women, and carrying more identity documents to counteract fraud just increases the risk of fraud.