For Finextra's free daily newsletter, breaking news and flashes and weekly job board.
An article relating to this blog post on Finextra:
Hundreds of Chip and PIN terminals in shops and supermarkets across Europe have been rigged by criminals and used to steal shoppers' card details, according to US national counter-intelligence executi...
13 Oct 2008
Every use of the PIN exposes it, and the exposure has a cost attached. For small value transactions, say less than 50 Pounds, it is probably not economically justified.
Moreover, establishements where most of the transactions are low value could probably use much cheaper terminals, that do not have PIN pads at all.
No PIN used, no PIN stolen.
Chip and PIN is being well and truly forced down our throats here in Britain.
the BBC reported that a man is considering taking Tesco to court for discrimination after it refused to let him pay by chip and signature.
Tim Arnold has a brain disorder which means he struggles to remember numbers - like PINs.
Tesco refused to let him sign for his payments on two separate occasions despite the fact its tills are capable of accepting signature cards.
I remember the PIN issue being discussed on the radio a couple of years back, it was alleged the banks were keeping a bit quiet about Chip and Signature cards.
Here's some info on the issue from the RNIB site.
I was taken aback this morning when I paid by debit card in Pret and they didn't need a PIN or anything. Just my card.
I bought some sushi from Itsu canary warf today. Bill GBP 3.5, Paid by card.... no pin required. When I asked why, I was told for purchases below 5 GBP no pin is required. Sounds sensible... is this is only shop following this or have i never noticed.
1. Tesco have no right to refuse chip and signature if the card and the terminal are agreed that this is acceptable. It is absolutely nothing whatsoever to do with the checkout people! However, it is Tesco, Tesco is big and Tesco can generally do what
it wants. Rules, what rules?
2. Banks don't generally have a problem with chip and signature cards. All of the implementations I have done have always included them.
3. Chip only for low value items is NOT allowed, by the issuers, by the acquirers or by the card schemes. However, it would appear that some smaller shops think they are like bigger shops and can do what they like. Rules, what rules?
1. Under the current scheme, shops are indeed required to get the PIN if the card indicates so, but may waive the requirement at their own risk. Doing so is not going against any rule.
2. I was suggesting that the rules ought to be changed, and a floor limit established for using the PIN. The EMV specifications do allow this, but the brands and the banks chose not to use this feature.
At the risk of being shown up to be a fool ...
I have looked through the EMV specs, and I can't find any references to a value driven PIN requirement. I can see PIN Bypass, but that's not the same thing.
ANyhow, the problem is that after 25 years of mag stripe and PIN, where magstripe cards were easy to copy, PINs were difficult to obtain, as their only use was at ATMs. The strength of the system was in the PINs, proven by the fact that the ATM card issuers
never lost a case.
Chip and PIN has turned that model upside down, and now PINs are easy to get hold of, but the cards are secure. The strength is now in the card.
It is therfore, I believe, inappropriate to look at ways of reducing the transaction risk by reducing the PIN requireent. It gives the public the wrong message regarding PIN (Saftey in Numbers, and all that good stuff) and begins to pass the responsibility
back to the cardholder.
The real weakness is not in the PIN, it is not in the chip, it is in the way that chip and PIN has been implemented by the issuing banks. Implementing iCVV in the first place would have completely eliminated the possibility of cloning a chip card onto magstripe;
upgrading to DDA on the first re-issue would have eliminated the possibility of cloning SDA cards (which we are all aware of, and some of us can do!!).
PIN is not the issue - there is safety in numbers.
There is no safety in allowing the accountants to drive security policy.
In the EMV specifications, see Book 3, clause 10.5, Cardholder Verification, and appendix C3, Cardholder Verification Rule Format. There are X and Y amounts, and a condition code that says how they are to be used.
I think the main problem is not the PIN as well but the rather how easy it is to hack a terminal or to put a fraudulent terminal in the market. There is a very easy way to make sure that the terminal is genuine - very similar to the process that happens
with the card. This way the terminal will need to go through a key exchange process which might not solve this issue (which I agree there needs to be harder rules around the way the terminal vendors ship out their terminals) but will solve many other issues
that a terminal will have a fake applicaiton and just read the card data.
There are two aspects for this.
One would be improving the setup i.e card, terminal, transaction (only online transaction allowed) to the maximum security level possible.
Second will be to educate the customers will necessary information and advice about how to be alert during the card/pin usage particularly at POS terminals. Also if the card issuer does not charge for pin change transaction customers can be advised to change
pin once a week or when transaction has been done at un-familiar locations.
And when the customer is doing transaction at an completely unfamiliar location it's always an risk, customer needs to be aware about this that a simple use in case can expose him to a fraudsters net. The card issuer needs to put this to customer notice. With
this info then customer I believe will always make an informed choice about unfamiliar location card usage.
PIN is not always required for low value transactions. PayPass and Visa Paywave are designed for low value no CVM transactions.
Pin requirement all depends on the POS system. Some merchants require pincodes because their POS only accepts card payments authenticated with pincodes.
CHIP and PIN has made cards more vulnerable than ever. The proliferation of standalone terminals that accept chip and pin is a bonanza for card fraudsters. It's like cherry-picking time for them. Cash is king and cloned cards are usually used to do cross-border
ATM. With the chip and the pin, all fraudsters need to do is to skim the magnetic stripe and record the pin-code (or sometimes even implant a card with a chip that registers a valid pincode no matter what numbers you enter) and make a new card using a WHITE
card (thus, its called WHITE PLASTIC fraud). They don't even need to create authentic-looking laminated cards. They also don't need to forge new identity cards to match the information on the clone cards.
So, wake-up Bjorn Soland. You also might wish that you have not advertised Norway as the leader in chip and pin. That's more cherry trees for card fraudsters.
Its the mag stripe that is the weak link not the chip. The cloning, as you rightly point out, is the mag not the chip so how can Chip & PIN make this situation worse? Once Chip is accepted everywhere or (as UK banks are doing) mag stripe transactions declined
the problem diminishes. Not saying it goes completely as it won't, there will always be a weak link somewhere for fraudsters to exploit, all we can do is try to make it as difficult and costly for them to do so as possible.
The market knows. You can't force the U.S. market to implement chip and pin when the costs outweigh the benefits.
"Brian Triplett, a security executive for the biggest payment network, Visa Inc. of San Francisco, said the company's
statistics also show low levels of fraud, roughly one in every 10,000 transactions.
Rather than replacing all the 12 million card readers in the United States with ones that could handle the Chip
and PIN standard, Triplett said the money would be better spent on other fraud-fighting technologies. "
What I'm saying is that it's the PROLIFERATION of standalone chip and pin terminals that created the bonanza for fraudsters.
A static pin-code is also weak.
It's just a matter of time until hackers overcome DDA cards as they have done with SDA cards.
To share a personal anecdote, in 2002, 4 men broke into my house in the early morning and started asking me the pincodes for my cards. Since my cards were all issued in the U.S., they had no pincodes. When I said "U.S. cards, no pincodes" - they left my
wallet with my cards alone.
I didn't realise cards were issued in the US with no ATM access...you learn something new everyday.....
OK, so I am a fool ...
Have looked at the EMV reference, and after having quick "conference" here, we are of the opinion that it might just work, although no issuer (in our experience) has even got close to doing anything so creative with the CVM list. So, no PIN for <£50 is
possible, but not exactly sure how the rest of the CVM logic would work in other circumstances (like ATM), and haven't got time to think it all through at the moment.
But, my argument is that the PIN (compromise) is a bit of a red herring, and the safety is actually in the chip (idiot issuers accepted), and this I still stand by.
If iCVV and DDA were implemented, there would be no cloning fraud (unless you could get hold of the card and actually swipe it, but that isn't what's going on in the iffy terminals).
The only transaction players that are going to loose out as a result of cloning fraud are the issuers, and who cares, it's their fault.
The CVM logic works fine, you can restrict the usage of a particular method to certain terminal types i.e. unattended cash, purchase with cashback etc.
EMV allows it, whether or not card schemes do is a different matter...
QSM Programming Ltd.
08 May 2006
This post is from a series of posts in the group:
A community to discuss the future of financial services and any other interesting trends, strategies, ideas, views.