CHIP and PIN or No PIN Will Lead to Less Trust in Banks

I have a few issues with CHIP and PIN or No PIN.

1. It is a security failure of the system which renders the PIN unusable, and turns it into a weakness rather than a strength.

2. The system now relies on the NFC CHIP, which communicates by radio frequency and can be cloned, not necessarily as a card, but as a radio frequency signal transmitter/receiver. It would be possible to clone a customer's card and merely wave a facsimile of the card near the reader whilst providing the right radio communications responses, meaning that there is no need to clone the chip as such. They're doing it already with CHIP passports and I don't think we'll have to wait long to see it happening to CHIP cards in the wild.

3. With no PIN required on purchases under £50, the incentive is certainly there to do so. How many £45 bottles of wine could you buy before the actual real card was cancelled? Does this mean that cloning your card is now an almost guaranteed free £400 or so? What about cash out? Surely the intention isn't to have CHIP and NO PIN ruled safe for a £45 purchase and unsafe for a £45 cash withdrawal? Won't that confuse customers and undermine credibility?

Happy days for fraudsters?

I'm not sure I could hold my breath until we find out CHIP card cloning is happening in the stores, but I'll bet it is happening already somewhere in a hacker's lab and I am sure we'll all see it soon.

Customers are already confused by CHIP or no CHIP, PIN or no PIN, signature or no signature, and generally perceive card transactions as unsafe, but are only willing to use them if the bank or card issuer covers the fraud. With customers suing retailers because they get different levels of service, terms and conditions, and procedures from different retailers, the card is doomed. That is a court case that the card industry loses, even if the customer does not win.

Ultimately the message that the PIN isn't safe will just be another issue contributing to further loss of trust, a fragile thing at the best of times but currently in very short supply with both customers and shareholders in the financial sector.

Governments owning banks or propping them up with public funds may not be as willing to put up with fraud and neither might their now more discerning shareholders.

Customers are becoming very sensitive to trust issues and I see a great opportunity for mobile transactions to sweep the field against this sort of fiasco. The current strap-on NFC CHIP approach to mobile transactions suffers the same woes and potential disasters as the card-based CHIP transaction.

Card-based transactions certainly appear to have a growing number of serious hurdles to overcome if they are to remain trusted and relevant in a mobile world. Given the inadvisability of gambling with shareholders' funds in the current climate, the future of a global NFC roll-out is in serious jeopardy.

Mobile transaction systems should make it easier for customers and merchants and end the happy days for fraudsters, without the expensive roll-out and endless consumer education necessary to cater to the flaws of NFC.

Comments: (12)

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv, 20 October, 2008, 06:21

If the transaction is online, the card cannot be cloned.

With the present state of the technology there is no justification for offline any more.

And the "track 2" information from the chip should be useable magnetically. This has been known and possible for many years.

A Finextra member, 20 October, 2008, 15:08

First, online transactions do not mean cards can't be cloned. Look at the growth in foreign ATM fraud based on the harvesting of track 2 data and PINs from POS terminals.

Second, if the systems had been implemented properly, offline would be fine.

If EMV has a fault it is probably its tendency to be overcomplicated. There are a number of "could do better" areas, but that's the nature of the beast.

It's beginning to sound like a rant, but the weaknesses are the result of poor issuing strategies, and not poor technology. It's the iCVV and the SDA/DDA argument. The issuers didn't bother with iCVV, and even though it's now mandated, they still don't; the bean counters couldn't see the business case in moving to DDA, because the fraud wasn't happening, but it is now.

Yes, it is possible to clone SDA cards, and to fool the POS into smiling whilst being ripped off, offline. Even in cases where the transactions are delivered to the issuer for authorisation, it is questionable whether they actually check anything important, like the cryptogram!!

The thing that prevents cloning is DDA, and DDA is a requirement for proper contactless cards. Recording the radio transmission between the card and reader, therefore, wouldn't provide any useful cloning data.

I think that we are in danger of blaming the technology and burying our heads in the sand, or am I looking down the wrong end of the telescope?
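The SDA/DDA point in the comment above, as an added toy model that is not part of the thread and not EMV's actual specification: a clone that copies everything the radio link carried passes static data authentication, but fails a dynamic challenge because only the real chip holds the card's private key. Textbook RSA with small fixed Mersenne primes, the `repr()`-based certificate body and the constructed PAN are assumptions made for illustration only.

```python
"""Toy model of the SDA/DDA argument. Textbook RSA with fixed Mersenne primes
stands in for the real issuer and card keys; EMV key sizes, padding and
certificate formats are deliberately not modelled (assumption: simplified)."""
import hashlib
import secrets

E = 65537  # public exponent for all toy keys

def make_key(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public, private)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(digest(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])

def personalise(issuer_priv, pan):
    """Issuer signs the card's static data (SDA) and the card's own public key (DDA)."""
    card_pub, card_priv = make_key(2**89 - 1, 2**107 - 1)
    static = pan.encode()
    public = {"static": static, "issuer_sig": sign(issuer_priv, static),
              "card_pub": card_pub, "cert": sign(issuer_priv, repr(card_pub).encode())}
    # `public` is everything the radio link carries; card_priv never leaves the chip.
    return public, lambda un: sign(card_priv, un + static)

def terminal_sda(issuer_pub, public):
    return verify(issuer_pub, public["static"], public["issuer_sig"])

def terminal_dda(issuer_pub, public, respond):
    if not verify(issuer_pub, repr(public["card_pub"]).encode(), public["cert"]):
        return False
    un = secrets.token_bytes(8)  # unpredictable number, fresh for every transaction
    return verify(public["card_pub"], un + public["static"], respond(un))

def run_demo():
    issuer_pub, issuer_priv = make_key(2**31 - 1, 2**61 - 1)
    public, genuine = personalise(issuer_priv, "4111111111111111")  # constructed PAN
    # A clone built from one recorded exchange: the public data plus one old answer.
    cloned_public, old_answer = dict(public), genuine(secrets.token_bytes(8))
    clone = lambda un: old_answer  # can only replay; it has no card_priv
    return {"sda_genuine": terminal_sda(issuer_pub, public),
            "sda_clone": terminal_sda(issuer_pub, cloned_public),
            "dda_genuine": terminal_dda(issuer_pub, public, genuine),
            "dda_clone": terminal_dda(issuer_pub, public, clone)}
```

`run_demo()` returns `sda_clone` as True and `dda_clone` as False: the copied static signature is accepted, the replayed dynamic answer is not.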

A Finextra member, 20 October, 2008, 19:37

I'm sure optimism in the newest cards is as strong as it was in the old cards, however it'll take more than optimism to keep them secure.

E-Passports were secure, browsers were secure, internet banking was secure, PINS were secure, yada yada yada. I haven't seen anything I think is secure, and as for managing risks, historical data would suggest you may as well guess, because there is insufficient data to come to any conclusion, other than that the risk is getting bigger everyday.

There are other issues. I won't do a repeat rant, or give away all my sources, but I have the luxury of knowing, not guessing, and I have been 100% right in what I have 'known' so far, despite the best efforts of the spin doctors to claim otherwise. Some of the claims I have made were probably thought to be extreme, but very shortly were conveniently proved accurate by credible 3rd parties. I am more interested in accuracy rather than helping competitors understand their weaknesses, and I won't be providing criminals with another means to rob them. They're doing that all right by themselves.

The card can't evolve or change, only be replaced.

Mobilisation is much more flexible than that, it can evolve to meet new threats. Sure everything can be cracked (almost) but maybe not en masse, or remotely or without a lot of expensive hardware and attracting a lot of attention to oneself.

If correctly designed, the only way someone will succeed with a fraudulent mobile transaction is likely to be by overpowering the real customer and forcing their co-operation. That could be a tad dangerous for the thief too, because the transaction provider may incorporate some form of duress detection.  A correctly designed system should prevent even bank or merchant insider attacks.

It'll be easier to rob someone else.

It's not about security, it's about making it easy for the customers and ensuring they feel safe.

The main reasons mobile transactions are better is because they're easier for the customer and you don't have to roll out all that hardware, or cards to start transacting. The number of other uses are endless, all are profitable and the security and privacy are just the icing on the cake. It opens up a whole new world of new types of interaction, and the merchant transactions are only a very small part of it, albeit a very nice and potentially profitable part. What can be done with mobiles (and lead to a transaction) can never be done by cards, so they aren't even in that race, they're only in the payment race.

The potentially low cost of mobile transactions might just cause a few heart attacks too. It may be impossible to compete on convenience or price. The cost of card or chip based infrastructure is too high, especially when compared with no infrastructure.

I'm sure there'll be many transaction solutions, but I think that only a global mobile one is likely to succeed.

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv, 21 October, 2008, 01:32

"We're mobile phone salesmen, you can trust us".

Why do you think the mobile phone, which uses the same technology as EMV but with less robust crypto, would provide better security?

A Finextra member, 21 October, 2008, 04:28

Possibly because I see telcos somewhere between the water board and the electricity company. I have no affiliations nor have I had any discussions with mobile manufacturers, mobile marketers, or carrier networks (except one which wanted to buy a company I am involved with).

I fancy solutions which are handset and carrier agnostic, adaptable enough to take advantage of advanced features if available, but relying on well thought out and tested methodology in order to achieve the outcome.

My mantra is trust no-one. That is why I'd prefer a solution which has very few participants in the core process, and is designed from the ground up assuming no-one can be trusted, not even the participants, and that nothing is secure. Then I'm free to trust everyone.

As you correctly point out, many mobile transaction applications do not fit those criteria, and as soon as they say 'trust us' I'll be among the first to debunk them.

Joe Pitcher - Irrelevant - Wirral, 24 October, 2008, 11:25

I'm intrigued. How does the mobile model you have/envisage work? What makes it so much better and more secure than the current system of EMV?

A Finextra member, 25 October, 2008, 09:10

Nice try Joe.

My recipe is good design, a more than rudimentary knowledge of the components and a focus on the actual objective and, in this case, without feeling the need to monetise it for telcos, card brands, banks or anyone else really.

That is not to say they aren't involved or that they might not profit both directly and indirectly from some new system. After all everyone needs a mobile phone and a bank account don't they? They do need some sort of account. The marketing people are keen on avoiding the word bank, something about a possible image problem.

In the 21st century, anything is possible, recession or not.

A Finextra member, 25 October, 2008, 12:25

I've been reading about the shunning of credit post-depression 1930's. Apparently it was quite a while before it regained popularity.

I wonder if post 'adjustment' there might be some connotations on both the words credit and bank - for marketing purposes.

Joe Pitcher - Irrelevant - Wirral, 26 October, 2008, 17:43

Dean,

Well avoided, I thought for a minute you might have a solution that works. We can all criticize existing technologies and proclaim to have the solution; the proof, as they say, is in the pudding.

"Snake oil salesman" - wasn't that your term??

A Finextra member, 26 October, 2008, 22:46

I haven't offered to sell anything to anyone, and I've pointed out some very relevant issues with some approaches to 'security' and security perceptions for free. Talk about ungrateful.

I suppose you want me to show everyone how to fix it all for free too, or perhaps you expect that by appealing to my no doubt uncontrolled ego or questioning my motives I might just blab the 'golden' words. Hardly.

I remember back in 1995 when Microsoft (courtesy of Intel) had video the size of postage stamps and watching video on a Mac was still like an out-of-sync TV with half the frames jammed. When CDs only played in CD players and internet music downloads had the record companies reaching for the garlic necklaces. I said I'd make full-screen full-motion video work off an audio CD when you put it in a PC, a 486 budget laptop no less. MS, Mac and Intel couldn't do it, and they never even thought of enhancing music CDs with video and weblinks, nor did the record companies, who were all in a daze.

Within months I had full-screen full-motion hi-fi stereo (better than MP3) videos and internet-linked CDs. Then Bertelsmann asked if I could do it on a Mac. I said why bother, nobody owns one, but nevertheless did it anyway, delivering 72 frames per second full-screen on a Mac in 2 weeks. Intel was somewhat alarmed as they had just invested all that money in MMX and asked if I could make it only work on their new PCs. Lucky for them the record companies were hiding in the closet playing tinky winkies at the thought of the internet and didn't catch on.

I'm sure some of you due-diligence types out there have seen the references in the newspapers.

Downloading music sure caught on with those college students though - didn't it? You'll now hardly find an artist without multi-media in their product today. I did the video thing just to make it attractive to put into your PC and connect to the artist...

Fixing identity and security is much more important than that and I've given it the level of thought it requires, no less.

I only bothered because we wanted both trust and reliable transactions for our own business and nobody else could deliver with the problem just getting worse and worse.

As far as I can see I'm holding all the cards and everyone else has an empty hand - and you want me to show or fold without you even placing a stake on the table?

As I've said before - the transaction/payment is only a little part of what we're about. It's just so you can pay us. The other bit is the really interesting part - it's why you'll pay.

My ego is just fine.

Joe Pitcher - Irrelevant - Wirral, 27 October, 2008, 14:38

Dean,

Apologies, I must have misread:

'Here's a deal for you, I'll prevent it all (for all UK banks) and even the card present fraud for the token sum of £145 million and I'll indemnify all users of our system against any fraud losses.'

I interpreted that as a sales pitch.

https://www.finextra.com/blogs/fullblog.aspx?blogid=1430

A Finextra member, 28 October, 2008, 06:06

Touche Joe!

I must have let that one slip when I became concerned that more billions for ID cards on top of the billion for CHIP and PIN might be too much for the economy of the UK to bear. I blurted it out as more of a public service announcement; I am from good English stock after all. To be fair I'd say that at that price it definitely qualifies as philanthropy or charity rather than business, when compared with the other possibilities, or facing the continuing losses.

It might cost a little more now but probably less than the £300+ million lost in the first half of this year.

That's peanuts compared with bail-outs, so if there's a little left in the kitty... otherwise we'll see if we can arrange a little more philanthropy.
