Following a report in The Telegraph earlier this month that described the international scale of what is known as a “supply chain attack” powered by Chip-and-PIN readers across the globe (http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html), it does make me question again just how secure POS payments are. My previous post about the evolution of mobile payment processes describes how voice signatures can make on-the-go payments secure, and the same principles would work at POS level as well.
According to the report, the POS authorisation machines, unlike rigged ATMs, look identical to their legitimate counterparts because they are tampered with during the manufacturing process. At one plant, a production line operator was apparently heard singing, “One chip for MasterCard, one for Visa and one for me”! As Chip-and-PIN authorisation machines are becoming the standard method for authorising physical purchases in the UK, we can only hope that this practice has not become widespread, although similar problems are now appearing in advanced form within e-commerce (http://www.theregister.co.uk/2008/10/23/vbyv_password_reset/).
Within the current financial climate, the whole question of who we trust has become a serious issue on a global scale. This lack of trust is heightened by the issues of fraud with POS and e-commerce payments and impacts heavily on the reputation of financial organisations and merchant authorisers. Consumers may even try to avoid paying for products with cards out of fear that their details will be cloned and then sent to fraudsters abroad on a regular and systematic basis. This is a risk that banks and card manufacturers cannot afford when consumer confidence in the financial services industry as a whole is at an all-time low; in fact, in a recent Harris poll, well over 50% of UK consumers said that they no longer trust chips, PINs and bank passwords.
Security systems evolve either just behind or, for a short period, just in front of fraudsters. Perhaps rather than developing a new range of Chip-and-PIN terminals or paying a large sum for ramped-up security at manufacturing plants, adding the ability to concurrently authorise transactions with a voice signature might work. It could even be offered as a value-added service to consumers, who could opt in to sign. After all, that's exactly how banking used to work when we all had to sign cheques!
Using voice signatures, it’s easy to change the existing single-solution, single-security-fix paradigm and fix and simplify many issues. Giving control for signing transactions back to the consumer really is the logical step; after all, it's their money!