
Chip and PIN - not perfect, but the best we have

Cambridge University computer scientists' discovery of a way to carry out transactions without knowing a card's PIN hit the headlines on Friday; however, consumers should not lose faith in credit card security. Chip and PIN is by far the most secure way of protecting payment transactions currently available.

No security system can claim to be completely bulletproof - there is always a three-way trade-off between cost, ease of use and security, and the industry is constantly looking for improvements. Consequently, the aim of a security system is not to be unbreakable but to make it unprofitable for criminals to attempt to break it. The benefits of Chip and PIN are proven: once the UK adopted Chip and PIN in 2003, losses on UK high street transactions had fallen by 55 per cent by 2008. However, not all countries have followed suit; the US, for example, still uses magnetic stripe cards with signature verification. Verification by signature remains an option even for EMV cards, and it is the availability of this weaker fallback that is exploited by the attack highlighted by Cambridge University.

These recent findings deserve discussion. However, the bigger problem lies not with Chip and PIN technology itself, but with the differing levels of adoption of advanced security technologies and procedures across the industry. The Cambridge scientists' research provides interesting insight and could be an important input to future revisions of card security technologies.


Comments: (17)

Cedric Pariente - EFFI Consultants - Paris 15 February, 2010, 10:22

Do you have the fraud figures for the US compared to the UK?

I'm not sure there's a business case for the US. At least that's what they claim most of the time. And they seem to be right.

Regarding the UK, it's true! Local transaction fraud has gone down, but Card Not Present and Cross-border went up.

That's a very well known effect of EMV. Local transaction goes down, but CNP and cross-border go up.

It's true that EMV is a good compromise, but the business case is not that obvious for everybody.

A Finextra member 15 February, 2010, 10:46

Thanks for your comments Cedric.

Increases in CNP fraud may not necessarily be correlated with EMV introduction, as of course CNP transactions themselves have grown massively year on year as e-commerce transactions have grown. On the other hand, obviously CNP remains a softer target which criminals will inevitably move to exploit as face to face transaction fraud becomes more difficult to perpetrate.

I do have some fraud figures for the US - see my post "How to cut US Merchants' card fraud costs by 50 billion".

The business case for EMV in the US is complicated as I highlight in this post.

A Finextra member 15 February, 2010, 16:50

Fair play to the boffins at Cambridge. After twenty-five years of security research, they have happened upon a weakness within EMV that looks like it could be a promising exploitation. Maybe that will mean that we have seen the last of the headline-grabbing Tetris-enabled POS devices.

But ... the crim has still got to nick the card, and has only got until it's reported as lost to run the scam (maybe with the exception of a couple of below-floor-limit transactions). The thing is, having gone to all the trouble of nicking the card in the first place, there are probably more interesting things that could be done with it than to strap it to a backpack. Give 'em another 25 years!

Cedric Pariente - EFFI Consultants - Paris 15 February, 2010, 17:32

Don't get me wrong, I think EMV is a very good thing. But I also think that we need to know its strengths and weaknesses.

I'm French, so I was born 100% fully EMV compatible. Actually, it's the only means of payment I knew until I started to travel out of the country.

I was asking you if you had any reliable figures because you certainly know as well as I do that fraud figures are extremely hard to get. Banks are not very transparent on this point.

I think the real US figures would surprise more than one person. But you need to look at them as a percentage of total transactions, otherwise anyone can already predict the conclusion. The US is certainly the biggest market in the world, so figures, and especially fraud figures, need to be analysed as percentages.

France is also not a very good student, as it is very hard to get reliable figures. From what I remember (I'm not in the security business anymore), the UK was one of the most transparent.

I'm convinced that the rise of CNP fraud is not due to a rise in 'internet purchases'. As you highlighted, the 'online target' is an easy target. With EMV, fraudsters are 'moving' from their usual fraud to online fraud.

I completely agree with you that the US business case is very complex.

Steven Murdoch - University College London - London 15 February, 2010, 19:53

The US case is indeed very interesting, because the country is an outlier in several relevant dimensions.

In fact, I'm currently in Philadelphia, PA, having been invited to give the keynote at a Federal Reserve conference on payment system security. I'll be talking about this vulnerability, and others, but I hope to also learn a lot more about the US market.

A Finextra member 15 February, 2010, 20:48

In terms of card-present transactions, the use of a cloned mag-stripe and signature is very much limited to attended terminals. Because they are attended, the cloned mag-stripe and signature need to be manufactured into a very credible-looking plastic card. In addition, terminal attendants are also advised to ask the cardholder for an ID card to match the name and the signature.

In terms of card-present transactions, fraudsters favour the use of a cloned mag-stripe with a PIN code at unattended terminals, especially ATMs, since there isn't another party to witness the crime and because fraudsters do not need to manufacture credible-looking plastic cards and corresponding ID cards.

The reason why fraud is low in the United States (compared to EMV countries) is because cards in the U.S. are rarely issued with PIN codes. Thus, fraudsters are not as motivated to skim mag-stripes with no PIN codes.

However, fraudsters have targeted chip and PIN cards in countries where there is a proliferation of stand-alone, unattended terminals. The skimming/recording is usually done in chip and PIN countries and the clones are usually used out-of-country, which has resulted in an increase in cross-border fraud.

A good way to decrease skimming of the mag-stripes and PIN codes of EMV cards is to install dual slots in unattended terminals. One slot should be for mag-stripe cards and the other for chip cards. The slot for chip cards should not take in the entire card but only part of it, enough to read and process the chip, thereby making it quite difficult for fraudsters to skim the mag-stripe of EMV cards.

Stephen Wilson - Lockstep Consulting - Sydney 15 February, 2010, 21:21

The growth in CNP fraud over the Internet may be driven in part because organised crime have migrated away from Card-Present (signature fraud, skimmed cards, cloned cards). But let's recognise that CNP fraud would have blossomed regardless of EMV, simply because it's soooo easy. 'Hacking' into bank accounts with real-time MITM attacks is hard; replaying stolen credit card numbers and CVV2s is child's play, and can be conducted on an industrial scale with tens of millions of stolen accounts available on the black market. So let's not blame EMV. Rather, let's apply the smarts in EMV cards to knock off CNP fraud as well, with one convenient, familiar form factor.

A Finextra member 16 February, 2010, 06:57

I share the same opinion as the author: EMV is proven secure enough. Issuers and acquirers should use a lot of technical parameters during transaction processing. Fraud data for the EU shows that crime is moving into the areas which are not protected. By the way, friends of mine told me that in the USA, any time you use a credit card you have to identify yourself with a driver's licence or other document. They live in California; does anybody know whether this practice is generally used all around the USA? It is not the same in Europe, apart from some situations, as far as I know, in Sweden and France (depending on the transaction amount). But, in general, you enter your PIN and that's it. No extra documents needed.

A Finextra member 16 February, 2010, 07:03

"By the way, friends of mine told me that in USA anytime you are using credit card you have to identify yourself with driver license or other document. "

Absolutely confirms what I say about how attended POS transactions are done in the U.S.

Lachlan Gunn - BenAlpin Ltd - Perth 16 February, 2010, 09:19

I agree that reliable fraud stats are hard to come by. Since 2004 the European ATM Security Team (EAST) has been reporting at a European level on ATM-related fraud and losses (including cross-border).

An extract from their press release on a report published in October 2009 and covering January to June 2009 states (when compared to the period July to December 2008): "...While card skimming incidents are down by 19% (from 5,693 to 4,629 incidents)... Losses due to card skimming are down by 30% (from €222 million to €156 million)... This indicates that the EMV rollout at ATMs in Europe (now 92% complete) is helping to reduce skimming losses, and also that fraud counter-measures, fraud monitoring capabilities and fraud detection are improving."

As over 95% of Europe's nearly 400,000 ATMs are now EMV compliant, the pattern of cross-border losses has shifted considerably over the past 3 years from primarily in Europe to primarily outside of Europe. A report covering the full year 2009 is likely to be published by EAST in late March/early April.

A Finextra member 16 February, 2010, 09:53

"...the pattern of cross-border losses has shifted considerably over the past 3 years from primarily in Europe to primarily outside of Europe. "

In fact, the biggest problem for European banks is how to reduce fraud on EU EMV cards outside the EU, in the parts of the world where no liability shift exists, such as the USA and Australia. This is an even more burning question because of the S€PA mandate: all general-purpose cards have to be EMV compliant on 1.1.2011. The banking system in the EU has invested a lot of money in EMV infrastructure in the last 10 years with the aim of building a safer environment and protecting clients. The main problem is that there is a disproportion between EU on-us transactions and fraud attacks on EU cards outside the EU (nearly 97% of transactions are EU on-us). As well, it seems that there is strong Visa and MasterCard resistance to mandating an EMV liability shift all around the world, even though there is more and more news from the USA about skimming; crime is moving there because of the mag stripe.

How to jump this problem? It sounds very unusual, but I've heard it many times during discussions with EU colleagues, and it is very simple: issue EU-only cards (many people are not travelling outside the EU at all). If you wish to travel outside the EU, ask your bank for an extra, world-interoperable card :) However, banks can protect their clients with more sophisticated mechanisms, e.g. an interactive user security profile, where internet, MO/TO, USA, Africa, etc. transactions could be blocked for a time period or even as a whole. So, EMV is substantial, but only a part of a very complex system.

A Finextra member 16 February, 2010, 10:02

"How to jump this problem? It sounds very unusual but I've heard many times during discussions with EU colleagues, very simple: to issue the EU only cards"

I think that this has been discussed ad nauseam.

Like I said, a good way to decrease skimming of the mag-stripes and PIN codes of EMV cards is to install dual slots in unattended terminals. One slot should be for mag-stripe cards and the other for chip cards. The slot for chip cards should not take in the entire card but only part of it, enough to read and process the chip, thereby making it quite difficult for fraudsters to skim the mag-stripe of EMV cards.

This will in effect also isolate the skimming done in Europe to mag-stripe only cards. 

A Finextra member 16 February, 2010, 12:52

One way to reduce the skimming problem is for the banks to work on their fraud detection algorithms.  

Isn't it annoying to think that an ATM transaction in Bangkok can be authorised two and a half minutes after the same card (!) was used in Bradford, but attempts to withdraw cash whilst on holiday in Barbados are all declined.   

All of the card-issuing banks have clever fraud-prevention systems, all of which cost a lot of money - all they need now are some clever people to make them work!

But let's not forget that this skimming thing ISN'T actually a chip and PIN fraud. 
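Two issuer-side controls come up in this thread: the "interactive user security profile" from the earlier comment on EU-only cards (blocking whole channels or regions, for a period or outright), and the fraud-detection logic in the comment just above, which should refer an ATM withdrawal in Bangkok two and a half minutes after Bradford without declining a genuine holiday in Barbados. The following Python is an added example sketching both as authorisation rules; it is not code from Finextra or from any of the commenters. The card identifier, terminal coordinates, timestamps, the 900 km/h threshold and the `Profile` fields are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass
class Txn:
    card: str
    ts: datetime
    channel: str      # "ATM", "POS" or "CNP"
    country: str      # ISO 3166 alpha-2 code of the acquiring country
    lat: float        # terminal location (constructed for the demo)
    lon: float
    amount: float


@dataclass
class Profile:
    # Hypothetical cardholder-configured security profile: whole channels or
    # countries the cardholder has asked the issuer to block.
    blocked_channels: set = field(default_factory=set)
    blocked_countries: set = field(default_factory=set)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


MAX_SPEED_KMH = 900.0   # assumed threshold: roughly airliner cruising speed


def impossible_travel(prev, cur, max_speed_kmh=MAX_SPEED_KMH):
    """True if moving from prev to cur in the elapsed time would exceed max_speed_kmh."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:                # same instant or out-of-order arrival
        return dist > 1.0         # tolerate a little terminal-location noise
    return dist / hours > max_speed_kmh


def authorise(txn, profile, last_seen):
    """Decide one transaction. last_seen maps card -> last APPROVED Txn and is
    updated only on approval, so a referred transaction does not become the
    reference point that gets a later genuine transaction declined."""
    if txn.channel in profile.blocked_channels:
        return "DECLINE", f"channel {txn.channel} blocked by cardholder profile"
    if txn.country in profile.blocked_countries:
        return "DECLINE", f"country {txn.country} blocked by cardholder profile"
    prev = last_seen.get(txn.card)
    if prev is not None and impossible_travel(prev, txn):
        km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        mins = (txn.ts - prev.ts).total_seconds() / 60.0
        return "REFER", f"{km:.0f} km from last use {mins:.1f} min ago; refer to fraud team"
    last_seen[txn.card] = txn
    return "APPROVE", "ok"


def run_demo():
    """Replay a constructed sequence for one card and return the decisions."""
    t0 = datetime(2010, 2, 16, 12, 0)
    profile = Profile(blocked_channels={"CNP"}, blocked_countries={"US"})
    card = "card-0001"   # constructed identifier, not a real PAN
    txns = [
        Txn(card, t0, "ATM", "GB", 53.79, -1.75, 100.0),                                      # Bradford
        Txn(card, t0 + timedelta(minutes=2, seconds=30), "ATM", "TH", 13.75, 100.50, 200.0),  # Bangkok
        Txn(card, t0 + timedelta(days=3), "ATM", "BB", 13.10, -59.60, 150.0),                 # Barbados holiday
        Txn(card, t0 + timedelta(days=3, hours=2), "CNP", "GB", 53.79, -1.75, 60.0),          # online purchase
        Txn(card, t0 + timedelta(days=10), "ATM", "US", 40.71, -74.01, 300.0),                # New York ATM
    ]
    last_seen = {}
    decisions = []
    for t in txns:
        decision, reason = authorise(t, profile, last_seen)
        print(f"{t.ts:%Y-%m-%d %H:%M} {t.channel:3} {t.country} -> {decision}: {reason}")
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    run_demo()
```

The Bangkok withdrawal is referred rather than approved, and because only approved transactions update the card's last-known location, the Barbados withdrawal three days later is measured against Bradford and goes through. The CNP and US transactions are declined purely by the cardholder's profile, before any velocity check runs.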

Cedric Pariente - EFFI Consultants - Paris 16 February, 2010, 13:43

I'm not sure they care.

Put yourself in the shoes of a bank.

Say you are losing $100 million in fraud + fraud detection.

But you are making $250 million in selling insurance to your customers to fight against fraud.

Would you really be motivated to act in the best interest of your customers?

PS:

I'm going to write a post about it. I'm interested in having the opinion of all the experts of the Finextra community on it.

Thank you David for raising this issue.

Trevor Jenkins - Maylands Consulting Ltd - Ilkley 16 February, 2010, 17:24

In 2008, the most recent year for which figures are currently available (www.ukpayments.org.uk), losses due to counterfeit card fraud for UK-issued cards were £170m, 18% up on 2007. Of this, £37m was committed in the UK and £133m abroad. Total card fraud committed abroad amounted to £230m, 11% up on 2007. The top 5 countries where UK-issued cards or card details were used fraudulently were:

USA        £31.7m
Canada     £10.8m
Australia  £10.8m
Spain      £10.1m
Italy      £8.3m

As EMV rolls out in Canada and Australia the losses in the USA are bound to increase.
Marite, I am not convinced about putting dual card readers on unattended terminals. The ATM industry is regularly advising the public to look out for false card readers and PIN pads at ATMs to prevent card skimming. A proliferation of additional card readers on ATMs will cause customer confusion. I'm interested in your comment about US retailers requesting additional identification before accepting credit cards, but that should be a separate blog …

Trevor Jenkins - Maylands Consulting Ltd - Ilkley 16 February, 2010, 17:27

Many apologies for all the formatting information in my previous comment. I pasted from Word and didn't realise all that would be published!

A Finextra member 16 February, 2010, 21:01

"Marite, I am not convinced about putting dual card readers on unattended terminals."

Perhaps a sign like this will help?

In any case, here in Europe, most attended POS terminals (e.g. supermarkets, stores) already have slots that take in the chip and PIN card only partially.

This post is from a series of posts in the group: Information Security