Blog article
See all stories »

Chip and PIN: Good but not good enough

This week marked the anniversary of when chip and PIN came into force in the UK. Five years’ on, there are apparently more than 140 million chip and PIN cards in issue in the country and more than one million chip and PIN card terminals in place, not to mention the fact that many European countries have now rolled out EMV. As a result, great strides have been made in the fight against fraud with the National Fraud Authority (NFA) recently revealing that the financial services industry last year saw a reduction in its losses to fraudsters due to improved fraud prevention methods involving plastic cards.

However, at £3.6 billion a year, the amount of money the industry is at deficit is still excessive and while chip and PIN has been effective in face-to-face fraud it does not protect against card-not-present (CNP) attacks. In fact, the NFA statistics show that there was a 14% rise in online banking fraud with losses climbing to £60 million a year. This increase has been attributed to fraudsters using more sophisticated methods to target their victims through malware and a spike in phishing incidents. With e- and m-commerce becoming ever more popular, it is therefore of paramount importance that more stringent security measures are put in place to combat the threat.

In addition to being thorough, any fraud prevention system also needs to take into account the customer’s needs and therefore must be as convenient and user-friendly as possible. One issue with chip and PIN has been users’ propensities to forget their unique PIN, which has resulted in countless new PINs being produced and sent to customers at an additional cost for banks. Equally, the current security schemes for online banking such as Verified by Visa (VbV) and MasterCard SecureCode similarly require passwords to be memorised by their customers, which incurs the same forgetful problem.

Instead of the current scenario involving multiple passwords, it is clear that technologies that marry convenience and security need to come to the fore. One model that is gaining traction in the fight against fraud, specifically identity fraud, and that meets these disparate requirements is biometric technology. In verifying a person based on the electronic identification of that card presenter using their body features, impersonation is almost impossible and the need for additional hardware or passwords is eliminated. Only with such technology – whether hand in hand with chip and PIN or not – can fraud levels see a real dip.  

5702

Comments: (6)

Nick Collin
Nick Collin - Collin Consulting Ltd - London 16 February, 2011, 12:36Be the first to give this comment the thumbs up 0 likes

Nick

I know you're in the business of selling biometric authentication, but to do so by attacking chip and PIN is misleading to say the least.  Here's the facts as I see them:

- As you point out, chip and PIN has been tremendously effective in reducing face-to-face fraud in the physical world.

- But chip and PIN is also the best solution for tackling fraud in the virtual world via Remote Chip Authentication (RCA - what MasterCard calls CAP and Visa calls DPA): ie inserting your card in a reader, entering your PIN, and generating a one-time-password OTP).

- RCA is widely used to reduce online banking fraud.  Barclays PINSentry for example has been quoted as reducing Barclays' online banking fraud to zero.  A key point about this solution is that because the reader is physically separate from the PC, malware and phishing are not effective.

- Increasingly, RCA is starting to be used to tackle Card-Not-Present (CNP) fraud, by the simple expedient of treating the OTP as a MasterCard SecureCode or Verified by Visa code.  In other words the user only has to remember the one PIN which they already use in the physical world.  All the Belgian banks have rolled out this solution.

Tackling card fraud is difficult and takes years of effort.  The global migration to EMV chip started 15 years ago and is still evolving through RCA and 3D Secure, but it's the best solution we've got and a magnificent achievement.   There are undoubtably niche markets for voice authentication and other biometric solutions, but the card payments market is I fear not one of them.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 17 February, 2011, 11:42Be the first to give this comment the thumbs up 0 likes

Since we're seeing biometrics being proposed as an alternative to VbV and MasterCard SecureCode, it follows that the context is CNP / online. That being the case, are we to assume that webcam for iris scanning, fingerprint scanner for capturing fingerprint impressions, and all other types of biometrics authentication equipment are part of basic hardware? Otherwise, I'm not sure how biometrics will work without any additional hardware.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 21 February, 2011, 12:30Be the first to give this comment the thumbs up 0 likes

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate and what are the conditions of testing?

 

Mathew Stewart
Mathew Stewart - Explundish - London 21 February, 2011, 15:06Be the first to give this comment the thumbs up 0 likes

RCA has made great strides, and should be supported, but I think Nick O still has a point.  In the future, won't users of tablets and smartphones find card readers too clunky to carry around?  In which case, couldn't biometrics provide an alternative, and very portable, means of authentication?  

Both tablets and smartphones can capture sounds and images for biometric verification, and these can only get better with time.  The question is, how long do we have to wait?   It's down to the vendors to demonstrate whether this provides a serious alternative authentication method at this time, with the devices and bandwidths currently available. 

 

Keith Appleyard
Keith Appleyard - available for hire - Bromley 23 February, 2011, 16:13Be the first to give this comment the thumbs up 0 likes

Still not a fan of CHIP and PIN - I feel happier providing some evidence of who I am, such as Signature which could be verified and challenged if too different - a PIN is just too personal.

Also I can't remember more than 1 PIN, so either have to write them all down (which could be lost/stolen), or have the same PIN for everything, which provides a weak link, so in the end I went for CHIP and Signature instead.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 23 February, 2011, 22:00Be the first to give this comment the thumbs up 0 likes

Hello Nick.

Just checking if you saw my questions:

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate, and what are the conditions of testing?

Cheers, Stephen Wilson, Lockstep.

Nick Ogden

Nick Ogden

Founder and Director

RTGS.global

Member since

17 Sep 2008

Location

London

Blog posts

47

Comments

51

This post is from a series of posts in the group:

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.


See all