21 October 2017
Nick Ogden


Nick Ogden - ClearBank

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

Chip and PIN: Good but not good enough

15 February 2011  |  5409 views  |  6

This week marked the anniversary of when chip and PIN came into force in the UK. Five years on, there are apparently more than 140 million chip and PIN cards in issue in the country and more than one million chip and PIN card terminals in place, not to mention the fact that many European countries have now rolled out EMV. As a result, great strides have been made in the fight against fraud, with the National Fraud Authority (NFA) recently revealing that the financial services industry last year saw a reduction in its losses to fraudsters due to improved fraud prevention methods involving plastic cards.

However, at £3.6 billion a year, the amount the industry loses is still excessive, and while chip and PIN has been effective against face-to-face fraud, it does not protect against card-not-present (CNP) attacks. In fact, the NFA statistics show that there was a 14% rise in online banking fraud, with losses climbing to £60 million a year. This increase has been attributed to fraudsters using more sophisticated methods to target their victims through malware and a spike in phishing incidents. With e- and m-commerce becoming ever more popular, it is therefore of paramount importance that more stringent security measures are put in place to combat the threat.

In addition to being thorough, any fraud prevention system also needs to take into account the customer’s needs and therefore must be as convenient and user-friendly as possible. One issue with chip and PIN has been users’ propensity to forget their unique PIN, which has resulted in countless new PINs being produced and sent to customers at an additional cost for banks. Equally, the current security schemes for online banking such as Verified by Visa (VbV) and MasterCard SecureCode require customers to memorise passwords, which leads to the same problem of forgotten credentials.

Instead of the current scenario involving multiple passwords, it is clear that technologies that marry convenience and security need to come to the fore. One model that is gaining traction in the fight against fraud, specifically identity fraud, and that meets these disparate requirements is biometric technology. When a card presenter is verified electronically by their body features, impersonation is almost impossible and the need for additional hardware or passwords is eliminated. Only with such technology – whether hand in hand with chip and PIN or not – can fraud levels see a real dip.

Tags: Security, Payments

Comments: (6)

Nick Collin - Collin Consulting Ltd - London | 16 February, 2011, 12:36

Nick

I know you're in the business of selling biometric authentication, but to do so by attacking chip and PIN is misleading to say the least.  Here's the facts as I see them:

- As you point out, chip and PIN has been tremendously effective in reducing face-to-face fraud in the physical world.

- But chip and PIN is also the best solution for tackling fraud in the virtual world via Remote Chip Authentication (RCA - what MasterCard calls CAP and Visa calls DPA), i.e. inserting your card in a reader, entering your PIN, and generating a one-time password (OTP).

- RCA is widely used to reduce online banking fraud.  Barclays PINSentry for example has been quoted as reducing Barclays' online banking fraud to zero.  A key point about this solution is that because the reader is physically separate from the PC, malware and phishing are not effective.

- Increasingly, RCA is starting to be used to tackle Card-Not-Present (CNP) fraud, by the simple expedient of treating the OTP as a MasterCard SecureCode or Verified by Visa code.  In other words the user only has to remember the one PIN which they already use in the physical world.  All the Belgian banks have rolled out this solution.

Tackling card fraud is difficult and takes years of effort. The global migration to EMV chip started 15 years ago and is still evolving through RCA and 3D Secure, but it's the best solution we've got and a magnificent achievement. There are undoubtedly niche markets for voice authentication and other biometric solutions, but the card payments market is, I fear, not one of them.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 February, 2011, 11:42

Since we're seeing biometrics being proposed as an alternative to VbV and MasterCard SecureCode, it follows that the context is CNP / online. That being the case, are we to assume that webcam for iris scanning, fingerprint scanner for capturing fingerprint impressions, and all other types of biometrics authentication equipment are part of basic hardware? Otherwise, I'm not sure how biometrics will work without any additional hardware.

Stephen Wilson - Lockstep Group - Sydney | 21 February, 2011, 12:30

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate and what are the conditions of testing?

 

Mathew Stewart - Explundish - London | 21 February, 2011, 15:06

RCA has made great strides, and should be supported, but I think Nick O still has a point.  In the future, won't users of tablets and smartphones find card readers too clunky to carry around?  In which case, couldn't biometrics provide an alternative, and very portable, means of authentication?  

Both tablets and smartphones can capture sounds and images for biometric verification, and these can only get better with time.  The question is, how long do we have to wait?   It's down to the vendors to demonstrate whether this provides a serious alternative authentication method at this time, with the devices and bandwidths currently available. 

 

Keith Appleyard - available for hire - Bromley | 23 February, 2011, 16:13

Still not a fan of CHIP and PIN - I feel happier providing some evidence of who I am, such as Signature which could be verified and challenged if too different - a PIN is just too personal.

Also I can't remember more than 1 PIN, so either have to write them all down (which could be lost/stolen), or have the same PIN for everything, which provides a weak link, so in the end I went for CHIP and Signature instead.

Stephen Wilson - Lockstep Group - Sydney | 23 February, 2011, 22:00

Hello Nick.

Just checking if you saw my questions:

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate, and what are the conditions of testing?

Cheers, Stephen Wilson, Lockstep.
