23 May 2018
Pat Carroll


Pat Carroll - ValidSoft

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Chip and Skim Cards: Renewed Need for Layered Authentication

03 June 2014

In the ongoing game of one-upmanship between hackers and payment fraud prevention technology, new research presented at the 35th IEEE Symposium on Security and Privacy suggests that the fraudsters have yet another vector to utilize, exploiting new vulnerabilities within existing implementations of EMV/Chip and Pin.

The new research suggests that a cryptographic weakness in some devices implementing the EMV (Chip and PIN) standard, and potentially a flaw in the EMV design itself, could now provide hackers with yet another avenue to compromise card transactions, causing massive headaches for consumers and potential losses for financial institutions and card issuers.

In the whitepaper “Chip and Skim: cloning EMV cards with the pre-play attack”, prepared by a team at the University of Cambridge, researchers identified two weaknesses observed in deployed Chip and PIN terminals. First, terminals with poorly designed random number generators can produce non-random or predictable numbers when “chipped” cards are used to generate a transaction-specific authentication code. With physical access to the devices, or via a compromised network (as was the case in the Target breach), these terminals can also be tampered with to influence the random number generator. Second, the researchers identified the ability to tamper with the Chip and PIN terminal’s communications back to the bank.
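The first weakness is detectable from the issuer's or acquirer's side, because the terminal's "unpredictable number" (EMV tag 9F37) travels in the authorisation message and can be logged per terminal. The following is an added example, not code from the post or from ValidSoft: it runs simple predictability checks over constructed sample UN streams from three hypothetical terminals and reports which signatures of a weak generator fired.

```python
from collections import Counter
from math import log2

# Constructed sample streams of 32-bit unpredictable numbers (tag 9F37) logged
# from three hypothetical terminals. The values are invented for illustration.
UN_GOOD = [0x8F2A19C4, 0x1B7E6D03, 0xE4C02A7F, 0x5D91F6B8,
           0x3A0CD4E1, 0xC7B5E02D, 0x6E48A3F9, 0x02D7C16A]
UN_COUNTER = [0x00000100 + 7 * i for i in range(8)]     # counter stepping by 7
UN_LOWENT = [0x00004A00, 0x00004A00, 0x00004A12, 0x00004A00,
             0x00004A33, 0x00004A00, 0x00004A00, 0x00004A12]


def byte_entropy(uns):
    """Shannon entropy in bits per byte over all bytes of the UN stream."""
    data = b"".join(un.to_bytes(4, "big") for un in uns)
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def weak_un_findings(uns, min_entropy=3.0):
    """Return a list of findings explaining why the stream looks predictable.

    An empty list means none of these simple checks fired; it is evidence,
    not proof, that the terminal's generator is sound.
    """
    if len(uns) < 2:
        return ["too few samples"]
    findings = []
    # 1. Exact repeats: a genuinely random 32-bit value should never recur
    #    in a short log.
    repeats = [v for v, c in Counter(uns).items() if c > 1]
    if repeats:
        findings.append(f"repeated UN values: {len(repeats)}")
    # 2. Counter behaviour: constant step or monotonic growth.
    diffs = [b - a for a, b in zip(uns, uns[1:])]
    if all(d > 0 for d in diffs) and len(set(diffs)) == 1:
        findings.append(f"counter-like: constant step {diffs[0]}")
    elif all(d > 0 for d in diffs):
        findings.append("monotonically increasing")
    # 3. Stuck bits: positions that never change across consecutive values.
    fixed = 0xFFFFFFFF
    for a, b in zip(uns, uns[1:]):
        fixed &= ~(a ^ b) & 0xFFFFFFFF
    stuck = bin(fixed).count("1")
    if stuck > 16:
        findings.append(f"{stuck} of 32 bits never change")
    # 4. Low byte entropy: timestamps and counters cluster in a few bytes.
    ent = byte_entropy(uns)
    if ent < min_entropy:
        findings.append(f"low byte entropy {ent:.2f} bits")
    return findings
```

A terminal whose stream trips these checks is one whose cryptograms an attacker could have pre-computed, so its transactions deserve the extra authentication layer the post goes on to describe.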

Given the increasing sophistication of today’s criminals, we need to change our approach. As I and others in the payment authentication industry have long advocated, any single technology approach to preventing fraud can be circumvented, bypassed or exploited, given time and the will to do so. That is why we cannot simply rely on any one method (putting all our eggs in one basket, as some would say); what is really needed is a layered approach.

Multi-factor authentication is the key, and it is ready to be deployed in the field. State-of-the-art multi-factor authentication solutions to fight card fraud can now employ “low friction” techniques such as voice biometrics and real-time, invisible checks such as proximity correlation (the ability to determine in real time whether or not the legitimate customer is present when the transaction is being performed). With this combination of technology, payment processors, financial institutions and others in the transaction payment chain can query the authenticity of the customer performing the transaction BEFORE the transaction is completed. All that is required is that the customer has their cell phone or mobile device with them and turned on. If the genuine customer is not carrying out the transaction, the transaction is aborted BEFORE the fraudster can make off with the goods or money.

While the fraud cost itself is significant, the lost revenue and customer frustration caused by false positives (a legitimate customer being rejected when making a transaction) also cost the financial institution. Legacy security solutions tend to focus on trying to prevent every fraud rather than on ensuring that no legitimate customer gets rejected. By using proximity correlation, it is possible to virtually eliminate fraud, enhance the customer experience and reduce costs substantially. All in all, it’s a win, win, win situation.

Importantly, this technology works for all card transactions (credit and debit) and is privacy compliant, as the genuine customer’s location is never revealed (it can be used in an opt-out model as well). Because it addresses all types of card skimming on mag stripes today, as well as future technologies including RFID, NFC and EMV, infrastructure investments are protected and strong ROIs generated. Furthermore, with the right privacy compliance in place, the mobile operators can provide the infrastructure to enable such advanced fraud prevention, generating good recurring revenues in return for access to their signalling.

If the industry expects EMV to be infallible, then, as this article highlights, the fraudsters are only a step away from compromising EMV in more ways than one. We surely cannot place all our trust in any single fraud prevention technology, and proximity correlation is the ideal complementary technology to move the fight against fraud to a new level. Countries that have already implemented EMV can protect their investment and inject a high level of future-proofing into the fight against fraud, whilst countries such as the US can press ahead with the implementation of proximity correlation today, pending their implementation of EMV. Who knows, in the US alone, the largest single target in the world for card fraud, the savings over the next couple of years may even pay for EMV!
