A Finextra member 26 October, 2015, 14:34 5 likes

Given that EMV & NFC are one and the same, 'has he earned the right to give us advice?' 

James Bell - IBM UK LTD - London 26 October, 2015, 14:44 3 likes

haha yes I was going to say the same - unless he is talking about other non card types of payment enabled by NFC technology overall but I doubt it as there is no specific reason for them to take off now compared to in the past 5 years

Bill Trueman - Riskskill.com - London 26 October, 2015, 15:01 4 likes

Indeed - and the worrying thing for me, is why there was no-one in the audience that knew enough about the payments industry to explain to him and to the audience that he did not know enough about the issues to make such statements; and maybe even moreso, that he was talking complete twaddle. Either that or the reporting of what he said has been misheard, mis-reported and/or boiled down to something completely different.

Which is it?

Maybe someone, shoudl have simpy asked him whether he could explain how NFC could run securely without EMV; and did he realise that what he was saying was the same as: "Railroad tracks are so oldfashioned and restraining; trains should just take the routes that get the passenger there in the quickest way - i.e. along the roads or rivers or through mountains - whichever would help the customer in the bet way.

It sounds very exciting....... and that is what we have and need entrepreneours like this for - to keep us entertained.

He would have been better placed to explain that EMV was fantastic as it would:

a) give businesses the inate ability to build really valuable solution now like the rest oft he world

b) Allow merchants to speed up the customer journey

c) Reduce fraud and processing costs that will feed into teh customer massively

d) Allow the NFC solutions to be implemented faster and more securely

e) Present the platform for exponential growth in innovation and idea.

 

That woudl have been exciting.......

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 26 October, 2015, 15:17 1 like

Glad I'm not the only one who believes that VbV reduces conversion. Without getting into the debate about the similarities / differences between EMV and NFC, I too suspected if EMV was really of much value in USA.

Mitigating Fraud Does Not Pay The Bills

A Finextra member 26 October, 2015, 15:32 1 like

Two points:

1) Near Field Communication (NFC) is just a wireless communication protocol.  It's meant for short distances.  Of course the distance is dependant on sending and receiving antenna and power.  But, my point is that NFC is just the radio.  What is communicated by the radio is what we need to talk about.  I think normally it is a challenge and response.  I would encourage you to listen to https://www.grc.com/sn/sn-372.htm, or read/listen to Charlie Miller's "Don’t stand so close to meAn analysis of the NFC attack surface." (https://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_Slides.pdf)

2) EVM is a intended to do the normal credit card challenge and response, but in a way that is more secure and more difficult to falseify.  EVM is touted as "highly resistant to fraud".  A team at Cambridge proved five years ago that EVM is not a strong as the credit card companies lead us to believe.  https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

Let me quote their last paragraph:

"We have discussed how this protocol flaw has remainedundetected; not only are the public specifications complex,but they also fail to specify security-critical details. Finally,we have discussed ways in which this vulnerability maybe fixed by issuer banks, while maintaining backwardscompatibility with existing systems. However, it is clear thatthe EMV framework is seriously flawed. Rather than leavingits member banks to patch each successive vulnerability,the EMV consortium must start planning a redesign and anorderly migration to the next version. In the meantime, theEMV protocol should be considered broken. We recommendthat the Federal Reserve should resit pressure from banks toallow its deployment in the USA until it is fixed."

Bill Trueman - Riskskill.com - London 26 October, 2015, 15:47 4 likes

The team in Cambridge discovered nothing of any value, nothing that has been reproduced or caused any real risk with the payments systems or to EMV. This Cambridge research gets unloaded often, so causes me to regularly read it 'for a laugh', albeit it is actually too dry to get interest in, except to see how it is a set of theoretical theories that woudl NEVER happen in reality and cannot ever be applied to the real world; and even if it could, the measures that everyone has would stop any exposures.

Rather than having a quick look at a theoretical laboratory Cambridge research, it is probably better to see the millions of transactions being undertaken by EMV every second around the world. Practical, real and happenning. World 1,000,0000,000 actual goals: Cambridge : 0 real goes, jut a theoretical one. 

Get in touch with me if you would like help understanding the Cambridge issues; but of course please do read them, and note who sponsored the research and why too!

@Ketharaman - you will see that EMV is of great value in the USA and saves $billions/millions, makes people more secure, makes the customer journey better and the retailer processes easier. The next and key step though is to get EMV with a proper CVM - rather than implementing it without one.

 

@ALL - this is NOT an article revisiting

a) EMV - Yes or no?

b) PIN vs SIG

The issue was whether NFC will replace EMV - which is nonsence as they are different things as the anonymous contributor quite eloquently showed above with the definitions (but spoiled it a litlle with the quotes from a rather discreditable Cambridge research piece).

 

 

 

A Finextra member 26 October, 2015, 15:52 0 likes

EMV broken - the Cambridge attack needed a stolen and unblocked card to be destroyed by wiring it to a PC that would fool the card to believe that the correct PIN was enetred and give ago ahead to the terminal. And also that the issuer did not implement all the EMV recommended security checks... which was the base in the Cambridge attack. Not a very likely scenario since most issuers do implement the missing security checks... and most stolen cards get blocked soon.

A Finextra member 26 October, 2015, 16:00 0 likes

Mr. Truman, really?  Did you read the recent article about the $680K fraud that used the Cambridge method?  The mode of attack took advantage of the flawed way the credit card scanner interacts with the card when it asks the card if the pin is correct.

http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pin-card-hack/

"Five French citizens (whom the researchers didn’t name in either their paper or an interview with WIRED) were arrested in 2011 and 2012 for using a clever workaround to spend nearly 600,000 euros (about $680,000) from stolen credit cards in spite of the cards’ chip-and-PIN protections."

A Finextra member 26 October, 2015, 17:28 3 likes This is the kind of ill-informed tripe I'd expect to read in the Daily Mail - not on Finextra. I would suggest this guy reads the facts and re-evaluates his comments.

Bill Trueman - Riskskill.com - London 26 October, 2015, 18:14 5 likes

@ Matt - you could have given some specifics - but I guess, with something so wrong, so inacurate and ill-informed, it is difficult to know where to start; and I am beginning to regret diving in at all.

 

@ Anonymous 16-00 - I know the cases well. And I am not going to start teaching everyine here the detail - and start compromising the industry further. However, I woudl say that the French case:

- Proved nothing - and especially not the Cambridge case

- It was a spoofing solution that was (seemingly) very hard to do, whereas it was not necessary - and would work on any card with or without a chip - so why bother

- There are much easier ways to defraud

- These folk got caught and sent away - as this is easy to find.

- There were only attempted frauds, and the losses to the banks would have been £0

- The fraud will have been found very early on (or should have been - if the banks were doing things properly and had the righ parameters set),

 

The real problems here were associated with bigger / easier breakdowns and not the CHIP issue - but as an industry representative, I am happy to let people think whatever they like. People in the industry know that it is all nonsense.

Again, quoting a fraud that nearly happenned in a waythat was stoppable, understood, known about, with no actual real loss (in spite of what was reported), and wrongly attributed to a technology that works in $billions transactions every day; and without real details (only journalistic innacuracy and theoretical extropolation), on a different topic to the one that the article is showing, .... and anonymously; does not take anything forward - so I am signing-off here!

Anthony Pickup - Capgemini Invent - Manchester 27 October, 2015, 10:22 0 likes One needs to be careful here. Yes I agree the title is misleading and the debate has focused on some points. The key issues are that classic EMV is based on contact Smartcards a standard that is old and requires a physical connection between the payment card and the acceptance device. nfc is based on contactless EMV to link the payment device to the acceptance device. Therefore contacless & nfc devices enable new ways to complete the payment transaction and easier ways to make payments. One issue is the age of the current EMV protocols and difficulties moving these standards forward to address new vulnerabilities being exposed as technology moves on from the early 1990's.

Nick Collin - Collin Consulting Ltd - London 27 October, 2015, 17:02 2 likes

Please keep diving in Bill - you're absolutely right!  This Vinod Khosla is clearly an imbecile.  As several people have pointed out, NFC is enabled by EMV.  And although Ross Anderson and his Cambridge people have been scaremongering about EMV security for years (decades?) the number of actual EMV security breaches in the real world is as far as I know zero.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 28 October, 2015, 09:29 0 likes

Not sure how much of an expert Vinod Khosla is about EMV and NFC but, as an early investor in SQUARE, he seems to know a thing or two about what works in the payments business in USA. He's not alone in believing that EMV is not one of them. Low Fraud/Revenue ratio, far greater demand and supply of CX, unnecessary incremental friction imposed on consumers who can get fraudulent transactions, if and when they occur, reversed with a single telephone call - these are at least three reasons why EMV, at least in its present non-contactless form, has a bleak outlook in USA.

Bill Trueman - Riskskill.com - London 28 October, 2015, 09:51 2 likes

@Ketharaman - I am not sure which way you are arguing; but what I think you are saying is that for the list of reasons that you have given, EMV seems to be something that will not work for the USA.

This is however really weird, as these are all very strong benefits of EMV for the USA that will all make the solution a big market - saver for US. They are also reasons (Myths) that are propogated in the US without and substance or evidenced.

For instance, in an EMV environment the friction is much improved - and especially so if the retailer community insists on a proper CVM and demands that the card industry removes the responsibility of being the card industry fraud policemen and make sure that the terminal does ALL the checking of the customer for them.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 28 October, 2015, 10:14 0 likes

@BillTrueman: Not sure why there should be any doubt in my position: In my above comments and in my cited blog post and in my comments to a few other articles on Finextra, I've questioned the value of EMV in USA (though not in ROW). Let me not go into the reasons again other than to observe that factors like "terminal does all checking of customer" are exactly the source of the problem, not solution, and miss my points about dynamics of USA retail behavior being very different from ROW viz. greater demand / supply of CX, lower tolerance to friction of longer transaction time and risk of EMV card being left behind in the terminal.