PINs and needles

Source: Chris Skinner, Balatro
PINs and passwords: Useful or useless asks Chris Skinner

On the day of the first anniversary of chip & PIN, which happened to be Valentine’s Day, I was quoted in one newspaper as saying Chip & PIN is completely useless. Not the best way to endear yourself to the banking community but, in retrospect, not far off the truth. Why?

Because it’s only secure for as long as the PIN is secure. The Chip is fine. It’s just the PIN that’s useless.

Think about it as being like your most secure password. In fact, there are some close analogies between PINs and passwords.

For example, think about your online banking password. Now then, what happens with that password? According to most surveys, you use the same one everywhere.

For example, a survey by Get Safe Online finds that over half of UK Internet users use the same password for more than one Website and 17% use personal information about themselves in passwords, which opens them up to all sorts of easy hacking options. You know, the hacker thinks: “I know his middle names are James Murgatoyd, so let’s try Murgatoyd … wow, it worked”.

Now the importance of Get Safe Online is that it is an initiative combining the efforts of the UK Government, the Police, HSBC, BT, eBay, Microsoft and SecureTrading. Their report, which can be found at Get Safe Online, has a range of facts and stats relating to consumer use of the Internet and security precautions.

My favourite figure in this report is the fact that only 24% of people think they should be primarily responsible for their own online safety. In other words, 76% think they’re not responsible for their own safety when shopping, banking or doing stuff online? They must be nuts. After all, it’s their PC, their keyboard and their system that is exposed – no-one else’s. So why should it be someone else’s fault if they get defrauded online?

Anyways, back to the point which is that folks are not that bright. Ask them to use a password and most of them – over half – will use the same password for everything. Ask them to use a different one, or to change it every month and never use the same one twice, and what do they do? They write it down on a post-it note and stick it on their PC or the top drawer of the desk.

So, passwords are not secure. That’s why we’re trying so many other ways of introducing online security through random number generators and other things.

Which brings me back to PINs, and Chip & PIN's greatest advocate: Apacs, the UK Payments Association.

Apacs has lots of good stuff on its Websites about secure payments, including advice on shopping online. For example, Cardwatch provides these top tips for safe Web shopping:
  • Sign up with Verified by Visa or MasterCard SecureCode.
  • Don’t give away your PIN or password to cold callers or in response to unsolicited emails.
  • Use a computer protected by up-to-date anti-virus software and a firewall.
  • Keep your cards and card details safe when you are shopping in the real world as most internet fraud happens because card details are stolen in the real world and then used online.
  • Only shop at secure websites and make sure that the security icon - the locked padlock or unbroken key symbol - is showing at the bottom of the browser window before sending your card details. Also check that the beginning of the retailer’s website changes from http:// to https:// when a purchase is being made with a secure connection.
  • Make sure your browser is set to the highest level of security notification and monitoring.
  • Always check your bank statements. If you find a transaction on your statement that you did not make, contact your bank or card company immediately.
  • Destroy, or preferably shred, any documents that contain information relating to your financial affairs.
  • Use one credit card specifically for internet transactions so you can monitor transactions at a glance.
  • When shopping online make sure you get a hard copy of both your order form and the retailer’s terms and conditions.
In particular, the comment about looking for https:// and the padlock is interesting as I’ve recently started asking folks: "Do you look for this every time you shop online?” and, strangely enough, I haven’t found anyone yet who does this religiously, including yours truly if I’m honest. As I said, folks ain’t that bright …

Anyways, Apacs has loads of research and other good stuff about the Internet, cards, fraud and advice. Go visit the main Website for more, www.apacs.org

So why did I copy all of this advice into this month’s column, apart from the fact it’s worthwhile reading?

I’ll tell you.

Apacs introduced Chip & PIN to the UK in 2004 and made it mandatory from 14 February 2006. They’ve talked about how great it is, how it’s working and how it’s made fraud and theft a thing of the past.

And I agree. It is a good programme. It has reduced fraud. It works.

So please don’t get me wrong here. It’s not Apacs I’m having a go at, or the idea of having a bit of added security.

I mean the fact that chip & PIN has reduced card fraud significantly must be a good thing. According to Apacs, chip & PIN helped to reduce card fraud by 24% in 2005, saving us all about £60 million.

Today, the chip & PIN figures are quite impressive with:
  • 99.9 per cent of all chip & PIN card transactions now PIN-verified;
  • 185 chip & PIN transactions being processed every second (125 a year ago);
  • 97% (138 million) of all UK cards chip & PIN enabled; and
  • 98% (900,000) of all shop tills upgraded to chip & PIN.
That’s great.

Cost us about £1.1 billion and is saving £60 million a year. So far, so good.

I should mention that we followed other countries that had success with chip & PIN, so it was a proven model. For example, France, Netherlands, Austria, Belgium and others experienced the same gains, with many of these countries operating over 90% of payments verified by PIN. In fact, the success is spreading worldwide with Canada introducing Chip & PIN this year and it can only be a matter of time before the USA and rest of the world follow suit.

Fantastic.

Chip & PIN works.

Now, finally, to the reason I said chip & PIN is useless.

In the Apacs advice for online shopping, two of the top tips are:
  • Don’t give away your PIN or password to cold callers or in response to unsolicited emails.
  • Keep your cards and card details safe when you are shopping in the real world, as most internet fraud happens because card details are stolen in the real world and then used online.
OK, this is the bit that conflicts with chip & PIN.

You see, I hate PIN.

It’s one of those things where, when you’re standing at the merchant’s terminal, you feel completely naked don’t you? Maybe some of you are naked depending upon what you’re buying, but my PIN is the only security I have to protect me from rampaging hordes of criminals who will steal all my money.

That’s what my bank has drilled into me for years and I learned the message: don’t let anyone know anything about your PIN. Don’t ever breathe the PIN code. Don’t write it down. And, if anyone ever finds out your PIN, jump off the nearest tall building … or call your bank, whichever is easier.

I got the message. PIN is Fort Knox for consumers.

So when Apacs advises me to keep my PIN secret, don’t tell anyone about it, and keep your card details safe in the real world … why the hell am I tapping my PIN number for all to see every time I buy something in the real world?

And my PIN happens to also be regularly used in my passwords by the way. After all, when you’re forced to put in “secretword” and the Website says “your secret word needs some numbers too”, guess which numbers we use? Yep, nine times out of ten we use our PIN.

So, Chip & PIN completely contradicts what I thought the PIN was for, as in a secret code you only ever used discreetly.

That is why we now have “shoulder-surfers” – the folks who look over your shoulder in stores to see your PIN number. That is why many stores now have signs saying “Please do not stand too near to the person at the till” so that you don’t see their PIN number being entered. This is why Shell petrol stations have a yellow line on the floor. Not because it’s pretty, but so that they can put up a sign that says “Please stand behind the yellow line so that you do not see the PIN number of the person at the till”.

Wow, this is so safe and secure isn’t it.

In fact, it is why the BBC has been on the case of Chip & PIN for some time, and recently ran a programme about how banks are now blaming customers for losses if their card is used fraudulently as “you must have told the fraudster your PIN number mustn’t you, so it’s your fault you dumb schmuck.”

Apacs spokesperson Sandra Quinn countered these accusations by saying, “Chip & PIN was never going to eradicate fraud, but our cards are certainly much safer because of it. Decreasing card fraud figures prove this. Most critically, any innocent customer who is the victim of this or any other type of card fraud, is protected by the Banking Code, which means that they will not lose out financially.”

Mmmmmm … this is going to be a long debate. Nevertheless, I agree with some of what Sandra says. Chip & PIN has made it significantly more difficult for a fraudster to use a lost or stolen card or a counterfeit card in the UK. In fact, it’s pushed people to start doing fraud in other ways, for example, online. That is why Card Not Present (CNP) fraud rose 21% in 2005, as internet, phone and mail order fraud increased by £32.4 million. Typical isn’t it? Chip & PIN helps to reduce fraud by 24% in 2005, £60 million, so the fraudsters just move elsewhere.

And another thing: why did we do Chip & PIN so late?

France and the Netherlands did Chip & PIN in the early 1990s, and the UK finally gets there in 2005. What happened and weren’t there alternatives?

There were. Just that we went with Chip & PIN just as others were thinking about chip and biometric or something else. I’ve written about this a few times before, so I’m not going to expand here (see Who are you? if you want more).

What is interesting though, is that I raised this question about why were we so late in getting to Chip & PIN with a bunch of senior anti-fraud leaders. The discussion went something like as follows:

Head of Fraud #1: “Chip & PIN is a classic example of how the banking industry sat on its hands in this country for years. If you look at what had happened in France, there was good evidence that proved that technology worked but the investment was very long in coming through in the UK. By the time we got there, we’re in a position where the criminals are moving on and have made other plans.”

Head of Fraud #2: “Yes, but the only real visionary investment the UK has made, rightly or wrongly, is Chip & PIN. Everything else has been tactical.”

Head of Fraud #1: “We should have done Chip & PIN years before, as the French did, but I guess the business case simply wasn’t there.”

Head of Fraud #3: “If we had gone looking for something else at that time, would there have been any suppliers or technology people playing in that space?”

Head of Fraud #2: “I think there was or is stuff out there, but Chip & PIN was implemented on the basis that everything would be offline.”

In other words, in the typical speed at which risk-averse financial firms move, we took years to make a decision to do something. When we finally made a decision it then took a few more years to implement it and, by the time it was all done, everyone had moved to shopping in a different way such as online.

That’s why, in the first six months of 2006, UK online fraud increased 55% to £22.5 million, which provides an all-up estimate of £60 million for the year – about the same amount we saved in 2005 by moving to Chip & PIN.

Final thoughts here and then I’ll stop my rant.

If Chip & PIN is so good, why are we thinking of other ways to protect the poor defrauded consumer? For example, there are two new systems already being considered as an add-on to Chip & PIN.

One is produced by Gridsure. These guys overlay a pattern based approach so that, even if someone knew your pattern they couldn’t work out your PIN number. Another is Swivel which you can see in action by going to the Bank of Adelaide, and clicking on the ‘login here’ picture.

What both of these systems are doing is trying to ensure you do not actually enter your PIN number, but you enter something else that correlates with your PIN number, such as substituted numbers or words. This way, no keylogger or shoulder surfer gets to see your PIN, just a randomly generated code.
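To make the idea concrete, here is an added example (not code from Gridsure, Swivel or the column) of the simplest form of such a "substituted numbers" scheme: the bank shows a fresh random ten-digit security string, and instead of typing the PIN the customer types, for each PIN digit, the digit that sits at that position in the string. The exact mapping, the string length and the four-digit PIN are assumptions for illustration; the last function quantifies what a shoulder surfer actually learns from seeing one such code.

```python
import secrets
from itertools import product

PIN_LEN = 4           # assumed PIN length
ALPHABET = "0123456789"


def security_string(length: int = 10) -> str:
    """Server side: a fresh random digit string for this one login/transaction."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def one_time_code(pin: str, sec: str) -> str:
    """Customer side: for PIN digit d, type the digit at position d of the string.
    With PIN 2580 and string 3141592653 the code is sec[2] sec[5] sec[8] sec[0] = 4953."""
    return "".join(sec[int(d)] for d in pin)


def verify(stored_pin: str, sec: str, submitted: str) -> bool:
    """Server side: recompute the expected code from the stored PIN and the string
    it issued; a code captured under a different string will not verify."""
    return secrets.compare_digest(one_time_code(stored_pin, sec), submitted)


def candidate_pins(sec: str, observed_code: str) -> set[str]:
    """Risk analysis: the set of PINs consistent with one observed (string, code) pair.
    A digit that appears k times in the string leaves k possibilities for that PIN
    position, so a single observation narrows the PIN but need not reveal it."""
    per_position = []
    for digit in observed_code:
        positions = [str(i) for i, ch in enumerate(sec) if ch == digit]
        if not positions:          # observation impossible under this string
            return set()
        per_position.append(positions)
    return {"".join(choice) for choice in product(*per_position)}


if __name__ == "__main__":
    pin = "2580"                   # constructed sample PIN
    sec = security_string()
    code = one_time_code(pin, sec)
    print("security string:", sec, "one-time code:", code, "verifies:", verify(pin, sec, code))
    print("PINs consistent with that observation:", len(candidate_pins(sec, code)))
    print("replay under a fresh string verifies:", verify(pin, security_string(), code))
```

The point the column makes is visible in the last two lines: the code typed at the terminal changes every time, so a captured code is useless for replay, and an observer who sees both the string and the code still only learns a candidate set. A practitioner should note the caveat that repeated observations of the same PIN under different strings shrink that set, which is why such schemes are positioned as an add-on to the chip rather than as the whole defence.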

The key question for all of us though is to ask: “If Chip & PIN was that good, why do we need these additional systems?” My answer is that it is because Chip & PIN is not that good. But, once again, don’t get me wrong. It is not the chip that’s at fault. It’s the PIN. Therefore, I do have a solution. After all, if Chip & PIN is useless then the over £1 billion UK stores and banks have spent on this programme is a little bit of a waste isn’t it.

My solution is that chip will always be critical to payments. Therefore the chip reading infrastructures we have implemented are a worthwhile investment and will be used for the long term by retailers, merchants and banks.

Chips are the payments mechanism for the 21st century. Chips in phones, in cards, in jewellery and watches and inside people. Chips are key.

Therefore, we will stick with our crude Chip & PIN in 2007, but gradually move towards chip and patterns, such as Gridsure or Swivel. Shortly thereafter, we will maybe use chip and biometric, such as fingerprints, palmprints or ideally signatures. Yep, a biometric signature. Now then, returning to signatures – what a radical idea?

Eventually, as we all now know from the example of the Baja Beach Nightclub in Spain, we’ll get to chip in skin.

Whatever we use, it is only the authentication that changes though. The infrastructures for biometric chips and patterns are the investments we have now made and therefore, although there may be additional costs, it will be incremental rather than completely different.

Chips. Chips are the future, not PINs.

PIN is just our chunky, clunky out-of-date method to authenticate chips securely …

… blimey, I think I’ve said so much you could hear a PIN drop!

Chris Skinner is CEO of Balatro and chairman of the Financial Services Club.

Web links: www.fsclub.co.uk, and www.balatroltd.com

The Finextra Columns are now also released as a book by Wiley, 'The Future of Banking in a Globalized World', which can be ordered from www.wiley.com.
