Re: smart card versus credit card

From: Daniel James (wastebasket_at_nospam.aaisp.org)
Date: 03/09/04


Date: Tue, 09 Mar 2004 21:23:54 GMT

In article news:<471fc78e.0403080330.534c90dd@posting.google.com>, James
wrote:
> > What is the source of those figures?
>
> Sources: Card Fraud the Facts 2003 (www.cardwatch.org.uk - Media)

Interesting site - hadn't seen that one.

I note that it says: "If the chip and PIN system was not put into
action, forecasts show that UK losses would be in the region of £800
million by 2005" -- that's annual losses for 2005 alone. Makes the cost
of implementing the system seem quite cheap.

They also say: "Other crimes such as burglaries, muggings and car
break-ins are often motivated by the opportunity to steal payment
cards".

> For smart cards to be totally effective, every single ATM machine
> and point of sale terminal not only in the UK but world-wide must
> be capable of interrogating smart cards. Until that time Plastic
> Cards with Magstrips and Chips will still be subject to cloning.

To clarify: The magstripe component of the card will be subject to
cloning, the smartcard part will not. Retailers will presumably have to
decide for themselves whether to accept a card with a magstripe and no
(functional) chip, or whether to reject any card with no chip (or a
dummy chip) as unacceptable or whether to process it as a magstripe or
(more likely) paper slip transaction. If fraud then occurs, presumably
the retailer will be expected to bear the cost?

> The retailing position is that retailers who own their own
> terminals and decide not to upgrade to Chip & PIN type terminals
> by the end of this year will be liable for fraud that a C&P
> terminal could have prevented. This will be a commercial decision
> for them.

I imagine some will be early adopters, while others will delay the
upgrade until their POS equipment wears out. As you say - a business
decision.

> I wonder what the position will be for a retailer or cardholder
> when someone acquires a genuine card and PIN, then uses it before
> it is reported lost or stolen.

One would hope that the retailer will not be liable in that case!

If it were up to me I'd say that the cardholder should be responsible if
he has not safeguarded his PIN adequately ... but the banks are actually
quite good at covering losses that their T&Cs do not require them to
cover (it's good customer relations and seldom costs them very much) and
will probably continue to be so as long as the cardholder is not unduly
negligent in PIN management and is not thought to be party to the fraud.

> You are correct, you can use a Smart Card without a PIN. A PIN
> opt-out with a Chipped Card is an option but it is like pulling
> teeth trying to get this information from card issuers.

As I said, I have VISA credit and debit cards that contain chips. Many
retailers at which I have used these cards do use chip-readers rather
than magstripe readers to obtain the card details, but no PIN checking
at POS is yet being done (I'm not even sure whether these particular
cards are ready for chip-and-PIN use).

The most annoying thing about it is that the cards I have don't work in
unmanned French petrol stations - apparently the French chipcard system
predates the internationally agreed standards and many POS devices still
only recognize the older French cards.

That makes running out of petrol quite easy in France, except at peak
hours and on busy (e.g. autoroute) services!

> Banks in the UAE have upgraded their ATM terminals to include
> digital CCTV. Two reasons for this are to deter theft at ATM's
> and customer protection over disputed ATM transactions.
> Can you see UK retailers offering this added security measure
> at till points?

Yes, certainly, if they thought it would be worthwhile in terms of
increased security. Why not?

> Liability for Fraud. In all cases you are not liable for any
> transactions after you report your card lost or stolen. Assuming
> someone has acquired your PIN how can you prove you didn't
> compromise your PIN or in banking words were not negligent
> with it? At the very least with a signature you can say
> - that's not my signature nor are my prints on the shops copy
> of the till receipt.

If someone has acquired your PIN there are really only three possible
explanations:

1. You *were* negligent with your PIN and it *is* your fault.
2. The bank's system has somehow been cracked and the bad guys know
*everyone's* PIN.
3. Someone nicked your card and was incredibly lucky and *guessed* your
PIN before the card locked.

(2) will be rather obvious, and the bank will *have* to admit
responsibility. (3) *will* happen, once in a while ... not so very often
if we're allowed to pick PINs of more than 4 digits. I wouldn't worry
too much about it.

OTOH, my written signature never looks quite the same twice - my sister
can do it better than I can ... so, probably, can others. Sometimes I
sign a transaction slip and *I* think "that doesn't look like my
signature" ... but I've never had the signature queried. It currently
costs the banks a small fortune bearing the cost of fraud that *should*
have been detected and prevented by the retailer - it's high time that
imbalance was redressed.

[Aside: My wife used to have a credit card with her photograph on the
back - good for security, you might think - but when the card was stolen
it was successfully used in a CARD PRESENT transaction by the thief, who
was of neither the same sex nor race as she! Retailers don't check (and
aren't likely to argue, if the customer is large and aggressive-looking)
but electronic security doesn't have the same potential for laxity.]

> IMHO, a PIN with a credit card opens a window of opportunity
> for crooks. Opportunist thieves ... Chances of catching them
> are less than before.

They have to be able to obtain both the card and the PIN - before they
only had to be able to obtain the card. I'd say that there are fewer
open windows with a PIN than without.

> ATM fraud climbed by 37% in the UK last year. (source Card Fraud
> the Facts 2003).

Most (all?) ATMs still use the magstripe. Most ATM fraud involves the
use of cloned magstripe cards. Smartcards will stop this. (This is not
an argument either for or against PINs, though.)

> PIN security. What PIN security. Shoulder surfing is easy,
> try it. One ATM in particular is sited beneath an escalator
> - overhead surfing. Look at the new type PIN pads, you hold
> many of them in one hand and enter a PIN with the other. How do
> you shield your PIN?

I agree that's a problem. The people responsible for siting ATMs need
lessons in security. I have heard of a case of POS fraud in which a
retailer's own security systems were used to monitor customers entering
their PIN - something to look out for. I have seen PIN-pads with
physical shields fitted to prevent "shoulder surfing" (where? Can't
remember. Australia?) - that sounds like a good idea and should be
adopted more widely.

> From the Chip and PIN website, The Northampton Trial Report
> page 7, they say that; "The PIN proves customers are who
> they say they are." Sorry, but this is to say the least
> misleading or maybe just sPIN.

<smile> Indeed - it's not proof, but it is corroborative evidence.

> My preferred option is a Chipped card, with photo, signature
> and prompt given to shop staff that the cardholder (me)
> authenticates my signature with my print.

I agree that a photo and thumbprint on the card would offer worthwhile
improvements in security - but the evidence is that retailers don't
check these things, and that they are reluctant to turn away business so
will give the prospective purchaser the benefit of the (sometimes huge)
doubt. The great thing about a PIN is that it is checked
programmatically - which is quick, cheap, reasonably reliable, and can
be enforced by the bank. I certainly agree that any extra checks that
are implemented on top of that are still worth making.

> People who are harmed by PINS are: ...

Yes, it's a shame that it will make life harder for those people, too.
No system is perfect, and while this one seems better than many it
still leaves room for improvement.

The point is, though, that it will hurt criminals ... you left them off
the list.

Cheers,
 Daniel.
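The "guessed your PIN before the card locked" case in the post comes down to a PIN try counter on the chip: a few wrong entries and the card refuses all further PIN verification until the issuer resets it. The following Python model is an added illustration, not code from the post, from any card scheme or from any bank; the three-try limit, decimal PINs and the `ChipCard`/`guess_attack` names are assumptions made for the example. It pairs the card-side check with a thief who guesses random PINs until the card blocks, and reports the exact and simulated odds for 4-digit and 6-digit PINs, which is the comparison the post makes.

```python
"""Card-side PIN verification with a try counter, plus a guessing attacker.

Added illustration; not code from the post or from any card scheme.
The three-try limit and decimal-only PINs are assumptions for the example.
"""
import hmac
import random

MAX_TRIES = 3  # assumed lockout threshold; the post only says the card "locks"


class ChipCard:
    """Holds the reference PIN and a PIN try counter.

    Each wrong guess decrements the counter; at zero the card refuses every
    further verification, including the correct PIN, until an issuer reset.
    A correct entry restores the counter to its maximum.
    """

    def __init__(self, pin: str, max_tries: int = MAX_TRIES):
        if not pin.isdigit():
            raise ValueError("PIN must be decimal digits")
        self._pin = pin
        self.max_tries = max_tries
        self.tries_left = max_tries

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify_pin(self, candidate: str) -> bool:
        """Return True only if the card is not blocked and candidate matches."""
        if self.blocked:
            return False
        # constant-time compare so a terminal cannot time partial matches
        if hmac.compare_digest(self._pin.encode(), candidate.encode()):
            self.tries_left = self.max_tries
            return True
        self.tries_left -= 1
        return False

    def issuer_reset(self) -> None:
        """Unblock the card; what the issuer does once the holder is identified."""
        self.tries_left = self.max_tries


def guess_attack(card: ChipCard, pin_len: int, rng: random.Random) -> bool:
    """Thief with a stolen card tries distinct random PINs until it blocks.

    Returns True if a guess is accepted before the try counter reaches zero.
    """
    space = 10 ** pin_len
    for guess in rng.sample(range(space), k=card.max_tries):
        if card.verify_pin(f"{guess:0{pin_len}d}"):
            return True
    return False


def lucky_guess_probability(pin_len: int, tries: int = MAX_TRIES) -> float:
    """Exact chance of hitting a uniformly chosen PIN within `tries` attempts."""
    return min(1.0, tries / 10 ** pin_len)


def simulate(pin_len: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the thief's success rate for a given PIN length."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        pin = f"{rng.randrange(10 ** pin_len):0{pin_len}d}"  # constructed sample PIN
        wins += guess_attack(ChipCard(pin), pin_len, rng)
    return wins / trials


if __name__ == "__main__":
    for n in (4, 6):
        print(f"{n}-digit PIN: exact {lucky_guess_probability(n):.1e}, "
              f"simulated {simulate(n, 100_000):.1e}")
```

The model assumes PINs are chosen uniformly; real cardholders pick dates and repeated digits, so a thief who tries the popular values first does better than the uniform figure. That is the "negligent with your PIN" case in the post, not the lucky-guess case, and the try counter limits it to three attempts either way.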
 


