Banks Undermine Chip and PIN Security

The Chip and PIN card payment system has been mandatory in the UK since 2006, but only now is it being slowly introduced in the US. In Western Europe more than 96% of card transactions in the last quarter of 2014 used chipped credit or debit cards, compared to just 0.03% in the US.

Yet at the same time, in the UK and elsewhere a new generation of Chip and PIN cards has arrived that allows contactless payments – transactions that don’t require a PIN code. Why would card issuers offer a means to circumvent the security Chip and PIN offers?

Chip and PIN is supposed to reduce two main types of fraud. Counterfeit fraud, where a fake card is manufactured based on stolen card data, cost the UK £47.8m in 2014 according to figures just released by Financial Fraud Action. The cryptographic key embedded in chip cards tackles counterfeit fraud by allowing the card to prove its identity. Extracting this key should be very difficult, while copying the details embedded in a card’s magnetic stripe from one card to another is simple.

The second type of fraud is where a genuine card is used, but by the wrong person. Chip and PIN makes this more difficult by requiring users to enter a PIN code, one (hopefully) not known to the criminal who took the card. Financial Fraud Action separates this into those cards stolen before reaching their owner (at a cost of £10.1m in 2014) and after (£59.7m).

Unfortunately Chip and PIN doesn’t work as well as was hoped. My research has shown how it’s possible to trick cards into accepting the wrong PIN and to produce cloned cards that terminals won’t detect as being faked. Nevertheless, the widespread introduction of Chip and PIN has succeeded in forcing criminals to change tactics – £331.5m of UK card fraud (69% of the total) in 2014 is now through telephone, Internet and mail order purchases (known as “cardholder not present” fraud) that don’t involve the chip at all. That’s why there’s some surprise over the introduction of less secure contactless cards.

Not only do contactless cards allow some transactions without a PIN, but the data can be stolen from the card and, by extension, potentially money from any account linked to it, just by brushing past someone near enough to trigger the contactless chip into transmitting.

Figures for UK card fraud reveal the effect Chip and PIN has had of forcing criminals to change tactics. So why are some banks issuing chip cards which don’t support PIN verification at all, leaving customers to sign for transactions instead? Why has the US been so slow to roll out Chip and PIN and why have UK banks actually decreased security for contactless cards? All three decisions are driven by, perhaps unsurprisingly, profit.

The share of transactions that card issuers take (the interchange fee) depends on the country and type of transaction. In the US, a lower fee is charged for PIN transactions than for those verified by signature. The fees are paid by the merchants to the card companies and banks, and this explains why merchants upgraded their terminals to support Chip and PIN long before the US banks started issuing chip cards. Encouraging banks to start issuing cards is being handled the same way. From October 2015, if a merchant’s terminal that accepts a fraudulent payment supports Chip and PIN but the card doesn’t, the card issuer pays for the cost of the fraud. If the merchant’s terminal doesn’t support Chip and PIN but the card does, the merchant pays.

Contactless cards are being promoted because it appears they cause customers to spend more. Some of this could be accounted for by a shift from cash to contactless, but some could also stem from a greater temptation to spend more due to the absence of tangible cash in a wallet as a means of budgeting.

Greater convenience leads to increased spending, which means more fees for the card issuers and more profit for the merchant – this is the real reason why the PIN check was dropped from contactless cards. The risk of fraud is mitigated to some degree by limiting transactions in the UK to £20 (rising to £30 in September), but it’s been demonstrated that even these limits can be bypassed.

Card fraud involves a very large amount of money, £479m in 2014 in the UK, and it affects many millions of people. In an EU-wide survey, 17% of UK Internet users said they had been the victim of credit card or online banking fraud, the worst figure in the EU. Some of the costs of fraud are borne by the merchants. Others are passed to the victim because the Payment Services Directive allows banks to refuse to refund customers if they can’t identify a more likely cause for the fraud than customer negligence.

However, even if all the costs of fraud were paid for by the card companies, the cost they would bear would amount to only 0.075% of the value of card transactions. This sum they could comfortably cover from the interchange fees they charge on these transactions, currently set at 0.7% of the transaction value – nearly ten times larger than the costs of fraud.

The Conversation
