

More info on Chip & Pin issues

As I posted earlier (welcome if you’ve come here from boingboing by the way, please be sure to look around), Shell have stopped taking Chip & Pin payments at 600 petrol stations in the UK. It got me thinking about how these things work, and to tell you the truth it all looks a bit scary. Privacy Commission has some interesting notes on how these things work.

Chip & Pin, or the EMV Card Payments System to use its real name, is a means of accepting electronic payments in a way that’s supposed to be more secure than the existing magstripe and signature system. Effectively you have the Pin replacing the signature (as I said earlier), and you have a chip, which is a standard USIM-compliant chip similar to the one used in a mobile phone. In the UK the chip isn’t necessarily always used; apparently the Pin can be used as a drop-in signature replacement on its own, but I could do with some confirmation on this.

Now there are at least two problems with this that I see straight from the off.

  1. The Pin is the same Pin used for making cash withdrawals. This means that someone with your Pin could withdraw cash as well as make purchases. Is that less secure? Well, do you put your signature into the ATM? So the problem is that you’re potentially giving away more than just the ability to acquire goods.
  2. The Chip part of the equation uses Triple DES. Why isn’t this AES? I can see why Triple DES would be chosen over, say, Double-ROT13, but why, for the love of god, not something less… broken? EMV obviously didn’t learn the lessons from GSM and A3/A8.

The fundamental problem with all this is that you can’t actually send the PIN over the Internet for on-line transactions. If that happened then there’d be no segregation between in-person and cardholder-not-present transactions (this is one of the reasons you have the CV2 number on the back of the card). I’d also bet that someone would find a way of getting all of the necessary information onto a blank card (a la regular card skimming) to take it into town and go shopping. The good folks at Chip and Spin have clearly spent some time on the theoretical problems and it looks like there are heaps of them.

Now of course, cloning a card with a chip on it is probably more difficult than skimming a straight magstripe card, but provided we know the Pin it’s likely to be significantly easier than if we didn’t. The problem here is that whilst signatures (when checked) are quite difficult to forge, a 4-digit Pin isn’t. At this point you’re reliant upon other forms of evidence to prove that the withdrawal wasn’t you, such as CCTV. This is all well and good, as the bank should cover you for your losses, right? Wrong. As pointed out on the Chip and Spin website, the voluntary banking code of practice has a clause on liability that says that whilst the bank must show that the customer acted fraudulently or without reasonable care, or be forced to reimburse the customer, there are major get-out clauses for the lender. From the Chip and Spin site:

Firstly, Section 12.5 of the code of practice tries to define reasonable care, but it in fact includes the phrase “Always take reasonable steps to keep your card safe and your PIN, password and other security information secret at all times.” as one of the conditions. Reasonable care is not adequately defined.

Whoa there boy. So not only is reasonable care not properly defined, there are specific steps required which are as clear as mud (what are reasonable steps anyhow?). To make things worse (or better, if you’re a bank) the code doesn’t state to whom the lender has to prove that the customer acted fraudulently or without reasonable care. This means that the bank can simply decide arbitrarily that you were fraudulent or negligent and choose not to reimburse you. Great stuff eh?

In the previous post I noticed that there was a French commenter who mentioned that they’ve had Chip and Pin for decades and it got me thinking. If this is happening in the UK, what is happening elsewhere? Is Chip and Pin taking off stateside? How about the rest of Europe or further afield? I guess at the end of the day I’m left with the same question as I was in the last post: Will the people who lost their money due to the fraud be reimbursed?


Posted in Business, Links, News, Security.


13 Responses


  1. Schnitzelowski says

    Stateside? I can tell you nothing is brewing yet. But I will tell you per the “reasonable” question (stateside), if the bank can tell it’s counterfeiting (different area, ‘real’ card used somewhere else same time) it’s fraud and the customer is reimbursed. However, if your neighbor used your card and you attached a sticky note to the card with your pin (yes, people do do that), then you’re not reimbursed. Also, if the transaction happened in your local area, the police can check the video surveillance… Good article.

  2. steve says

    Seems like you might be getting a better deal than us. I know one person whose high street bank refused to refund him when his account was used in Scotland (about 600 miles from where he last made a withdrawal) because he “could’ve driven up there, made the transaction and driven back” – he was actually told this by his bank and lost over £250 (the maximum withdrawal limit at the time minus what he’d taken out for work that morning). Said high street bank lost a customer more or less immediately but I guess they didn’t care.

  3. martinb says

    Your logic is faulty again. Yes, some banks are bastards at accepting liability. But it’s reasonable to expect that customers not taking care of security information (say by leaving their cards out lying on their car dashboard to pick an extreme example) shouldn’t be protected. However, this still isn’t a feature unique to Chip & Pin.

  4. trix says

    I don’t understand the problem that you lot in the UK have with this kind of thing. We’ve been using EFTPOS in the antipodes (Aust/NZ) since the late 80s, without anywhere near the amount of fraud encountered over there.

    When I lived in the UK, I was horrified by the signature system, since 95% of the time no-one bothered checking signatures. I think using a PIN is much more secure, generally speaking.

    It’s simple, really. When it comes time to pay, you go to the register and do it – no need to let the card out of your sight. If you’re so stupid as to let someone whizz your card through some kind of black-box before running it through the proper machine, you deserve everything you get.

    With internet banking, paying a bill has NOTHING to do with your bank card (or PIN). You log onto your account using the usual (hopefully decent) security there and make an account-to-account transaction. In Australia, they use the BPAY system – you can either pay a bill via internet banking and a biller’s BPAY number, or you can call into a post office and BPAY there.

    I also don’t see what your quibble is with “reasonable care”. That’s a common statement in the financial industry – you are supposed to take “reasonable care” of your insured goods as well. I certainly don’t agree that banks should contract out of any liability – but that isn’t the case here. What that regulation says is that the *burden of proof* of any negligence falls on the bank – they should reimburse you unless they have *good cause* not to. So, while some stupid bank officer may make a wrong decision, when you take them to the Small Claims court, the bank will have to pay up (unless of course you *have* been negligent, according to the magistrate). It’s not a get-out-of-jail-free card for the banks.

  5. steve says

    MartinB I think we’ll have to agree to disagree here. The shift in liability has everything to do with Chip & Pin. The changes in the banking code are specific to Chip & Pin so it is a feature, at least IMHO. The problem with all of that is that they don’t define reasonable care or where the burden of proof lies.

  6. mike says

    Not convinced. I once (pre chip and pin) used a card for 18 months with no signature on it. Why 18 months? That was when I was eventually asked why there was no signature on the back. I said ‘oops’ and signed it there and then in front of the cashier who proceeded to process the transaction for me. I’ll see your techno obsessed Triple DES / AES discussions and raise you dumbass checkout monkeys. Get a grip on reality.

  7. Peter says

    The chip does at least make it a little harder to clone all the card info with the “false fascia on ATM” technique, at least for cash machine use, but as noted it’s just card number that you need for online shopping at the moment so people can still go on a spending spree. Banks are deploying systems to detect and check “suspicious” transactions, like suddenly spending £500 on something in a US webstore when that is not your normal purchase pattern, but these aren’t perfect and people are often annoyed that their legitimate purchases are delayed by the necessity to contact the bank by phone to authorise the payment.

    As Mike said, the PIN does enforce better checkout security than often illegible signatures that are barely checked (I used to work as a sales monkey and we were told not to bother querying signature irregularity).

    The burden of proof quite obviously rests with the banks to prove negligence. The guy who got stiffed by his bank over the Scottish withdrawal should have turned around and asked them to prove it or see him in court – very often financial institutions will try it on (like insurers faffing for ages in the hopes you give up) and standing up to them often produces an instant reversal. If not, pursue them through the courts.

    The “reasonable steps” is a potential issue if it comes to litigation, but the real question is not how they got your PIN, but how they cloned your card. I can pick up PINs standing in line at the supermarket as 90% of terminals don’t have good line of sight guards. Getting the matching card details is trickier without alerting the affected party (by stealing their wallet to get the card or similar) and thus having them cancel the card.

    It’s not a perfect system, but it is an improvement on signatures and mag strips alone. Biometric confirmation would help, but only in combination with a PIN or similar to negate the false positives problem and when the 1st try match % rises to the 95%+ range. Premature deployment will just irritate customers and put more people in queues for bank tellers to get cash and cheque books.

  8. matt says

    I think you’re a little paranoid about banks, they’re regulated to the hilt so it’s hardly like they’ll decide “arbitrarily that you were fraudulent or negligent and choose not to reimburse you”. It wouldn’t be good for their own reputation or the industry.

    There will always be cases where the wrong decision is made, but you can appeal or go to the banking ombudsman. The fact you said you know one guy who once got refused a refund doesn’t mean it’s widespread.

  9. Brian says

    Reasonable, in UK law at least, is a philosophical question. The question in court being “would a reasonable man x”; in cases that come to court where it isn’t clear what a reasonable man would do, the jurors have to decide what is reasonable in their opinion.

    Although banks are regulated to the hilt there are certain things that they will fight tooth and nail about. In the UK they still refuse to accept that a ‘phantom withdrawal’ can happen, i.e. one where there is supposedly no way the card can have been cloned and its PIN discovered, i.e. clones of cards that haven’t been delivered yet, and attempts to use credit cards for cash withdrawals with a valid PIN when the card holder has never requested the feature.

    See:
    http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
    and
    http://blogs.guardian.co.uk/technology/archives/2005/10/24/how_atm_fraud_nearly_brought_down_british_banking.html

    The important things to note are
    1. The banks claim to be infallible.
    2. Bank computing/security staff went bad, and abused their system access.

    The infallibility of the UK banking system has never been effectively demonstrated in court.

  10. otto says

    There is a really cheap and simple system that has been in use in Hungary for over five years that has got fraud down to less than one twentieth (1/20th) of the UK fraud rate, and it gets the card holder involved. The bank simply sends you a text message whenever the card is used (including amount and location details). If you didn’t make that transaction you simply reply ‘blk’ and the bank shuts the card down immediately, stopping the fraud in its tracks. This works wherever your card is used, including online. This approach has been successfully copied by banks in Italy, Spain, South Africa, etc. but not in the UK, although the banks do know about it … guess the ~£500M cost of fraud they pass on to consumers is seen as the best they can do

  11. Ross says

    otto – that sounds like a good idea but my UK bank has started charging me 2.50GBP / month for sending me weekly ‘mini statements’ that used to be free. I wouldn’t be surprised if they tried charging us for the service you describe too, even though it could save them millions in fraud.

  12. Rose says

    As you said above in your article about being able to use video surveillance to check if the transaction was carried out by yourself, I believe there is a way of doing this if only the banks and stores would enforce it.

    An organisation called NEC specialise in the leading technologies of Digital Identity Management solutions and one of their services is NeoFace, face recognition software for video surveillance. (More on this in my article on our website)

    Why can’t they work together in making Chip & PIN safer? Or are they wanting to see the service die out because it might just be a threat to both us and them?

    Rose

Continuing the Discussion

  1. SnakeOil Labs » Shell stops accepting Chip and Pin in Fraud Fiasco, BP to follow? linked to this post on May 7, 2006

    [...] Previous: Meet the FBI Porn Squad | Next: More info on Chip & Pin issues [...]


