Headline news: chip and PIN works

[Dave Birch] It is certainly a paradox as to why any of us pay any attention to anything in the newspapers at all. Whenever you read about something you know about, the newspapers always get it wrong. Yet we believe them on all the other stuff they write about. “Stop talking in sweeping generalisations” you say? “Give specific examples so that we can judge” you say? OK. This is from The Daily Mail, talking about chip and PIN fraud.

If your card has been stolen or cloned and a crook has either got hold of — or deduced — your pin, your world can turn upside down in an instant.

[From SAM DUNN: Chip and pin is not foolproof yet banks blame customers | Mail Online]

Well, this is certainly true. (Although chip and PIN cards can’t be cloned – the magnetic stripes on the back of them can be counterfeited, but this has always been true). But I particularly liked this take on the banks’ response:

It also turns a blind eye to a pin having been illegally read — most likely by high-tech software undetectable by the ordinary human eye.

[From SAM DUNN: Chip and pin is not foolproof yet banks blame customers | Mail Online]

Most high-tech software is, presumably, detectable by the ordinary human eye. I hadn’t realised that you needed an extraordinary human eye to detect some of it though, so I can see why criminals might employ this devious tactic and I share the Mail’s shock at this turn of events.

This is all, of course, nonsense. I might sneak my high-tech software into the POS terminal at your local supermarket, and that might help me to get your card number and PIN, but those details are insufficient to create a counterfeit card (or at least they should be for issuers who have set the chip iCVV correctly). If your card is stolen and the thief has your PIN, and you genuinely didn’t have it written on the back of the card, then it’s a pound to a penny that they got the PIN by looking over your shoulder in the Co-op or by having a camera at an ATM and then reproducing the magnetic stripe for use somewhere that doesn’t support chip transactions (e.g., America).
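An added example, not part of the original post: the issuer-side check that makes track data read from the chip insufficient for a magnetic stripe counterfeit, because the chip carries an iCVV that differs from the CVV on the stripe. The key, card details, track layout and entry-mode labels are constructed, and an HMAC stands in for the real DES-based CVV algorithm.

```python
import hashlib
import hmac

CVK = b"constructed-demo-key"   # constructed; real verification keys live in an HSM
ICVV_SERVICE_CODE = "999"       # service code substituted when deriving the chip iCVV

def verification_value(pan, expiry, service_code):
    """Stand-in for the real DES-based CVV algorithm (assumption: HMAC-SHA256
    reduced to three decimal digits, so the example runs on the standard library)."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    mac = hmac.new(CVK, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def stripe_track2(pan, expiry, service_code):
    """Track 2 as encoded on the magnetic stripe: carries CVV1."""
    cvv1 = verification_value(pan, expiry, service_code)
    return f"{pan}={expiry}{service_code}0000{cvv1}"

def chip_track2(pan, expiry, service_code):
    """Track 2 equivalent data held in the chip: same fields, but carries the iCVV."""
    icvv = verification_value(pan, expiry, ICVV_SERVICE_CODE)
    return f"{pan}={expiry}{service_code}0000{icvv}"

def authorize(track2, entry_mode):
    """Issuer-side check. entry_mode is 'chip' or 'magstripe' (hypothetical labels)."""
    pan, rest = track2.split("=")
    expiry, service_code, presented = rest[:4], rest[4:7], rest[-3:]
    cvv1 = verification_value(pan, expiry, service_code)
    icvv = verification_value(pan, expiry, ICVV_SERVICE_CODE)
    if entry_mode == "chip":
        return "approve" if hmac.compare_digest(presented, icvv) else "decline: bad iCVV"
    if hmac.compare_digest(presented, cvv1):
        return "approve"
    if hmac.compare_digest(presented, icvv):
        # Stripe-mode transaction carrying the chip's value: data lifted from a chip read.
        return "decline: chip data presented as magnetic stripe"
    return "decline: bad CVV"

if __name__ == "__main__":
    pan, expiry, svc = "4000000000000002", "2512", "201"   # constructed card details
    print(authorize(chip_track2(pan, expiry, svc), "chip"))
    print(authorize(stripe_track2(pan, expiry, svc), "magstripe"))
    print(authorize(chip_track2(pan, expiry, svc), "magstripe"))
```

An issuer that puts the stripe CVV into the chip data as well loses this distinction, which is the caveat about setting the iCVV correctly.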

The sophistication of criminals with respect to ATMs, by the way, is particularly impressive. When I last nipped in to the “banking lobby” at my local branch, so that I could use an ATM in the warm rather than in the Siberian Winter Bringing Britain to its Knees (© any British newspaper), I noticed something new: there was a sticker on the ATM telling me that the machine had been “fitted with a device to prevent card fraud”. This led me to wonder why they didn’t send me a sticker to put on my debit card telling me that the card had been “fitted with a device to encourage card fraud” (viz, a magnetic stripe).

I have no idea why my debit card has either a magnetic stripe or embossing either, and it’s not clear to me why it has my name and bank account number on it as well, and I don’t know why it has a signature strip on the back when I don’t want to use it for signature transactions under any circumstances. (Rather oddly, I also notice that the EMV configuration of my splendid payments watch says that it is configured to allow signature transactions, even though there is nowhere on the watch to put a signature strip.)

Let’s not panic. Whatever you think about chip and PIN, it works. In chip and PIN markets, like the UK, card present fraud is going down. The criminals aren’t giving up, naturally. The fraud is being transferred to card-not-present (CNP) and magnetic stripe fraud, particularly in the USA. I notice that Australia is on a similar trajectory:

But fraud shot up on Australian-issued cards, from $12.9 million in 2010 to $16.4 million in 2011, the highest figure since APCA began publishing statistics six years ago.

[From Massive Payment Card Upgrade Has Mixed Results in Australia | PCWorld Business Center]

I know nothing about the Australian payment card issuing systems, but I’ll bet the rise in fraud is because stripe data is being used online and in the US, not because someone has figured out a way to counterfeit domestic EMV cards.

The U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash

[From U.S. Leads the World in Credit Card Fraud, states The Nilson Report | Business Wire]

Criminals from around the world are shipping card data to the US to make counterfeit magnetic stripe cards and then using them to withdraw money from ATMs or hit retail stores. Amazingly, domestic American criminals can be rather conservative in comparison to these enterprising world fraudsters. In the US…

Criminals still target checks more than other types of payments.

[From Payments Fraud Remains High]

So why carry on using them? But that’s another point entirely. Card fraud is an industry and, like any other industry, subject to the disciplines of specialisation and mass production, and these will inevitably push more and more card fraud beyond the borders of chip and PIN.

The gang was split into different cells, with certain groups responsible for stealing or modifying terminals, while others made large withdrawals from ATMs. Yet another group specialised in the installation of cloning devices and cameras on banking terminal overlays.

[From Finextra: Mounties bust C$100m card fraud ring]

Incidentally, the US isn’t the only country with a serious card fraud problem.

According to the Aite Group poll of 5223 people – around 300 for each country – Mexicans are the most likely to fall victim to fraudsters, with 44% hit in the last five years.

Chip and PIN-less America comes second, on 42%, followed by India on 37%. The UK ranks sixth on 34%, well above its European neighbours, Germany (13%) and the Netherlands and Sweden (both 12%).

[From Finextra: Global card fraud continues to rise - survey]

I have no idea why this should be, but I suspect that it may be because no-one in Germany or the Netherlands or Sweden writes cheques, uses credit card numbers online or uses magnetic stripe and signature cards very much.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
