Chip 'n' Pin - A Quick Guide Discussion Area

MPH80

I need to add somethings here because my last post was finished in a hurry since my cooker was beeping at me and I didn't want my smoke alarm doing the same.

Point 1: I'm not saying this system is fraud proof. There are several major avenues for fraud to take place. Notably the point of adding the hand image to the chip and also the fact that the magstripe is still present.

Point 2: The existing system is still wide open to fraud while it is rolled out over the world.

Point 3: The ideal system would actually involve validating a unique biometric against a central database. However, since a lot of terminals have to be offline, that is impractical. It is also impractical at today's prices to roll out a unique biometric scanner.

Point 4: This system DOES NOT work for disabled people. An alternative would have to be found.

Point 5: The impracticality of having everyone present themsevles at a bank is noted and is probably, along with the need to roll out yet new terminals to the world, the death knell for the idea. (I'm a very practical guy - I can see why people wouldn't do it).

But what this solution does provide is extra security over and above what we have now.

Of course, this solution would never be implemented. The cost, even though it is cheaper than other biometric alternatives, is still too high and the impracticalities in it would put most implementers off.

Having said that, security wise it is still higher than we are today. And it removes the need for a human to verify the data, which James' solution does not.

M.

zincoxide

MPH80 & JAMES - Having read both posts, you have both come up with reasonably good ideas, but they both rely on new solutions which, as MPH80 admits, would not be implemented due to cost.

Can you think of a way for fraud to stop with the current systems in place?
I'm struggling to think of one that will create a win for the consumer as well as protection for retailers and banks?

MPH80

Hi Zincoxide,

I'm afraid, with the current system in place, the only solution is to get it rolled out as fast as possible.

The EMV cards have been in circulation for several years (2003?) now (I think the specification was originally released in 2000). They haven't been broken yet, which is longer than I expected.

The reality is that, at some point, someone WILL find a way to break the chips. But as long as someone in the world is willing to take a magstripe - there is a huge weak link in the chain.

The only option, right now, is to roll out as quick as possible.

M.

James

HI Zincoxide,

MPH80 offered a well thought out option, and I agree that the weak point in the present system is both Magstrip and PIN.

It's impossible to roll-out the current system as fast as possible - even in the UK retailers make a commercial decision whether to implement C&P or not, world-wide many countries are dragging their heals.

We in the UK have been used as the EMV (C&P) test bed and I expect others are watching closely.

Which takes me back to my original points:

Until the card industry can demonstrate that they can keep your PIN secret then surely at this moment in time and the forseeable future:

1. Cardholders should be made aware that Chip & Signature cards are an option.

2. Victims of PIN based fraud should not be denied access to their cash which happened in the following example:

http://www.leamingtonspatoday.co.uk/ViewArticle2.aspx?SectionID=691&ArticleID=1512103

The type of PIN pads reportedly rigged can be found here:

http://www.trintech.com/SmartPINPad.html

movieman

Not perfect, but good enough to prevent fraudsters from being able to randomly steal a card and pretend to be you.

If the only thing the thief needs is your card and your hand-print, they can just hack off your hand. Or will your scanner be able to tell the difference between a live hand and a severed hand?

And don't say that no-one would cut off their victim's hand for the sake of a few thousand pounds, because there are plenty of people who would, particularly in the poorer parts of the world where that amount of money would make them rich.

The same goes for other means of biometrics. If you think having your PIN stolen is bad, wait until iris-scanning or fingerprint scanning becomes popular.

James

Movieman,

When someone discovers your PIN (and it's easy) you maybe mugged for your card, or in most cases cards. Just lets hope that if you're carrying more than one card that you don't use the same PIN for each card.

It will happen.

lisyloo

When someone discovers your PIN (and it's easy)

How is it easy to get hold of your PIN?
I shread all paperwork.

James

“There are over 20 types of 'scamming' devices ranging from those that combine a mini-camera to record PIN numbers with a secondary device to retain cards for collection later to other more high-tech equipment which transmit card details to people located nearby""



http://worcester.standardtoday.co.uk/news.tvt?_ticket=XC3RN9KACK3SMLDEIOQNBP0DALOLQEHFURUSKONGASULBPOJEKRGUU21S0MAAQ6EAKLAEUTJTRRHVQN9ANVRELKACJ5U1QRFK1VI9NTHLF3NBHSJ7WQFIRY4X9SEAOY9CHYHTRRMLNNAHQSEARQ9CHZKTRRIT07MK&_scope=Flow/Websites/Worcester/News&id=2892

I should be able to present readers with a victims experience of this where a victim didn't divulge their PIN and their card issuer doesn't believe them. I await their permission before submitting the post. This has just happened.

student100

Hmm. MPH's idea about authenticating biometrics on the card gave me a bit of an idea.

How about "chip and PIN and signature" cards. BUT the signature doesn't appear on the card itself; instead a digital representation is stored on the chip.

Then at POS the customer would use Chip & PIN as normal, but also they would be required to sign an electronic pad (touch sensitive screen) with a stylus. The card, rather than a human, would do the signature verification.

I know electronic signature terminal things are used already (I believe in the US they are used for some debit cards, I've seen them in WalMart stores) but I don't think there is actually any computer validation of it.

I know there are probably technical limitations, especially as signatures can vary so much from one signing to another... I appreciate that digital image processing isn't by any means a straightforward task, but I would imagine the technology probably exists to cope with this sort of thing?


A couple of notes with this suggestion:

It would be completely backwards-compatible with EMV chip & PIN - which is on the one hand a major flaw, but there isn't going to be any other practical option in the foreseeable future.

The signature need not be a signature at all - in fact maybe a reasonably unique personalised "doodle" - a pattern you could draw reasonably similarly again and again - would be better.



Just a quick thought...

James

MHP80

The system I currently use with my Chip & Signature Cards suits me. This is a follow-on from the system I have in situ to protect myself from ID theft:

http://news.bbc.co.uk/1/hi/programmes/moneybox/3574779.stm

http://www.24dash.com/content/news/viewNews.php?navID=34&newsID=3685

Neil Munroe, a director at Equifax, said, "It is certainly one answer and makes a lot of sense."

The same system was recently introduced by the Car Hire Companies at Stanstead Airport - and before you hire a car you have to produce documents such as passports, licenses and use plastic to pay.

http://www.uk-airport-news.info/stansted-airport-news-010506.htm

So guess how I've signed the signature strip on my Chip & Signature cards?

Does the system work? Well here's some results when the system was used on a voluntary basis.

http://www.caithness.org/fpb/october2002/thumbprints.htm

Every single retailer where I've used my Unique Signature has been 100% supportive, this has included Shell Stations.


I have no financial interests, buy anyone wishing to use the system, a voluntary contribution to Cancer Research or St Catherines Hospice, Scarborough wouldn't go amiss.




Discuss.