Why Don't Banks Make Payment Cards Secure

Comments

  • MakeCardssecure
    MakeCardssecure Posts: 11 Forumite
    edited 1 July 2011 at 7:12PM
    CHIP and PIN was resisted because the cost of implementation was thought to be prohibitive and people would object to having to remember a PIN Number. However credit card fraud was running at such a level that there was considerable political pressure to improve credit card security and the chip and PIN system was the industry response. Improving security and reducing fraud should not be about making "a business case". I'm sure Sellafield could make a business case for dumping nuclear waste in the sea as long as someone else pays the £250m clean up... I've yet to meet anyone who would object to having a way to use their payment card over the internet safely. I've used remote authentication systems... quite frankly there is nothing to object to, it practically adds no more than 10 secs to completing a transaction. People seem to forget the dramatic 78% reduction in over the counter fraud that resulted from the introduction of chip and pin. So how can basically extending chip and pin to the internet be so wrong that I'm in a small minority?
  • David :)
    £1 of debt is too much for me!
  • I agree... but so is a lock and key but it's no excuse for leaving your door wide open. The principle of the emue card is it gives one time only pass codes so it could also eliminate pin sniffers as well. Here's how it works. Look at the emue card, all the technology is built onto the card. To get your one time pass code you enter your pin into the payment card, in return it gives you a pass code that you can enter into the payment card machine or cash point... You don't have to divulge your pin to anyone. The principle is your pin is a shared secret between you and the bank and you never have to enter it into a machine or give it to anyone. The codes are generated by your card using a shared secret code that only the bank and your card knows, you don't need to know it, all you need to know is that your pin will give you a code to verify a transaction. The transaction codes are different each time you use it and there is a less than 1 in 10,000,000 probability of guessing a code. Think about it... you can lose your card and anyone who finds it can't use it without your pin. No PIN no code... no code no transactions can be made either over the counter or internet or telephone. How can this be a bad thing? The technology exists now and yes it will take a slice out of the Bankers fat profit/bonuses to make it happen... and even though chip and pin has its problems it did reduce fraud by a significant amount, this is just the next step to making payment cards more secure.
  • bert&ernie
    bert&ernie Posts: 1,283 Forumite
    Are you selling the Emue card?

    Either that, or you are just astonishingly naive about the commercial issues that affect security in the payment card industry.
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
  • Please enlighten us on the commercial issues that are so much more important than crime prevention.


    Selling the emue card!

    Who's being naive now :rotfl:

    Please direct me to that store!
  • bert&ernie
    bert&ernie Posts: 1,283 Forumite
    Security enhancements require investment - Issuers, acquiring banks and merchants won't make this investment unless it makes commercial sense to do so.

    The Emue card that you so love is a case in point - it costs significantly more than standard plastic before you even start considering how to implement the OTP protocol across the payment card industry. You will note that an Emue card has to remain backwardly compatible with existing scheme protocols (unless private label) and still has a standard EMV chip interface, magstripe track2, PAN embossing etc.

    Granted, it's a nice piece of kit and I can see some value in convergence of standards compliant card with the functions of a PED/Reader. In answer to your original question about this - the reason why UK banks didn't touch it was that it was simply too expensive for the benefits that it would provide. This isn't to say that the technology is forever doomed, but that it just doesn't make any business sense at the moment. Although it is standards compliant, the card itself is proprietary and I can't see it being able to compete on price with generic cards and readers.

    I suppose we have established that you would like one of these cards, but may I ask if you would be willing to pay extra for one?
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
  • VISA are up and running with dynamic CVV and able to offer this to an issuing bank if they want it. It's not the full ticket but nevertheless a step in the right direction. Perhaps the up front cost of proper security pound for pound doesn't stack up for the banks, but this is only because the real cost of trying to maintain security of all that card holder data is off loaded onto merchants through the PCI-DSS scheme... it costs me as a merchant over a £1000 a year to keep on top of this and I'm just one very small business, and if I don't play this ridiculous unnecessary game I'm liable for hefty fines payable to... yes you guessed it... the banks, it's called a protection scam by another name. Now multiply this by the number of merchants out there, 500,000+ and the likes of Amazon etc are undoubtedly having to set aside £10'000's of pounds every year to security companies etc to maintain IT systems up to date etc... so conservatively £500,000,000 being spent trying to hold the water in a leaky sieve and failing badly... Of course all this money is spread thinly over millions of customer transactions so it's very easy to hide it under the carpet... it's just a few more pence on the cost of every transaction. The banks are basically pouring the pollution of fraud into society and hoping the dilution is weak enough that no one notices. Well if you're standing at the end of the pipe where it is pouring from it smells rotten and no amount of hand wringing "but we only wanted to avoid making a loss"... come off it.
  • Russe11
    Russe11 Posts: 1,198 Forumite
    Identity theft is a serious problem and every year millions of people have their Payment Card Details stolen or copied and used fraudulently. The Banks would have you believe that the problem is caused by everyone else and they are doing everything they can to protect cardholder data... utter tosh, the problem IS caused by the Banks and I've spent over two years trying to get an answer to a simple question.
    Why don't the banks implement remote authentication for cardholder not present transactions?
    The vast majority of payment card frauds are perpetrated by criminals using stolen or copied card holder information and this is only possible because whenever we make a telephone or internet purchase we quite literally have to hand over everything that a criminal needs, our name, address, card number, cvv number etc... Isn't this utterly ridiculous?
    On the internet we now occasionally get "verified by visa" and "mastercard secure"...fine words, but hold on "Please enter your password now". Ok so we've handed over our details and now we hand over our password as well. This is not secure as bogus/hacked sites could skim your password.
    This is the system that is IMPOSED on society by the banks and is the root cause of payment card fraud that costs society hundreds of millions of pounds every year. If the banks were a chemical factory that was causing this much damage to the environment I'm sure laws to stop this pollution would be quickly put in place!
    There is the alternative and it is available now. Instead of handing over all card holder data we can:
    Give our name, address, card type, last four digits of the long card number and a one time only authentication code.
    The one time authentication code is generated by a remote device that we put our card into and enter our PIN to generate the authentication code.
    This code can then be given on the internet or over the phone and does not need to be secure as it will only be valid for that one transaction and cannot be used again.
    Search for "PIN Sentry" or "Emue Card" on Google for examples of this type of system.
    I contacted VISA about the emue card, they say they offered it to UK banks but none of them took it up! WHY?
    Please contact your payment card provider and ask to speak to someone about payment card security. When you get someone ask them why they are not providing remote authentication to secure cardholder not present transactions.
    Make that call and let us know what they say... I suspect the excuses or lack of cogent responses will make for amusing reading.

    How old are you, over 40 I would assume, prob 50 plus, of course why don't we all just use cheques because of course cheque fraud never happens does it!
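
The one-time code scheme described in the posts above (a secret shared by card and bank, a PIN checked on the card, a code that changes each time and cannot be reused), shown as an added example that is not part of any post in this thread and is not the Emue or PINsentry algorithm. It assumes the standard counter-based HOTP construction (RFC 4226) with 7 digits; the `Card` and `Bank` classes, the sample PIN and the look-ahead window are hypothetical.

```python
import hashlib
import hmac
import struct

DIGITS = 7  # 10**7 codes: the "1 in 10,000,000" guess odds quoted in the thread

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Card:
    """Hypothetical card: keeps the secret, checks the PIN on the card itself."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._counter, self._bad = secret, pin, 0, 0

    def code(self, pin: str):
        if self._bad >= 3:                      # locked after three wrong PINs
            return None
        if not hmac.compare_digest(pin, self._pin):
            self._bad += 1
            return None                         # no PIN, no code
        self._bad = 0
        self._counter += 1
        return hotp(self._secret, self._counter - 1)

class Bank:
    """Hypothetical issuer: same secret, own counter, small look-ahead window."""
    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self._counter, self._window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window + 1):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1           # this code and older ones are dead
                return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"            # constructed sample (RFC 4226 test key)
    card, bank = Card(secret, "4821"), Bank(secret)
    first, skipped, third = (card.code("4821") for _ in range(3))
    return {"wrong_pin": card.code("0000"),
            "first": bank.verify(first),
            "replay": bank.verify(first),
            "third": bank.verify(third),        # card ran ahead; window resyncs
            "skipped": bank.verify(skipped)}    # older than accepted code: refused

if __name__ == "__main__":
    print(demo())
```

The code in this sketch is tied only to a counter; binding it to a particular amount or payee would mean mixing those values into the HMAC input, which the thread does not describe.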
  • Joe_Bloggs
    Joe_Bloggs Posts: 4,535 Forumite
    The question was:-
    Why Don't Banks Make Payment Cards Secure


    Your answer was
    How old are you, over 40 I would assume, prob 50 plus, of course why don't we all just use cheques because of course cheque fraud never happens does it!

    I don't think you have given the topic the thought that it deserves or read the previous posts.
    J_B.
  • bert&ernie
    bert&ernie Posts: 1,283 Forumite
    VISA are up and running with dynamic CVV and able to offer this to an issuing bank if they want it. It's not the full ticket but nevertheless a step in the right direction. Perhaps the up front cost of proper security pound for pound doesn't stack up for the banks, but this is only because the real cost of trying to maintain security of all that card holder data is off loaded onto merchants through the PCI-DSS scheme... it costs me as a merchant over a £1000 a year to keep on top of this and I'm just one very small business, and if I don't play this ridiculous unnecessary game I'm liable for hefty fines payable to... yes you guessed it... the banks, it's called a protection scam by another name. Now multiply this by the number of merchants out there, 500,000+ and the likes of Amazon etc are undoubtedly having to set aside £10'000's of pounds every year to security companies etc to maintain IT systems up to date etc... so conservatively £500,000,000 being spent trying to hold the water in a leaky sieve and failing badly... Of course all this money is spread thinly over millions of customer transactions so it's very easy to hide it under the carpet... it's just a few more pence on the cost of every transaction. The banks are basically pouring the pollution of fraud into society and hoping the dilution is weak enough that no one notices. Well if you're standing at the end of the pipe where it is pouring from it smells rotten and no amount of hand wringing "but we only wanted to avoid making a loss"... come off it.

    Right, I get where your beef is now. You're upset that the payments schemes and their member banks insist you take reasonable care of your customers' payment credentials and you want them to implement a more secure system so you don't have to worry about it. Fair enough, I suppose, but nobody forces you to accept card payments. The cost of fraud is not externalised as you imply with your pollution metaphor - it always falls on one of the parties to the transaction.
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
This discussion has been closed.