Money Links

25 April 2008

Learning from the UK EMV deployment

[Dave Birch] There's a great podcast here if you're interested in learning lessons from the U.K.'s "chip and PIN" rollout...

With Chip & PIN fully established across the UK, fraud figures are painting an interesting picture of its impacts. Is it really making a difference when it comes to the never-ending battle against fraud? Consult Hyperion's Richard Allen discusses card fraud in an EMV world with AVISIAN Executive Editor Chris Corum.

[From re:ID Podcast]

Richard makes the point that the rise in fraud on the cards here is not "chip and PIN" fraud, it's "PIN" fraud. Since criminals can use data from the chip to make counterfeit magnetic stripe cards (not for too much longer, hopefully), fraud is still going up.

Continue reading "Learning from the UK EMV deployment" »

27 February 2008

Once again, it's "PIN fraud" not "chip and PIN fraud"

[Dave Birch] Well that was dull. I got all excited about this...

Whatever you buy in the shops, you probably pay with a chip and PIN card. Tonight Newsnight has exclusive evidence that they are vulnerable to fraudsters. The implications could be huge for millions of shoppers. We'll be asking what the banks are going to do about it.

[From BBC NEWS | Talk about Newsnight | Tuesday, 26 February, 2008]

But it turned out not to be an exciting breach of chip and PIN security, using (for example) liquid nitrogen to extract keys or something similar, leading to "chip and PIN" fraud, but "PIN fraud" as usual. The allegation -- which is, as far as I know, wholly true -- is that track 2 data and PINs are being stolen from compromised terminals and then used to create counterfeit magnetic stripe cards. Sandra Quinn from APACS, who was being tortured by Paxo (it's a peculiarly British bloodsport), said -- again, wholly true -- that ICVV has been introduced from 1st January 2008 to mitigate this particular fraud. For the uninitiated, ICVV replaces the CVV in the Track 2 (equivalent) data stored in the EMV chip. Thus, if a bank host sees a magnetic stripe transaction with the ICVV in it, it knows the stripe is a counterfeit. The ICVV varies from the CVV by replacing the PAN Sequence Number with 99 instead of the actual value when deriving the code.

I must point out, in the spirit of shared openness and truth seeking, that we just checked the three cards we could find in our office that were issued after 1st January 2008 and we found that the Barclaycard and the Nationwide card do have ICVV, the other unnamed large U.K. issuer's card doesn't have ICVV. So, on balance, Sandra wins!
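To make the host-side check concrete, here is an added example of my own; it is not Consult Hyperion's, APACS's or any card scheme's code. It follows the post's description (the ICVV is the CVV derivation with the PAN Sequence Number set to 99, and a stripe transaction carrying the ICVV must have been built from chip data) but assumes HMAC-SHA256 in place of the real DES-based CVV algorithm, a made-up card verification key (CVK) and card record, and that the issuer put the code in the last three digits of the track 2 discretionary data. The names `derive_code`, `classify_authorisation` and `ISSUER_RECORDS` are all hypothetical.

```python
import hashlib
import hmac

# Constructed issuer-side data for this example (not a real key or card).
# A real card verification key (CVK) lives in an HSM; this one is made up.
CVK = bytes.fromhex("0123456789abcdeffedcba9876543210")

# Issuer's record of the card: the real PAN Sequence Number (PSN) is needed
# to recompute the CVV. The card number below is a constructed test value.
ISSUER_RECORDS = {"5412750000001234": {"psn": "01"}}


def derive_code(cvk, pan, expiry_yymm, service_code, psn):
    """Derive a 3-digit verification code from card data.

    Assumption: HMAC-SHA256 stands in for the scheme's DES-based CVV
    algorithm, which the post does not describe. What the post does say is
    kept: the ICVV is the same derivation with the PSN replaced by 99.
    """
    msg = f"{pan}|{expiry_yymm}|{service_code}|{psn}".encode()
    digest = hmac.new(cvk, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest, 'big') % 1000:03d}"


def expected_cvv(pan, expiry_yymm, service_code):
    psn = ISSUER_RECORDS[pan]["psn"]
    return derive_code(CVK, pan, expiry_yymm, service_code, psn)


def expected_icvv(pan, expiry_yymm, service_code):
    # Per the post: ICVV replaces the real PSN with 99 when deriving the code.
    return derive_code(CVK, pan, expiry_yymm, service_code, "99")


def parse_track2(track2):
    """Split track 2 (or track 2 equivalent) data: PAN=YYMMSSS<discretionary>.

    Assumption: the issuer placed the verification code in the last three
    digits of the discretionary data; the real position is issuer-defined.
    """
    pan, rest = track2.split("=")
    return pan, rest[:4], rest[4:7], rest[7:][-3:]


def build_track2(pan, expiry_yymm, service_code, code):
    """Constructed track 2 string with the code at the end of the discretionary data."""
    return f"{pan}={expiry_yymm}{service_code}0000{code}"


def classify_authorisation(entry_mode, track2):
    """Host-side verdict on an authorisation request.

    entry_mode is 'chip' for an EMV transaction (track 2 equivalent data read
    from the chip) or 'magstripe' for a swiped card.
    """
    pan, expiry, service_code, code = parse_track2(track2)
    if pan not in ISSUER_RECORDS:
        return "UNKNOWN_CARD"
    cvv = expected_cvv(pan, expiry, service_code)
    icvv = expected_icvv(pan, expiry, service_code)
    if entry_mode == "chip":
        # The chip legitimately carries the ICVV in its track 2 equivalent data.
        return "GENUINE_CHIP" if code == icvv else "CODE_MISMATCH"
    if code == cvv:
        return "GENUINE_STRIPE"
    if code == icvv:
        # A stripe presenting the chip's code: track 2 equivalent data was
        # copied from the chip onto a counterfeit magnetic stripe.
        return "COUNTERFEIT_FROM_CHIP"
    return "CODE_MISMATCH"


if __name__ == "__main__":
    pan, expiry, sc = "5412750000001234", "1012", "101"
    genuine = build_track2(pan, expiry, sc, expected_cvv(pan, expiry, sc))
    from_chip = build_track2(pan, expiry, sc, expected_icvv(pan, expiry, sc))
    print("swiped genuine stripe :", classify_authorisation("magstripe", genuine))
    print("swiped copy of chip   :", classify_authorisation("magstripe", from_chip))
    print("chip transaction      :", classify_authorisation("chip", from_chip))
```

The point of the branching is that the same three digits are a pass in one channel and a red flag in the other: the host must know the entry mode before it can say whether the ICVV is expected, which is also why an issuer that has not yet moved to ICVV (like the third card in the office check above) cannot tell a chip-derived counterfeit stripe from the genuine article.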

Continue reading "Once again, it's "PIN fraud" not "chip and PIN fraud"" »

26 February 2008

Don't panic!

[Dave Birch] Just a note to assure everyone that the sky isn't falling in, despite the rash of press reports about contactless payment card security over the last few days. A number of articles have pointed to Adam Laurie's recent demonstration that American Express "ExpressPay" chips work exactly as per their specification and in line with the relevant international standards:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen -- the person's name, account number, and expiration clearly visible. As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing. However, Laurie noted that the captured account number could still be used for online transactions.

[From The hands-free way to steal a credit card | Defense in Depth - computer security, hacking, crime, viruses - CNET News.com]

Adam is a great guy and he does excellent work, but on this one he's wrong. You cannot use the alias PAN (ie, the PAN given up via the contactless interface, not the one printed on the card) in anything except a contactless transaction and you cannot use it to make a bent contactless card because you need the Amex security keys in order to generate the right digital signature. If you attempt to use the alias PAN in an online transaction, the Amex host will decline it.

Continue reading "Don't panic!" »

10 January 2008

Don’t worry, it still works fine

[Dave Birch] There are lots of fraud stories around today, including the one about the fraudster who managed to con high street bank Barclays out of £10,000 in a credit card scam by posing as the bank's own chairman, Marcus Agius. It seems as if the card fraud meme has been spreading. I don't know if you saw this wonderful story in The Guardian back in December, but it was about the English town of Letchworth (the world's first garden city) and the essence of the story was that card fraud is so out-of-control that a kind of panic has set in. I won't reproduce all of the details here, but I wanted to pull out a few key quotes from the story in order to make a couple of points and to reflect on the conclusion of the story, which is that whole communities are losing faith in payment cards and are turning back to cash-only transactions. The meme has been spreading through various channels and there are more and more stories about the failure of chip & PIN (ie, failure to eliminate fraud), the rise in ATM fraud, CNP fraud and so forth. But I'm getting ahead of myself. In the Letchworth story, the reporter found many people "boycotting" outdoor cash machines, and, in some cases, abandoning the use of payment cards at retail POS.

Shoppers at the Shell petrol station told us they will never use their bank cards to pay for fuel again, after witnessing the chaos caused to friends who have had bank accounts plundered by fraudsters. Outdoor ATMs are strangely quiet, while inside banks there are queues of customers taking out cash.

The story says -- and I'm not questioning it -- that in the town (of 33,000 people) virtually everyone the reporter met had either been the victim of card fraud or they knew of someone who has had money illegally taken from their bank account. Usually the illegal withdrawals take place in Australia. This is a novel twist (it's usually Italy or Bulgaria) suggesting a specific gang at work. Several people said they were now only using cash. Almost all said they would no longer use cash machines unless they were inside the bank. One specific problem identified was -- hello 2006 -- the petrol station. Card-reading equipment at the Shell garage, on the main road in and out of the town, was compromised. Another was the bank. An ATM at a bank branch had a skimming device fitted. The local paper reported the stories with additional coverage when it emerged the problem had spread to another Shell garage in nearby Hitchin. I'm not trivialising the issues: the stories involve real people, such as

Hilary Gibson defaulted on her mortgage because thieves stole the £700 she had deposited to cover the payment the following day. Leisa Virgo from Hitchin was another victim. When the bank called to check a payment, she immediately cancelled the card - but not before £300 had been withdrawn.

Hertfordshire police also reported that CCTV monitoring had foiled another attempt to install a skimming device at another ATM and four people were arrested. Nevertheless, residents such as Peter Merrigan are concerned:

To be honest, I have stopped using bank cards... I now prefer to go into the bank and get out my money the old-fashioned way - I certainly wouldn’t use a cash machine.

The reporter found the ATM outside the Barclays branch with wires hanging out. It had clearly been attacked. The staff were sanguine:

Don’t worry, it still works fine.

I'm not sure that the residents have been doing their risk analysis homework, because (and here I agree with the APACS spokesman) carrying around wads of notes is (I'm sure) more likely to lead to loss than carrying around a card: if I lose a tenner, it's gone for good, but if my card is skimmed I'll get the cash back from the bank. Sorted. Since I never, ever, use my debit card except at ATMs, I feel fairly comfortable. But then I don't live in Bicester, where fraudsters tried to attach a skimming device to every ATM in the town, or Houghton on the Hill, where the local garage was compromised so that everyone's card details were stolen.

Continue reading "Don’t worry, it still works fine" »

02 January 2008

Horses for courses

[Dave Birch] I wonder if 2008 will be the year of the contactless card? Trevor Pavey, Contactless Payments Manager at Texas Instruments has a nice turn of phrase: he says that contactless payments this year will be about three Ms: merchants, mobile payments and multi-applications. That sounds plausible, but I'm sure that in the immediate future it is the merchant take-up that is the dominant driver. While the roll-out of contactless payment cards around the world has been steady, it hasn't been a tsunami. One reason might be that lack of customer awareness is impeding the usage and adoption of contactless payment systems. According to the research cited (by Aberdeen), 63% of Best-in-Class companies that have already adopted contactless payments at retail locations are responding to the challenge of customer awareness by defining a set of return-on-investment (ROI) objectives and goals surrounding contactless implementation. I'm not entirely sure what that means, but I think I understand the big picture they outline: two-fifths of the Best-in-Class companies have implemented a contactless solution, and another two-fifths are considering implementation, which means that only a fifth are not looking at it for the time being. Of those who have implemented contactless technology, 91% have improved their total number of transactions, and ALL (my emphasis) have 80% or more of their customers extremely satisfied. Those seem like encouraging figures to me even if there is a lack of awareness.

Continue reading "Horses for courses" »

24 October 2007

It was a cunning plan

[Dave Birch] It's amazing to me -- no, not amazing, more kind of quaint, reassuring and comforting -- that in this high-technology e-money world, there are crooks who still try to rob banks the old fashioned way. Not the modern way (by working for them as traders) but the old fashioned way. There are still people out there who rob banks with shotguns. And there are still people out there who make dodgy banknotes. An example being the gang of Chinese counterfeiters currently on trial in London for attempting to defraud the Bank of England of more than TWENTY EIGHT BILLION POUNDS. Yes, that's right. They tried to cheat the Bank of England out of more than FIFTY BILLION DOLLARS by swapping 360 "special-issue" £500,000 notes and 28 million £1,000 notes for lower denominations. Unfortunately, there were two tiny flaws in their masterplan: the Bank of England has never issued a £500,000 note and £1,000 notes were taken out of circulation in 1943 (and there are only 63 of them not accounted for). The criminal geniuses tried to get the Bank of England to accept £1,000 notes with the signature of Jasper Holland, the chief cashier in 1963. Now, far be it from me to criticize -- I know virtually nothing about counterfeiting -- but c'mon guys. Didn't anyone think that the Bank of England might double-check if someone turns up with twenty eight billion pounds in used notes? The only way to get away with this kind of thing is to skim off a small amount from each legitimate note in circulation (like the Chancellor of the Exchequer does).

Continue reading "It was a cunning plan" »

28 June 2007

EMV USA

[Dave Birch] EMV migration in the UK is complete, as you all know, and the fact of the matter is that it went pretty smoothly and on the whole, worked rather well. According to APACS cards and fraud control manager of operations, Martin Lewis, and head of cards technical unit David Baker, there are now 133 million chip and PIN cards in operation, supported by 900,000 sales terminals and more than 61,000 ATMs. The migration is spreading around the world, all the way up to the U.S. border. When even Canadian and Mexican migration is complete, will the U.S. then be forced to issue EMV? Probably not, because of on-line authorisation. Besides, who knows what new technologies will be dominating the retail payments space by then?

Continue reading "EMV USA" »

15 May 2007

Ten more years of technology

[Dave Birch] I was asked to write something about the next ten years of technology in retail e-payments, so I thought it might be a good idea to begin by looking at how things have changed over the last decade. Thinking about it, the answer is not much. All of the technologies that the payment card industry is focusing on today were already in use ten years ago (with one exception, and that is NFC). Ten years ago, we (the payment card industry) had already started to plan for EMV migration, which it has to be said went remarkably smoothly in the first country to move, the UK. Ten years ago there was a biometric ATM installed (in Swindon, my home town and the payment city of tomorrow). Ten years ago we had already started using credit cards on the Internet. Ten years ago we were already talking about mobile payments and the strength of the customer proposition around the GSM handset: many people thought that would be the next big thing, remember? Well, the EMV roll out is continuing and in many countries the members are now moving their plans on to the next phase of smart card evolution, the development of chip-based value-added services for customers and for merchants. We might have liked to see things move faster with respect to chip migration, but on the whole it is proceeding well. By comparison, I think payment cards have performed poorly with respect to the Internet. Back in 1997, cards supported almost all e-commerce. Next year, they will account for less than half of all online purchases (despite increasing their share of total consumer spend). The false start with Secure Electronic Transactions (SET) and the slow take-up of 3D Secure have led us to the point where, in the UK at least, CNP fraud is now as big as total card fraud was when we began the EMV journey. Clearly this is going to change, and change soon.

Continue reading "Ten more years of technology" »

16 March 2007

Comforting phone call

[Dave Birch] There are some strange things going on in the world of chip and PIN. First of all, the Scottish Grocers' Federation (SGF) Retail Crime Survey for 2006 shows that card fraud in Scotland's convenience stores has gone up by 54% since the introduction of chip and PIN, an increase for which they can provide no explanation, which is even more odd considering that card fraud is continuing to fall at other kinds of retailers. I'm really, really curious to know if anyone has any theories. Second of all, the issuer of one of my UK credit cards called...

Continue reading "Comforting phone call" »

25 January 2007

Alternative to what?

[Dave Birch] I heard the phrase "alternative payment technologies" at a meeting today. I wonder what it means? Payments News noted a report out from Pelorus about alternative payment technologies in the US, predicting 15-fold growth over the next five years. The alternatives they look at include contactless (which I would argue shouldn't be seen as alternative any longer), smart cards (which are what contactless payment cards are, even in the US), SMS (which is about as mass market as you can get, although I just can't see it taking hold for payments in the developed world), biometrics and NFC. But I'm wondering what they are an alternative to.

Continue reading "Alternative to what?" »

08 January 2007

Threats and threats

[Dave Birch] I have had a few calls from journalists about the chip & PIN "Tetris stunt". Basically, some guys at Cambridge took the innards out of a chip & PIN terminal and replaced them with something else. I didn't think this was terribly interesting, but then I don't know anything about marketing and publicity! As I've mentioned before, I do find it odd when journalists call about something like this: they're effectively saying "hey, is it true that banks, retailers, suppliers -- and their consultants of course!! -- are so dumb that it's never occurred to them at any time in the last decade that criminals could build a device that looks like a POS terminal but really isn't in order to get customers' PINs."

Continue reading "Threats and threats" »

09 November 2006

Cultural learnings of Kazakhstan for make benefit glorious nation of America

[Dave Birch] I was at a meeting yesterday -- for reasons not germane to this thread -- where I discovered something very interesting* about Kazakhstan. A couple of things, actually.

* to people who read blogs about digital money.

Continue reading "Cultural learnings of Kazakhstan for make benefit glorious nation of America" »

15 October 2006

One millionth POS terminals in UK

[Dave Birch] According to APACS there are now more than 140 million plastic cards in use in the UK, with almost 68% of spending accounted for by debit cards. This year, total plastic card use is expected to top £320 billion, against a predicted £277 billion of cash payments. One of the reasons for the growth in cards is, naturally, the growth in POS terminals and (insert fanfare sound effect here) the UK's one millionth POS terminal has gone online (well, the one millionth TID has been issued, which may not be the same thing). As of August 2006, APACS say that of the 900,000 "face to face" (ie, attended) POS terminals in the UK only 50,000 are not chip and PIN.

Continue reading "One millionth POS terminals in UK" »

15 July 2006

Taking a punt

[Dave Birch] I went to Cambridge to hear a couple of talks on the state of payment card security. David Ware from RFI Global concentrated on contactless security. With the imminent start of contactless payment trials in the UK, this is important to us and our clients right now. Mike Bond from Cryptomathic gave a good overview of EMV security. This is a hot topic in the UK because of the media reports of the "Shell" breach and card cloning.

Continue reading "Taking a punt" »

12 June 2006

No more fraud

[Dave Birch] I've got a very simple, and absolutely foolproof, plan to reduce payment card fraud (much in the news recently) to zero. It's based on the observation that there are two ways to cut crime: cut the number of crimes or cut the number of offences. The latter means that society's focus is to concentrate on policing: to try and both prevent crimes from occurring and to improve the detection rate should crimes still occur. The former means society's focus is to reduce the number of types of crime. Maybe the latter deserves to be explored further in the context of credit card fraud.

Continue reading "No more fraud" »

10 March 2006

Divided by a common standard

No-one (at least no-one reading this blog) can have failed to have noticed the story that's been running in the US on the apparently industrial scale card-skimming that's been going on there. It's so bad that Citibank has blocked ATM withdrawals from some MasterCard accounts after a series of fraudulent cash withdrawals in the UK, Russia and Canada. Wells Fargo, similarly, blocked ATM withdrawals in the UK. Gartner say that this is the “largest PIN theft to date”. While it's difficult to determine exactly what has gone wrong, the general opinion seems to be that it is not bank systems but third-party systems (a processor or a retailer) that have been compromised (yet again), enabling criminals to manufacture counterfeit cards on a large scale and then distribute them for use at ATMs.

Continue reading "Divided by a common standard" »

08 March 2006

Prepaid and contactless

MasterCard made a couple of interesting presentations to the Smart Card Club in London yesterday. Bruno Carpreau was explaining the OneSmart MasterCard PayPass product. This combines EMV with a contactless interface: the cards will work at any PayPass terminal in the US (operating in magnetic stripe mode) as well as any EMV terminal elsewhere (they also have magnetic stripes on for backward compatibility). Chris Reddish was explaining the range of MasterCard prepaid products and was generally very positive about the European prepaid market, predicting it to be around 80-85 billion euros in 2008. I gave a bullish talk on the combination of contactless and prepaid at the same event.

Continue reading "Prepaid and contactless" »

20 February 2006

Phish and chips

I was interviewed by Louisa Bojesen on CNBC (aka “the fastest growing pan-European TV channel, with daily viewers up 37% to 703,000 according to the latest European Media and Marketing Survey”) today, the subject being Internet banking in general and the security of same in particular. I was there to focus on security, a guy from Forrester in the Netherlands was there to focus on the general. He made a very good point, I thought. If customers aren't going into branches, banks find it hard to cross-sell to them. I agree. Banking is, essentially, boring so once you've paid the credit card bill and cancelled a direct debit to British Gas, then you immediately click your way to somewhere more fun.

Continue reading "Phish and chips" »

15 February 2006

PIN watch

Yesterday, February 14th, was the day that use of PIN rather than signature at the point of sale became 'obligatory' in the UK. Or rather, liability for all non-PIN-verified transactions shifted to the retailer. So it was a good day for a confirmed signature sighting: Rymans, Tottenham Court Road - no Chip and PIN installation, signature in full use, one rather irritated and embarrassed sales assistant. Is Rymans a fraud magnet, I wonder? I doubt that anyone is going to risk prison for a nice multi-pack of polythene folders but they do sell mobile phones...