Fighting fraud with chip & PIN

The popular but precarious signature-based magnetic strip credit card system is on its last legs, globally.

Today, it’s practically obsolete in Europe and the UK following a surge in counterfeit fraud; replaced by what’s deemed to be the more secure EMV chip technology, aka ‘chip and PIN ’.

Formed in February 1999, EMV is the technical specifications group that outlines the interaction between chip cards and terminals to ensure global interoperability, created by Europay International, MasterCard International and Visa International.

According to James Turner, advisor at analyst firm IBRS, the EMV standard presents a means of strong authentication: “By combining the chip and the PIN I have given two factors of authentication: something I had (the chip) and something I knew (the PIN).”

Aesthetically, a chip card mirrors that of a magnetic strip card, except it data is stored on an embedded encrypted microchip rather than on the magnetic strip. This in turn makes it allegedly difficult to defraud.

“The chip itself is designed to make the credit card harder to counterfeit,” explained Mike Bond, security director at UK-based Cryptomathic, a provider of e-security software including e-banking, two-factor authentication and EMV card issuing.

“The chip contains some secret information, a secret key [cryptography] that’s shared just between the chip and the customer’s bank, and that means that if you copy it you can’t get at the secret and so you can’t make a perfect copy.”

Peter Roeleven, general manager, Working Capital Services Transaction Products at National Australia Bank (NAB) – set to begin its roll-out of chip cards soon – explained that the nature of the way the chip interacts with the terminal, means that the ability for someone to use a counterfeit or copied card is virtually non-existent.

“I’ll never say absolutely non-existent because there’s always the game of staying one step ahead, but it makes it extremely difficult; then some would argue impossible for someone to counterfeit the card.”

Today, chip cards are prevalent in 45 countries, according to self-regulatory body the Australian Payments Clearing Association (APCA). In its 2007 annual review APCA reported that the United Kingdom alone has more than 100 million chip cards on issue.

According to Visa Asia, Europe is the most advanced region for EMV migration in the world where the UK, France, Spain and Italy committed to migration by the end of 2004.

Surprisingly, the US is just starting to get on board. Furthermore, as of June 2006 Japan had more than 30 million Visa EMV chip cards whilst more than 90 percent of terminals in Taiwan were EMV compliant; Singapore had 80 percent and still growing.

Fraud

Mass adoption of chip cards in Europe and especially in the UK has caused a dramatic decline in card present fraud rates instances where the card and the card holder are present for the transaction, in that region.

Financial institutions were worried about the rising instances of fraud, particularly of card counterfeiting, explained Cryptomathic's Mike Bond, while delving into UK’s fraud problem.

“A big organised crime industry has its own production lines, like black-market production lines, of counterfeit goods that you hear all about in China – except for credit cards.

"So they were churning out made-up credit cards using details that had been captured and then having people spending money on these counterfeit cards,” he said.

That was one problem with signature and magnetic strip credit cards, the other was the common typical incident of people using stolen cards to make purchases and payments.

“Steal someone’s handbag and go on a spending spree when signatures were not verified properly – people could actually do quite a lot of damage on a stolen credit card,” said Bond.

According to Card Fraud Facts and Figures from APACS – the UK Payments Association, in 2006 total card fraud losses fell by three percent in the UK to £423 million (A$905 million); ‘face-to-face fraud continued to drop’; ‘lost and stolen card fraud showed an overall decrease on 2005; ‘counterfeit card fraud increased by just three percent to £99.6 million (A$ 213.million), showing a further fall in growth rate from 2005”.

The same effects are taking place in Asia, especially in Malaysia, where the country’s domestic counterfeit fraud has virtually disappeared in the first quarter of 2006 from US$677,000, according to Visa Asia.

“The rate of fraud has halved in the past five years in APAC and if you look at somewhere such as Malaysia they’ve had an extensive chip program and fraud there has nearly been eliminated,” said Andrew Woodward, director of communications for Visa Australia.
However, compared to the UK, Australia’s fraud rates are low, according to Chris Hamilton, chief executive officer at APCA.

“Relative to overseas jurisdictions that have introduced chip, Australia doesn’t have anything like the fraud problem. The debate in Australia has always been whether it’s coming in the future and we need to prepare for it rather than reduce it.”

Moreover, chip and PIN is a slightly complicated term because the Australian proprietary debit card system has always been fully PIN, he added.

Furthermore, most transactions [in Australia] are online real-time, according to Roeleven. “In other markets [such as the UK] a lot of transactions are actually offline. They don’t get that real-time message or check whether the card has been reported stolen and you don’t get that real-time check available balance,” he explained.

“Combined with the fact that the Australian market is a reasonably remote market by world standards you’ll find that we’ve experienced growing but low levels of fraud and we’ve been able to hold it fairly well.

“This is the classic security dilemma,” explained Turner. “If the risk is low, is the cost of a new security measure cost effective? But of course, this is only a dilemma for the banks.”

While 44,651 instances of credit card skimming for the financial year 2006-07 does not sound significant, that translated to nearly $27 million worth of fraud, according to Turner.

“For the people who had to go through the process of proving to the financial institutions that they were blameless: the inconvenience factor is through the roof. These consumers don’t want to hear about risk analysis and feasibility, they want the pain taken away.”

Local adoption

Australian card issuers have tentatively begun the process of transitioning to chip cards, despite low fraud rates. Perhaps it’s the global market pressure driving the trend or the fear that fraudsters will turn their attention to Australia since Europe and Asia have tightened their belts.

According to Visa APAC, Australia joined the one million-plus chip card club at the end of 2006, alongside Japan, Korea, Taiwan, Malaysia, Hong Kong and Thailand.

The Commonwealth Bank of Australia became the fourth bank, alongside ANZ, Westpac and Macquarie, to commence the phasing in of EMV chip cards by September 2007.

As mentioned earlier, NAB has signalled that its roll-out will commence soon, having already released chip-capable terminals to its customers. NAB is not alone in this case as many terminals from selected financial institutions in Australia have been upgraded to accept chip, much to the relief of northern hemisphere holiday makers.

“Since 2003, any new terminal that has gone into the market has had to be chipped,” said Woodward, insisting chip cards will be commonplace in Australia by the end of the decade.

“I have to say that if we have a look at adoption in Australia, increasingly at various outlets the terminals can actually deal with both smart cards and the regular magnetic devices,” said Leon Oelofse, payment sales executive at Unisys.

“[It is] pressure from the people who are all smart card-enabled saying they all want that level of protection; and an increasing number of people no longer feel comfortable handing their card over with the signature as the only form of authorisation.”

However, the local roll-out has been relatively slow. At the moment there is no set timetable for the shift to chip in Australia. According to Roeleven, when and if a timetable is set there will be variations depending on the merchant and the motivation, he predicted.

The interesting issue for Australia and other markets is that not all the terminals are owned by banks, explained Roeleven.

“So you’ll find major retailers will own their own terminals and because they own their own terminals they have to make the investment in software and infrastructure,” he said.

In addition, every shop around Australia would need to change their terminal. Not only is there an explicit cost in this, but there is also the issue of logistics, as well as the number of terminals required, added Turner.

Interoperability is also a factor, according to Hamilton, as each new issuer comes on stream with its chip program, it needs to make sure those cards are going to work in every acquirer’s terminal. That requires interoperability testing and [APCA] can facilitate the industry process so it doesn’t waste people’s time and effort.

“There are still a lot of smaller issuers out there who haven’t come to grips with the chip issue yet; some acquirers are well skilled up and they’ve got terminals out there that are chip capable, and others don’t. So it comes to a co-ordination issue and managing the process,” said Hamilton.

A similar process took place in the UK, claimed Carl Clump, CEO of Retail Decisions – a UK-based payment card issuer specialing in prevention and payment processing. Banks in the UK had the intention of introducing chip and PIN in 2001.

“It actually went live in 2005 and the reason for that is there is an awful lot of discussion which needs to be held between retailers and the banking community,” said Clump.

From Visa’s point of view, Woodward said: “There are 12 million Visa cards in Australia so it takes a while to swap them over. But you do it progressively, you don’t do it in one hit. So it will take some time.”

Benefits

Australia is at a disadvantage not to be chip and PIN, explained Roeleven. “A lot of [foreign] customers are so used to chip and PIN that the magnetic strip and the signature base is something foreign to them.

“You can imagine when a person from the UK travels to Australia, they’re used to chip and PIN, so from our perspective it made sense to enable our merchants to accept chip and PIN cards as a way to facilitate them to service these customers.”

Further benefits include peace of mind in the instance of stolen or lost cards – an unfortunate circumstance that has forever been a security fear, and often a major long-term annoyance if the card is unlawfully used. But the advent of chip and PIN has made stealing a credit card no more than a waste of time.
“The credit card will become as useless to a thief as though they were trying to take money from an ATM without knowing the PIN,” said Turner.

“APCA recorded more than 58,000 instances of lost or stolen Australian issued credit cards last financial year. Those 58,000 instances resulted in more than $16 million of fraud. The impact of using EMV smartcards will be that the rate of fraud per lost or stolen card will drop sharply,” he said.

Bond explained that chip and PIN also fixes another problem: the situation of a collusive merchant.

“This is where there’s a merchant, say a store owner, who is known to crooks to accept dodgy cards. The merchant lets the crook make a payment, doesn’t check the signature properly and then claims a cut of the money,” said Bond.

“In the instance of chip and PIN, if a stolen card comes along the machine will ask for the PIN. If you don’t get it right the transaction can’t go through.”

Other areas of business can benefit from chip and PIN as well, according to Turner. “Education and familiarity that consumers will gain from using smartcards for their everyday transactions [is huge].

“Hopefully, this will help take the fear away from a few of the individuals who are terrified of the prospect of a smartcard to access government resources such as Centrelink and Medicare,” said Turner.

Side-effects

Secure purchasing, authentication, and financial institutions can greatly benefit from popular use of chip cards, but as with all good things there is more than one down side to chip and PIN as explained by Clump. Fraudsters haven’t suddenly turned over a new leaf, instead they have found other mediums of attack.

“It has the interesting side effect that it promotes other forms of fraud,” warned Clump. Fraud will move to what’s known as card-not-present (C-N-P) environment – online, money order or over the phone transactions. About two years prior to chip and PIN in the early years of this decade C-N-P fraud took off and it now accounts for more than 50 percent of fraud in the UK.

He added: “It’s a major source of fraud. Fraudsters have business plans as well and they anticipate change; so they’ve anticipated change and adopted their business plan. That’s what one can expect with introduction of chip and PIN.”

According to Unisys, an area of card fraud expected to rise in 2006 in the UK was C-N-P fraud. It rose by 16 percent compared to figures for 2005, and although it is increasing at reducing rates, at £212.6 million (A$453 million), it now accounts for half of all losses.

At a time when the popularity of online shopping is steadily growing, how can chip and PIN help minimise fraud in this channel? In reality it doesn’t, said Clump.

“Chip and PIN was never really designed to do that, because it was developed in the mid-nineties before online shopping had taken off. In the UK there’s a big rush to look after the problems to do with online shopping or the C-N-P instances.

“What has been levelled as a criticism by some people toward the European banks is that they spent massive amounts of money – in the billions – deploying chip and PIN and in the short term it simply moved all the fraud to C-N-P,” said Bond.

Without global interoperability, European banks have detected another fraud problem emerging out of the popular use of chip and PIN. Chip card details are being copied and used abroad where chip is not yet common.

“Millions and millions of pounds are being stolen that way now. It’s more lucrative of course because instead of getting goods you’re getting clean money out,” said Bond.

Patrik Bihammar, senior analyst of software at IDC fears the introduction of PIN in Australia on credit cards can put card holders at physical risk as it makes the PIN code even more valuable to fraudsters.

“It can become both a usability as well as a security problem if the card owner has difficulty remembering their PIN. It could drive the card owners to write down their PIN on a piece of paper in their wallet, or on their mobile phone. Users also need to be wary of people looking “over their back” when they put in the PIN number just as at the ATM,” he said.

Debate surrounding the physical security of card holders has been prominent in the UK, with concerns that violent crime may go up.

“As crooks decide, ‘well if I need to get the PIN it’s better I mug them just after I’ve seen them use the cash machine’,” said Bond.

In the case of liability with chip and PIN there is the potential that the retailer will be held liable in cases of fraud. It was about 1 January 2006, two years after chip and PIN was introduced in UK that a liability shift occurred, explained Bond.

“Negotiations between the bank and the merchants found that if a merchant hasn’t got a chip and PIN terminal and therefore can’t read the chip then the merchant must take the risk that the transaction is fraudulent. That drove nearly everyone forward to chip and PIN, but of course some industries which experience very low fraud rates –restaurants and cafés – are slim so those guys stick to their magnetic strips.”

Chip cards are here to stay, despite the possible side-effects. As Turner explained, it’s not possible to devise an unhackable payment system because the value in hacking it is too high. So what he confirmed and what most experts agreed with is that EMV is a favourable smartcard system and want it to be deployed in Australia as soon as possible.