Fighting fraud with chip & PIN

“The credit card will become as useless to a thief as though they were trying to take money from an ATM without knowing the PIN,” said Turner.

“APCA recorded more than 58,000 instances of lost or stolen Australian issued credit cards last financial year. Those 58,000 instances resulted in more than $16 million of fraud. The impact of using EMV smartcards will be that the rate of fraud per lost or stolen card will drop sharply,” he said.

Bond explained that chip and PIN also fixes another problem: the situation of a collusive merchant.

“This is where there’s a merchant, say a store owner, who is known to crooks to accept dodgy cards. The merchant lets the crook make a payment, doesn’t check the signature properly and then claims a cut of the money,” said Bond.

“In the instance of chip and PIN, if a stolen card comes along the machine will ask for the PIN. If you don’t get it right the transaction can’t go through.”

Other areas of business can benefit from chip and PIN as well, according to Turner. “Education and familiarity that consumers will gain from using smartcards for their everyday transactions [is huge].

“Hopefully, this will help take the fear away from a few of the individuals who are terrified of the prospect of a smartcard to access government resources such as Centrelink and Medicare,” said Turner.

Side-effects

Secure purchasing, authentication, and financial institutions can greatly benefit from popular use of chip cards, but as with all good things there is more than one down side to chip and PIN as explained by Clump. Fraudsters haven’t suddenly turned over a new leaf, instead they have found other mediums of attack.

“It has the interesting side effect that it promotes other forms of fraud,” warned Clump. Fraud will move to what’s known as card-not-present (C-N-P) environment – online, money order or over the phone transactions. About two years prior to chip and PIN in the early years of this decade C-N-P fraud took off and it now accounts for more than 50 percent of fraud in the UK.

He added: “It’s a major source of fraud. Fraudsters have business plans as well and they anticipate change; so they’ve anticipated change and adopted their business plan. That’s what one can expect with introduction of chip and PIN.”

According to Unisys, an area of card fraud expected to rise in 2006 in the UK was C-N-P fraud. It rose by 16 percent compared to figures for 2005, and although it is increasing at reducing rates, at £212.6 million (A$453 million), it now accounts for half of all losses.

At a time when the popularity of online shopping is steadily growing, how can chip and PIN help minimise fraud in this channel? In reality it doesn’t, said Clump.

“Chip and PIN was never really designed to do that, because it was developed in the mid-nineties before online shopping had taken off. In the UK there’s a big rush to look after the problems to do with online shopping or the C-N-P instances.

“What has been levelled as a criticism by some people toward the European banks is that they spent massive amounts of money – in the billions – deploying chip and PIN and in the short term it simply moved all the fraud to C-N-P,” said Bond.

Without global interoperability, European banks have detected another fraud problem emerging out of the popular use of chip and PIN. Chip card details are being copied and used abroad where chip is not yet common.

“Millions and millions of pounds are being stolen that way now. It’s more lucrative of course because instead of getting goods you’re getting clean money out,” said Bond.

Patrik Bihammar, senior analyst of software at IDC fears the introduction of PIN in Australia on credit cards can put card holders at physical risk as it makes the PIN code even more valuable to fraudsters.

“It can become both a usability as well as a security problem if the card owner has difficulty remembering their PIN. It could drive the card owners to write down their PIN on a piece of paper in their wallet, or on their mobile phone. Users also need to be wary of people looking “over their back” when they put in the PIN number just as at the ATM,” he said.

Debate surrounding the physical security of card holders has been prominent in the UK, with concerns that violent crime may go up.

“As crooks decide, ‘well if I need to get the PIN it’s better I mug them just after I’ve seen them use the cash machine’,” said Bond.

In the case of liability with chip and PIN there is the potential that the retailer will be held liable in cases of fraud. It was about 1 January 2006, two years after chip and PIN was introduced in UK that a liability shift occurred, explained Bond.

“Negotiations between the bank and the merchants found that if a merchant hasn’t got a chip and PIN terminal and therefore can’t read the chip then the merchant must take the risk that the transaction is fraudulent. That drove nearly everyone forward to chip and PIN, but of course some industries which experience very low fraud rates –restaurants and cafés – are slim so those guys stick to their magnetic strips.”

Chip cards are here to stay, despite the possible side-effects. As Turner explained, it’s not possible to devise an unhackable payment system because the value in hacking it is too high. So what he confirmed and what most experts agreed with is that EMV is a favourable smartcard system and want it to be deployed in Australia as soon as possible.