The Bankwatch

With this quote the security of chip cards debate is opened.

CHIP-AND-PIN systems introduced to foil credit and debit-card fraudsters are making it easier to commit certain types of financial crime, a reformed con man warned last week.

And the evidence is mounting to support his contention.

Chip and pin ‘makes fraud even easier’ – Money – Times Online

He does not believe that chip-and-pin technology, which requires transactions to be verified with a four-digit number rather than a signature, will prove much of a challenge for professional fraudsters.

The information sent out by the hand-held card reading devices used in restaurants is not encrypted, for example. Any criminals nearby with an information receiver can therefore capture the data, including the pin entered — actually making it easier for them to commit certain types of fraud.

The details on the earlier Shell fraud is outlined here.  This fraud resulted in cloning of the card data into mag strip cards.

His concerns about the vulnerability of chip-and-pin were reinforced last week by news that 600 Shell petrol stations have suspended use of chip-and-pin terminals after more than £1m was stolen from customers’ accounts. Fraudsters masquerading as engineers sent to test the equipment instead fitted the keypads with memory chips that logged customers’ card numbers and pin codes.

They then used the information to plunder accounts by making counterfeit cards and using them to withdraw cash from cash machines. Fraudsters were only able to clone the cards’ magnetic strips, rather than the chips, but many ATMs are not yet fitted with chip readers and therefore still use the strips.

The predominant method used by the criminals remains card not present fraud.

Another unfortunate side effect of chip and pin has been to boost internet and telephone credit-card fraud, known as “card-not-present”, for which criminals do not need to know your pin. The cost of this kind of card crime leapt from £151m in 2004 to £183m last year.

It is still being predicted that chip cards can be copied, but this isn’t proven yet.  However it may be possible to circumvent the card security in other ways.

Fears are growing, though, that identity cards will simply make life even easier for fraudsters. Abagnale said: “Within six months the new identity card will have been replicated perfectly. And because it condenses all the information on an individual in one place, the fraudster won’t have to find it.”

Relevance to Bankwatch:

The underlying question remains.  Can the criminals gather chip card information, and close the chip cards.  More research to come, including the relevance of card security schemes (DDA/ SDA).

Technorati Tags: chip+cards, security

The claim here is that certain merchant terminals (not ATM’s as earlier claimed) are not capable of recognising cloned chip cards.

Millions at risk from chip and Pin | This is Money

Security experts say there is a one in five chance that a terminal in a shop or garage will not spot a ‘cloned’ card. It means criminals who copy people’s cards can go on shopping sprees and spend thousands of pounds. The alarming gap in security is being blamed on the issuing banks, for choosing the cheapest version of the new cards. Banks in France and some other countries are already using a more secure system.

The cloning seems ridiculously easy.

Some experts warned soon after the launch of the system in February that criminals could clone the new cards using equipment readily available over the Internet and costing only some £300 or £400.

And the results are horrendous!

Last month the Daily Mail revealed that criminals had stolen more than £1m after using copied cards to withdraw money from cash machines abroad.

This is because repeated transactions at these terminals no longer register with banks’ head offices as a suspicious pattern of withdrawals.

The root cause appears to lie in the choice of technology by certain banks.

Now it emerges that there may be a similar absence of protection on transactions in this country. The reason is that more than 140m credit, debit and charge cards issued in the UK over the last few years use a technology known as SDA, which stands for ‘static data authentication’.

This is the cheapest option that could have been chosen by the big five banks, which made profits of £33bn last year, and other card issuers. Banks abroad, however, prefer the safer option of the DDA system, which stands for ‘dynamic data authentication’.

Relevance to Bankwatch:
Nothing is simple.  The criminals are very capable, and shortcuts in this space will be devastating.

Technorati Tags: chip+card, fraud, DDA, SDA

Real or not, there is an evolving thread questioning the infallibility of chip and pin.  We know that the card not present issue is a contributor, but this comment regarding ATM’s having difficulties is a new one to me, and will require further investigation.

We have to understand this dynamic, and both individual banks, and industry groups need to get on top of it.

MoneyExpert.com – Financial news article

“Chip and pin security is fallible,” a spokesman for credit payments association Apacs, which conducted the survey, told the Times. Recent research has suggested that cash machines are not always able to discern the difference between genuine cards and cards that have been cloned.

Relevance to Bankwatch:
Its been assumed as part of the business case for chip that fraud could be successfully managed down.  So while enormous cost has gone into the introduction of chip, yet consumers remain sceptical.

This is a matter that North American card acquirers, such as Moneris, and Paymenttech must consider otherwise the merchant experience will be terrible, and that would translate into consumer confusion.

Card Technology, The Smart Card News Source

Three of Japan’s largest convenience store chains are reportedly in talks to accept multiple brands of contactless credit and electronic purses on the same card readers. Without interoperable readers, consumers would be confused about where they could use a particular brand of contactless payment and merchants would have to install multiple readers.

If you need to know where this is all going, then look to Japan & South Korea.

Japan, South Korea lead world in contactless payments : Contactless News

In Japan, FeliCa has created innovative businesses such as Suica (East Japan Railways’ transit card) and Edy (BitWallet’s e-money service), through which credit card and financial services, transportation and mobile service companies have aggressively adopted FeliCa-based smartcard payment solutions.

Furthermore, FeliCa has been installed in mobile handsets, so called ‘Osaifu-Keitai’ and ‘Mobile FeliCa’, allowing them to be used in a wide variety of contexts: as credit card, pre-paid e-money, transit card, and as identification for entrance management.

Read the rest of this entry »

Every bank is somewhere on the pace of conversion to chip /smart cards, even if they are just thinking about it.  Well, we had better be including the conversion to contactless in that plan as phase 2, and using a cell phone as phase 3;  according to ABI Research and others I have seen lately.

Contactless Payment To Shift from Cards to Cell Phones, Says ABI Research | Tekrati Research News

“Contactless commerce is on a steep growth curve, but cards are only an intermediate step,” says Erik Michielsen, director of ABI Research’s RFID and M2M practice. “By 2010, more than 50% of cellular handsets–some 500 million units–will incorporate NFC capabilities that will be used not only for payments at points of sale and remotely, but also to access information from ‘smart objects.’

Imagine, for example, seeing a poster advertising a concert you want to attend. Hold your phone near the poster, and it connects you to a website where you buy your tickets, download them to the phone, and tap the phone at the turnstile to enter the show.”

Relevance to Bankwatch:
Its probably true that most banks have the chip card strategy in the ATM group, but it would be a mistake to exclude your technology strategists, and online banking people who probably see more of where this is really going.  Most are basing their chip strategy on fraud reduction.  The real meat, and consumer expectation will be more of a mobile / wireless / ecommerce play.

Technorati Tags: smart+cards, chip+cards, ecommerce

Hitesh Patel, KPMG Forensic talk about the escalation of fraud despite the introduction of chip and pin. The criminals are able to move to the weakest point in the system.

Why chip & Pin won't stop fraud | This is Money

The fastest growing area is 'cardholder not present' fraud. According to the  clearing banks' association Apacs, it shot up 29pc to £90m in the first six  months of 2005 and accounted for more than 40% of total card fraud losses.

Its worth noting the fraud escalation is not an intrinsic weakness in chip and pin. In fact we are not intruducing chip and pin, and will not be until circa 2015 at the earliest. Only then will the entire world be on chip and pin, and then we will see the strength of the technology.

Far from it. KPMG's latest Fraud Barometer found that it had rocketed to  nearly £1bn in 2005 – the highest level for a decade. The battle is far from  over and none of us can afford to relax.

The truth is that as antifraud measures evolve, so do the scams. Fraudsters  have moved on from stealing or skimming cards. Now their emphasis is on  identity fraud – obtaining your personal details and making remote purchases  over the internet or by phone.

Technorati Tags: chip_cards, fraud, identity_theft

Lloyds notes the increase in fraud in non chip countries, such as Canada, and USA.

Bank says overseas card fraud on the rise – Money – Times Online

Lloyds TSB has reported a leap in the number of fraudulent withdrawals from overseas ATMs. The bank says criminals are increasingly using cloned debit or credit cards in countries where chip and pin technology has not yet been introduced.

The weakest link theory applies here.  Those countries that lag moving to chip and pin, will suffer increased fraud.

Lloyds TSB has reported a leap in the number of fraudulent withdrawals from overseas ATMs. The bank says criminals are increasingly using cloned debit or credit cards in countries where chip and pin technology has not yet been introduced.

Nearly all UK ATMs have chip and pin technology which would leave fraudsters empty-handed if they tried to make a withdrawal with a fake card.

Technorati Tags: chip_cards, smart_cards

ATM’s across the world are being used for new and innovative services, that keep customers satisfied.  North American ATM’s just provide the basics.

WSJ.com – The Envelope-Free ATM

In Russia, a consumer can put rubles into an automated-teller machine and get U.S. dollars in return. In Brazil and Venezuela, the machines print checks. And banking customers in Indonesia can use an ATM to schedule and pay for the ritual sacrifice of a goat.

However something as simple as envelopeless cheque depositing which sounds cool, is not necessarily a good use of investment.

Unlike traditional machines that swallow an envelope and require the customer to key in the deposited amount, the new versions read checks and count cash themselves. They can display an image of the check on the screen, and also print an image of the deposited check on a customer’s receipt. Bank executives literally “oohed” and “aahed” when a representative of ATM maker NCR Corp. demonstrated the technology at an industry conference last fall.

The costs of the cameras and cheque handing, to achieve this are significant, and given cheques are going away, does this make sense?  Perhaps the North Americans have this part right.

Relevance to Bankwatch:
The ATM manufacturers find it easy to wow Bank Executives in the ATM space because those folks generally haven’t been engaged in the online banking space.  The online bankers know innovation, and understand the importance (now, post dot com crash) of not getting caught up in the technology, and remaining focussed on the customers needs.

Read the rest of this entry »

In a move by the criminals they highlight the weakness in combo chip / mag stripe cards. These are cards that have chip and mag stripe on them. This is the primary transitional approach taken by banks, to circumvent issuing separate chip cards, and mag stripe cards. Customers would require mag stripe for usage abroad where chip has not been implemented yet.

Guardian Unlimited | UK Latest | Eight held over chip and pin fraud

The scam works by criminals implanting devices into chip and pin machines which can copy a bank card's magnetic strip and record a person's pin number.The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented – often abroad.

Relevance to Bankwatch:
As predicted in an earlier 'relevance' I remain convinced that combo cards could be the death of chip, and the better approach would be to issue chip cards only with no mag stripe. If customers need a mag stripe for travel or other purposes, then they can get those. The problem is the transition of merchants to chip, so customers desire to have chip only cards is the best impetus for them.

Technorati Tags: chip_cards, debit_cards, credit_cards

Read the rest of this entry »