(Copyright © 2006 T Bruce Tober)
"The days of the signature are numbered," warns Streamline, one of the biggest UK credit card processing companies. "In the fight against card fraud, which has increased significantly over the last six years, the banking industry introduced Chip 'n' PIN (C'n'P). However, the full effects of this initiative will not be seen until we remove the option for PIN bypass, which was a temporary function to allow retailers and cardholders to get used to using PIN."
That deadline (for no longer allowing customers to sign for their card purchases) is set for St. Valentine's Day, 14 Feb, 2006.
I for one, won't be using my PIN for purchases. Rather I'll revert to good old-fashioned cash or cheques.
WHY?
Simply because in the more than a year since the banking industry set out to deceive us again (remember their claim that there's no such thing as "phantom withdrawals" from ATMs?), this time with the claim that use of C'n'P will cut down on fraud, I've been observing just how incredibly insecure the use of PINs is.
But even if they are correct and such fraud will be cut or at least not increase significantly, an even bigger problem is that the banks and other card-issuers are shifting the cost of fraud from themselves to the consumer. This is because the PIN is supposed to be secure and because you have no evidence to prove your innocence in the case of fraudulent or incorrect charges being made to your card. In other words with a signed receipt you can challenge the signature, but if someone has used your PIN fraudulently, you can't, there's nothing really to base your challenge on. Thus it transfers the cost of fraud (millions of pounds a year) from the banks and other card issuers to the consumer or small business/shop.
But, before I provide you with the Tips and Tricks the fraudsters will (or could) use, a bit of information from experts in the field of security (and I don't mean the banks):
"According to delegates at today's Retail Fraud Conference in London, chip and PIN may cut down some card fraud for retailers but it may actually boost crime in other areas." So said Silicon.com on Tuesday 01 February 2005 in its article, Could chip and PIN make society more violent?
For example, the article continued:
"Adrian Sherry, security solutions manager, said he expected the crime transference would mean a rise in card not present and telesales fraud.
"Criminology Professor Martin Gill said: 'We know offenders adapt very quickly. If you look to the European example... don't think [criminals] won't find a way round it.' He added that ATM robberies are likely to become attractive to thieves after the advent of chip and PIN.
"For all the claims of the death of fraud that will result from the introduction of the signature-replacement technology, some analysts warn that retailers are looking in the wrong place if they want to protect their assets. John Davison, VP and research director at analyst house Gartner, said retailers should be looking elsewhere if they want to stymie the fraudsters. ... However, with ecommerce continuing its steamroller growth, that might be about to change. Davison added the internet is now the "most popular" method of committing card not present (CNP) fraud and 12 times the amount of fraud exists on the internet than in store."
The C'n'P industry's own propaganda site says, "after Valentine's Day 2006 cardholders must use their PIN to be sure of being able to pay with their chip and PIN cards. If shoppers don’t use PIN, their card may be declined and the option of signing can no longer be guaranteed....
"This follows a reduction of £36 million in counterfeit and lost and stolen fraud on plastic cards in the six months January to June 2005 compared with the same period last year. This reduction of nearly a third (29%) - from £126.6m in the first six months of 2004 to £89.9m in the same period in 2005 - is due to the new chip and PIN system and shows the huge effect that using PIN is having on fighting fraud. This represents a fall of 31 per cent in counterfeit card fraud and 27 per cent in lost and stolen card fraud."
Actually what it shows is that the fraudsters, having seen how easy it is to cheat with this new technology, were busy trying to convince the industry that it works, so that when it's mandatory, they'll simply come in and share the wealth.
The Register, in an article on 17th January 2006, reported that, "During the second half of 2005, the number of fraudulent transactions in high-street shops fell by 25 per cent compared to the first six months of the year, data from fraud detection specialists Retail Decisions (ReD) shows."
But then the article added a statistic which shows the other reason for that fall, "The ReD study revealed that, as the amount of high-street counterfeit card transactions decrease, the number of fraudulent card-not-present (CNP) transactions is rising. Attempted CNP fraud through mediums such as mail order, telephone order, interactive television and the internet increased by six per cent in the final quarter of 2005 compared to the same period a year before. Activity was particularly strong in the run-up to Christmas, a peak time of year for retail websites."
Ian Miller, of Singularis Ltd, Cambridge, England, is an IT industry security consultant with 30 years' expertise in IT, since 1976. As early as April 2004 (and, having just spoken with him, I can say he stands by the comments today), he wrote regarding the deceptiveness of the banking industry's fraud statistics, "There are several reasons to be concerned that this may be showing an artificially rosy picture. "Fraud", in the UK at least, only occurs if the bank or the merchant is out of pocket. If the account-holder is out of pocket it is a "dispute" or "query". Without also being told the statistics for "disputes", the "fraud" statistics are potentially highly misleading. i.e. Is this a real reduction in crime or merely shifting responsibility."
Echoing one of my points, he continued, "We may only be looking at a transitional effect. That is, Chip&Pin fraud is only low because it is co-existing with the more familiar magnetic strip cards that the fraudsters already know how to break. For the moment, cloning magnetic strip cards is very easy by comparison with chips. Only when there is only Chip&Pin will criminals have the necessary incentive to break it."

"...We should look at two entirely different changes in the security system that are being entirely unnecessarily conflated," he warned. "1. Moving from storing the card details in a chip rather than on a magnetic strip [and] 2. Moving from identifying the customer by written signature to by Personal Id. Number.
"I think that the first of these is uncontentious and an entirely positive contribution to credit card security," because at that point (2004) cloning a magnetic strip is, "with the right (widely available) equipment, trivial" but cloning chips is not. "However there have to be doubts as to how long chips will remain unclonable."
But, he asserts, "The second of these is dubious in the extreme as an improvement in security. The impossibility of post hoc validation and the claims of infallibility suggest on past form that defrauded account-holders are going to have a much harder time trying to get their money back with this means of customer identification. This will reduce 'fraud' and correspondingly increase 'disputes'. There is the suspicion that this is the real motivation for the change."
And then there's Paul Vigay, a veteran IT consultant and security activist, who a year ago put together a list of "Ten reasons Chip 'n' Pin cards are bad".
On his list of ten are:
"1. They're not secure - For a start, there are infinite subtle variations of personal signature, which are all unique. There are only 10,000 (10x10x10x10) combinations of PIN code due to using a four-digit number. From a technical point of view," a four-digit PIN amounts to only about 13 bits of key space (log2 of 10,000 is roughly 13.3), against the 128-bit encryption used in eBanking and shopping on the internet.
"2. They create sloppy security - Because all cards are moving to C'n'P, and many people have several cards, it's highly likely that most people will use the same PIN number for all their cards." And that's simply because it's too difficult for most people to remember multiple PINs, one for each of their cards. "This means that if someone loses their wallet containing more than one card, they can all be compromised."
"3. They will lead to higher crime - As mentioned above, because of the insecurity of the PIN code, they will be an easy target for pick-pockets or muggers. Some muggers may also threaten people with violence until they reveal their PIN code.
"4. They shift the cost of fraud from the bank to the consumer - Because the PIN code is deemed to be secure, and because it's digital, you have no evidence to prove your innocence in the case of fraudulent or incorrect charges being made to your card. This is one of the main reasons for the banks implementing Chip and PIN cards." In other words, with a signed receipt you can challenge the signature, but if someone has used your PIN fraudulently, you can't. Thus it transfers the cost of fraud (millions of pounds a year) from the banks and other card issuers to the consumer or small business/shop.
So how is your C'n'P more vulnerable than your old, "please sign here" card?
The simple answer is, if I steal your "please sign here" card, I have to take the time to learn to forge your signature. That process could possibly be done in a few hours.
But those few hours are enough time for you to realise the card has been lost or stolen and report that fact to police and your card issuer. Fraudster foiled.
Tips and Tricks
Well, actually there's only one and it's so simple even the stupidest thug could handle it. All he has to do is stand in any queue (especially at a small local post office branch or neighbourhood market) and observe (through sight or in some cases sound) those ahead of him entering their PINs on the terminals.
While many of these terminals are held in a frame from which they can be removed and held close to the customer for some amount of security while he enters his PIN, most customers don't know of this option, and even staff who know of it (and not all do) rarely bother to let the customer know, let alone advise him to use it.
Just watch as the customer enters his PIN. Many will:
1. Enter the PIN so openly that you can see and jot down their numbers.
2. Enter the PIN while saying aloud the numbers so that you can hear and jot down their numbers.
3. Enter the PIN while checking the PIN which they've written on their hand or a piece of paper in their wallet/purse so that you can see and jot down their numbers.
Now all you (the thug) have to do is follow them outside, mug them, take their card and use it to your heart's content. No worrying about practicing their signature, you already have the combination to their bank account.