The latest fraud figures from APACS show that chip and PIN has done what it was intended to do, and counterfeit, lost and stolen fraud is plummeting. Moving equally fast, but in an upward direction, is card-not-present fraud.

I’m about to start working on an article on this subject for European Card Review magazine. Last time I tackled the subject, in 2004, the talk was all about token-based authentication (TBA), but nearly two years on there’s certainly no sign of a card reader or PIN pad on my desk (not even after I tidy it). Presumably UK banks are still arguing about who is going to pay for such a thing. In 2004, the country that seemed furthest ahead with TBA was the Netherlands, albeit in a proprietary way. Would anyone like to comment about progress over the past two years in Europe with this technology?

One comment

  1. There is a lot of work going on at the moment around authentication/authorisation to overcome the new threat model of the meccano trojans (my name, the info is still being kept secret) in the Internet online finance environment.
    Smart cards aren’t on the radar for that task. They are simply too expensive, and too small a part of a security system to make economic sense. Nobody has ever come up with a compelling scenario where a one-purpose token that costs $10-$100 is going to work when rollout costs also have to be covered. (Multi-purpose systems won’t work for normal competitive reasons.)
    What is likely to happen is that this area — online banking — will be covered by dual authorisation over SMS on the cell/mobile phone. So in a sense, the smart card / SIM in the phone becomes a part of the security model; but that’s really missing the point as this model will work without any smart card, it’s the separate uncompromised channel that is key.
