[David Griffiths] I think it’s all good and proper that academics at world class universities have our (and I speak now as a punter) best wishes at heart, and I am grateful to the BBC for bringing it, once again, to everyone’s attention. Taxes and licence fees well spent. I only wish that the spin revolved around reality rather than headlines!

Once again Ross Anderson has got the BBC all excited. If there was a real hole in Chip and PIN, the boffins at Cambridge would have spotted it, and the BBC could then really get excited. The reality is that Professor Ross Anderson has huge technical resources at hand, is surrounded by some very clever people, but they haven’t cracked the system – not even close. They have, as we were told, found some vulnerabilities, but they have not found any that the banks were not aware of.

In banking terms, card fraud is not huge.  It is growing generally as a result of card issuer sloppiness (I do love the card issuers, but they do have to accept their own responsibilities in this current fraudfest) and of course, developing criminal abilities – the crims are clever too. 

As was pointed out in the Newsnight broadcast (though not very well) the use of the iCVV would have prevented all mag stripe cloning attempts originating from the chip, and we would not be seeing this reported on the BBC. Dave Birch was right in his assessment of iCVV (if hazy on the mechanism and calculation): iCVV = no chip to Magstripe cloning = job done! The iCVV option has been available as long as EMV; it isn’t new. The issuers, however, chose not to implement it and are now reaping what they previously sowed. Eventually, the card schemes felt there was no option but to step in and mandate the use of iCVV. They mandated the adoption of iCVV from 1st January 2008 – though they had given the issuers two years’ notice.

The DDA card (one of the new technologies that was mentioned) has also been available from day one, but originally cost twice as much as the SDA alternative. Considering that the crims would take a few years to catch up (which has been shown to be a true assessment), decisions were made to issue SDA in the first instance and follow up with DDA on re-issue. The banks’ mistake (which has resulted in growing overseas ATM fraud) was to wait too long to issue DDA cards (which are now much cheaper) because their security people and "bean counters" couldn’t justify spending the extra money on fraud that wasn’t yet evident. It’s a bean counter thing! They call it cost / benefit analysis, and it’s nothing to do with trying to make the cardholders carry the can! That’s a separate customer service issue.

The banking industry has "chosen" not to adopt all anti-fraud measures that are available to them, usually because the cost does not necessarily justify the benefits, or more usually because the "bean counters" can’t show a cost benefit if the fraud isn’t already happening!!! 

The issue here is that the banks should, when dealing with cardholder fraud, recognise their own limitations and give the benefit of the doubt (within reason) to the customer.  This is where they are really failing, and this is the customer service issue. 

My daughter was the obvious victim of card fraud a couple of weeks ago – the bank’s first response was that it was her fault, and she should go away. I thought the onus of proof was on the bank (Paxo and Sandra discussed the Banking Code on Tuesday night), but the bank simply told my daughter that the PIN had been used, and it was therefore her responsibility. It was, however, clearly fraud, but it took a "threatening" phone call from me, with over 20 years of card experience, to get the money back. They told me it was a training issue, and they would make sure the person who had made the original decision went on a refresher course.

Banking Code – what Banking Code?  Customers would feel more comfortable with card fraud if the Banks didn’t jump to the conclusion that it must be the cardholder’s fault! 

Spin it like it is – we’ll get there in the end.

 

3 comments

  1. Indeed. My partner had the misfortune of filling up at a Shell Garage in March last year. A few days later and a counterfeit card was used to withdraw cash out of an ATM in London – three approved withdrawals around midnight, and technical fallback, before the fourth was declined.
    An obvious fraud you would think.
    The issuer (I’m tempted to name and shame) upset my partner and made her feel guilty until they noticed that I was the primary cardholder. Then, they laid into me. Some of it was quite funny: “Call us if you remember making the cash withdrawals”. Now, let me think …
    It took several weeks and several stressy phone calls before they admitted it was a genuine fraud and adjusted my statement, accordingly.
    As you say, we get there in the end. Ask Egg.

  2. These details show that fraud crimes will continue to grow until banks exploit the proposed ID KEY system.
    Reports on fraud show that the government and banks should realise that their data protection and Chip and PIN systems are failing to deter fraudsters.
    This shows that fraud will continue to grow until they exploit the ID KEY system described on the website http://www.xwave.co.uk to make signature and PIN systems reliable and foolproof.
    Fake documents have made our signature system unreliable, while skimmers, pin-hole cameras etc. have made the PIN system unreliable. We have the option to make signatures reliable by personalising them with ID stickers, and the option to use the Card Key Code to make the PIN system reliable and make use of stolen and skimmed cards meaningless. By neglecting to exploit this system, banks are only letting fraud crimes grow.
    The ID KEY system will eliminate the need for us to protect our personal and card details, since fraudsters will be deterred from misusing these stolen details.
    The proposed ID KEY can be treated as a reliable international ID card because it will personalise the signature and PIN number to only the right individuals in any country.

  3. I believe backend fraud systems should also be evaluated as proof or evidence in these kinds of cases. If a fraud system can identify the patterns, the behaviour of a consumer, txn volumes… these cases could be resolved in a more peaceful way.
    Of course, if the banks will agree on using fraud systems. Most of them do; again, most of them are based on rule-based systems, and have nothing to do with pattern identification or statistical science.
    I guess none of the people in these cases ever made cash withdrawals – 4 txns in approx. 5 minutes, around midnight – in their lifetime! Or withdrew cash from a credit card.
    One thing that could push these kinds of techs to be used in the banking area could be a mandate by regulation.
