Once again Ross Anderson has got the BBC all excited. If there were a real hole in Chip and PIN, the boffins at Cambridge would have spotted it, and then the BBC could really get excited. The reality is that Professor Ross Anderson has huge technical resources at hand and is surrounded by some very clever people, but they haven’t cracked the system – not even come close. They have, as we were told, found some vulnerabilities, but none that the banks were not already aware of.
In banking terms, card fraud is not huge. It is growing, generally as a result of card issuer sloppiness (I do love the card issuers, but they have to accept their own responsibilities in the current fraudfest) and, of course, of developing criminal abilities – the crims are clever too.
As was pointed out in the Newsnight broadcast (though not very well), the use of iCVV would have prevented all mag stripe cloning attempts originating from the chip, and we would not be seeing this reported on the BBC. Dave Birch was right in his assessment of iCVV (if hazy on the mechanism and calculation): iCVV = no chip-to-magstripe cloning = job done! The mechanism is simple enough: the Track 2 equivalent data held on the chip carries a card verification value derived differently from the one encoded on the magnetic stripe, so a stripe written from data read off the chip fails the issuer’s CVV check on its first magstripe transaction. The iCVV option has been available as long as EMV itself; it isn’t new. The issuers, however, chose not to implement it and are now reaping what they previously sowed. Eventually the card schemes felt there was no option but to step in and mandate the use of iCVV. They mandated adoption from 1st January 2008 – though they had given the issuers two years’ notice.
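To show what that check looks like in practice, here is an added, runnable sketch of the issuer side (an illustration written for this post, not any bank’s or scheme’s real personalisation or authorisation code). It assumes a Visa-style iCVV, where the chip’s value is derived with service code 999 in place of the card’s real service code, and it substitutes HMAC-SHA256 for the real 3DES-based derivation under the issuer’s CVK pair so that it runs on the Python standard library alone; the key, PAN and expiry are constructed test values.

```python
import hashlib
import hmac

# ASSUMPTION: Visa-style iCVV substitutes service code 999 when deriving the
# chip's verification value; the service code *field* in the data stays as issued.
ICVV_SERVICE_CODE = "999"


def derive_cvv(cvk: bytes, pan: str, expiry_yymm: str, service_code: str) -> str:
    """Three-digit card verification value over PAN, expiry and service code.

    ASSUMPTION: stand-in for the real derivation, which runs the same inputs
    through 3DES under the issuer's CVK pair; HMAC-SHA256 is used here so the
    example runs with the standard library alone. The decimalisation step
    (decimal digits first, then hex letters a-f read as 0-5) mirrors the real one.
    """
    data = (pan + expiry_yymm + service_code).encode()
    digest = hmac.new(cvk, data, hashlib.sha256).hexdigest()
    digits = [c for c in digest if c.isdigit()]
    digits += [str(ord(c) - ord("a")) for c in digest if c in "abcdef"]
    return "".join(digits[:3])


def personalise(cvk: bytes, pan: str, expiry_yymm: str, service_code: str,
                use_icvv: bool):
    """Return (magstripe Track 2, chip Track 2 Equivalent) as the issuer writes them."""
    stripe = {"pan": pan, "expiry": expiry_yymm, "service_code": service_code,
              "cvv": derive_cvv(cvk, pan, expiry_yymm, service_code)}
    # With iCVV the chip keeps the real service code in its data but its CVV
    # is derived with 999, so the two values differ.
    chip_derivation_sc = ICVV_SERVICE_CODE if use_icvv else service_code
    chip = {"pan": pan, "expiry": expiry_yymm, "service_code": service_code,
            "cvv": derive_cvv(cvk, pan, expiry_yymm, chip_derivation_sc)}
    return stripe, chip


def clone_from_chip(chip_track2_equivalent: dict) -> dict:
    """What a criminal gets by copying the chip's Track 2 Equivalent onto a blank stripe."""
    return dict(chip_track2_equivalent)


def issuer_verifies_magstripe(cvk: bytes, track2: dict) -> bool:
    """Issuer host check on a magstripe authorisation: recompute CVV from the
    PAN, expiry and service code presented and compare with the CVV presented."""
    expected = derive_cvv(cvk, track2["pan"], track2["expiry"], track2["service_code"])
    return hmac.compare_digest(expected, track2["cvv"])


if __name__ == "__main__":
    # Constructed test values: not a real key, PAN or card.
    cvk = b"constructed-test-cvk"
    pan, expiry = "4111111111111111", "1203"

    for use_icvv in (False, True):
        stripe, chip = personalise(cvk, pan, expiry, "201", use_icvv)
        print(f"iCVV={use_icvv}: genuine stripe accepted:",
              issuer_verifies_magstripe(cvk, stripe))
        print(f"iCVV={use_icvv}: stripe cloned from chip accepted:",
              issuer_verifies_magstripe(cvk, clone_from_chip(chip)))
```

The first pass through the loop is the pre-2008 situation: chip and stripe carry the same CVV, so a stripe written from chip data is indistinguishable from the genuine one. The second pass is the iCVV card: the genuine stripe still verifies, but the clone carries the chip’s value and fails the issuer’s recomputation. Note where the check lives: it only helps if the issuer host actually validates the CVV on every magstripe authorisation, including the overseas ones.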
The DDA card (one of the new technologies that was mentioned) has also been available from day one, but originally cost twice as much as the SDA alternative. An SDA card carries only static, issuer-signed data, which can be copied onto a counterfeit chip and replayed to a terminal working offline; a DDA card holds its own private key and signs a fresh challenge from the terminal, so copied data alone is not enough. Considering that the crims would take a few years to catch up (which has since proved a true assessment), decisions were made to issue SDA in the first instance and follow up with DDA on re-issue. The banks’ mistake (which has resulted in growing overseas ATM fraud) was to wait too long to issue DDA cards (which are now much cheaper), because their security people and "bean counters" couldn’t justify spending the extra money on fraud that wasn’t yet evident. It’s a bean counter thing! They call it cost/benefit analysis, and it has nothing to do with trying to make the cardholders carry the can. That’s a separate customer service issue.
The banking industry has "chosen" not to adopt all the anti-fraud measures available to it, usually because the cost does not necessarily justify the benefits, or more usually because the "bean counters" can’t show a cost benefit if the fraud isn’t already happening!
The issue here is that the banks should, when dealing with cardholder fraud, recognise their own limitations and give the benefit of the doubt (within reason) to the customer. This is where they are really failing, and this is the customer service issue.
My daughter was the obvious victim of card fraud a couple of weeks ago – the bank’s first response was that it was her fault, and she should go away. I thought the onus of proof was on the bank (Paxo and Sandra discussed the Banking Code on Tuesday night), but the bank simply told my daughter that the PIN had been used, and it was therefore her responsibility. It was, however, clearly fraud, but it took a "threatening" phone call from me, with over 20 years of card experience, to get the money back. They told me it was a training issue, and they would make sure the person who had made the original decision went on a refresher course.
Banking Code – what Banking Code? Customers would feel more comfortable with card fraud if the Banks didn’t jump to the conclusion that it must be the cardholder’s fault!
Spin it like it is – we’ll get there in the end.