Written by Fraud is out of control in the UK. Identity fraud is half of all fraud in the UK. SME account takeover is one of the fastest growing categories of identity fraud. So if you are an SME and an identity fraudster gets hold of your bank account, you could be in trouble. Here's a current story from the UK press.
NatWest said AEV’s liability was based on the fact it breached terms and conditions of Bankline. It said that it had told the company via pages on its internet banking website and in emails that it would never ask for a Smartcard Pin, notwithstanding the fact users are expected to enter the Pin into the card-reader device.
[From Bankline fraud: NatWest business accounts hit by online scam | This is Money]
You can see their point. My bank is always telling me that it will never ask for my PIN. If a screen popped up asking for my PIN when I logged in to online banking then I would assume that I had been hacked and would shut down immediately and contact the bank. But I am an "expert", not a member of the public. If a member of the public sees a screen that they think is from their bank and it asks them for their PIN then they will give it, no matter how many times the bank has told them not.
Bank card fraud is at its highest level since 2009, despite investment by banks and retailers in better security features such as chip and pin devices.
[From UK bank card fraud increases as crooks dodge security – FT.com]
The fraudsters have become admirably more inventive since the advent of chip and PIN. For example, I imagine that banks have also told customers (repeatedly) not to hand over their cards and PINs to other people either, but that particular kind of fraud is booming.
"Courier fraud" involves criminals phoning victims pretending to be from an authority to extract pin details. The fraudsters then send a courier to pick up the victim's bank card. The Met Police said 143 people had been arrested on suspicion of courier fraud, since January 2011.
[From BBC News – London 'courier scam' victims lose £3m to conmen]
You can see why the public are easily hoodwinked by those phoney security calls when the real ones are so confusing. I get asked for all sorts of daft things when I'm trying to log in to do stuff or get some help on the phone. You know how it us: you phone up to sort something out on your cable bill and they guy asks you what your special word is and you can't remember if you had a special word, let alone what you might have told the cable company when they asked you twelve years ago. When I logged in to iTunes on my new iPhone the other day, I was asked for my favourite character on TV when I was at school! I must have chosen this as a "security" question at some point in the distant past, but naturally had no memory of such. I hazarded the guess of Sir Keith Joseph, but this turned out to be wrong, and I still can't buy anything from the US iTunes store.
So, yes, we can try and educate the public, but in the UK at least this is a waste of time, since a fifth of them are functionally illiterate. Alternatively, we could try and build a working identity and authentication infrastructure (and then manage the convergence of the infrastructure so that there is a single, shared experience when purchasing whether in-store or on-line). What's more, unless there is some serious work done in the industry in the near future, we have to face the fact that EMV is not that infrastructure and that chip and PIN is not going to save us.
Terry Dooley, senior vice president and CIO of EFT network SHAZAM noted that EMV implementation, as it is currently being done in the U.S., will not do much to prevent fraud unless it is coupled with PIN as opposed to signature authentication.”
[From Card Not Present.com CNP Expo: EMV Leaves CNP Out in the Cold – May 23, 2013]
We've already spent the money, so we have to keep working on chip and PIN. But if we hadn't spent the money yet, would we? Come on, be honest.
To prevent fraud, then, many companies are moving toward more identity-centered solutions and behavioral profiling to determine the level of risk for CNP transactions. Birch suggested that with the proliferation of mobile phones, the way forward will likely tie in to some form of mobile app payment, since customers’ phones already have chips, and customers are willing to put PINs into their own device.
[From Card Not Present.com CNP Expo: EMV Leaves CNP Out in the Cold – May 23, 2013]
Actually I said something slightly more controversial than that. I said that in the long run, EMV might turn out to have been a bad idea because it was a bad idea to train customers to enter their PINs into other people's devices (e.g., merchant terminals). It would have been better from an all round security point of view to have told people never to put their PIN into a device they didn't own and then issue everyone with a chip card reader!
Well, you might say, that's true from a purely academic security standpoint but in practical terms it would have been too expensive (I'm unconvinced about this, since it would have reduced CNP fraud and PCI costs as well). And, you might say, the personal device that you might put PINs into, the handset, is not secure anyway. Mobile malefactors and mountebanks the world over can send viruses and loggers and worms (oh my) into your handset to steal your PIN and other passwords and such like. Indeed, but there are two points to be made here that redress the risk analysis balance to make mobile use tolerable.
- Mobile has multiple protection factors (e.g., location) so even if your malware steals my PIN and your Eastern European hackers figure out how to make their mobile banking app look like my mobile banking app, they’ve still go to make their phone look like my phone and log in from a place where I might log in and so on.
- Mobile has a trajectory. I’ve written before about the move towards trusted processing in the handset and the evolution of the ARM Trusted Execution Environment (TEE) into “live” environments.
Now that handsets with trusted processing are wending their way toward to the market, they really should be on the roadmap for organisations interested in the secure electronic transactions in the retail marketplace. I’ll be down at the Global Platform TEE event in Santa Clara on 31st October 2013 to join in the conversation about mobile security and I look forward to seeing you all there.
[Dave Birch] I was speculating that if phones become more secure (because of TEE) and customers are told only to enter their PIN into their own phone, then the overall security of the system would me much greater than a system where PINs are entered into POS terminals and ATMs.
Since when has the fact you own a device made it secure? The security in EMV is based on the fact that it is the bank that owns security token – chip card and it is their risk and their responsibility to ensure that that have adequately tested it for vulnerabilities. Giving consumers the responsibility to keep their personal devices secure is doomed to failure – Who do they trust to do this and what responisbilities to they have if they fail?
Chip and PIN is two factor authentication so in theory compromising PIN without physically having the card gets you nowhere. The reality is that the world is not EMV so with card details and PIN you can bypasss EMV and go to a country that has not implemented it. The sooner that loophole is closed the better for everyone.
Hi Dave,
This is regarding asking a consumer to enter the PIN on their own phone.
While I’m not sure if this has been done in Cards, a mobile money operator in Africa has implemented this for Agent/Merchant initiated transactions. The payer receives a USSD push to either confirm the transaction and/or enter the PIN on their own device.
The flip side is that it results in high transaction failure rate and also consumer inconvenience in case there is a technical snag in the USSD push.