August 16, 2006

Fraudwatch - Chip&PIN one-sided story, banks and deception and liability shifts

First some good news from PaymentNews:

APACS, the UK payment association, has announced that six months after "PIN day" (Valentine’s Day 2006, February 14th), the UK is the world's first chip and PIN success story - with more than 99.8% of all chip and PIN card transactions now PIN-verified and more than 150 chip and PIN transactions taking place every second (compared with 125 a second six months ago and 85 a second a year ago).

The UK’s banks and card companies have now issued 130 million chip and PIN cards representing 92% of a total of 141 million cards. Approximately 850,000 tills have been upgraded to chip and PIN, representing 87 per cent of all tills in the UK - and retailers have reported that "transaction times have become quicker with queues in shops shorter." In addition, in 2005 there was a reduction of nearly £60m in counterfeit and fraud on lost and stolen cards (a drop of 24%) compared to 2004.

Said Sandra Quinn of chip and PIN: “Britain is now a truly mature chip and PIN nation. Millions of people have adapted to the change with no problems at all. This means that we are all a lot safer when we go shopping, and that fraudsters have been denied millions of pounds of stolen money. Of course it hasn’t eradicated fraud, it never could, as fraudsters will continue to target us and our money. But it is a fact that chip and PIN has made our cards safer than they were two years ago and banks and retailers will continue to work together to keep it this way. Now we need to remain vigilant, as fraudsters will always try to find other ways to get hold of our money. That is why we are constantly reminding cardholders how to protect themselves from fraud.”

Now, readers will recall recent trouble when the new chip and PIN cards suffered some fraud. What we see above is the success story with only a passing mention of the failure story, leaving us unsure what to make of the numbers. Last year, APACS reported that Internet fraud now accounts for one quarter of all fraud losses in the UK, so they are certainly capable of reporting fraud.

Here's an older story giving some indication (again from APACS):

The Scotsman reports on the impact on card fraud from the introduction of chip and PIN technology in the UK, reducing credit and debit card losses by 13 percent in the first six months of 2005.

The figures showed counterfeit card fraud fell by 31%, fraud on lost or stolen cards dropped by 27%, losses on cards that went missing in the mail were 37% lower and identity theft on payment cards was down by 16%.

Not quite as rosy as the chip&PIN story would have us believe, and others are skeptical. Meanwhile, a more tarnished image for the US banks, this time for deceptive practices:

The Office of the Comptroller of the Currency has issued new guidance on disclosure and marketing issues associated with gift cards - focusing on "the need for national banks that issue gift cards to do so in a manner in which both purchasers and recipients are fully informed of the product's terms and conditions." ... Basic information that is most essential to a gift card recipient's decisions about when and how to use the card should be provided on the gift card itself, or on a sticker or tape affixed to the gift card. Disclosures should generally tell consumers:
  • The expiration date of the card (which should appear on the front of the card);
  • The amount or the existence of any monthly maintenance, dormancy, usage or similar fees;
  • How to obtain additional information about their cards or other customer service (for example, by providing a toll free number or website address).

The OCC's new guidance also advises national banks to avoid practices that could be misleading to consumers. For example, issuers should not advertise a gift card with "no expiration date" if monthly service or maintenance fees, dormancy fees or similar charges can consume the card balance. Similarly, if fees may consume the card balance before the stated expiration date, disclosures related to that expiration date should explain that possibility. Issuers should also avoid describing gift cards as if they are gift certificates or other payment instruments more familiar to consumers, or as products that carry federal deposit insurance.

This is bad news because it indicates that deceptive behaviour is prevalent in the gift card business. (Note that the pre-paid / gift card business is exploding, as Dave Birch reports and as I mooted last year in bull #4. This is a significant sector for financial cryptographers to track. From PN, see also WSJ and Teenage spending.)

One would expect that banks would not engage in such ... but the need for guidance suggests otherwise. Indeed, is the following deceptive behaviour by APACS, in the aforementioned press release?

The consumer continues to be protected from card fraud losses by The Banking Code. Nothing changes for the consumer. Just as now, cardholders do need to be responsible in protecting their cards and keep their PIN a secret.

Right. But what about the retailers and any liability shift in chip & PIN? And, to underscore the ability of the banks to shift liability:

The survey of 2,000 net users found that five per cent had fallen victim to scams and had lost out financially. Half of victims received no compensation from their banks while one in ten is still waiting for the matter to be resolved.

Here's more evidence on how easy it is to fool people when someone ran a random survey for ID theft bait:

  • More than 70% of respondents gave up their mother's maiden name
  • More than 90% of people provided both their date and place of birth
  • Nearly 55% explained how they devise their online passwords
  • Nearly 85% of respondents provided their full name, current street address, and email address

Is card fraud going up or down? Visa says down:

Visa says fraud accounts for about 7 cents of every $100 spent on its credit cards, an all-time low and about half the rate of 10 years ago.

And APACS says up:

Last year, credit card fraud was equivalent to £12 for every cardholder in the UK. The amount lost every year has jumped by a massive 600 percent over the last six years. Last year, the Which? survey had found that six percent of current account holders and five percent of credit card holders had been a victim of fraud at some point in time. The Association of Payment Clearing Services (APACS) says that UK card fraud hit over £500 million last year, a 20 percent rise from the figures in 2003.

CyberSource says up, for retailers (but original Yahoo source is lost):

CyberSource has announced the results of its 7th annual CyberSource Fraud Survey. Among the survey's findings, the estimate for ecommerce fraud losses increased to more than $2.8 billion for 2005, an 8% increase over the year before. Although the overall rate of fraud loss remained relatively constant at 1.6% of revenue, mid-to-large merchants selling $5-$25 million annually online reported fraud losses increasing from 1.5% to 1.8% of revenue while those selling over $25 million reported losses increasing from 1.1% to 1.2% of revenue.

So maybe we can suspect that the banks are becoming more successful in shifting the fraud losses away from themselves and on to consumers and/or retailers. JPM reports that it's ever present:

Retail operations have "slippage" (shop lifting) ... it is just built right into the figures. They expect that slippage will be 4% on an ongoing basis, but 3% in video stores, 5% in candy stores, 0.05% in petrol stations ("drive offs"), etc.

Plenty of room to shift out some bank liabilities then! The problem with shifting the liabilities is that the consumer pays in the end, regardless of how the cut is taken. So our objective should not be for any one party to just reduce their own liabilities -- they can always pass it on -- but instead to identify the most efficient place to accept and pay for the frauds.

Where is that place, then? And, where is the debate about how payment systems operators, retailers and consumers create that efficient sharing?

Posted by iang at August 16, 2006 09:04 AM

mention of IBM SDA chip&pin deployment for UK Safeway in 1997

not too long later the cloned "yes cards" appeared; a reference to counterfeit sda chip&pin "yes card" from 2002 (which also mentions that detailed information for building a counterfeit "yes card" was readily available from the internet)

then SDA chip&pin in 2006, vulnerable to the same "yes card" exploits from the 90s. a recent summary of some of the issues

subsequent news mentioned that replacement DDA chip&pin cards would be a countermeasure to the 90s counterfeit cloned SDA chip&pin "yes cards". however, if it is still purely "something you have" authentication, ... see discussion

the infrastructure may still be vulnerable to mitm-attacks (pairing a counterfeit "yes card" with a valid card).

in the SDA chip&pin dating back to the mid-90s, supposedly there is multi-factor authentication, the "something you have" card (based on the card being able to present static authentication data) and the "something you know" PIN entry.

a "counterfeit" yes card involves copying the static authentication data from a valid card ... which then becomes a type of replay-attack. the "yes card" presents the (cloned) static authentication data to the terminal and then after the PIN is entered ("something you know" authentication), the terminal asks the "yes card" if it is the correct PIN. Of course, "yes cards" (in part where they got their label), always answer "YES".

The assumption about multi-factor authentication being more secure is based on assumption that the different factors are subject to independent vulnerabilities and threats ... i.e. PIN as a form of "something you know" authentication is a countermeasure to lost/stolen ("something you have" authentication) card.

However, in the "yes card" scenario, the infrastructure is vulnerable because the successful attacker doesn't actually need to know a correct PIN ... since the terminal just relies on the card as to whether the PIN is correct or not. All the successful attacker needs to do is load cloned static authentication data into a "yes card" ... or possibly (in the case of a DDA chip&pin card), pair an appropriately programmed "yes card" with a valid card for a MITM-attack.

back in the mid-90s, when the x9a10 financial standard working group was given the requirement to preserve the integrity of the financial infrastructure for all retail payments ... most forms of both replay-attacks as well as MITM-attacks were among the things considered for the x9.59 financial standard (in part because the same exact standard needed to work, at least, in both point-of-sale as well as over the internet).

for various reasons, many replay-attacks and mitm-attacks that are well documented for the internet environment are also possible in the point-of-sale environment ... but possibly not so clearly evident.

Posted by: Lynn Wheeler at August 16, 2006 02:23 PM
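The comment above describes why a replayed copy of static authentication data plus an "always yes" PIN verdict defeats an SDA terminal, and why a per-card dynamic challenge (DDA) is the countermeasure against a plain clone. The following simulation is an added example, not code from the blog or the commenter: HMAC stands in for the issuer's signature and for the card's dynamic signature, a key table stands in for the card's public-key certificate, and the PAN and keys are constructed values. The relay/MITM pairing the comment also mentions is not modelled.

```python
import hmac, hashlib, os

# Constructed keys for the simulation (hypothetical; not real issuer material).
ISSUER_KEY = b"issuer-signing-key"   # stands in for the issuer's private signing key
_CERTIFIED_CARD_KEYS = {}            # stands in for the card's certified public key

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class GenuineCard:
    def __init__(self, pan, pin):
        self.static_data = pan.encode()                         # readable by any terminal
        self.issuer_sig = _mac(ISSUER_KEY, self.static_data)    # also readable (static data)
        self._pin = pin                                         # held inside the chip
        self._dyn_key = os.urandom(16)                          # never leaves the chip
        _CERTIFIED_CARD_KEYS[pan] = self._dyn_key

    def verify_pin(self, pin):
        return hmac.compare_digest(pin, self._pin)

    def sign_challenge(self, nonce):
        return _mac(self._dyn_key, nonce)

class YesCard:
    """Clone built only from data that is readable off a genuine card."""
    def __init__(self, genuine):
        self.static_data = genuine.static_data
        self.issuer_sig = genuine.issuer_sig

    def verify_pin(self, pin):
        return True                        # the "yes" that gives the card its name

    def sign_challenge(self, nonce):
        return b"\x00" * 32                # no per-card key, so it cannot answer a challenge

def sda_offline_pin_transaction(card, pin_entered):
    """SDA flow: verify the issuer signature on static data, then trust the card's PIN verdict."""
    static_ok = hmac.compare_digest(card.issuer_sig, _mac(ISSUER_KEY, card.static_data))
    return static_ok and card.verify_pin(pin_entered)

def dda_transaction(card, pin_entered):
    """DDA flow: additionally require the card to prove possession of its own key."""
    if not sda_offline_pin_transaction(card, pin_entered):
        return False
    nonce = os.urandom(8)                  # fresh per transaction, so a replay does not help
    expected = _mac(_CERTIFIED_CARD_KEYS[card.static_data.decode()], nonce)
    return hmac.compare_digest(card.sign_challenge(nonce), expected)
```

Running the SDA flow with a clone and a wrong PIN returns True, which is the failure the comment describes; the DDA flow rejects the same clone because the challenge response cannot be copied from static data.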

re: Fraudwatch - Chip&Pin one-side story

recent item somewhat related to earlier comments

Banks seek new fraud solutions

Posted by: Lynn Wheeler at August 16, 2006 08:22 PM

The alternative is the European approach: there is a court decision now that Vodafone must not expire the amount on the prepaid accounts of mobile phones! (This happened to me in Skype recently ...) (in German unfortunately)

Posted by: Best regards, Philipp Gühring at August 23, 2006 11:04 AM