October 16, 2009

Chip & pin fallacies

We often print numbers reported in the press and other places, because sometimes these are useful for dealing with the fantasies and fallacies common in this world. I wish they were more used! Stephen Mason and Roger Porkess have just published an article full of such numbers on British chip&pin, and done in a fairly scientific survey fashion:

The findings

Forty-six respondents had been contacted by their banks, many of them several times. Most of the transactions had in fact been authorised, but 11 of the 46 people had been contacted about unauthorised transactions. Of the 11 with unauthorised transactions, three could explain them as security lapses (typically losing the card) but nine could not (one person was in both categories).

The survey then went on to ask about unauthorised withdrawals; these cases had not been detected by the banks' detection software. Twenty-one people had had unauthorised withdrawals. Of these nine people could explain them as security lapses and 13 could not (again one person was in both categories).

What this article lays to rest is whether there is any possibility of fraud and breach of the security in the Chip & pin system. Clearly yes: depending on how you view the numbers, the possibility of a person experiencing an "unexplainable" breach is between a lower bound of 6% and an upper bound of 20%.

The total of 29 unexplained attacks were reported by 16 individuals from the 80 respondents. This would suggest a probability of one in five, that a randomly selected individual has experienced an attack.

There are two problems with this estimate. If all those who did not return the questionnaire had nothing to report, the probability would reduce to about one in 16. More importantly, the claimant is not a randomly selected individual but one of a very small group of people involved in such cases. However, the importance of this probability is not its actual value, but that it is not zero. Such attacks can happen, and so it is entirely possible that the claimant is telling the truth.

That is a stunning amount of fraud. Another observation made by the article concerns how effective the banks' systems are. Working backwards from the respondents' numbers, it is suggested that:

These figures show that the banks take measures to detect unauthorised transactions, but that their processes are still not very effective. They suggest that only about half of unauthorised transactions are detected in advance; however, to achieve even that level of success, a large number of transactions are investigated, about 90% of which are authorised.

That the banks are prepared to bear the considerable costs that are involved in the process of carrying out checks in this manner could be taken as an indication that they recognise that a security problem exists.

What is the point of all this? It is because of a rather stunning observation made in a court in a recent case:

In his judgment, Judge Inglis stated, at [20]: "...that the absence of a history of successful fraudulent attacks on online chip and PIN transactions, and the absence of any evidence of systems failure, as showing that these were transactions that can be taken at face value...are important pieces of evidence from which it is open to the court to draw the inference that these were transactions that took place using Mr Job's card and his PIN."

The authors suggest this as a case of the Prosecutor's fallacy: whether the event happened or not is the same question as whether the person holding the card is innocent or not. I'm not sure I quite follow what this means, but it seems to mean that there is a presumption being made that if the event happened, the cardholder was responsible. But, there are other possibilities:

A thief has stolen the money from the bank following a breach of the card's security.

A thief has stolen the money without a breach of the card's security.

The claimant is making a dishonest claim.

The bank has made an error.

And this is what the survey attempts to predict. So the bank in question, Halifax, successfully made the case that there was nothing wrong with the security of their systems. If there was a fraud, it was caused by the cardholder, in some way or other.

I've worked in this field for a bank, doing smart card work, and I can offer the following observation. During my time there, a stunning piece of open academic work swept through the crypto world and destroyed the "perfect security" belief in the bank's systems. Yet, the bank did not respond, at all. I investigated this, and discovered that there were in fact two beliefs. The bank on the whole believed there was perfect security, but the core security team knew it was not true (and indeed knew about the research for some 5-10 years).

There was cognitive dissonance between a small core group of experts, and the wider bank. Every conversation between the two groups was characterised by careful choice of wordings to allow the beliefs to co-exist in harmony. So consequently, although the academic work was on the face of it highly threatening, it achieved nothing. The two beliefs separated briefly in the face of this evidence, then bypassed it, one each side, and rejoined on the other side. Harmony was restored.

So I would say that the Halifax believes its systems secure, and was able to present enough evidence or absence of evidence to sway the court. However the trick of asking the right person in the Halifax was probably not tried (and of course this is quite problematic, because you need to know who it is, and how to get them to open up, *and* get them to court). We in the security field know that there is a lot of fraud there in chip & pin, but it is only with serious evidence at hand -- this survey for example -- that we can start to attack the castle of convenient beliefs.

Another curious thought of mine: Chip&pin is more risky than cash! In fact, I'm trying to think when was the last time I heard of someone being robbed of cash. I don't mean the Swedish helicopter heist of September, I mean pick-pockets, muggings, etc. So far, I'm thinking zero risk, but maybe that's just cognitive dissonance?

Posted by iang at October 16, 2009 09:04 AM

You really should have spent 2 seconds typing in "ATM robbery" on Google News:


Woman pistol whipped, robbed at ATM
WTHR - 1 hour ago Entertainment News from AP Indianapolis - Indianapolis officers are investigating a robbery at a walk-up ATM Friday morning. It happened around 7am in the ...

Yes people do still get held up for cash, and old people occasionally die over $10 or less due to drug addicts caring more about their next hit than the sanctity of life...


Posted by: Anon at October 16, 2009 11:37 AM

Great stuff,

Your comment:

> However the trick of asking the right person in the Halifax was probably not tried (and of course this is quite problematic, because you need to know who it is, and how to get them to open up, *and* get them to court).

This is difficult. See my comments in the last para of this article to explain: http://www.stephenmason.eu/articles/banking-the-pin-and-the-atm/

Posted by: Stephen 16.x.09 at October 16, 2009 12:14 PM