Chip and PIN safety is just smoke and mirrors

I’m no expert on credit/debit card safety but I’m concerned enough to share my thoughts and experience based on recent “hacking” stories in the news and complacency of retailers when storing your card data.

Chip and PIN is not more secure

Chip and PIN Security abstract imageFrom 2004, Banks have been pushing the Chip and PIN “safety in numbers” campaign to encourage customers (and particularly merchants) to shift to the new Chip and PIN technology. Previously, a payment was authenticated using a signature on a receipt (either produced via swiping in a magnetic card reader or a physical imprint of the card details). This had a high rate of fraud due to the weaknesses in signature authentication and ability for cards to be cloned – the magnetic strip became a single point of failure.

On the surface, it appears more secure. France saw an 80% drop in fraud when switching to Chip and PIN. The two factor authentication of Chip and PIN (what you have, what you know) has significantly reduced card cloning; the user doesn’t have to hand over their card whilst worrying about double swiping and their PIN is shared with their ATM PIN so the usability was maintained. However, card fraud has increased in the years since, resulting in the movement of fraud attempts rather than their elimination.

Without considering the vulnerabilities, four immediate problems come to mind.

Firstly, if you don’t enter your PIN correctly, the merchant will invariably downgrade to a Chip and Signature transaction. To the consumer, this mirrors the older process of signing the receipt. The difference is that the merchant has specifically opted in to using the less secure protocol and assumes the risk of fraud. (Given the attention I’ve seen sales assistants pay to the validity of the signature, I wouldn’t put any confidence in this mechanism).

Secondly, CCTV cameras are routinely aimed at the tills, for good reason. But these also collect what users are entering in PIN pads. Of course, we’re encouraged to conceal our entry with our other hand, but we do live in a society and this creates an implication of distrust of your fellow customer. If the card is stolen or is cloned in some way by a compromised terminal, your authentication is compromised but your card is fine.

Thirdly, what confidence do we have that the terminal has not been compromised? Consider the new means of robbing a bank, from an apartment a few blocks away. Santander and Barclays were both targeted with inexpensive IT kit installed by supposed IT engineers which allowed direct access to banking systems. What’s to say the same technique hasn’t been employed, with a sales assistant being duped into allowing “upgraded systems” to be installed from “head office”? A man-in-the-middle device can trick a card into believing signature authentication was used even when an invalid PIN was entered, leaving the incorrect PIN count held in the card intact.

Finally, there is the competence of the merchant. Hotels and bars often hold cards “open” to allow for future drinks/etc. to be added to the account at the customer’s convenience. Theoretically, when the customer signs the receipt when the account is closed they would identify any anomalies (assuming they’re not drunk enough not to realise). I’ve managed to pay for two expensive cocktails in a 5-star hotel without entering my PIN or signing due to this account system being incompetently applied.

In these the weakest security is the person, and it is most often the merchant at fault. Then there are the known exploits in Chip and PIN such as man in the middle attacks (PDF), so-called “yes-cards”, offline authentication, card cloning for use abroad, electronic authentication downgrade and good old robbery.

Cardholder not present is still not secure

Cardholder not present (CNP) is a technique of authenticating the card when the merchant cannot guarantee the authenticity of the cardholder, typically when ordering online or over the phone.

There are various ways of “proving” the identity and validity of a card in this scenario.

Firstly, the Card Security Code (CSC) attempts to prove that the card is in the possession of the purchaser (note, not necessarily the cardholder) at the time of ordering. These are the three digits on the reverse of your card. The CSC is not encoded in either the chip or the magnetic strip on the card, therefore a cloned card would not contain the CSC, rendering the transaction invalid. This can authenticate the transaction (and by implication, the validity of the card, if not the purchaser) but relies on the competence of the merchant to avoid these values being compromised. For instance, the PCI standard mandates that the CSC must not be stored within a database following transaction authorisation, should the database containing card data become compromised. The recent case of StaySure having their CSC data being hacked shows that this is not guaranteed and the customer has no way of knowing. (Ask yourself, if the CSC is needed for an electronic CNP transaction, how can Amazon ask for this code only once and continue to bill your account.) This comes down to the reliability and trustworthiness of the web sites and the individuals running them. How does the company store your card data? Do they retain your data, and for how long? Are there opportunities for individuals within the company to access that data unencrypted? Are paper trails generated containing your card details? The web site is a sealed box into which you have no view of how your financial data is managed. Phone-based and mail-based orders may be written down and printed off and left in accessible piles on employees’ desks (which is why PCI mandates physical access security to cardholder processing areas).

Secondly, Visa’s “3-D Secure” authentication mechanism known under the brands “Verified by Visa” and “Mastercard SecureCode” whilst seemingly authenticating the cardholder by asking more pertinent questions directly related with the cardholder’s bank account, does not provide real assurance to the cardholder that it is indeed genuine. The technique used by the scheme requires a web commerce site to embed an IFRAME within their checkout process that acts as a “window” into the banking system, requesting extra verification data. However, the user does not necessarily know that the site within the window is genuine. A malicious web site may embed a false authentication site, the user’s computer may be infected allowing false authentication sites to be used or DNS poisoning may be used to redirect valid authentication sites to malicious parties.

The Chip and PIN programme does provide benefits to the consumer, without a doubt, though this is largely based on usability. Any argument for increased security is a smoke and mirrors marketing campaign by the card issuers. Fraud has increased, particularly in Cardholder Not Present scenarios (and coupled with weak IT security on the part of web sites) and attacks have merely shifted to alternative weaknesses as opposed to being prevented. The big winners are the banks, because they are able to transfer the risk of a fraudulent transaction from themselves to the merchant or the customer. Stringent merchant contracts allow the bank to transfer liability of fraud to the merchant should the merchant chose to downgrade their authentication or to the cardholder if it can be proved that fraud was attempted. Interestingly, if a PIN has been entered, the banks refused to accept liability until 2009 even if the user denied having used the card.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.