Just a brief update on the chip and PIN nonsense. Since I wrote that last page, I have asked Barclays, my bank, and Barclaycard, from whom I have a credit card, for `PIN suppressed' or `chip and signature' cards. (Briefly, the deal here is that the banks have somehow convinced the courts in this country that it is impossible for one person to know another person's PIN, and that therefore if a crook nicks your money by using your card, or a copy, and your PIN, your bank might well not refund you and might even have you thrown in jail.)
Anyway, Barclays (to whom I wrote) responded to my request by... sending me another copy of my PIN. So clearly they have a firm grasp of the technology.
Barclaycard, however, sent me a new `chip and PIN' card to replace my expired card, with a little note saying I should call them to confirm receipt. So I did, and explained that I wanted a non-chip-and-PIN card. After a couple of rounds of uncomprehending conversation, it was eventually explained to me that I could only get such a card if I was disabled (the point being that, e.g., many visually impaired people have trouble operating the PIN keypads and so can't be expected to use chip and PIN). ``Oh,'' I said (slightly unfairly), ``you're discriminating against me because I'm not disabled?''
Apparently they weren't, but didn't give any other credible reason for not giving me a PIN suppressed card. So I asked the chap to close my account. This provoked a slightly different tactic, viz., ``We could give you a chip and signature card, but shops wouldn't accept it if you're not disabled.''
Now, I've never run a shop, but it's always been my understanding that the aim of the game in retail is to separate the punter from their hard-earned cash. I shall be a little bit surprised if, having handed over my card and signed the slip, I am challenged as to my disability status, but we shall see. Anyway, and to my surprise, after I asked the Barclaycard chap, ``Have you asked them?'', he got bored of arguing this back and forth and (after a long pause during which he presumably consulted mission control) agreed -- on the proviso that it would be my own silly fault if shops refused my card -- to set my card up for chip-and-signature.
(As a brief comment, I'm not sure how this works. I'd understood that the chip was designed for offline verification, and hence it's not clear how it can be remotely enabled in this way. Perhaps during an online verification it can talk to Barclaycard and update its settings? Alternatively, the Barclaycard man may have been lying.)
If you're also unhappy with the idea of being screwed by the banks over chip and PIN, you might also want to read this. (I should say also that the chip and PIN scheme is marginally more `secure' than the signature scheme, in some vaguely useful sense, in particular because signatures frequently aren't checked, whereas the PIN is. But this fairly trivial technical advantage is nullified by the dishonesty of the banks and their success in hoodwinking the courts in this country over the supposed `impossibility' of fraud based on stealing a person's PIN.)
In other news: fine work by NO2ID on Wednesday, accompanied by a splendid own-goal by David Blunkett in the form of his comments about supermarket loyalty cards. (He's chosen not to have one, but thinks that they're more of a threat to privacy than his compulsory ID card scheme. Surely some mistake?)
Comments
Posted by Andrew Duffin, Friday, 19 November 2004 12:44 (link):
"shops wouldn't accept it if you're not disabled"
Oh yes they would.
I have a chip-and-pin card, and there are loads of places - even high-throughput sites like Motorway petrol stations - which have the PIN machines right there on the desk, but don't use them. They print out a slip and ask me to sign it, just as before.
I guess they have got fed up with people who can't be bothered remembering their PIN Numbers.
Posted by Alex Hayward, Friday, 19 November 2004 16:28 (link):
When an on-line verification is completed the issuer can send scripts (up to a whole entire 512 bytes worth if they want) back to the vendor. This is supposed to be passed to the chip and PIN device to be sent on to the card. Apparently, these can do things like change the PIN, block the card and enable/disable different applications on the card.
I'm pretty sure this can't happen until after an on-line verification has happened. It is indeed possible to do off-line verifications so presumably the settings won't change until after your first on-line one. There's also the Visa low payment thing in which a certain amount of credit is stored on the card itself, gradually run down and then refilled when the next on-line verification occurs.
Things might change after January. From January liability for fraudulent card transactions verified with a signature shifts from issuers to merchants. I don't know if this applies to disabled cardholders - but they may become rather less happy about your 'PIN barred' card come next year.
Posted by Chris Lightfoot, Saturday, 20 November 2004 00:50 (link):
The reason I don't expect to be challenged in shops is that I can't imagine any reasonable shop having a policy to challenge people who have `PIN suppressed' cards as to their disability status. I'd expect a rational manager to conclude that the potential bad publicity from hassling people who have `PIN suppressed' cards because of a disability would likely be more costly than the (presumably very small) losses to fraud from non-disabled people who have chosen not to use `chip and PIN' cards. But I may yet be proven wrong.
Interesting question. Is such discrimination against the disabled prohibited yet? I'm sorry to say I don't follow this issue and so don't know.
Posted by Roy Badami, Friday, 19 November 2004 19:39 (link):
I'm confused. The Consumer Credit Act limits your liability to £50 for credit card fraud, and the Banking Code of Practice (which most banks have signed up to) similarly limits your liability to £50 for debit card fraud.
Has this changed?
-roy
Posted by Chris Lightfoot, Saturday, 20 November 2004 00:33 (link):
Not as far as I know. My concern is over the past behaviour of the banks over ATM fraud; I expect them to be equally dishonest over `chip and PIN' (for the same reason: admitting the possibility of fraud exposes them to much greater liabilities which they have so far managed to evade). The legal guarantees are no good if you have to sue an organisation which has already managed to hoodwink the courts successfully in many similar lawsuits.
Posted by Roy Badami, Saturday, 20 November 2004 12:08 (link):
Hmm, you're talking about phantom withdrawals from ATMs? I see your point, but if you have cards that can be used in ATMs then you're vulnerable to that already.
Do you think that chip and pin will increase the risk of fraudulent transactions? It might shift some of the fraudulent activity from ATM transactions to merchant transactions, but it's not at all obvious to me that it will significantly increase the level of fraudulent transactions...
-roy
Posted by Alex Hayward, Saturday, 20 November 2004 17:42 (link):
To make an ATM withdrawal the thief needs the magnetic stripe data, your PIN and access to an ATM with no chip and PIN reader (or your PIN and the chip and PIN card itself). Previously the only time you'd ever use your PIN would be when you are using an ATM. Now you're entering your PIN into all kinds of devices in all kinds of environments. This opens up many new opportunities for a thief (especially one who works for a retailer) to obtain your PIN.
Also, because chip and PIN is supposedly highly secure, it's now a lot easier for a bank to stand up and tell the world that you're lying when you claim that a chip and PIN transaction was fraudulent. This is no laughing matter as the bank may well then turn round and prosecute you for trying to get a fraudulent refund.
Fraud without stealing the card and PIN wouldn't be an easy matter (it's certainly a big step up from the current situation) but I doubt it's impossible. How about a card reader which displays one amount on the screen but encodes a different one in its authorization request cryptogram? A thief wouldn't be able to just go and use the authorization to buy something at another retailer but maybe an insider could use it to 'pay' for a previous cash transaction whilst slipping the cash in to his pocket?
The software which does this has to be certified (and checked before a retailer's system goes live) - but how many consumers have even heard of 'EMVCo Level 2 Type Certification' never mind have some way to check that the device they are using hasn't been switched for one that doesn't have it?
Posted by Roy Badami, Sunday, 21 November 2004 03:43 (link):
Yes, the fact that you will have to expose your PIN more often is a good point.
Though the recent spate of (well publicised) skimming attacks that incorporated concealed cameras attached to ATMs makes me suspect that courts will be reluctant to believe beyond reasonable doubt that a criminal couldn't have known the PIN. That's not enough to recover the money in a civil case, of course.
So, are ATMs going to use the chip rather than the magstripe (as you imply)? If so, that would be a major contribution to road safety...
-roy
Posted by Alex Hayward, Sunday, 21 November 2004 11:41 (link):
It certainly looks that way. There are quite a few pieces of ATM software on the list of level 2 approved application kernels on the EMVco site (http://www.emvco.com/) - including some belonging to British banks. There was less immediately obvious in the level 1 approval list - but maybe my search for 'ATM' was just too simple.
Level 1 type approval is what must be given to card reader hardware and level 2 type approval is what must be given to the software which talks to the card, runs the display and so on. The level 2 software can either run inside the chip and PIN device itself or it can run on a PC or till (which are mostly PCs anyway) and talk over (usually) a serial line. The PC sounds to me like a rather vulnerable point security-wise.
Posted by Chris Lightfoot, Sunday, 21 November 2004 12:15 (link):
Would it make much difference? Presumably there are going to be a lot of old ATMs around which use only the magnetic stripe for a while yet, so the cards will have to remain compatible with those, and so retain all the problems which that implies (mostly relating to the strip being copyable and alterable, AIUI). Specifically if you change your PIN a new PIN offset will have to be written to the stripe so that the new PIN works if the next ATM you use doesn't read the chip.
(I don't know what happens if you change one PIN and not the other. That's presumably not hard to do with a card reader/writer, or perhaps by applying sticky tape to the chip on the card then using an ATM to make the change. But will ATMs detect that the card has been tampered with and retain it? I have no idea.)
I found some documents about VISA promoting a 3DES-based system (for generating natural PINs from account numbers, to replace the current DES scheme, I guess?), which they want to phase in around 2009, suggesting that we may be stuck with magnetic strips for quite a while yet.
Posted by Roy Badami, Sunday, 21 November 2004 13:32 (link):
I didn't think Visa used the natural PIN/PIN offset scheme anymore. They don't have a natural PIN, but use an arbitrary (randomly generated or customer chosen) PIN, and record a PIN Verification Value (a keyed hash of the PIN and card number) on the card. But it amounts to much the same thing; the security of the system still depends on the security of the secret key.
Good to know they're moving to 3DES, though. That can presumably be deployed much more quickly than adding smartcard readers to all ATMs...
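The natural PIN and PIN offset scheme discussed in the comments above, as an added sketch that is not from the original post or from any commenter: it shows that a PIN change rewrites only the offset while the natural PIN stays fixed, and that verification rests entirely on the issuer's secret key. HMAC-SHA256 stands in for the issuer's DES/3DES step, and the decimalisation table, key and account number are constructed assumptions.

```python
import hashlib
import hmac

PIN_LEN = 4
DECIMALISE = "0123456789012345"  # assumed table: hex digit -> decimal digit

def _digits(value: str) -> bool:
    """True only for exactly PIN_LEN ASCII digits."""
    return len(value) == PIN_LEN and value.isascii() and value.isdigit()

def natural_pin(key: bytes, account: str) -> str:
    """Natural PIN: keyed function of the account number, decimalised.
    HMAC-SHA256 is a stand-in for the issuer's DES/3DES encryption."""
    mac = hmac.new(key, account.encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALISE[int(h, 16)] for h in mac[:PIN_LEN])

def make_offset(key: bytes, account: str, chosen_pin: str) -> str:
    """Offset = chosen PIN minus natural PIN, digit by digit, mod 10."""
    if not _digits(chosen_pin):
        raise ValueError("PIN must be exactly %d digits" % PIN_LEN)
    nat = natural_pin(key, account)
    return "".join(str((int(p) - int(n)) % 10) for p, n in zip(chosen_pin, nat))

def verify(key: bytes, account: str, offset: str, entered_pin: str) -> bool:
    """Recompute natural PIN + offset and compare with the entered PIN."""
    if not (_digits(offset) and _digits(entered_pin)):
        return False
    nat = natural_pin(key, account)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered_pin)

def pin_change_demo() -> dict:
    key = b"constructed-demo-issuer-key"     # constructed, not a real key
    account = "4000001234567899"             # constructed account number
    old = make_offset(key, account, "1234")  # offset at card issue
    new = make_offset(key, account, "8642")  # customer changes PIN
    return {
        "old_pin_ok_before": verify(key, account, old, "1234"),
        "new_pin_ok_after": verify(key, account, new, "8642"),
        "old_pin_ok_after": verify(key, account, new, "1234"),
        "offset_changed": old != new,
    }

if __name__ == "__main__":
    print(pin_change_demo())
```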
Comments copyright (c) contributors and available under a Creative Commons License. See also the comments policy.