Community

Join the Community

22,053
Expert opinions
43,987
Total members
381
New members (last 30 days)
184
New opinions (last 30 days)
28,690
Total comments
Join Sign in

Chip and PIN: Good but not good enough

  0 6 comments
Nick Ogden
Nick Ogden
Chairman
Ogden Research
Location
London
Followers
0
Opinions
47
Unfollow

This week marked the anniversary of when chip and PIN came into force in the UK. Five years’ on, there are apparently more than 140 million chip and PIN cards in issue in the country and more than one million chip and PIN card terminals in place, not to mention the fact that many European countries have now rolled out EMV. As a result, great strides have been made in the fight against fraud with the National Fraud Authority (NFA) recently revealing that the financial services industry last year saw a reduction in its losses to fraudsters due to improved fraud prevention methods involving plastic cards.

However, at £3.6 billion a year, the amount of money the industry is at deficit is still excessive and while chip and PIN has been effective in face-to-face fraud it does not protect against card-not-present (CNP) attacks. In fact, the NFA statistics show that there was a 14% rise in online banking fraud with losses climbing to £60 million a year. This increase has been attributed to fraudsters using more sophisticated methods to target their victims through malware and a spike in phishing incidents. With e- and m-commerce becoming ever more popular, it is therefore of paramount importance that more stringent security measures are put in place to combat the threat.

In addition to being thorough, any fraud prevention system also needs to take into account the customer’s needs and therefore must be as convenient and user-friendly as possible. One issue with chip and PIN has been users’ propensities to forget their unique PIN, which has resulted in countless new PINs being produced and sent to customers at an additional cost for banks. Equally, the current security schemes for online banking such as Verified by Visa (VbV) and MasterCard SecureCode similarly require passwords to be memorised by their customers, which incurs the same forgetful problem.

Instead of the current scenario involving multiple passwords, it is clear that technologies that marry convenience and security need to come to the fore. One model that is gaining traction in the fight against fraud, specifically identity fraud, and that meets these disparate requirements is biometric technology. In verifying a person based on the electronic identification of that card presenter using their body features, impersonation is almost impossible and the need for additional hardware or passwords is eliminated. Only with such technology – whether hand in hand with chip and PIN or not – can fraud levels see a real dip.  

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

6029
 

Share

 
 
 
 
 

Channels

/security /payments
 

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

Join group

204 opinions 63 members

Comments: (6)

Nick Collin

Nick Collin Director at Collin Consulting Ltd

Nick

I know you're in the business of selling biometric authentication, but to do so by attacking chip and PIN is misleading to say the least.  Here's the facts as I see them:

- As you point out, chip and PIN has been tremendously effective in reducing face-to-face fraud in the physical world.

- But chip and PIN is also the best solution for tackling fraud in the virtual world via Remote Chip Authentication (RCA - what MasterCard calls CAP and Visa calls DPA): ie inserting your card in a reader, entering your PIN, and generating a one-time-password OTP).

- RCA is widely used to reduce online banking fraud.  Barclays PINSentry for example has been quoted as reducing Barclays' online banking fraud to zero.  A key point about this solution is that because the reader is physically separate from the PC, malware and phishing are not effective.

- Increasingly, RCA is starting to be used to tackle Card-Not-Present (CNP) fraud, by the simple expedient of treating the OTP as a MasterCard SecureCode or Verified by Visa code.  In other words the user only has to remember the one PIN which they already use in the physical world.  All the Belgian banks have rolled out this solution.

Tackling card fraud is difficult and takes years of effort.  The global migration to EMV chip started 15 years ago and is still evolving through RCA and 3D Secure, but it's the best solution we've got and a magnificent achievement.   There are undoubtably niche markets for voice authentication and other biometric solutions, but the card payments market is I fear not one of them.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Since we're seeing biometrics being proposed as an alternative to VbV and MasterCard SecureCode, it follows that the context is CNP / online. That being the case, are we to assume that webcam for iris scanning, fingerprint scanner for capturing fingerprint impressions, and all other types of biometrics authentication equipment are part of basic hardware? Otherwise, I'm not sure how biometrics will work without any additional hardware.

Stephen Wilson

Stephen Wilson Managing Director at Lockstep Consulting

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate and what are the conditions of testing?

 

Mathew Stewart

Mathew Stewart CEO at Explundish

RCA has made great strides, and should be supported, but I think Nick O still has a point.  In the future, won't users of tablets and smartphones find card readers too clunky to carry around?  In which case, couldn't biometrics provide an alternative, and very portable, means of authentication?  

Both tablets and smartphones can capture sounds and images for biometric verification, and these can only get better with time.  The question is, how long do we have to wait?   It's down to the vendors to demonstrate whether this provides a serious alternative authentication method at this time, with the devices and bandwidths currently available. 

 

Keith Appleyard

Keith Appleyard IT Consultant at available for hire

Still not a fan of CHIP and PIN - I feel happier providing some evidence of who I am, such as Signature which could be verified and challenged if too different - a PIN is just too personal.

Also I can't remember more than 1 PIN, so either have to write them all down (which could be lost/stolen), or have the same PIN for everything, which provides a weak link, so in the end I went for CHIP and Signature instead.

Stephen Wilson

Stephen Wilson Managing Director at Lockstep Consulting

Hello Nick.

Just checking if you saw my questions:

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate, and what are the conditions of testing?

Cheers, Stephen Wilson, Lockstep.

Nick Ogden
Nick Ogden
Chairman
Ogden Research
Member since
17 Sep 2008
Location
London
Followers
0
Following
0
Opinions
47
Unfollow

The Start

How do Fintech entrepreneurs get help?

Negative Interest Rates - UK banks introduce plans to charge their customers

Competition probe, your views count!

Birth of a new Currency?

See all Opinions from Nick

More expert opinions

Kathiravan Rajendran

Kathiravan Rajendran Associate Director of Marketing Operations at Macro Global

How Liquidity Pools Transform Cross-Border Payments? An Analysis

1

Joris Lochy

Joris Lochy Product Manager at Intix | Co-founder at Capilever

From Days to Seconds: The Push for Instant Cross-Border Payments

Amr Adawi

Amr Adawi Co-Founder and Co-CEO at MetaWealth

Unlocking Real Estate: How Tokenisation is Democratising Property Investment

2

Kathiravan Rajendran

Kathiravan Rajendran Associate Director of Marketing Operations at Macro Global

Is a Seamless Cross-Border Payment Future Possible?

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,053
Expert opinions
43,987
Total members
381
New members (last 30 days)
184
New opinions (last 30 days)
28,690
Total comments
Join Sign in

Trending

Kunal Jhunjhunwala

Kunal Jhunjhunwala Founder at airpay payment services

How Cross-Border Payment Platforms Contribute to India's Global Trade Ambitions

Shiv Nanda

Shiv Nanda Content Strategist at https://www.financialexpress.com/

Unlocking the Potential: Exploring Property for Investment in Thailand and its Impact on Investment

David Smith

David Smith Information Analyst at ManpowerGroup

Best 5 White-Label Neobank Solutions in 2024

Konstantin Rabin

Konstantin Rabin Head of Marketing at Kontomatik

Why Cronos, Polkadot, and Avalanche Are Q4's Hidden Gems

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept