Community

"$4.00 per chip cost to the issuer" now that is what I call card fraud!

Where have you got that number from?

Marite,

The current implementation is to use OTP for Internet/MOTO transactions only, not at ATM's. 

As such I agree that the benefit of having the ability to generate the OTP on the card is not great, a separate reader is more attractive when you consider the costs.  

Ross Anderson is well known for his dislike of EMV and Chip in general. Read any of his articles on www.chipandspin.co.uk . He is clearly very knowledgeable and educated but the findings of a scientist in a lab are very different to the reality of deploying a system which balances cost against risk.
A Cambridge professor with expensive lab equipment and specialist training may find faults with a system, will the average fraudster? At the point that the type of attacks Anderson describes become real and widespread CAP will be redundant. Until then I don't see a viable alternative.
I do however agree with one statement he makes. "The basic principle behind CAP - a trusted user interface and secure cryp-tographic microprocessor - is sound". The faults Anderson has highlighted are either theoretical or due to specific implementations - not CAP itself. In the real world it's still the best solution I have seen. I'm sure better solutions exist in laboratories but at the moment they are not solutions in the real world. When/if they hit the street and are at a cost comparable to a CAP reader great, until then CAP is a huge improvement on CVC and address verification systems.

"One solution would be the development and sale of Faraday Cage credit card holders / wallets which will prevent most or all the RF energy reaching RFID cards until removed from the holder. This will just require a metal foil lining to the holder. To see an example of this in action look at the fine grid on the inside of a microwave oven window which prevents the microwaves escaping from the oven. Is this a potential business opportunity?"

To see another practical example of this look inside the schoolbag of countless children in Liverpool (and other cities i'm sure).... I moved to Liverpool 15 years ago and was stunned by the number of tin-foil schoolbags I saw - great for avoiding detection when shoplifting.

The loophole is possibly in a setting that states if the Chip is not able to be read, to allow the transaction to proceed. It is then up to the issuing bank to decide whether or not to honour that transaction.

In my (humble) opinion the banks should all be declining such transactions.

At the end of the day if the chip is not read/present the transaction relies on either terminal rules or the issuer to decision based on risk. The 'fault' seems to be a mag stripe transaction being approved on an EMV card.

Great idea, if only banks were actually lending money at the moment.

Isn't part of the current problem that banks are refusing (or making it incredibly difficult) to lend money.

"maybe we need to either go back to old-fashioned values and make these institutions collect and store signatures, or start using properly secure digital identification methods to effect changes like this"

The second option sounds good to me. There are many ways this can be done, its is secure and it is convenient. Why post a letter or go to a branch if you can facilitate the change online or via a mobile etc?

Dean. Happy to keep to the topic away from insider fraud. Merely challenging your opening statement that "most fraud is card based".

If you don't like being challenged maybe post blogs that you can substantiate.

EMV (and the card schemes) do allow for multi-application cards with more than 1 account on them. The issue, in regard to post issuance personalisation, from my perspective is not with EMV but with the rules of card schemes and issuing banks.

For example would HSBC allow me to add my new Barclays account to their Chip card? Would Visa allow me to add a Maestro application to my credit card?

The answer on these is no. EMV does not hinder this the schemes/banks do. The card is merely the vehicle for payment at the current time. I don't see this restriction changing if the payment is made via NFC/Mobile/some other technology. As a consumer I wish it would

Marite - I don't see how anyone can interpret the statement of fact from APACS (increase in global acceptance of EMV will decrease opportunity to clone mag stripes) can be interpreted as misleading or portraying Chip & PIN as the only solution.

Chip & PIN is currently the solution in force in the UK so they are merely reporting its percieved benefits. What else do you expect them to say?

Oh and thanks for the history lesson, I am well aware of the development path of smart cards though and the different implementations prior to EMV