Visa also request that they have the option to not perform strong authentication, and instead accept liability for fraud. However, this doesn't take into account that there are wider costs of fraud, that just refunding the customer will not deal with. Furthermore, the draft regulations allow providers to keep the security audit of authentication systems secret, and so leave victims of fraud in a difficult position to argue that they were not negligent. I pointed both of these issues out in my own response to the EBA consultation.
23 Nov 2016 13:17
@Peter When I've used my UK credit card in Belgian PoS terminals, I'm confident offline PIN and online authorisation was used because the PIN verification response was instantaneous but the transaction authorisation took a few seconds. I don't know the relative proportions of different transaction types, but offline PIN is almost certainly possible and is listed as the preferred option on the CVM list of UK cards I looked at. Even if only some terminals support offline PIN, criminals would have targeted them (they already would have had to identify terminals with a non-zero floor limit).
22 Oct 2015 17:37
Yes, it was exploiting the same vulnerability as the original no-PIN attack. However there was an interesting twist: they also modified the application transaction counter (ATC) to make it seem as if the card had done fewer transactions than it really had. This, along with the fact that the cards were stolen in France and used in Belgium, made it more likely for the transaction to be offline and so keep the fraud working even after the genuine card had been reported stolen. I posted more details here: https://www.benthamsgaze.org/2015/10/14/just-how-sophisticated-will-card-fraud-techniques-become/
22 Oct 2015 17:02
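The ATC twist described in the comment above can be spotted on the issuer side once the transactions clear, because a counter that has been wound back reuses values the genuine card already consumed. The following is an added illustration, not code from the comment author or from any issuer; the clearing records and field layout are constructed for the example.

```python
# Added example (not from the original comment or any issuer's system):
# issuer-side check for a rewound Application Transaction Counter (ATC).
# A genuine card increments its ATC on every transaction, so a clone that
# reports a lower ATC ends up reusing values the real card already used.
# Records and field names below are constructed for illustration.
from collections import defaultdict

# constructed clearing records: (card token, ATC, transaction id)
CLEARING = [
    ("card-A", 41, "t1"), ("card-A", 42, "t2"), ("card-A", 43, "t3"),
    ("card-A", 39, "t4"),  # offline txn clearing late: lower ATC, legitimate
    ("card-A", 42, "t5"),  # ATC reused: rewound counter or replayed cryptogram
    ("card-B", 7, "t6"), ("card-B", 8, "t7"),
]


def find_atc_reuse(records):
    """Return {card: [(atc, [txn ids sharing it]), ...]} for every ATC value
    seen more than once on one card. Arrival order is ignored on purpose:
    offline transactions legitimately clear after later online ones, so an
    ATC that merely goes down is not evidence, but the same ATC twice is."""
    seen = defaultdict(lambda: defaultdict(list))
    for card, atc, txn in records:
        seen[card][atc].append(txn)
    return {
        card: sorted((atc, txns) for atc, txns in atcs.items() if len(txns) > 1)
        for card, atcs in seen.items()
        if any(len(txns) > 1 for txns in atcs.values())
    }


def highest_atc(records):
    """Highest ATC cleared per card; a new transaction far below this value
    is worth a closer look even when no exact duplicate has appeared yet."""
    top = {}
    for card, atc, _ in records:
        top[card] = max(top.get(card, 0), atc)
    return top


if __name__ == "__main__":
    for card, dupes in find_atc_reuse(CLEARING).items():
        for atc, txns in dupes:
            print(f"{card}: ATC {atc} reused by {', '.join(txns)}")
```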
Thanks for sharing this report. I found it very interesting.
In the next survey, I'd really like to see which proportion of card fraud victims took a financial loss, how much this was, and whether it was a result of the bank refusing to refund them or due to other reasons. There are no good recent statistics here and it would address an important public policy question.
The current report gives customer satisfaction, which goes some way to addressing this issue (it's unlikely a customer will be very satisfied if they took a large financial loss), but it's hard to break down where dissatisfaction is coming from.
25 Jun 2014 17:22
Does anyone know how this relates to Barclays Pingit? The two seem awfully similar but does Paym run over the Direct Debit rails too? There's some mention of PANs being processed, so maybe it's debit card.
I wonder what Barclays think about this. I could imagine they would either be pleased or upset that they've got competition in this space.
I see that the FAQ [1] says that "When you select or input your contact’s mobile phone number and the amount you want to pay, you’ll see a confirmation screen which shows the recipient name as registered to the mobile number on the central database."
This could be a great way of finding out who called me from this number :-)
[1] http://www.halifax.co.uk/aboutonline/why-bank-online/pay-a-contact/
03 Apr 2014 09:36
You don't have to steal the card, just have temporary access to it. This could be achieved by asking the customer to use the card in a tampered Chip and PIN terminal. The cryptograms could be collected either instead of the legitimate transaction, or in addition to it. Then the cryptograms could be pre-played to a vulnerable ATM or point of sale terminal.
The attack could alternatively be done by stealing the card. For example, someone could take the card, collect cryptograms, then return it. In some situations this might work better, because the customer will take longer to notice the fraud and cancel the card.
If the criminal doesn't plan to return the card, then he might as well just use the genuine one rather than a pre-play clone.
12 Sep 2012 14:36
$100 per unit (very approximately; for low quantities component cost can easily vary by a factor of 5 depending on supplier and how soon the components are needed).
12 Jan 2011 12:47
Ben,
The hardware costs would be small. It's hard to put a number on it because it dramatically depends on how many of the devices are manufactured. My estimate is that if you wanted to manufacture 10, it would cost about $100, including labour. If you wanted to manufacture 100,000 it would cost about $10.
Steven.
12 Jan 2011 12:21
Ross Anderson has written a blog post on this topic, which backs up some of the earlier commenters: "PINs and the burden on customers". In it, he also mentions a radio interview with an APACS spokesman, Mark Bowerman, who tells customers to change their PINs to the same number (contradicting the advice given by the same spokesman in the Which? article).
04 May 2010 10:28
Stephen,
All very good points. There does seem to be quite a bit of selective use of numbers within the biometric industry. A major one, which you pointed out, is not differentiating between the one-to-one and one-to-many matching scenario. John Daugman (inventor of iris codes) has written a good description of the mathematical reasons why this simplification is flawed.
You also pointed out that vendors are sometimes guilty of presenting false positive and false negative figures which cannot be achieved together. Fortunately the representative of Hitachi-Omron did not do this, but he did fail to discuss anything other than the zero effort impostor. In fact, I can't think when I have ever heard a vendor give figures for anything else.
The only biometric which is even close to being good enough for one-to-many matching is iris codes, and it does this rather well. It is used in Dubai for immigration and it can give zero false positive rates for one-to-many matching in country-sized deployments, while giving very few false negatives. There are customer-acceptance problems, however. In the same conference as the Hitachi-Omron presentation, Peter Michael Seitz from Erste Bank said that they prefer finger-vein detection because customers (mistakenly) believe that iris recognition could damage their eye.
In fact iris recognition is simply done with a webcam, preferably on the infrared wavelength. Even if customers could be persuaded as to the safety and security, there are still plenty of problems remaining. One is that many people depend on the ability to give their card and PIN to someone else, to act on their behalf. Currently banks turn a blind eye to such processes, but biometrics would force these to be formalized, which likely neither the bank nor customer would like. Also, the Dubai programme was for an attended scenario, so there is some question as to how it will fare if unattended.
Another interesting point was raised by the representative of a Nigerian bank. They wanted to know whether finger-vein detection could de-duplicate the biometric template database. This is because they are concerned about bank staff enrolling themselves onto a customer's account, and committing fraud. This turns a one-to-one match into a one-to-many, so while there wasn't an adequate answer from Hitachi-Omron, I think that finger-vein detection (or any biometric except the iris code) has no chance of solving this problem.
18 Apr 2010 14:06
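The one-to-one versus one-to-many distinction in the comment above, and the de-duplication question from the Nigerian bank, both come down to how a per-comparison false match rate compounds over many comparisons. The following added example (not from the comment author or any vendor) works that out; the vendor figure and database sizes are constructed for illustration, and independence between comparisons is assumed.

```python
# Added example (not from the original comments): how a false match rate
# (FMR) quoted for one-to-one verification scales when the same biometric is
# used for one-to-many identification or for de-duplicating an enrolment
# database. Comparisons are assumed independent; numbers are constructed.
import math


def identification_fmr(fmr_1to1: float, db_size: int) -> float:
    """Probability that one probe falsely matches at least one of db_size
    enrolled templates: 1 - (1 - p)^N, computed without cancellation loss."""
    return -math.expm1(db_size * math.log1p(-fmr_1to1))


def dedup_fmr(fmr_1to1: float, db_size: int) -> float:
    """Probability of at least one false match when a database of db_size
    templates is checked against itself (each unordered pair compared once),
    i.e. the de-duplication scenario: N(N-1)/2 comparisons, not N."""
    pairs = db_size * (db_size - 1) // 2
    return -math.expm1(pairs * math.log1p(-fmr_1to1))


def required_1to1_fmr(target_fmr: float, db_size: int) -> float:
    """Per-comparison FMR needed so that identification against db_size
    templates has overall false match probability target_fmr."""
    return -math.expm1(math.log1p(-target_fmr) / db_size)


if __name__ == "__main__":
    vendor_fmr = 1e-4  # constructed: a plausible one-to-one marketing figure
    for n in (1_000, 100_000, 10_000_000):
        print(f"N={n:>10}: identification FMR {identification_fmr(vendor_fmr, n):.4f}, "
              f"de-dup FMR {dedup_fmr(vendor_fmr, n):.4f}")
    print("per-comparison FMR needed for 1% overall at N=1e7:",
          f"{required_1to1_fmr(0.01, 10_000_000):.2e}")
```

With a one-to-one FMR of 1e-4 the chance of a false match in a 100,000-entry database is already over 99.9%, which is why a vendor's verification figure says nothing about a country-sized identification or de-duplication deployment.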