Bryan,
When I first read Chip and Pin, I thought that this was a posh way of
eating your chips along Hove seafront - unlike we lowly mortals who
use wooden forks to eat their chips with.
Now I fully understand your request, here's my research on the
subject. If you need anything extra or beefed-up, do ask.
The introduction of C&P means that businesses are liable for card
present signatures for credit or debit card crime. The onus has
shifted from banks to shops if the fraud could have been prevented
using C&P. Losses on C&P are the responsibility of the banks or the
customer.
Similar systems have been underway in France and Holland for some
years, but not to the standard that is being undertaken in the UK.
These are the new global specifications known as EMV
(Europay/MasterCard and Visa). Reports indicate fraud dropped in these
two countries upon introduction of a similar C&P system.
I have found that the main concerns with the new system are:
Cards not being introduced fast enough which leaves businesses having
to decide whether to accept signatures with the accompanying
liability.
Security of the PIN during the transaction.
Increased risk of theft from person.
Bogus retail outlets will continue to skim cards and then continue the
fraud abroad or at ATMs.
Card not present fraud will increase.
Card holder's liability: removal of the signature leaves the card
holder in a difficult position when challenging apparent bogus
purchases.
These sites provide detailed information on the new system with facts
and figures. You will need to dig deep into each site as there is too
much information to post here:
Credit Card Watch published by APACS. 31 pages of facts and figures
on credit card fraud for 2004. Mentions C&P.
http://www.cardwatch.org.uk/pdf_files/cardfraudfacts2004.pdf
Site created specially for information on C&P. Advice for consumers
and business - lots of information, particularly the reference library.
http://www.chipandpin.org.uk/
This is a report of a trial in Northampton. Some of the concerns
mentioned above are detailed.
http://www.chipandpin.co.uk/reflib/northampton_trial_report.pdf
Useful guide for businesses on the technology involved in C&P.
http://www.tridentinfotec.co.uk/chip&pin/
EMV specifications (very detailed and technical). The UK is one of the
first countries to introduce chips on cards which meet new global
specifications known as EMV (Europay/MasterCard and Visa)
http://www.emvco.com/
UK's Crime Reduction pages - "A similar domestic PIN based system in
France has seen an 80% fall in fraud since it came in ten years ago."
http://www.crimereduction.gov.uk/business29.htm
That gives the background information. The main criticism is voiced by
Professor Ross Anderson, of Cambridge University. He has given
several statements to the press and these will be detailed below with
other news reports with quotes by spokespersons from other interested
associations and bodies.
Professor Ross Anderson's home page. His areas of research may interest you.
http://www.cl.cam.ac.uk/~rja14/
On his blog page he writes:
"19th December 2004 - There has been growing media interest in the
security of the chip cards being introduced by UK banks. There are
many problems. First, the banks are using the exercise to dump
liability for fraud on to merchants and customers. This will undermine
security by removing the incentives for banks to maintain the system
properly. Next, there are technical security problems, both with the
chip cards and with the back-end systems that support them. Finally,
the transition from mag strip to chip is being poorly managed. The
banks are training their customers to use PINs everywhere, so rogue
merchants can use false terminals to harvest PIN and mag-strip data -
cloned cards can then be used in ATMs overseas. This is a regulatory
failure; the government must hold banks liable for their system
security failures."
http://www.cl.cam.ac.uk/~rja14/blog04.html
He makes links to these two documents.
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/SISW02.pdf
http://www.cl.cam.ac.uk/users/mkb23/research/API-Attacks.pdf
Further comments on another page from his site.
PIN vs. Signature and Liability - safer for a signature
http://www.cl.cam.ac.uk/users/mkb23/media-coverage.html
Anderson discusses his fears in this Guardian article.
http://www.guardian.co.uk/g2/story/0,,1336570,00.html
Other relevant news articles:
Scotsman
http://news.scotsman.com/features.cfm?id=8972005
Register
http://www.theregister.co.uk/2004/12/20/pin_security_warning/
BBC
http://news.bbc.co.uk/1/hi/business/4108433.stm
Evening Telegraph
http://www.eveningtelegraph.co.uk/output/2005/01/05/story6690509t0.shtm
Belfast Telegraph
http://www.belfasttelegraph.co.uk/news/business_telegraph/story.jsp?story=599511
Daily Telegraph
http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2005/01/11/cnchip11.xml&menuId=242&sSheet=/money/2005/01/11/ixcity.html
Scotsman
http://news.scotsman.com/latest.cfm?id=3942784
Daily Telegraph
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/12/18/nchip18.xml&sSheet=/news/2004/12/18/ixnewstop.html
These message boards reveal some interesting comments from overseas
users. Most UK comments are on the bad design of the machine and
security of the PIN.
http://news.bbc.co.uk/1/hi/talking_point/4098331.stm
http://www.schneier.com/blog/archives/2005/01/easytoremember_1.html
Finally, I'm going to add my three-penneth from my experience. Years
ago we were told that signatures on the back of credit cards would
solve the fraud. The fraudsters soon learnt how to remove the
signature with chemicals. Next came skimming and counterfeit cards.
Then ATMs were tampered with - see:
http://news.bbc.co.uk/1/hi/uk/3157214.stm
Now we are told C&P is tamperproof. Tell me that in 5-10 years' time.
Fraudsters will find the way - if only they put their brains to
legitimate business, they would do so well.
Once again, let me know if you need anything else.
answerfinder-ga