The UK Cards Association's Response to BBC Newsnight's item on Chip and PIN is broken
11 February 2010 - Statement provided to the BBC
"We believe that this complicated method will never present a real threat to our customers' cards. It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry's systems.
“We will shortly announce fraud figures for 2009 that show that fraud committed on lost and stolen cards is at its lowest level for two decades.
“Card companies have a legal obligation to reimburse fraud victims, and the onus has always been on the card company to prove any negligence on their customer's part. This is a highly regulated field, supervised by the Financial Services Authority, with an independent appeals process available to the minority of customers who have their fraud claim turned down, via the Financial Ombudsman Service."
The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge’s paper “Chip & PIN is Broken”. We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.
Chip & PIN has been the main factor behind a 66% drop in fraud at UK retail point of sale since 2004. The Cambridge paper suggests that there are growing reports of fraud on stolen cards, yet statistics show that ‘lost and stolen’ fraud is at its lowest level since industry records were first compiled two decades ago.
Cambridge claims that their latest attack is both a new discovery and undetectable; this is not true. The attack described is just a variation of what the industry terms as a ‘wedge’ attack. As a result, security measures to tackle such attacks have always been contained within both the global chip and PIN specification used in the UK (i.e. the EMV chip protocol) and the transaction process that surrounds it. The industry is confident that the forensic signature of such an attack is easily detectable within the data available at the time of the transaction. When a card company receives a claim about a fraudulent transaction from a customer, they will always rely on primary evidence to review the facts of the case and would never use a paper receipt (which in fact they could only see if the customer provided the copy) for evidence as suggested.
Neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks. Our research suggests that criminal interest in chip-based attacks is minimal at this time as they are unable to find ways to make sufficient amounts of money from any of the plausible attack scenarios.
The industry has a highly proactive approach to defending the underlying technology and protocol it relies upon for card payments. We conduct and commission independent research to determine the threat from criminals and to help us identify and assess the actual potential of vulnerabilities. In this regard we welcome certain insights within the Cambridge paper - as they show that there are additional variations of the “wedge” attack. The potential attack identified, and the signature that this attack would generate, are useful in helping us to detect it, should it ever be attempted in the live environment.
Our reputation rests on the integrity of the cards system and customer security. We endeavour to fight fraud on all fronts. To these ends we continue to fund a unique specialist police unit, the Dedicated Cheque and Plastic Crime Unit (DCPCU). We also continue to work with retailers to make them aware of latest fraud prevention advice so they can best protect their customers and businesses from fraud. And we continually work to raise cardholder awareness of security advice and how to protect themselves against card fraud. Of course there is no room for complacency and we will continue to monitor closely the situation and to take any necessary preventative steps to protect our customers.