Response to “Chip & PIN is broken”
The UK Cards Association’s response to BBC Newsnight’s item on Chip & PIN is broken (February 2010)
“We believe that this complicated method will never present a real threat to our customers’ cards. It requires possession of a customer’s card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry’s systems.
“We will shortly announce fraud figures for 2009 that show that fraud committed on lost and stolen cards is at its lowest level for two decades.
“Card companies have a legal obligation to reimburse fraud victims, and the onus has always been on the card company to prove any negligence on their customer’s part. This is a highly regulated field, supervised by the Financial Services Authority, with an independent appeals process available to the minority of customers who have their fraud claim turned down, via the Financial Ombudsman Service.”
Statement provided to BBC 11 February 2010
The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge’s paper “Chip & PIN is Broken”. We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.
Chip & PIN has been the main factor behind a 66% drop in fraud at UK retail point of sale since 2004. The Cambridge paper suggests that there are growing reports of fraud on stolen cards, yet statistics show that ‘lost and stolen’ fraud is at its lowest level since industry records were first compiled two decades ago.
Cambridge claims that its latest attack is both a new discovery and undetectable; this is not true. The attack described is just a variation of what the industry terms a ‘wedge’ attack. As a result, security measures to tackle such attacks have always been contained within both the global chip & PIN specification used in the UK (i.e. the EMV chip protocol) and the transaction process that surrounds it. The industry is confident that the forensic signature of such an attack is easily detectable within the data available at the time of the transaction. When card companies receive a claim about a fraudulent transaction from a customer, they will always rely on primary evidence to review the facts of the case and would never use a paper receipt (which in fact they could see only if the customer provided the copy) for evidence as suggested.
Neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks. Our research suggests that criminal interest in chip-based attacks is minimal at this time as they are unable to find ways to make sufficient amounts of money from any of the plausible attack scenarios.
The industry has a highly proactive approach to defending the underlying technology and protocol it relies upon for card payments. We conduct and commission independent research to determine the threat from criminals and to help us identify and assess the actual potential of vulnerabilities. In this regard we welcome certain insights within the Cambridge paper, as they show that there are additional variations of the “wedge” attack. The potential attack identified, and the signature that this attack would generate, are useful in helping us to detect it, should it ever be attempted in the live environment.
Our reputation rests on the integrity of the cards system and customer security. We endeavour to fight fraud on all fronts. To these ends we continue to fund a unique specialist police unit, the Dedicated Cheque and Plastic Crime Unit (DCPCU). We also continue to work with retailers to make them aware of latest fraud prevention advice so they can best protect their customers and businesses from fraud. And we continually work to raise cardholder awareness of security advice and how to protect themselves against card fraud. Of course there is no room for complacency and we will continue to monitor closely the situation and to take any necessary preventative steps to protect our customers.