Fifth Third aims to prevent card fraud?

This week there was an article in the Cincy Biz Blog telling us that Fifth Third Bank aims to prevent card fraud. OK, so there’s nothing exciting there. Banks should do that and they claim to have done it for years. But this is so simple that it just might work. Of course nothing will put a screeching halt to the credit card problem but…

Consider a credit card that works like a debit card; you’ll need to enter a PIN to complete the transaction. But here’s the difference: it’s not a debit card tied to your bank account, it’s a credit card. It doesn’t have your name embossed on it and there is no place for your signature either. When was the last time someone compared your card to the sales receipt or even looked at your card?

So, like a debit card, as long as you guard your PIN, in theory your card can’t be used fraudulently. If it did happen, the bad guy wouldn’t be cleaning out your bank account at the nearest ATM.

Could it be that less is more?

And the best news? No Interchange fees.

PLEASE NOTE: The author has updated this post by comment. Please view the comment section!

About Tom Mahoney

Tom Mahoney is the Founder and Director of Merchant911, a site dedicated to helping e-commerce merchants.

Addendum to previous post:

Perhaps my intention was not clear; I intended to make a general point; that it's time to move away from magstripe and manual transactions, and to move in unison.

I understand that magstripe will still be with us for a long time due to the sheer number of participants and the costs involved with migration.

The world of payments is a slow and lumbering giant that does not move quickly... the majority of transactions still occur in hard currency, a technology more than 3000 years old...

The US indeed does not seem to have plans to roll out EMV, however I believe their hand will be forced, as the rest of the world is migrating, and EMV migration causes fraud to migrate and consolidate in non-EMV regions. US travellers will systematically find their magstripe cards not being accepted in EMV regions, thus pure acceptance will also play a role.

The magstripe is dead. Long live the chip. :)

Tom,

My point is that the magstripe should go. The fraud counterfeit and foreign fraud in the UK is due to cloning of the magstripe, not the chip. Take away the magstripe, and there is nothing left to clone.

My second point was that manual transactions should go as well (even less secure than using checks), which your first video also made clear... they copied the data from the chip and used it to do a manual transaction!

Let me be clear: There is nothing that man can make that man can't break. The trick is to make it more expensive to break, than the profit that can be derived from breaking it - criminals are also in business. There is no such thing as 100% secure - just because something is secure today, does not mean it is secure tomorrow. Security is a system wide concept, and not something limited to a single point or service.

Not everything in a chip is encrypted (you have to leave some room for the minimum data required for a transaction), and the terminal does not decrypt anything from the card; it does however validate signatures and checksums, but it does not have the keys to decrypt Dynamic CVC3 or dCVV. I agree with your view that the most secure approach will be to 100% end to end (card to issuer) encrypt everything on the card, however the current payment network protocols cannot support that, and it will require an entire overhaul of all payment networks, as well as all cards, and all terminals.

Phishing scams are typically internet fraud targeted at stealing login credentials to internet banking websites, and this is not directly attributed to cards, but rather due to the use of outdated username password credentials for accessing something so important as your bank account. Phishing can easily be countered using SMS challenges, or using a personal CAP/DPA reader together with your EMV card.

There is something called the Liability Shift, which is implemented at national level and enforced by payment schemes (and some governments) around the world. The liability shift is not yet applicable to international transactions.

The liability shift in a nutshell states that if an EMV card is presented at a non-EMV terminal, the acquirer will be liable for the fraud. In all other instances (generally) the issuer is responsible for the fraud. It is typical for the acquirer to shift fraud losses down to the merchant.

Here is a fun (sic) exercise for anyone with a magnetic stripe card: travel to the UK, and try to pay at a main street shop with your magnetic stripe card. A few years ago I still had a magstripe card, and I've found that more often than not the cashier would not accept the card for payment, since there is no chip on the card, and they have been trained to not swipe the card, since the merchant didn't want to take the fraud risk...

The problem with statistics and mainstream media is there is no bandwidth for specifics, and generalisation is the rule. Your second video supported this, and the fear the payment schemes have regarding the security of older and outdated cards, that are still being made due to lower costs. Once again merchants and acquirers are protected against poor security on these cards, and the issuer will have to bear the cost of fraud. As a Mythbusters fan I'm however sad that this episode never got made!

Just because something lives on a chip doesn't mean it's secure. It requires proper implementation, and unfortunately some issuers released cards with poor security. With smartcards, compliance to the standards does not ensure the highest security, it's about the options within that standard you execute. However, where the liability shift applies, the cost for low security, falls to the issuer, so it should not affect merchants and acquirers.

There are two types of contactless payment cards, magstripe grade, and EMV grade. Magstripe grade is essentially magstripe data via contactless interface, EMV grade is the equivalent of EMV via contactless interface. There are two ways of securing magstripe grade contactless, either with a static pre-generated code, for example Static CVC3, or with dynamically generated codes, for example Dynamic CVC3 and dCVV. Dynamic CVC3 and dCVV means that the data read from the contactless interface cannot be used for a different transaction.

There is also something known as cross contamination attacks; in this scenario, data is read from the chip and used to create a counterfeit magnetic stripe. Once again, this is easily avoided using iCVC/iCVV on the Track 2 Equivalent Data inside the chip. iCVV/iCVC uses different keys than for the magnetic stripe, and thus CVV/CVC validation will fail when magstripe transactions are offered with chip iCVV/iCVC.

I'm not alone in saying that the magstripe must go:
http://www.smartcardalliance.org/articles/2009/10/...

To summarise, a chip can be made extremely secure if the proper security options are implemented; if a chip implementation does leave room for fraud, then the liability shift states that the issuer must carry the cost... thus due to the liability shift merchants and acquirers are not held ransom to poor security decisions made by issuers when it comes to EMV.
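An added illustration of the two checks described in the comment above (not part of the original comment, and not any issuer's or scheme's real code): a hypothetical issuer host that rejects chip data replayed as a magstripe transaction and rejects a reused dynamic code. HMAC-SHA256 stands in for the schemes' actual CVV/CVC algorithms, and all keys, names and card values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo keys; a real issuer holds these in an HSM.
STRIPE_KEY = b"demo-key-for-magstripe-cvv"
CHIP_KEY = b"demo-key-for-chip-icvv"
DYNAMIC_KEY = b"demo-key-for-dynamic-code"


def verification_code(key, *fields):
    """Three-digit code over the given fields (HMAC-SHA256 stand-in, an assumption)."""
    mac = hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def personalise(pan, expiry):
    """Static values written at issuance: one for the stripe, another for the chip."""
    return {
        "stripe_cvv": verification_code(STRIPE_KEY, pan, expiry),
        "chip_icvv": verification_code(CHIP_KEY, pan, expiry),
    }


def dynamic_code(pan, expiry, counter):
    """Per-transaction code the card derives from its transaction counter."""
    return verification_code(DYNAMIC_KEY, pan, expiry, str(counter))


class Issuer:
    """Hypothetical issuer host that validates the code for each entry mode."""

    def __init__(self):
        self.last_counter = {}  # PAN -> highest counter already accepted

    def authorise(self, entry_mode, pan, expiry, code, counter=None):
        if entry_mode == "magstripe":
            expected = verification_code(STRIPE_KEY, pan, expiry)
        elif entry_mode == "chip":
            expected = verification_code(CHIP_KEY, pan, expiry)
        elif entry_mode == "contactless":
            if counter is None or counter <= self.last_counter.get(pan, -1):
                return "DECLINE: counter missing or already used"
            expected = dynamic_code(pan, expiry, counter)
        else:
            return "DECLINE: unknown entry mode"
        if not hmac.compare_digest(expected, code):
            return "DECLINE: code mismatch"
        if entry_mode == "contactless":
            self.last_counter[pan] = counter
        return "APPROVE"


if __name__ == "__main__":
    PAN, EXP = "9999000000000001", "2912"  # constructed test values
    card, issuer = personalise(PAN, EXP), Issuer()
    # Chip data copied onto a counterfeit stripe carries the iCVV, not the CVV.
    print(issuer.authorise("magstripe", PAN, EXP, card["chip_icvv"]))
    tap = dynamic_code(PAN, EXP, 7)
    print(issuer.authorise("contactless", PAN, EXP, tap, 7))  # first use
    print(issuer.authorise("contactless", PAN, EXP, tap, 7))  # replay
```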

Wynand,

Thank you for an interesting perspective from the industry.

I certainly agree with your observations on the magstripe but from what I'm seeing in reports, especially those from the UK, Chip and PIN isn't all it's cracked up to be either. It appears that it was very successful in reducing fraud in the CP world, reducing losses by as much as 48% in counterfeit cards. On the other hand, according to UKCreditCards.com, phishing scams increased by 55% and fraud on foreign issued cards is up by 36%.

Correct me if I'm wrong here, but from those numbers it appears that Chip and PIN has simply pushed fraud over to the CNP world where the merchants, and not the issuers are not responsible for the losses. Good for banks - bad for merchants.

I would point out too that from everything I've read, there are no plans for Chip and PIN to be deployed in the US - at least not anytime soon.

And then there is the problem of the Chip itself. With a PIN it is still only as secure as a magstripe with a PIN and with the proliferation of ATM fraud here, we know it's not all that good. Perhaps you should take a look at all the reports that tell us waving an RFID reader near a card is just as effective as waving a card near an RFID reader.

http://www.youtube.com/watch?v=vmajlKJlT3U
http://www.youtube.com/watch?v=X034R3yzDhw

Since the decrypting is done at the reader, it doesn't look too secure to me. End to end encryption would probably solve this issue but as it stands, it doesn't look secure to me.

I appreciate that most of the people commenting in this thread operate in a magnetic stripe environment, but I am from the Chip and PIN world, and on the card issuance side at that.

In my opinion, the name, card number and signature can all stay on the card, but the one thing that has to go is the magnetic stripe.

In the Chip & PIN world many of the problems discussed in this forum do not exist (excluding gun point robbery), or at least would not exist if it was not for the dreaded magnetic stripe.

The magnetic stripe and the ability to do manual transactions is the number one cause of financial fraud worldwide, and to date no-one has found a way to secure either.

Besides the fraud problems associated with magnetic stripe, magnetic stripe is also the cause for regulatory and compliance costs by merchants in the form of PCI-DSS. PCI-DSS would not be necessary, if we would stop using magnetic stripe cards.

EMV (Chip and PIN) secures the transaction in such a way that duplicating the data on the chip is only useful for the transaction it is being used for; so there is no point for criminals to steal chip data, as they cannot steal the keys inside the card that secures the transaction. The same applies to contactless (also inaccurately referred to as RFID) cards. Even if the PIN is stolen, it is useless without the card.

EMV Cards can be used with PIN on the internet/telephone/mail order, in Europe we do it on a daily basis. I have a personal reader from my bank, which can obtain a PIN from me and verify the PIN on my card. I can use the card and reader to log into internet banking, sign transactions, and purchase goods on merchant websites that support 3DSecure.

Both Visa and MasterCard have built in support for these readers in 3DSecure, and since this functionality is implemented by the issuer (3DSecure implies that a page from the issuer to authenticate the transaction), merchants do not even need to know about a PIN, the payment technology used is transparent to the merchant.

In the EMV world there is no need to check the registered address with that on file on the issuer of the card, since the card is secured, and the cardholder is identified via PIN.

The biggest problem to EMV is, you would not guess it, but the magnetic stripe and the ability to do manual transactions. Since only 50 countries are in progress of migrating to EMV or have completed migration, the rest of the world still uses magnetic stripe, so in order to make sure that EMV cards can be used worldwide, each EMV card includes a magnetic stripe. This means that criminals steal the magstripe and PIN data and use that data in non-EMV countries. A chain is only as strong as its weakest link, and in this case the weakest link is the magstripe.

In Europe almost all cards (debit and credit) are PIN based. Criminals have moved along with the times to steal magstripe data together with PINs with fake readers, PIN pads, cameras, and wireless transmitters attached to real ATMs. In some cases complete fake ATMs are being installed in busy locations!

From a fraud prevention point of view, everyone (except criminals) benefits from worldwide migration to EMV and the banning of the magstripe and manual transaction. Merchants will be able to accept cards without fear of fraud loss, cardholders will have their money safely protected, and banks will save millions due to reduction in fraud and the associated administrative costs of chargebacks.

To conclude with an analogy... would you trust the lives of your family in a car using 25 year old technology? How about your money, would you trust 25 year old technology to safeguard your money in this digital age?

Magstripe technology is more than 25 years old, and I suggest that if thousands of brilliant minds have not been able to fix its shortcomings in 25 years, perhaps these shortcomings cannot be fixed? Regarding manual transaction technology, which is more than 300 years old, it goes back to the invention of printed checks; surely everyone knows checks are dead for a good reason?

My opinion is that we should bury both of these insecure technologies, and embrace Chip and PIN with open arms...

Laurie,

You make good points, but when is the industry going to have to put security in front of convenience? This is something that I've been saying for a long time. I'm a merchant too, so I do understand the marketing aspect of it but the speed and convenience of transactions needs to take a back seat before any progress can be made in fraud prevention.

The emergence of the RFID cards is a good example. Is it really necessary to trim the two second card swipe down to the one second card wave? The payment industry would argue yes. Globally they process tens of thousands of transactions per second. I would argue that we've reached a point where security trumps speed but since the merchant, not the payment industry, takes most of the losses, there is no incentive for the industry to change.

OK I realize this will not be popular but everyone pull out your marketing hat and tell me how many customers use their credit card versus their debit card simply for the fact that they don't have to remember a PIN number... Similar to the Chip card there will need to be a demand before the merchant and processors are going to be incented to accept this card type (like every Fifth Third customer will need to have one in hand and be standing at the merchant location waiting to make a purchase). And as far as interchange I would imagine that eventually if this is to be a universal card used everywhere there will be costs involved with processors, gateways etc... therefore requiring some type of reimbursement or fee collections whether you call it interchange or processing fee... I do like the idea of no name or number on the card... I think we even have a name for that: it is called a gift card...

Interesting concept. It could work online if card issuers, gateways, and processors changed the paradigm to add an additional input field and check it against issuer records (much like the CVN is handled today). It would add an additional layer of protection in cases where someone's card was stolen.

The card associations could cover such transactions, similar to their guarantees on 3D secure purchases.

There are also, of course, some challenges with the idea. First, in cases where there is identity theft, it becomes moot - the thief just creates their own account together with a PIN and they look golden to the merchant(s). If it was opt-in for customers then it would be as ineffective as 3D Secure, where you see fraudsters signing up on customers' behalf because the customers have never heard about it or are afraid of it. There is also the potential problem of adoption and cost to change the paradigm, as with any new security concept.

Still, I think it's this type of thinking that is in the right direction - multi-factor security is a good idea.

Are some of you still only shipping to the verified billing/shipping addresses? What about gift orders (especially during the holidays)? Seems like you're turning away a lot of good business with that mindset. Cindi, I agree that it is a great idea to require cardholders to list any additional addresses on file (I wish all issuers would start doing that!). However, that doesn't work with gift orders that need to be shipped somewhere else.

I probably should have read between the lines on the referenced article. I did, of course realize that the card could not be used for online transactions. By design, there is no PIN involved in those.

What I did NOT pick up on, and a Merchant911 member pointed it out in our email list (thank you David), was the fact that this is not a normally branded card from Visa, MasterCard, Amex, Diners, or Discover. It is its own brand of card, a RevolutionCard, much like a Sears or Penny's card. Fifth Third is simply going to be an issuer of those cards.

We had some discussion on our list about a year ago and pretty much decided that it was all but useless because not many retailers accepted it. That appears to be changing, albeit a bit slowly. They've added some notable national chains like BJ's, CVS, Office Depot, Walgreen's and others. See https://www.revolutioncard.com. No, I don't see it grabbing a major market share any time soon.

Still, I have to wonder if maybe they don't have something. Take the name off, take the account number off, take everything off except the mag strip. Then require a PIN that isn't recorded on the mag strip. Put the Visa brand on it and maybe we have something there if it's a credit card and not a debit.

Is it airtight - no. But it sounds like cloning the strip won't do it without a PIN. Can the PIN be gotten - of course. They're doing it now. But, put the same zero liability and theft reporting requirements on it and it's certainly no worse than what we have now. And there won't be an RFID chip for the bad guys to read while the card is in your pocket.

I'd carry it. The benefit to merchants? No Interchange fee, although I have to believe that would change if Visa branded it.

And Cindi is right - shipping to anything but the bank verified billing address is begging to be robbed.

This might solve some problems, it's a little better than a CVV. But our number one problem with fraud is people wanting to ship to alternate addresses, and this won't help.

To help us, the card companies should tell all their customers it is a new REQUIREMENT that they can only have product shipped to addresses on file, so they should call their credit card companies and put their shipping addresses on file. The credit card companies should also have better systems in place to verify these addresses. It is incredibly time consuming now to inform the customer, convince the customer, contact the credit card company multiple times, etc.

Seems like a good idea, but what about merchants who don't have processing methods that can distinguish a Debit Card from a Credit Card? My two favorite places to go to lunch don't have methods for PIN input. I have to sign for everything. Would these merchants be forced to change their processors? Or take on a second one?

While we're at it, how is this going to work in an online store? I'm not exactly an expert on the subject, but matching a name and card number input into a website looks to run the same risk as having card number and PIN. Instead of a name you have a PIN. It has to be stored somewhere. Doesn't this seem like the same security issue with different nomenclature?

Or maybe I'm wrong. I'd love to be wrong. Tell me I'm wrong and this is going to make our lives easier.

How is not having your name on the card, a benefit to the card holder (in terms of security and having it used without authorization in retail environments)?

All a good pickpocket thief has to do is be next to you when you're purchasing something and see you entering your PIN, then pick your wallet before you even get to your car. Then they're free to use it at any retail outlets since it doesn't have any name on the card (nothing for the clerks to check). Thieves would love to get their hands on something like that.

I do get asked to show my ID more often than not these days when I'm purchasing with my credit card. But I'm never asked to show my ID when using my debit/ATM card.

I think they have a screw loose if they plan on leaving the card holders name off the card.

How would you use something like that online? They are going to have to enter a PIN number and some merchant is going to store that PIN number and then the card can be compromised.

Tom,

What happens when the card is used online? I am assuming that the customer will enter the usual billing address and CVV, but surely they are not expected to enter their pin anywhere?

It will help card swiped stores, but not internet stores. If the card is stolen, it can still be used online without any problem.

Steve

This is OK for card present (retail) transactions. However, if you have a gun to your head, you'll give out the credit card PIN just as you would if you're being robbed by an ATM.

For online transactions, I don't see how this is any different than 3D Secure (Verified by Visa & MasterCard SecureCode) that's already in place. For online, will merchants then have to spend time and money to support a credit card PIN entry? Which merchants will be willing to adopt that without real benefits to them? Adopting 3D Secure benefits merchants because of the fraud chargeback protection.
