Feeds

Smart credit card scheme kicks off in the UK

Chip and PIN

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

UK banks, building societies and retailers began the introduction of a more secure method of authorising credit card payments in Northampton today.

Designed to combat fraud, the Chip and PIN Programme will see the magnetic stripes on credit and debit cards replaced with more secure smart chips. The huge project will see more than 850,000 retailer terminals, 120 million cards and 40,000 cash machines upgraded over the next 18 months.

Consumers will verify their purchases by keying in a four-digit PIN (Personal Identification Number) - rather than signing a receipt.

For consumers, the new system should mean greater protection against fraudsters, as fraud on skimmed or stolen cards (which account for more than 60 per cent of total losses) will be reduced significantly, it is hoped.

Card fraud is one of the fastest growing crimes in the UK. A record £424.6 million of fraud was committed on UK cards in 2002, up from £411.5 million in 2001, according to UK trade association the Association for Payment Clearing Services (APACS).

Counterfeit card fraud is the biggest category, accounting for £148.5 million stolen in 2002, followed by card not present fraud (£110.1 million) and lost and stolen cards at £108.3 million.

Testing Times

Chip and PIN begins its public trial in Northampton today. Over the coming weeks, 150,000 Northampton residents (or half the adult population) will be sent the new-style cards, and banks and retailers throughout the city will be switching on revamped terminals. Large and small shops, petrol stations, pubs, hotels and restaurants will be involved. In total, around 1,000 retailers are expected to participate.

During the trial (which is scheduled to end in July), Northampton consumers will be prompted to use their PIN for one in every two or three transactions, using a range of debit and credit cards. Entering PIN information will replace signatures in authorizing transactions. Chip and PIN cards and retail terminals in Northampton will continue in use beyond the trial period.

A nationwide rollout is scheduled to follow.

American Express, Barclaycard, Barclays Bank, the Co-operative Bank, Egg, Girobank Merchant Services, HSBC, Lloyds TSB, MasterCard, The Royal Bank of Scotland Group, Switch and Visa are all participating in the trial.

The UK is one of the first countries to introduce chips on cards which meet new global specifications known as EMV (Europay/MasterCard and Visa). In time this means cards will be accepted around the world using the same security checks.

A similar domestic PIN-based system in France has seen an 80 per cent reduction in fraud since its introduction ten years ago. Most European countries, including France, are expected to implement the EMV system over the next five years.

The Northampton trial is the start of a full national rollout due to be completed by the start of 2005. Cards will be reissued and retailers will upgrade their terminals throughout the period. Consumers do not need to take any action themselves as their card companies will get in touch when they are ready to issue the new type of card.

Step in the right direction?

When we covered the initial announcement for the scheme back in April we wondered if the scheme would cut fraud.

Reg readers Joel Smith and Peter Fairbrother of the open-source cryptography project m-o-o-t.org both warned of the same potential pitfall of the scheme.

For a long time, Banks have denied that it is possible to make fraudulent transactions using a PIN in an ATM. However, it has now been shown to be possible.

Smith writes: "If a PIN transaction is made on my card after it has been stolen, how do I deny that it was me who made the transaction? Anyone with access to the PIN becomes an authorised user. I don't regard PIN codes as being overly secure, and this might be a step backwards in security."

Fairbrother believes the Chip and PIN scheme has the effect of shifting liability to the consumer.

"As the bank's will say that any 'phantom withdrawals' are down to the customer - because of course Chip and PIN is secure" Fairbrother. "This is becoming a problem in France, and elsewhere in Europe, where people are being deprived of compensation (and sometimes arrested) after complaining about phantom withdrawals / CC charges."

So although depending on a chip - rather than a magnetic stripe - is more secure, if you do become the victim of shoulder surfing the new scheme might mean you're in even more trouble.

Which is not nice. ®

External Links

Chip and PIN Programme - "the biggest consumer project since decimalisation" launches today
"Annual card fraud figures reach record high", APACS report (PDF)

Related Stories

Smart credit on UK cards. Will it cut fraud?
ID theft: a $1bn a year crime
How to get an ATM PIN in 15 guesses
Crackers gain sight of up to 5m credit cards

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.