Feeds

Smart credit card scheme kicks off in the UK

Chip and PIN

  • alert
  • submit to reddit

Internet Security Threat Report 2014

UK banks, building societies and retailers began the introduction of a more secure method of authorising credit card payments in Northampton today.

Designed to combat fraud, the Chip and PIN Programme will see the magnetic stripes on credit and debit cards replaced with more secure smart chips. The huge project will see more than 850,000 retailer terminals, 120 million cards and 40,000 cash machines upgraded over the next 18 months.

Consumers will verify their purchases by keying in a four-digit PIN (Personal Identification Number) - rather than signing a receipt.

For consumers, the new system should mean greater protection against fraudsters, as fraud on skimmed or stolen cards (which account for more than 60 per cent of total losses) will be reduced significantly, it is hoped.

Card fraud is one of the fastest growing crimes in the UK. A record £424.6 million of fraud was committed on UK cards in 2002, up from £411.5 million in 2001, according to UK trade association the Association for Payment Clearing Services (APACS).

Counterfeit card fraud is the biggest category, accounting for £148.5 million stolen in 2002, followed by card not present fraud (£110.1 million) and lost and stolen cards at £108.3 million.

Testing Times

Chip and PIN begins its public trial in Northampton today. Over the coming weeks, 150,000 Northampton residents (or half the adult population) will be sent the new-style cards, and banks and retailers throughout the city will be switching on revamped terminals. Large and small shops, petrol stations, pubs, hotels and restaurants will be involved. In total, around 1,000 retailers are expected to participate.

During the trial (which is scheduled to end in July), Northampton consumers will be prompted to use their PIN for one in every two or three transactions, using a range of debit and credit cards. Entering PIN information will replace signatures in authorizing transactions. Chip and PIN cards and retail terminals in Northampton will continue in use beyond the trial period.

A nationwide rollout is scheduled to follow.

American Express, Barclaycard, Barclays Bank, the Co-operative Bank, Egg, Girobank Merchant Services, HSBC, Lloyds TSB, MasterCard, The Royal Bank of Scotland Group, Switch and Visa are all participating in the trial.

The UK is one of the first countries to introduce chips on cards which meet new global specifications known as EMV (Europay/MasterCard and Visa). In time this means cards will be accepted around the world using the same security checks.

A similar domestic PIN-based system in France has seen an 80 per cent reduction in fraud since its introduction ten years ago. Most European countries, including France, are expected to implement the EMV system over the next five years.

The Northampton trial is the start of a full national rollout due to be completed by the start of 2005. Cards will be reissued and retailers will upgrade their terminals throughout the period. Consumers do not need to take any action themselves as their card companies will get in touch when they are ready to issue the new type of card.

Step in the right direction?

When we covered the initial announcement for the scheme back in April we wondered if the scheme would cut fraud.

Reg readers Joel Smith and Peter Fairbrother of the open-source cryptography project m-o-o-t.org both warned of the same potential pitfall of the scheme.

For a long time, Banks have denied that it is possible to make fraudulent transactions using a PIN in an ATM. However, it has now been shown to be possible.

Smith writes: "If a PIN transaction is made on my card after it has been stolen, how do I deny that it was me who made the transaction? Anyone with access to the PIN becomes an authorised user. I don't regard PIN codes as being overly secure, and this might be a step backwards in security."

Fairbrother believes the Chip and PIN scheme has the effect of shifting liability to the consumer.

"As the bank's will say that any 'phantom withdrawals' are down to the customer - because of course Chip and PIN is secure" Fairbrother. "This is becoming a problem in France, and elsewhere in Europe, where people are being deprived of compensation (and sometimes arrested) after complaining about phantom withdrawals / CC charges."

So although depending on a chip - rather than a magnetic stripe - is more secure, if you do become the victim of shoulder surfing the new scheme might mean you're in even more trouble.

Which is not nice. ®

External Links

Chip and PIN Programme - "the biggest consumer project since decimalisation" launches today
"Annual card fraud figures reach record high", APACS report (PDF)

Related Stories

Smart credit on UK cards. Will it cut fraud?
ID theft: a $1bn a year crime
How to get an ATM PIN in 15 guesses
Crackers gain sight of up to 5m credit cards

Beginner's guide to SSL certificates

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.