Feeds

Smart credit card scheme kicks off in the UK

Chip and PIN

  • alert
  • submit to reddit

SANS - Survey on application security programs

UK banks, building societies and retailers began the introduction of a more secure method of authorising credit card payments in Northampton today.

Designed to combat fraud, the Chip and PIN Programme will see the magnetic stripes on credit and debit cards replaced with more secure smart chips. The huge project will see more than 850,000 retailer terminals, 120 million cards and 40,000 cash machines upgraded over the next 18 months.

Consumers will verify their purchases by keying in a four-digit PIN (Personal Identification Number) - rather than signing a receipt.

For consumers, the new system should mean greater protection against fraudsters, as fraud on skimmed or stolen cards (which account for more than 60 per cent of total losses) will be reduced significantly, it is hoped.

Card fraud is one of the fastest growing crimes in the UK. A record £424.6 million of fraud was committed on UK cards in 2002, up from £411.5 million in 2001, according to UK trade association the Association for Payment Clearing Services (APACS).

Counterfeit card fraud is the biggest category, accounting for £148.5 million stolen in 2002, followed by card not present fraud (£110.1 million) and lost and stolen cards at £108.3 million.

Testing Times

Chip and PIN begins its public trial in Northampton today. Over the coming weeks, 150,000 Northampton residents (or half the adult population) will be sent the new-style cards, and banks and retailers throughout the city will be switching on revamped terminals. Large and small shops, petrol stations, pubs, hotels and restaurants will be involved. In total, around 1,000 retailers are expected to participate.

During the trial (which is scheduled to end in July), Northampton consumers will be prompted to use their PIN for one in every two or three transactions, using a range of debit and credit cards. Entering PIN information will replace signatures in authorizing transactions. Chip and PIN cards and retail terminals in Northampton will continue in use beyond the trial period.

A nationwide rollout is scheduled to follow.

American Express, Barclaycard, Barclays Bank, the Co-operative Bank, Egg, Girobank Merchant Services, HSBC, Lloyds TSB, MasterCard, The Royal Bank of Scotland Group, Switch and Visa are all participating in the trial.

The UK is one of the first countries to introduce chips on cards which meet new global specifications known as EMV (Europay/MasterCard and Visa). In time this means cards will be accepted around the world using the same security checks.

A similar domestic PIN-based system in France has seen an 80 per cent reduction in fraud since its introduction ten years ago. Most European countries, including France, are expected to implement the EMV system over the next five years.

The Northampton trial is the start of a full national rollout due to be completed by the start of 2005. Cards will be reissued and retailers will upgrade their terminals throughout the period. Consumers do not need to take any action themselves as their card companies will get in touch when they are ready to issue the new type of card.

Step in the right direction?

When we covered the initial announcement for the scheme back in April we wondered if the scheme would cut fraud.

Reg readers Joel Smith and Peter Fairbrother of the open-source cryptography project m-o-o-t.org both warned of the same potential pitfall of the scheme.

For a long time, Banks have denied that it is possible to make fraudulent transactions using a PIN in an ATM. However, it has now been shown to be possible.

Smith writes: "If a PIN transaction is made on my card after it has been stolen, how do I deny that it was me who made the transaction? Anyone with access to the PIN becomes an authorised user. I don't regard PIN codes as being overly secure, and this might be a step backwards in security."

Fairbrother believes the Chip and PIN scheme has the effect of shifting liability to the consumer.

"As the bank's will say that any 'phantom withdrawals' are down to the customer - because of course Chip and PIN is secure" Fairbrother. "This is becoming a problem in France, and elsewhere in Europe, where people are being deprived of compensation (and sometimes arrested) after complaining about phantom withdrawals / CC charges."

So although depending on a chip - rather than a magnetic stripe - is more secure, if you do become the victim of shoulder surfing the new scheme might mean you're in even more trouble.

Which is not nice. ®

External Links

Chip and PIN Programme - "the biggest consumer project since decimalisation" launches today
"Annual card fraud figures reach record high", APACS report (PDF)

Related Stories

Smart credit on UK cards. Will it cut fraud?
ID theft: a $1bn a year crime
How to get an ATM PIN in 15 guesses
Crackers gain sight of up to 5m credit cards

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.