Banks undermine chip and PIN security because they see profits rise faster than fraud

The Chip and PIN card payment system has been mandatory in the UK since 2006, but only now is it being slowly introduced in the US. In western Europe more than 96% of card transactions in the last quarter of 2014 used chipped credit or debit cards, compared to just 0.03% in the US.

Yet at the same time, in the UK and elsewhere a new generation of Chip and PIN cards has arrived that allows contactless payments – transactions that don’t require a PIN code at all. Why would card issuers offer a means to circumvent the very security Chip and PIN is meant to provide?

Chip and Problems

Chip and PIN is supposed to reduce two main types of fraud. Counterfeit fraud, where a fake card is manufactured based on stolen card data, cost the UK £47.8m in 2014 according to figures just released by Financial Fraud Action. The cryptographic key embedded in chip cards tackles counterfeit fraud by letting the card prove its identity: for each transaction the chip computes an authentication code that only a card holding the key can produce, and the issuer checks it. Extracting this key from the chip should be very difficult, whereas copying the details stored on a card’s magnetic stripe from one card to another is simple, because the stripe holds only static data.
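The following is an added example, not code from the original article, modelling the distinction just described: a chip that answers a per-transaction challenge with a key it never exports, beside a magnetic stripe whose entire content a skimmer can copy. It is a deliberate simplification of EMV (a real card derives a session key from an issuer master key and returns an 8-byte ARQC); the HMAC construction, key value, track data and amounts are all assumptions constructed for the example.

```python
"""Toy model of dynamic chip authentication versus static magnetic-stripe data.

Added example, not code from the original post. It is a simplification of
EMV: a real card derives a session key from an issuer master key and returns
an 8-byte cryptogram (ARQC); here the card keys an HMAC with a secret that
only it and the issuer hold. Key, track data and amounts are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample data (not a real card): the issuer's key for this card
# and the static data a magnetic stripe carries (PAN, expiry, service code,
# discretionary data). The stripe is readable by any skimmer; the key is not.
ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TRACK2 = b"4000000000000002=27121011234"


def cryptogram(key: bytes, nonce: bytes, amount: int, track2: bytes) -> bytes:
    """8-byte MAC over the terminal's unpredictable number, the amount and
    the card data. Without `key` it cannot be computed for a new nonce."""
    msg = nonce + amount.to_bytes(6, "big") + track2
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip answers challenges but never exports its key."""

    def __init__(self, key: bytes, track2: bytes):
        self._key = key
        self.track2 = track2

    def respond(self, nonce: bytes, amount: int) -> bytes:
        return cryptogram(self._key, nonce, amount, self.track2)


class Issuer:
    """Online authorisation: recompute the cryptogram and compare."""

    def __init__(self, key: bytes, track2_on_file: bytes):
        self._key = key
        self._track2 = track2_on_file

    def authorise_chip(self, nonce: bytes, amount: int,
                       track2: bytes, mac: bytes) -> bool:
        if not hmac.compare_digest(self._track2, track2):
            return False
        expected = cryptogram(self._key, nonce, amount, track2)
        return hmac.compare_digest(expected, mac)

    def authorise_stripe(self, track2: bytes) -> bool:
        """Legacy path: nothing dynamic to check, only static data."""
        return hmac.compare_digest(self._track2, track2)


def fresh_nonce() -> bytes:
    """What a terminal does per transaction. The scenarios below mostly use
    fixed nonces so that the outcome is reproducible."""
    return secrets.token_bytes(4)


def genuine_chip_accepted() -> bool:
    card = ChipCard(ISSUER_KEY, TRACK2)
    issuer = Issuer(ISSUER_KEY, TRACK2)
    nonce = bytes.fromhex("0a1b2c3d")
    return issuer.authorise_chip(nonce, 2500, card.track2,
                                 card.respond(nonce, 2500))


def replayed_cryptogram_rejected() -> bool:
    """Attacker recorded one genuine transaction and replays its MAC.
    The next terminal picks a different nonce, so the MAC no longer matches."""
    card = ChipCard(ISSUER_KEY, TRACK2)
    issuer = Issuer(ISSUER_KEY, TRACK2)
    recorded = card.respond(bytes.fromhex("0a1b2c3d"), 2500)
    return issuer.authorise_chip(bytes.fromhex("7e7e7e7e"), 2500,
                                 TRACK2, recorded)


def cloned_chip_without_key_rejected() -> bool:
    """A 'clone' built from skimmed track data but no key can only guess."""
    issuer = Issuer(ISSUER_KEY, TRACK2)
    guessed = secrets.token_bytes(8)
    return issuer.authorise_chip(fresh_nonce(), 2500, TRACK2, guessed)


def cloned_stripe_accepted() -> bool:
    """The same skimmed track data written to a blank card passes the
    stripe path: there is nothing the copy lacks."""
    issuer = Issuer(ISSUER_KEY, TRACK2)
    skimmed = bytes(TRACK2)
    return issuer.authorise_stripe(skimmed)


if __name__ == "__main__":
    print("genuine chip:", genuine_chip_accepted())
    print("replayed cryptogram:", replayed_cryptogram_rejected())
    print("cloned chip, no key:", cloned_chip_without_key_rejected())
    print("cloned stripe:", cloned_stripe_accepted())
```

The protection in this model rests entirely on two things: the key staying inside the chip, and the terminal's nonce being genuinely unpredictable. If an attacker can foresee the nonce a terminal will use, they can have a genuine card answer that challenge in advance and replay the stored answer later, which is the kind of weakness that makes "cloned cards that terminals won't detect" possible even with a chip present.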

The second type of fraud is where a genuine card is used, but by the wrong person. Chip and PIN makes this more difficult by requiring users to enter a PIN code, one (hopefully) not known to the criminal who took the card. Financial Fraud Action separates this into those cards stolen before reaching their owner (at a cost of £10.1m in 2014) and after (£59.7m).

Unfortunately Chip and PIN doesn’t work as well as was hoped. My research has shown how it’s possible to trick cards into accepting the wrong PIN and produce cloned cards that terminals won’t detect as being fake. Nevertheless, the widespread introduction of Chip and PIN has succeeded in forcing criminals to change tactics – £331.5m of UK card fraud (69% of the total) in 2014 is now through telephone, internet and mail order purchases (known as “cardholder not present” fraud) that don’t involve the chip at all. That’s why there’s some surprise over the introduction of less secure contactless cards.


A Digital Magna Carta?

I attended two privacy events over the past couple of weeks. The first was at the Royal Society, chaired by Prof Jon Crowcroft.

All panelists talked about why privacy is necessary in a free, democratic society, but also noted that individuals are ill equipped to achieve it given the increasing number of technologies collecting data about us, and the commercial and government interests in using that data.

During the question & answer session, one audience member asked if we needed a Digital Charter to protect rights to privacy. I agreed, but pointed out that citizens and consumers would need to express this desire more clearly, and be prepared to take collective action to stop the gradual encroachment.

The second panel – In the Digital Era – Do We Still Have Privacy? – was organised in London by Lancaster University this week as part of its 50th Anniversary celebrations, and chaired by Sir Edmund Burton.

One of the panelists – Dr Mike Short from Telefonica O2 – stated that it does not make commercial sense for a company to use data in a way that goes against its customers’ privacy preferences.

But there are service providers that force users to allow data collection – you cannot have the service unless you agree to your data being collected (which goes against the OECD principles for informed consent) – or that present terms & conditions so long that users don’t want to read them, and even if they were prepared to read them, they would not understand them without a legal interpreter.

We have found in our research at UCL (e.g. Would You Sell Your Mother’s Data, Fairly Truthful) that consumers have a keen sense of ‘fairness’ about how their data is used – and they definitely do not think it ‘fair’ for their data to be used against their express preferences and life choices.

In the Q & A after the panel the question of what can be done to ensure fair treatment for consumers, and the idea of a Digital Charter, were raised again. The evening’s venue was a CD’s throw away from the British Library, where the Magna Carta is exhibited to celebrate its 800th anniversary. The panelists reminded us that last year Sir Tim Berners-Lee called for a ‘Digital Magna Carta’ – I think this is the perfect time for citizens and consumers to back him up, and unite behind his idea.

Why Bentham’s Gaze?

Why is this blog called “Bentham’s Gaze”? Jeremy Bentham (1748-1832) was a philosopher, jurist and social reformer. Although he took no direct role in the creation of UCL (despite the myth), Bentham can be considered its spiritual founder, with his ideas being embodied in the institution. Notably, UCL went a long way towards fulfilling Bentham’s desire of widening access to education, by being the first English university to admit students regardless of class, race or religion, and to welcome women on equal terms with men.

Bentham’s Gaze refers not just to his vision of education but also to the Panopticon – a design proposed for a prison where all inmates in the circular building are potentially under continual observation from a central inspection house. Importantly, inmates would not be able to tell whether they were actively being observed and so the hope was that good behaviour would be encouraged without the high cost of actually monitoring everyone. Although no prison was created exactly to Bentham’s design, some (e.g. Presidio Modelo in Cuba) have notable similarities and pervasive CCTV can be seen as a modern instantiation of the same principles.

Finally, the more corporeal aspect of the blog name is that UCL hosts Bentham’s Auto-Icon – a case containing his preserved skeleton with a wax head, seated in a chair, and dressed in his own clothes. The Auto-Icon was constructed as specified in Bentham’s will and has been cared for by UCL since 1850. His real head was also preserved but judged unsuitable for public display, and so is stored by UCL Museums. Many of the staff and students at UCL walk in view of Bentham while crossing the campus.

You too can now enjoy Bentham’s Gaze thanks to the UCL PanoptiCam – a webcam attached to the top of the Auto-Icon, as you can see below from my photo of it (and its photo of me). Footage from the camera is both on Twitter and YouTube, with highlights and discussion on @Panopticam.

[Image: view from the UCL PanoptiCam (2015-02-19)]