[LINK] Consumer Credit-Card Risks
swilson at lockstep.com.au
Wed Jan 13 11:49:39 AEDT 2010
Nudged, nudged, Roger!
I think your analysis is fine.
I too am bemused by the misuse of the term "algorithm". It's curious
that business people often decry technologists' difficult terminology,
but then occasionally co-opt jargon and get it wrong. It's actually very
common in biometrics for the template generated from scanning a body
part to be wrongly called an "algorithm".
But having said that, I don't actually think Chris Clark's explanation
of one-time codes is all that misleading for lay people, so personally I
would forgive him using "algorithm".
More importantly, I don't think he is actually talking about one time
passcodes as most of us know them (the codes generated by key fobs for
online authentication). Rather he seems to be referring to the one-time
dynamic cryptograms exchanged between the chipcard and the terminal,
under the covers. This is the mechanism that defeats skimming.
Yes, un-authenticated use of cards in vending machines is increasingly
common esp. in carparks. What astounds me is that when I used a credit
card face-to-face with a person at the Sydney Opera House carpark, there
was nothing to sign either. Seems to be a new category of "Card
Present, Merchant Asleep" transaction.
Indidentally, I was greatly relieved to not see any mention of
biometrics in the article. Does anyone know of any biometric payment
security scheme that has survived its pilot? IMHO biometrics remain
totally academic in retail or consumer security.
So I agree Roger that we should welcome the advent of chip cards in
Now, do you mind if I push the envelope a little? The reason chip cards
are important in payments is that, one way or another, they protect the
integrity of the cardholder account number and other details, as
transmitted with the user's consent (PIN), from the card to the
terminal. The details are encrypted (signed if you will) between the
chip and the terminal, which stops replay attack and thwarts ID theft.
More subtly, by increasing the dependability of those details, it means
that in princple less personal information is needed to corroborate a
These properties are sorely needed in e-government and e-health. If
we're keen on chip cards in payment security, then we should also be
looking for properly designed smartcards to secure e-health records and
the like. Different cards for different domains of course.
I declare an interest: my company Lockstep Technologies sells a
smartcard based ID solution. But I don't believe that programs like
longitudinal e-health records and personal health records are safe
unless they have smartcards protecting users' IDs.
Phone +61 (0)414 488 851
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
Roger Clarke wrote:
> I'm continuing to work on the question of contactless cards. I've had
> a prompt response from Visa, including some useful info. I've not yet
> had any information from MasterCard or ASIC.
> It continues to appear that no risk assessment or risk management plan
> from the consumer's perspective exists, and that at no stage has
> consultation been undertaken with reps of and advocates for the
> consumer interest.
> On a related matter ...
> [If anyone detects anything materially wrong or misleading in the
> analysis that follows, I'd appreciate a prompt kick in the head, as
> brief as you like, on-list or off-list as appropriate. Nudge, nudge,
> An article headed 'Security under the microscope' appears in the Money
> Manager segment of the SMH today, and presumably of The Age. (If that
> section is on the Web, it's well-hidden).
> The article provides a half-decent examination of the upgrades to
> security that Visa, MasterCard and issuers have been making, including
> contact-based chips and one-time passwords (referred to in the article
> as 'unique transaction codes').
> Many of us have been arguing for years that the financial services
> sector has been very lax in not upgrading security.
> The figures in the article suggest that, worldwide, 285 million data
> breaches occurred in 2008, 98% involving payment card data. In
> Australia in FY 08-09, APCA said there were 531,000 fraudulent
> transactions resulting in losses of $180 million.
> Those losses are borne almost entirely by merchants. (Financial
> institutions issue chargebacks to merchants. So they only bear the
> loss if the merchant has disappeared, e.g. gone bankrupt, before the
> chargeback is issued. Kiwibank's CEO declared his bank had lost
> $1,000 in 2006-07 I think it was).
> But there's also a large volume of undiscovered fraud that is borne by
> consumers who fail to reconcile their accounts, are too lazy to pursue
> mysterious transactions with their financial services provider, or
> fail to sustain their concentration long enough to last through their
> financial institution's processes - which can be tortuous and very
> (In 2009, in order to force NAB to credit me back $70 fraudulently
> charged to my card in northern Slovakia, I had to have knowledge of
> how to read an EFTS terminal data-dump. 'Yer average mug punter'
> would have given up and copped the loss. A key reason I hung in there
> for a mere $70, and forced a chargeback against the
> fraudster/service-station-operator, was that I'm a consultant,
> researcher and expert witness in relation to such matters, and hence
> could justify the effort involved as research).
> Interim conclusion:
> The contact-based chip and one-time password initiatives do appear to
> be much more effective security features, and are very much to be
> The SMH article doesn't mention two aspects of serious concern:
> - contactless cards
> - other transactions in which no authentication is undertaken as to
> whether the person presenting the card is authorised to do so.
> Visa tells me that this category is a lot more widespread that
> I'd realised, and has been expanding since about 2004. Visa tells
> me that I'm a rare bird never to have done one in a car-park, and
> that there are many other merchant-categories with such terminals.
> So ... my concerns are now much wider than contactless cards, and
> include all of those transaction-types.
> Finally, a quote in the article seems very strange to me.
> Visa GM Chris Clark is quoted as saying:
> "The [contact-based] chip produces *an algorithm* that *authenticates
> the user* once only. The next time it is used its interaction with
> the terminal generates *a new algorithm*. That process makes it much
> harder to copy customer details" (emphases added).
> Firstly, surely the chip generates a new number, not a new algorithm.
> I can understand attempts to simplify complex technology, or
> re-express it in ways consumers will understand (e.g. maybe pilots
> with consumers have shown that they can grasp 'unique transaction
> code' better than 'one-time password').
> But is the seemingly incorrect word 'algorithm' really easier for
> consumers than a seemingly more appropriate term such as 'number',
> 'code', 'one-time password' or 'unique transaction code'?
> Secondly, and much more importantly, the one-time code that's
> generated authenticates *the card* (or, more correctly, *the chip*).
> It's materially misleading to say that it "authenticates the user".
> That can only be done through the use of something the person, and
> only that person, 'has, knows, is, or is now'. Having the card isn't
> enough, because the card can find its way into the hands of an
> unauthorised user.
> I'd have been disappointed if a nominally specialist reporter made
> such an error, but I think it's remarkable, and pretty poor, that the
> Visa GM appears to have made the mistake.
More information about the Link