Chip and PIN Security

Chip and PIN

Chip and PIN was introduced in the UK in 2004 and over a period of several months all magnetic stripe credit cards (and debit cards) were replaced with smartcards. Smartcards contain a chip that can hold data and run applications. Access to the chip is protected by a four-digit personal identity number (PIN). The credit card companies announced chip and PIN with a widespread advertising campaign claiming that we were "more secure with numbers". In this article I will examine this claim.

Introduction

Chip and PIN is an example of two-factor authentication. Authentication is a mechanism where you prove who you are. Security systems then have a further step called authorization which indicates what each authenticated person is allowed to do. Without authentication a person can only get default authorization, which usually means that they are not authorized to do anything. As the name suggests, two-factor authentication involves two items. Usually this is something you know (a pass phrase, for example) and either something you have (for example, your driver's licence) or something you are (biometrics: your fingerprint or iris scan). Just one of these things is fairly insecure. You could guess the PIN for a mobile phone (usually that is easy if you know the birthday or marriage date of the phone's owner), and if you know that your neighbour keeps their front door key under the door mat, it does not mean that you should be allowed to enter their house. Two forms of authentication (for example, a driving licence and a face that matches the photo on the card) are much more secure. With chip and PIN the smartcard is the thing that you have and the PIN is the thing that you know. The idea is that if you have just one of these (the card, but not the PIN; the PIN but not the card) then you will not be authenticated and so will not be authorised to perform a financial transaction.

Prior to chip and PIN, authentication of credit cards was either through the data on the magnetic stripe and a PIN, or the data on the magnetic stripe and the signature, or using the embossed cardholder's details and the signature. There are various problems with these methods. A fraudster could record the embossed cardholder's details and use these for telephone 'cardholder not present' purchases. Sometimes this occurred by a clerk saving the carbon paper from the transaction, or a 'dumpster diver' could retrieve these details from the shop's trash. Ultimately, mail order vendors who authorise 'cardholder not present' purchases are liable for the cost - the credit card company will not honour the payment - and so in response to such frauds, some mail order companies refuse to ship goods to addresses other than the cardholder's. However, some online services do not involve the shipping of any goods, and others, due to their somewhat shaky legality (for example, porn sites), probably don't care if the occasional transaction fails.

A quick search of the internet shows that a simple algorithm can be used to verify that a credit card number corresponds to a particular credit card company. Thus, it is possible to generate numbers at random and reject those that are not valid (but although it is possible to generate a valid number, there is no guarantee that the number actually refers to a valid account). If a site does not verify that the purchaser's details are the same as the account details then fraud becomes easy. The credit card companies counteracted this issue by providing three additional numbers on the signature strip. These numbers are not part of the same validation algorithm mentioned above, and since they are not embossed they will not show up on carbon paper. However, if you give your credit card to a waiter who takes it out of your sight, that waiter could record all the card details including the security code on the signature strip. These security digits make 'cardholder not present' fraud more difficult, but they do not prevent all fraud.
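
The validation algorithm mentioned above is the Luhn (mod 10) checksum used on payment card numbers. The following is an added example, not code from the original article: it shows that the checksum catches every single-digit typing error but is satisfied by one in ten final digits, so a merchant can only use it as a format check before asking the issuer to verify the account, security code and address. The function names and the merchant_precheck policy are assumptions made for illustration; 4111111111111111 is a publicly documented test number.

```python
def luhn_valid(number: str) -> bool:
    """Return True if a 12-19 digit string passes the Luhn (mod 10) checksum."""
    if not (number.isascii() and number.isdigit() and 12 <= len(number) <= 19):
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def single_digit_typos_caught(number: str) -> bool:
    """Check that changing any one digit of a valid number breaks the checksum."""
    for pos, ch in enumerate(number):
        for other in "0123456789":
            if other != ch and luhn_valid(number[:pos] + other + number[pos + 1:]):
                return False
    return True


def passing_check_digits(prefix: str) -> list:
    """List the final digits that make prefix + digit pass (always exactly one)."""
    return [d for d in "0123456789" if luhn_valid(prefix + d)]


def merchant_precheck(number: str, cvv_supplied: bool, address_supplied: bool) -> str:
    """Hypothetical policy: the checksum can reject an order, never accept one."""
    if not luhn_valid(number):
        return "reject: mistyped or malformed number"
    if not (cvv_supplied and address_supplied):
        return "reject: security code and billing address required"
    # Passing the checksum says nothing about whether the account exists.
    return "send to issuer for authorization"


if __name__ == "__main__":
    test_number = "4111111111111111"  # public test number, not a real account
    print(luhn_valid(test_number))
    print(single_digit_typos_caught(test_number))
    print(passing_check_digits(test_number[:-1]))
    print(merchant_precheck(test_number, cvv_supplied=False, address_supplied=True))
```
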

A search on the internet will also come up with details of the information held on the magnetic stripe on a credit card. Card writers are freely available, and blank cards are trivial to obtain. (You could use anything with a magnetic stripe, for example a video club card.) So cloning cards is easy to do, and if the PIN is known a cloned card can be used in an automated teller machine (ATM) to obtain cash. (Of course, no one in their right mind will ordinarily withdraw cash with a credit card because most credit card companies will charge you interest the instant you withdraw the money, regardless of whether you pay off your bill in full. In other words, the month's grace period given by most credit card companies is not applied to cash withdrawals. However, this is a facility of credit cards that you get whether you like it or not, and credit card companies quite like people who spend as if they are not in their right mind.)

(c) 2006 Richard Grimes