Chip and PIN: Complete Fraud Solution or Just One Piece of the Puzzle?
In markets where the Chip and PIN initiative has been introduced, there has been a noticeable increase in card security at point of sale (POS) terminals. In the UK alone, the Association for Payment Clearing Services (APACS) credited an annual 47% reduction in retail card fraud throughout 2006 to the introduction of Chip and PIN. Similar success stories have been reported throughout Europe and Asia.
The result has been a significant shift in card fraud from POS terminals to card-not-present (CNP) scenarios, which include purchases made over the Internet, by telephone and by mail order. Again, using the UK as an example, CNP fraud as a percentage of total card fraud has risen dramatically, from 7% in 1996 to nearly 50% in 2006 according to APACS. Clearly, this is a sign that, in light of the breakthrough with POS fraud, banks and financial institutions have a new and growing problem to address.
MasterCard introduced its Chip Authentication Program (CAP) application in response to the growing threat from CNP fraud. Sub-licensed by Visa, CAP uses the cryptographic functions available on an EMV card to provide core security during cardholder authentication. The business case for CAP was initially built around the need to protect cardholders at the ‘log in’ stage of internet-based banking transactions, in the face of emerging online scams such as phishing. While the initial intention was that CAP offered a solution to combat internet-based CNP fraud, it was eventually designed to enable its wider usage in telephone and mail order purchasing scenarios.
A key question which is being debated in the UK payments industry today is whether CAP is really the ‘one solution fits all’ answer for different types of CNP fraud. If the answer is yes, why has the adoption and rollout of CAP been noticeably slow to date? If the answer is no, then is there an alternative technology being considered as a serious contender by the banks?
Before addressing the strengths and potential weaknesses of CAP, a brief overview of the current situation in the UK will help to explain, in part, why UK banks have experienced a delay in the implementation of planned CAP deployments.
A critical element of any CAP programme is the Personal Card Reader (PCR) which must be issued to every individual cardholder, in order that they can securely and independently generate tokens which will be required to authenticate them in a CNP transaction. Following the introduction of CAP, the UK banks made a joint decision, through APACS, that PCRs issued by individual institutions needed to be interoperable, allowing the cardholder to use any PCR with all issuers’ CAP programmes. The logic was that for CAP to be widely accepted by cardholders, the technology had to be easy to understand and intuitive and a critical mass of interoperable PCRs had to be reached within the consumer marketplace. The debate over the functionality, and general look and feel of a generic PCR lasted more than two years before the final implementation was agreed.
On top of this debate, APACS had identified some additional issues with the way in which the CAP specification worked in relation to the UK banking industry. A request was made to MasterCard to define a subset of the CAP specification for use by UK banks, and this led MasterCard to issue an updated version of CAP in March 2007, which took into account a number of regional variations.
Aware of the debate and technical developments being undertaken throughout this time period, UK banks planning to invest in CAP naturally delayed commencing their development processes until the specification and PCR issues had been resolved to APACS’ satisfaction.
Yet despite the introduction of the updated CAP specification nearly a year ago and the eventual consensus by APACS on the PCR functionality, in 2008 the UK is still waiting for CAP to fully materialise in the marketplace. The reason for this is that those issuers who are planning to implement CAP are aiming to minimise their deployment costs by replacing cardholders’ EMV cards with CAP-enabled alternatives as their existing cards expire. While this avoids the need to incur significant card re-issuance costs, it does necessitate a three-year phased implementation programme, as the lifecycles of the most recently issued cards in the marketplace run their course before expiration.
While the PCR debate, the updated release of the CAP specification in March 2007 and the three-year lead time for CAP card implementation all provide adequate explanation for the slow uptake of CAP in the UK, there is another complicated twist which further fuels the delay. Due to the three-year time gap between banks issuing the first and last of their initial CAP cards (explained above), many banks now have a technical issue to overcome. Only two data elements differentiate the EMV specification and the CAP application, and one of these is the Issuer Proprietary Bitmap (IPB). The IPB determines the precise make-up of the information that will go onto the CAP token, so it is crucial that IPBs are carefully designed, as the choices made will impact issues as diverse as the overall security of the CAP tokens and the user experience (certain choices will increase the length of the CAP token, resulting in more digits for the cardholder to enter, while others will decrease its length). The concern for many banks is whether decisions taken now regarding the structure of the IPB will still be valid and ‘future-proof’ in three years’ time and beyond. Much research and development is still being undertaken to ensure that CAP programs scheduled for a short-term launch will offer longevity.
While these technical aspects are being addressed, the banks have still had to contend with major threats to their e-banking systems in the form of phishing, pharming and Trojan Horse attacks, among others. The initial promised solution to this – CAP – has been significantly delayed while the business need has become ever more critical. Many banks have therefore already started to deploy other forms of authentication on their eBanking websites, such as one-time password (OTP) tokens and site authentication images, as a cheap, short- to medium-term solution. This raises a serious issue – has the delay in CAP rollout and the banks’ subsequent and necessary move to other two-factor authentication (2FA) methods compromised the potential success of CAP as the de facto solution for strong authentication in the banking industry?
2FA has become widely acknowledged across the world as an accepted method of securing CNP payment transactions, with CAP emerging as a clear front-runner. While there are many solutions now available for authenticating internet log-in, the technology available for securing other types of CNP transactions is relatively limited, explaining the current popularity of CAP for these types of scenarios. Whether CAP will hold up in the long term, however, remains to be seen as it does have its limitations.
While the OTP and ‘challenge-response’ modes are commonly used and widely accepted in the marketplace today and can easily be applied to all types of CNP transaction scenarios, these methods only authenticate the cardholder – they do not validate the specific transaction data. This leaves cardholders vulnerable in cases of identity theft and man-in-the-middle (MITM) attacks, which are currently on the increase. In a MITM attack a fraudster intercepts the connection between a customer and their bank and uses the details exchanged between the parties to undertake a real-time transaction, modifying instructions such as which account a payment should be made into and how much should be paid.
While CAP clearly does offer a solution to this type of advanced fraud – in the form of the third ‘transaction data signing’ mode – the reality is that this method is challenging to implement. CAP does not specify which data elements must be entered by the cardholder and in which order (e.g. amount, store number, currency type, etc.), so this is left up to the issuer to define. Due to the way in which this method works, the data elements and the order in which they are entered, as specified by the issuer, would have to be rigidly adhered to by all of that issuer’s merchants across the world. If the wrong data is entered, or if the correct data is entered in the wrong order by the cardholder, the transaction will fail. This means that this type of CAP method requires issuers to have a very close relationship and strong interaction with their merchants, who in turn have to pass on clear instructions to cardholders. Of course there are some instances where this scenario will work, and in those cases transactions will inevitably be more secure and issuers are likely to be seen as innovators within the industry, but generally speaking it could be very difficult for issuers to realise.
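As an added illustration (not MasterCard’s CAP algorithm and not code from this article), the following Python sketch models the two points made above: an issuer-chosen bitmap standing in for the IPB selects which cryptogram bits form the token and so fixes its digit count, and a token computed over the transaction fields in the issuer’s order stops verifying when a MITM alters the amount or the cardholder keys the fields in a different order, whereas an identity-only OTP is independent of the transaction. HMAC-SHA256 with a constructed key stands in for the on-card EMV cryptogram; the card key, counter, field order and field values are all constructed assumptions.

```python
import hmac
import hashlib

# Constructed demo values; a real CAP card keeps its key on the chip and
# computes an EMV application cryptogram rather than an HMAC.
CARD_KEY = b"constructed-demo-card-key"
IPB_SHORT = (1 << 20) - 1   # issuer keeps 20 cryptogram bits: token of at most 7 digits
IPB_LONG = (1 << 40) - 1    # issuer keeps 40 bits: harder to guess, up to 13 digits to type


def cryptogram(counter: int, fields: list[str]) -> bytes:
    """Stand-in for the on-card cryptogram: a MAC over the transaction counter
    and the transaction fields in the order the cardholder keyed them.
    An empty field list models the identity-only (OTP) mode."""
    msg = counter.to_bytes(2, "big") + b"|".join(f.encode() for f in fields)
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()


def apply_ipb(crypt: bytes, ipb: int) -> int:
    """Issuer Proprietary Bitmap: keep only the cryptogram bits where the
    bitmap has a 1 and pack them together into one integer."""
    value = int.from_bytes(crypt, "big")
    out = 0
    for bit in range(len(crypt) * 8):
        if (ipb >> bit) & 1:
            out = (out << 1) | ((value >> bit) & 1)
    return out


def make_token(counter: int, fields: list[str], ipb: int) -> str:
    """Decimal token the cardholder would read off the PCR display."""
    return str(apply_ipb(cryptogram(counter, fields), ipb))


def issuer_verifies(token: str, counter: int, fields: list[str], ipb: int) -> bool:
    """Issuer recomputes the token from the transaction it believes it is processing."""
    return hmac.compare_digest(make_token(counter, fields, ipb), token)


if __name__ == "__main__":
    ctr = 42
    keyed = ["4999", "01234", "826"]   # amount, store number, currency code: issuer's order
    token = make_token(ctr, keyed, IPB_SHORT)
    print("token digits:", len(token))
    # Signed token is bound to the data: a MITM-altered amount fails, and so does
    # keying the correct fields in the wrong order.
    print(issuer_verifies(token, ctr, ["9999", "01234", "826"], IPB_SHORT))
    print(issuer_verifies(token, ctr, ["01234", "4999", "826"], IPB_SHORT))
    # Identity-only OTP verifies regardless of what transaction the MITM substitutes.
    otp = make_token(ctr, [], IPB_SHORT)
    print(issuer_verifies(otp, ctr, [], IPB_SHORT))
```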
The final problem with CAP is the need for a PCR to be available wherever the cardholder is required to provide a second form of authentication. While banking cards containing the CAP application may be front of wallet and carried almost everywhere, the readers are far more bulky and are unlikely to be carried at all. For this reason, to achieve general CAP acceptance, it is critical that a reader is readily available to a cardholder whenever they need one. This is the main reason why interoperability of PCRs remained such an important issue with APACS for member banks.
Despite all of the advantages of CAP, its limitations regarding transaction data signing have caused some UK banks to consider SMS tokens as a serious alternative technology. If an issuer has access to the mobile phone numbers of cardholders, SMS tokens can offer a convenient and inexpensive way to communicate directly with a cardholder through their mobile handset, in order to authenticate a transaction in real time.
Not only can SMS tokens be based on a one-time password format, which most cardholders are now familiar with, but transaction data can be entered to ensure the highest levels of security are maintained, thwarting MITM attacks. Another obvious advantage of this technology for issuing banks is that the costs and complexity associated with issuing PCRs to each individual cardholder can be avoided, since the technology is based on the mobile phone handsets that most people in developed markets today consider a lifestyle essential, and carry with them at all times.
From a technical and security viewpoint, it is clear that transaction data signing is the next major step to be considered by banks in order to address the growing levels of CNP fraud. Both CAP and SMS tokens provide workable solutions, based on technology that exists today, so it remains a guessing game as to which banks will choose which technology to suit their strategic business requirements. My opinion is that the market will see the emergence of both technologies running in parallel in the short to medium term and both solutions will capture a credible market share. It is quite possible that banks will opt to use both technologies, choosing for example to implement CAP for online authentication and SMS tokens for other CNP transactions, such as phone and mail order purchases. That way, they will be able to exploit the obvious security advantages of both technologies while keeping their future options open.