Fall 08 - T33 - G3

=The Fraudulators=

Group Members:

 * Walters, Andrew Scott
 * Mai, Ngoc Luong
 * Evans, Jillian Angela
 * Farooq, Kanwal
 * Hird, Meghan Lynn

Technology:

 * Chip and Pin Technology

Issue:

 * Fraud Prevention on credit cards

Initial Problem Statement:

 * Anyone can be a victim of fraud! In such a case one stands to lose something they have worked hard to obtain. Our mission is to discuss chip and pin technology as a means of fraud prevention. A system has been developed for credit card transactions which are conducted in person. This system involving microchips and personal identification numbers (PINs) was developed in the United Kingdom. Many regions of the world have already begun to use this new technology, and now it’s coming to Canada. With the use of chip and pin technology one will insert a card that has a chip on the front and enter their PIN as opposed to swiping their card and signing a receipt. The use of chip and pin technology will have cause a sustantial decrease in credit card fraud.

= Chip and Pin Technology=

What is Chip and Pin technology?

 * Chip and Pin technology consists of three components the chip, the pin and the card reader.

The Chip:

 * The Chip is essentially a microchip imbeded into a plastic card. The chip consists of a microprocessor, RAM and ROM which holds all of the cardholders information in an encrypted format for safe keeping.

The Pin:

 * The Pin is a four digit number used to verify the cardowner is in fact the person using the card. The pin consists of four digits selected by the card holder and kept confidential. Because each digit can be any number from zero to nine and is not required to be unique there are 10000 possible combinations for a users pin. It is the volume of possible combinations which helps prevent thieves from guessing the pin.

The Card Reader:

 * The card reading device makes chip and pin technology possible. The card reader sends power to the chip via gold or silver contacts on the front of the card. The chip and card reader then communicate back and forth to ensure that each is a legitimate party and the user proceeds to enter their pin. This information is then used to complete the transaction and a purchase is made.

History and Development

 * Chip and Pin technology was first trialed in Northampton, England in 2003, and due to its success was then introduced to all of the United Kingdom (UK) in 2004. By February 14th, 2006 all transactions in the UK involving credit cards with the new chip technology were to be processed using the chip technology and pin verification code. This meant that all retailers were required to upgrade their Point of Sales transaction systems. An observation of extensive success of the new technology and the major reduction of fraud in the UK, France and Ireland adopted similar systems with chip and pin technology.


 * Canada has now caught on to the popular chip and pin trend with Visa introducing the technology to its cardholders. However, the conversion is still in its initial stage. Many cardholders are not issued their new chip and pin Visas until their current card expires. Also, many merchants have not upgraded their current Point of Sales systems to accept the pin technology, meaning many people with chip and pin cards are still signing their receipts for payment method, rather than using the pin technology.


 * Despite this, over 262 million chip and pin Visa cards have been issued around the world and the technology is currently available in over 86 countries. The benefits of the new technology are said to outweigh the costs, with a definite decrease in credit card fraud already being observed. However, magnetic stripe cards will still continued to be used as a safe, reliable, and convenient method of payment, including in the United States. Chip reading terminals will continue to process magnetic stripe cards as well. Therefore, both methods will continue to be used.

[[Image:plus.JPG|Plus|75px]]Advantages

 * Chip and PIN secured visa cards are very efficient and have been introduced in order to decrease security related issues.

Reduces Credit Card Fraud:

 * One of the most important benefits of Chip and PIN technology is to decrease the amount of fraud. Credit related Frauds have significantly declined in European nations in recent years. Banks claim that in the UK fraud has decreased by a half since introduction of new technology in 2004. The chip is impossible to copy and doesn’t store the PIN used, nor does it store any information regarding purchases. The PIN identifies the person and disallows use of the card if it has been stolen.

Ease of Use:

 * It is a faster process and easier for customers to use. Not using the signature feature and picture for verification makes it much easier for both consumers and sellers saving time spent at each service. PINS that are used can be easily changed using ATM machines or bank branches if in doubt of the security. Credit card businesses assure that this is one major step towards liability of customers.

Card Holder Benifits:

 * Chip cards also provide more authority of the card to the customer, as they don’t have to turn in their card to sellers while paying. The card can be inserted by the user into the terminal. The chance of forgetting your card while paying would be quite low as the card is only being handled by the cardholder. These new cards can be used globally as they meet needs of global introduced standards called EMV. Chip and PIN secured cards come with several expectations and benefits and are believed to meet the high standards set by investors.

[[Image:minus.JPG|Minus|75px]]Disadvantages

 * Although Chip and PIN technology does have several advantages, it also poses some disadvantages:

Liability:

 * Chip & PIN users are now more liable for fraudulent purchases made on their card. Four-digit PIN numbers can be seen much more easily by others when compared to signatures, but can also be shared much more easily with others. It is therefore up to the user to protect their PIN and card from being stolen or used unlawfully. This responsibility could possibly put users at fault for phantom withdrawals (depending on the country).

More prone to theft or attack:

 * Since chip technology has proven to be much more difficult to clone, users may find themselves more prone to theft or attacks. Once the PIN of the user is known by another person, the owner’s safety may be compromised. They face the possibility of having their card or wallet stolen, having their vehicle or home broken into, and may even face the possibility of physical assault by another person attempting to steal their card.

Fallback:

 * Once all ATMs and POS machines are equipped with Chip & PIN reader technology, users may still find themselves at risk for fraud. If a user has a damaged chip, or does not have Chip & PIN technology on their card yet, they are once again vulnerable to magnetic stripe skimming and cloning. Back-up methods for use are less secure and leave the user at risk.

Problems with chip technology:

 * Users may find themselves at a loss if their chip malfunctions. Damage to the chip by static electricity, magnetism, wear and tear, or simply by just being dirty, places users once again at a risk for fraud via fallback, but also at an inconvenience. Furthermore, depending on the chip type (either Static Data Authentication (SDA) or Dynamic Data Authentication (DDA)), the user may be at a greater risk for card cloning. SDA technology is much less secure than DDA, allowing fraudsters to easily program and clone cards to withdrawal cash from ATMs and purchase items at POS without even knowing the correct PIN.

Cross-border issues and fraud:

 * Not all countries are equipped with Chip & PIN technology. Many European countries are far in advance with the technology and soon may remove magnetic stripe technology from ATMs and POS machines, leaving customers from other countries with few options for payment. Also, since not all countries are equipped with Chip & PIN, visitors from European countries may also be stuck with few options for payment if all magnetic striping is removed from their bank cards. Furthermore, cross-border fraud may be an issue if cards are stolen from users where Chip & PIN technology is utilized more, and then used in a country where the Chip & PIN are bypassed and magnetic striping is used.

EMV weakness:

 * Although there have been no major problems with EMV technology yet, there are bound to be some technical flaws and security breaches in the future. Fraudsters will eventually find a way around the security of EMV, and users may once again be at risk for illegal activity by others.

Online problems continue:

 * Chip & PIN technology does not reduce fraud for online or “card-not-present” purchases.
 * Although Chip & PIN may be a great alternative to magnetic stripe technology, there are still several issues included with it, some that may never be resolved by any form of technology. Users must be aware that even though their information may be more secure with this technology, there are people out there using many methods of action to get a hold of their personal banking information. It is therefore, first and foremost, up to the user to protect their information by blocking their PIN from bystanders, CCTV, and store clerks. It is also important to keep their information safe from phishing (telephone and online scams).

Some other fraud prevention technologies



 * The most basic method of fraud prevention is electronic authorization. This process verifies that the credit card is valid and has enough funds. There are significant limitations associated with this process, Eg. no assurance that the person using the card is the real cardholder. Technology is rapidly developing to provide the merchants with more protection.


 * For face-to-face transactions, a system involving microchips and personal identification numbers (PINs) is currently being developed in the United Kingdom.


 * For card-not-present transactions[9], the problems of card and cardholder authentication still remain:


 * 1. The AVS (Address Verification Service) is obtained through the cardholder's issuing bank, where numerical details of the address are cross-checked in the online order. This method doesn’t work if the cardholder has moved but the bank has not updated. It is often used for mail order [1].


 * 2. Similarly, the shopper could enter the CVN (Card Verification Number), usually a three- or four-digit number printed on the back of a credit card. Again, there is no assurance that the person using the card is the real cardholder in case the card is lost. This method is often used for phone orders [7].


 * 3. The third method is payer authentication offered by both Mastercard (Mastercard Securecode) and Visa (Verified by VISA). These are password-based programs which request cardholders to enter a password to verify the purchase. However, this requires cardholders to register for the program and it also requires merchants to be registered. This method is used for online transactions [8].


 * a. Benefits [11],[2]: In addition to the benefit for the cardholder when the card is lost, there are also benefits for the merchant.


 * Liability shift: The major benefit to merchants is that they aren't responsible for chargeback. The bank, the card issuer, will assume the liability.


 * No additional charges: There is no additional charge for VbV and MSC from Protx. The bank may charge the merchant to add the merchant number, but the merchant may find that the bank will lower its other charges to the merchant.


 * Flexibility: The merchant could set up a rule base on Protx account to accept or reject transactions relating to the authenticated results.


 * Cards that are part of the scheme: VISA, VISA DELTA, MASTERCARD, UK MAESTRO, SOLO, and VISA ELECTRON are used again for VbV or MSC.


 * b. Limitations [3]:


 * Chargeback can still occur: The merchant will be responsible for the chargeback in case the shopper denies the receipt of goods.


 * Cards are not always part of the scheme: There are no similar initiatives for American Express, JCB or Diner's Club.

Conclusion

 * 1. From the above information, we can learn something new about Chip and PIN technology. The microchip is added in the card, and it is impossible to dulplicate. The microchip together with the PIN will replace for the signature to verify transactions, and save time. Chip cards accompanied by chip terminals at the point of sale help to ensure more secure transactions. The world is migrating to chip, and millions of card users worldwide are already using the technology. Major chip migration programs are underway in 86 countries including the United Kingdom, France, Finland, Italy, Brazil, Australia, South Korea, Japan, Taiwan, Hong Kong, Russia, Poland, Czech Republic, Germany and Sweden.
 * 2. Other technologies for fraud prevention such as AVS, CVN, VbV, show us the similarities between Chip and PIN technology and VbV technology as they both need passwords. For Chip and PIN the card information is checked by a chip terminal. For VbV, the card information is checked by computer program of the issuer. Therefore, using chip terminals at home in the near futrure with our own computers we will no longer require the use of VbV for online transactions.
 * 3. Chip and PIN does change the way we pay for our everyday personal transactions. Chip and PIN is the right technology for now and for the future. The focus now is to build the infrastructure for publishing and processing chip cards. Once that is in place, the fraudulators no longer have an advantage.