Chip and PIN: Good but not good enough

Nick

I know you're in the business of selling biometric authentication, but to do so by attacking chip and PIN is misleading to say the least.  Here's the facts as I see them:

- As you point out, chip and PIN has been tremendously effective in reducing face-to-face fraud in the physical world.

- But chip and PIN is also the best solution for tackling fraud in the virtual world via Remote Chip Authentication (RCA - what MasterCard calls CAP and Visa calls DPA): ie inserting your card in a reader, entering your PIN, and generating a one-time-password OTP).

- RCA is widely used to reduce online banking fraud.  Barclays PINSentry for example has been quoted as reducing Barclays' online banking fraud to zero.  A key point about this solution is that because the reader is physically separate from the PC, malware and phishing are not effective.

- Increasingly, RCA is starting to be used to tackle Card-Not-Present (CNP) fraud, by the simple expedient of treating the OTP as a MasterCard SecureCode or Verified by Visa code.  In other words the user only has to remember the one PIN which they already use in the physical world.  All the Belgian banks have rolled out this solution.

Tackling card fraud is difficult and takes years of effort.  The global migration to EMV chip started 15 years ago and is still evolving through RCA and 3D Secure, but it's the best solution we've got and a magnificent achievement.   There are undoubtably niche markets for voice authentication and other biometric solutions, but the card payments market is I fear not one of them.

Since we're seeing biometrics being proposed as an alternative to VbV and MasterCard SecureCode, it follows that the context is CNP / online. That being the case, are we to assume that webcam for iris scanning, fingerprint scanner for capturing fingerprint impressions, and all other types of biometrics authentication equipment are part of basic hardware? Otherwise, I'm not sure how biometrics will work without any additional hardware.

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate and what are the conditions of testing?

RCA has made great strides, and should be supported, but I think Nick O still has a point.  In the future, won't users of tablets and smartphones find card readers too clunky to carry around?  In which case, couldn't biometrics provide an alternative, and very portable, means of authentication?  

Both tablets and smartphones can capture sounds and images for biometric verification, and these can only get better with time.  The question is, how long do we have to wait?   It's down to the vendors to demonstrate whether this provides a serious alternative authentication method at this time, with the devices and bandwidths currently available. 

Still not a fan of CHIP and PIN - I feel happier providing some evidence of who I am, such as Signature which could be verified and challenged if too different - a PIN is just too personal.

Also I can't remember more than 1 PIN, so either have to write them all down (which could be lost/stolen), or have the same PIN for everything, which provides a weak link, so in the end I went for CHIP and Signature instead.

Hello Nick.

Just checking if you saw my questions:

Can you please quantify what is meant by "impersonation is almost impossible"?  What is the demonstrated False Detect rate?  What is the corresponding False Reject rate, and what are the conditions of testing?

Cheers, Stephen Wilson, Lockstep.