Limitations of chip and PIN

In the US, credit cards use a magnetic stripe to carry the information that's needed to carry out a credit card purchase. In other parts of the world, more sophisticated cards are used. These so-called "smart cards" actually contain lots of very advanced technology that protects the cryptographic keys that authenticate the card when it's used.

If you try to recover a protected key with advanced tricks like timing the card's cryptographic operations or measuring the power its processor draws while it's doing one, these cards have built-in features to thwart you. They're not perfect, but they're much more secure than plain magnetic-stripe cards.

If the US credit card market moved to smart cards, how much would it affect the total amount of credit card fraud? It certainly wouldn't eliminate it, because smart cards don't protect against all threats. They do nothing at all, for example, to reduce losses in card-not-present transactions, like you have when you buy something on the Internet.

It's even possible that moving to smart cards wouldn't reduce the total amount of fraud at all. It might just move it from face-to-face transactions to card-not-present transactions. That's apparently what happened in the UK market when it moved from magnetic stripe cards to smart cards. This is described in "Can Smart Cards Reduce Payments Fraud and Identity Theft?" by Richard Sullivan, an economist at the Federal Reserve Bank of Kansas City. You can get the paper here, if you want to read it.

So moving to smart cards probably isn't a way to totally eliminate credit card fraud. It might not even reduce it if it just makes cyber-criminals move to different types of attacks; based on the data from the UK, it might not reduce it at all.

Would moving to smart cards reduce credit card fraud? Like any question in information security, this one also turns out to be more difficult than you might think. 

  • Sid Sidner

    So going to online authentication using Chip & PIN might be the solution to this.
    The use of disconnected smartcard readers that support the MasterCard CAP or Visa DPA chip applications would help a lot. The simple code mode generates a one-time password (OTP) value, whereas the challenge mode can “sign” a transaction hash. The readers are not personalized (the EMV card is) so these inexpensive readers can be left at home, the office, in the car, or at a beach house.
    The values generated in either case must be validated by the issuer’s authorization system, so there is no easy way for merchants to use them. However, there is movement to support the transmission of these values with a merchant authorization transaction for purchases. To use them for login would require a new transaction on the world payment card networks to authenticate the value. Presumably in this case, the user would enroll at the merchant by providing their PAN from their EMV card, and then during subsequent login they would provide the OTP value from their reader. The merchant (or other relying party) would send this to the issuer for authentication. How much would this be worth to the merchant?
    Alas, this only works in countries like the UK where the cost of EMV deployment has already been absorbed. In other places, like the USA, this form of online authentication is not possible.

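As an added illustration (not the commenter's code, and not a real CAP/DPA implementation): a simplified model of the reader-generated value described above, together with the issuer-side validation it requires. HMAC-SHA256 stands in for the EMV 3DES cryptogram, and the master key, PAN and bit-selection mask are constructed values.

```python
import hashlib
import hmac

# Constructed stand-ins: real EMV derives 3DES keys and the issuer sets a
# card-specific Issuer Proprietary Bitmap; neither value here is real.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"
# Keep the low 8 bits of the ATC (bits 64-71) and the low 24 bits of the
# cryptogram (bits 0-23) out of the 80-bit ATC||cryptogram string.
BITMAP = (0xFF << 64) | 0xFFFFFF
ATC_WINDOW = 10  # how many counter values ahead the issuer will search


def card_key(pan: str) -> bytes:
    """Issuer derives the per-card key from its master key and the PAN."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, atc: int, challenge: int, amount: int) -> bytes:
    """Card MACs its transaction counter plus the reader-supplied challenge
    and amount (both 0 in identify/OTP mode; set in challenge/sign mode)."""
    data = atc.to_bytes(2, "big") + challenge.to_bytes(4, "big") + amount.to_bytes(6, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def compress(atc: int, ac: bytes) -> int:
    """Reader keeps only the bits BITMAP selects and packs them into a number."""
    full = (atc << 64) | int.from_bytes(ac, "big")
    out, pos = 0, 0
    for i in range(80):
        if (BITMAP >> i) & 1:
            out |= ((full >> i) & 1) << pos
            pos += 1
    return out


def reader_response(key: bytes, atc: int, challenge: int = 0, amount: int = 0) -> str:
    """What the disconnected reader displays for the user to type in."""
    return str(compress(atc, cryptogram(key, atc, challenge, amount)))


class Issuer:
    """Only the issuer holds the keys, so only it can validate a response."""
    def __init__(self) -> None:
        self.last_atc = {}  # highest ATC accepted per PAN

    def verify(self, pan: str, response: str, challenge: int = 0, amount: int = 0) -> bool:
        key = card_key(pan)
        start = self.last_atc.get(pan, 0) + 1
        for atc in range(start, start + ATC_WINDOW):
            if reader_response(key, atc, challenge, amount) == response:
                self.last_atc[pan] = atc  # advance: the same value cannot be replayed
                return True
        return False
```

A merchant or other relying party never holds `card_key`, which is why the value has to be forwarded to the issuer for validation; a sign-mode response also fails if the amount or challenge presented differs from what the card signed.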

  • Sid Sidner

    I went to Wikipedia and read the CAP article. They have a link to a paper by Ross Anderson et al. at Cambridge about the flaws in CAP: http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
