
New opportunities for smarter smart cards


Card Technology Today • July/August 2007

feature

According to the UK’s payments association, APACS, Internet banking fraud cost the UK’s banks £33.5m in 2006. Fraudsters are using ever more advanced methods of acquiring Internet banking usernames and passwords, not just through the use of spoof emails such as phishing, but with more sophisticated key logging and screen skimming spyware. Up until now, account holders still had three to five days, from the moment the fraudster infiltrated their online banking account, before the funds were transferred to the fraudster’s account. So banks and some consumers are naturally concerned that the introduction of Faster Payments will mean that the money could have disappeared long before anyone notices.

Limitations of one-factor authentication

Online fraud today exploits the limitations of one-factor authentication methods. A fraudster who can somehow acquire the username and password – something known only by the account holder – can impersonate the real user from any PC with an internet connection. Yet in the physical point-of-sale environment, we have been accustomed for some time to Chip & PIN as a two-factor authentication mechanism – something you have and something you know. Over the coming months, many customers of the UK banks will be receiving a handheld smart card reader with a PIN pad that will enable them to perform chip & PIN at home transactions, to secure the setup of new payees. Customers will insert their new Chip & PIN card into the handheld card reader, enter their PIN on the keypad (and not on the keyboard of their PC), and the reader will generate a transaction-specific eight-digit number, or cryptogram, that they will be required to key into the browser to authenticate the creation of a new payee. This makes things significantly harder for fraudsters: now they will have to steal the chip & PIN card and find out the PIN of the card to be able to impersonate the cardholder.
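The new-payee flow described above, as an added sketch that is not from the article or from any bank's implementation. It uses HMAC-SHA256 as a stand-in for the card's real cryptogram calculation, and the key, PIN, payee strings, counter window and class names are all constructed for illustration.

```python
import hashlib
import hmac

CODE_DIGITS = 8  # the article describes an eight-digit number


def transaction_code(key: bytes, counter: int, payee: str) -> str:
    """Code bound to one payee and one counter value (HMAC is a stand-in MAC)."""
    msg = counter.to_bytes(4, "big") + payee.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


class HandheldReader:
    """Card plus reader: the key stays inside, and the PIN gates every use."""

    def __init__(self, key: bytes, pin: str, tries: int = 3):
        self._key, self._pin, self._tries, self._counter = key, pin, tries, 0

    def sign_new_payee(self, pin: str, payee: str) -> str:
        if self._tries == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin, self._pin):
            self._tries -= 1  # wrong PIN: no code, one fewer attempt
            raise PermissionError("wrong PIN")
        self._counter += 1  # every code uses a fresh counter value
        return transaction_code(self._key, self._counter, payee)


class Bank:
    """Holds the same per-card key and the last counter value it accepted."""

    def __init__(self, key: bytes, window: int = 3):
        self._key, self._last, self._window = key, 0, window

    def authorise_new_payee(self, payee: str, code: str) -> bool:
        # Only counters above the last accepted one are tried, so a replay fails.
        for ctr in range(self._last + 1, self._last + 1 + self._window):
            if hmac.compare_digest(transaction_code(self._key, ctr, payee), code):
                self._last = ctr
                return True
        return False


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    reader, bank = HandheldReader(key, "2580"), Bank(key)
    code = reader.sign_new_payee("2580", "40-00-01 12345678")
    print(code, bank.authorise_new_payee("40-00-01 12345678", code))
```

Because the payee is part of the signed message, a code captured by spyware on the PC cannot be reused to set up a different payee, and the counter stops the same code from being accepted twice.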

What about risk?

But do the benefits of faster payments and more secure transactions outweigh the restriction of having to have the handheld reader to hand, and the costs of deploying the new readers and new smart cards that support the chip & PIN at home functionality? Customer adoption rates will tell us whether the solution is viable, but are the banks missing a trick here? Smart cards have long been heralded as a technology that could deliver additional benefits to consumers, by combining payment functions on the card with additional applications such as transit, loyalty and other user-selected applications. Wouldn’t it be great if your chip & PIN at home reader was connected to your PC, so you could also use it to top up the Oyster application that was co-resident on your chip & PIN card, and earn on-chip loyalty points when you shop online, that could be redeemed next time you’re in the supermarket?

As consumers get used to using their chip & PIN cards in handheld readers at home, a logical next step would be to provide connectable readers that allow these additional applications to be accessed, or indeed for new ones to be downloaded to their cards.

Keeping ahead of the rest

Banks in other parts of Europe are already using the latest smart card technology with smart card readers connected to PCs to provide home access to additional applications on the chip & PIN card. For instance, Banka Koper, a leading financial institution in Slovenia, is one of the first banks in Europe to supply connected chip & PIN readers to consumers. This is combined with the added security of chip & PIN at home for home banking and an internet assistant application that stores favourite web addresses, usernames and passwords to log into protected sites. This data is stored inside the smart card chip – and protected by the PIN.

In November last year, Kreditkort Iceland, the provider of MasterCard Debit and Credit services to Icelandic banks, became the first issuer in the world to allow cardholders to download the chip & PIN at home functionality over the Internet to their existing payment card. The service is offered in branches, and allows Kreditkort to provide the handheld reader to the customer, download the functionality to their smart card, and also give a brief introduction in how to use the solution to secure Internet transactions.

The flexibility to offer the customer a variety of applications on the card, while increasing security in the face of Faster Payments, was in both cases achieved by using connected smart card readers. While many UK banks are using ‘fixed’ functionality smart cards based on ‘native’ operating system chips, Banka Koper and Kreditkort use an open-standard and flexible technology platform.

By using such a platform, issuers can combine standard chip & PIN payment functionality, with the chip & PIN at home functionality (also known as Chip Authentication Programme or ‘CAP’), with additional applications such as Internet assistant, loyalty, contactless payment, transit, and more. Such chips are updateable and allow new functions to be loaded onto the card without being reissued, guaranteeing a future-proofed investment and all costing no more than the ‘fixed’ functionality chip cards we have today.

In the competitive financial services industry, there is no doubt that issuers need a flexible and future-proof platform that changes in parallel with financial services trends. In the case of chip & PIN at home, end users will now feel, and in effect be, more secure. However, end users also have to learn a new process and banks will have to pay for millions of new cards to be re-issued.

Maybe with the introduction of card readers at home, banks will be encouraged to offer more compelling services, by extending the infrastructure further and perhaps by investing in smarter smart cards.

This feature was provided by Tim France-Massey, chairman, Business Advisory Group of the MULTOS Consortium. He can be contacted at: tel: +44 207 868 5071, email: [email protected]

New opportunities for smarter smart cards

It has been seven years since the government-sponsored Cruickshank report demanded a reduction in the time it takes for banks to clear funds transferred between accounts. And, after much discussion, UK banks are now taking action. In November 2007 the Faster Payments scheme will reduce the clearing times of three to five days to 24 hours and even quicker when money is transferred online. While this speedy process offers convenience to online bankers, it could also be a gateway for fraudsters seeking weaknesses in the process. Because of this, the majority of large UK banks are now rolling out ‘chip and PIN at home’ to prevent online fraud. Chip & PIN at home is a nice start, but rather than re-issuing all of the cards and using completely new technology, shouldn’t banks try to utilise their existing resources or invest in more future-proof products?