The latest improvement to the bank card protection system – Chip and PIN – was supposed to reassure the public that their money was safe. But less than three months after it became the de facto standard for in-store purchases, thanks to a change in liability which saw retailers rather than banks become liable for card fraud, the retailers have raised doubts over the system.
Oil company Shell suspended the use of the technology at 600 of its petrol stations after it became apparent that bogus engineers had fitted Chip and PIN systems with memory cards that logged customers’ cards and numbers. Over £1 million was taken from customers’ bank accounts.
The UK’s payment association Apacs, which is responsible for pushing Chip and PIN implementation, remains committed to the technology. Apacs said that the problem was specific to the types of smart card readers being used in Shell’s petrol stations.
A spokesman for Apacs told BBC Radio 4’s Moneybox programme that Chip and PIN had helped reduce card fraud, which fell from £504m in 2004 to £439m in 2005.
One of the big advantages of the Chip and PIN system is that it is unobtrusive: consumers are used to the idea of entering four-digit codes. Nevertheless, that has not stopped retailers looking at alternative solutions.
In March 2006, Co-op Mid Counties went live with a biometric payment system, where shoppers can use their fingerprints to authenticate themselves. Co-op’s IT managers have also told the press that they believe that the system is not only safer, but quicker, taking less time to authenticate users than Chip and PIN.
However, given resistance in some corners to the use of biometrics, there remains a question over how to provide usable and robust security.
For more details about the tensions between building robust and usable systems, see next month’s issue of Information Age.
The experts' response…
Martin Illsely, director of research at Accenture Technology Labs, says that biometrics, while useful, are no panacea for security problems.
“With biometrics, you have to accept that there is a balance to be struck between usability and security. You can set fingerprint readers to be extremely sensitive, which will make sure that you get accurate results, but it may add to the time it takes to do the check.
“We’re very excited about the potential for biometrics to be used in financial services, but I don’t think we’re saying that all the possible applications [of the technology] have been perfected just yet.”
Unlike Chip and PIN, biometrics are yet to be proven in large trials, says Miles Clement, senior research consultant at the Information Security Forum.
“Chip and PIN is very good and very secure technology. You get a low level of false positives, and it’s a good system for large numbers of users that aren’t particularly tech-savvy. The big problem with biometrics is we don’t really have any really sound evidence about how they operate over a large population. The evidence we have is that the people who register for the trials tend to be technology-oriented. I’ve had some very good experiences of biometric technologies – but I’m probably not the ‘typical’ user.”