Phish and chips: A tale of Canadian banking

Canada’s banks are moving towards implementing smart cards instead of magnetic stripe-based cards (magstripe cards), with the first transaction planned for early in 2007.

They’re making this move in an effort to reduce the amount of fraud associated with skimming (double-swiping a magstripe

card to copy the stripe contents) and PIN-theft (we are all now familiar with the little picture urging us to shield the POS or ATM keypad when punching in our PINs). Meanwhile, in the UK, where they are already moving toward chip-and-PIN cards, fraud is on the rise. The March 8 issue of The Guardian newspaper reported “”Bank and credit card fraud rose 20 per cent last year, costing British banks £505m, with part of the increase due to the introduction of new chip and pin cards.””

The problem with enhanced security technology is it frequently gives people a misplaced sense of security. In the UK case, during the roll-out of chip cards, approximately 100,000 cards were being mailed out to existing cardholders every day. Villains simply stole the cards out of the mail. Foolishly, the cards had been pre-activated, so they were ready for use. This simple mistake cost the British banks £73 million last year.

That’s not all. If you want to use your debit card in the U.S., say, where smart cards haven’t been implemented, authentication will still rely on the magstripe. The card “”falls back”” on the magstripe. This means that security is no better than it ever was. Again in the UK, recognizing that in an interim period not all POS terminals would be chip-enabled, and recognizing that smart cards fail anyway due to factors such as dirty contacts, they allow the fall-back authentication at any time.

And for “”card-not-there”” transactions, such as on-line purchasing, the technology is irrelevant. It’s not clear whether Canadian banks recognize these problems. Interac, in a recent press release, helpfully points out, “”The complete migration to chip is expected to take several years . . . As a result, chip cards will continue to carry the magnetic stripe, which currently facilitates transactions. This will not only facilitate the transition to chip, but also allow cardholders to use their debit cards in other markets not planning to introduce chip in the near future, such as the United States.””

Besides the very real security concerns, there is also the issue of shifting risk. The risk of loss associated with debit card use is set out in the Canadian Code of Practice for Debit Card Services. Loss is certainly borne by the issuer after he has been notified of a card’s loss or compromise. Before that you are on the hook unless “”it can be shown that “”the cardholder has been the victim of fraud, theft (etc.).”” You may find it harder to convince your bank that this is so, when a chip-and-PIN card is involved. The burden of proof, and the security risk of the system for which the bank should be responsible, may then have been passed to you.

This is not to be construed as a polemic against chip-and-pin, which certainly can provide banks with greater security. But as we get closer to implementation in Canada it would be useful to have an informed public debate on the consequences, both intended and unintended.

Share on LinkedIn Share with Google+