This article outlines lessons from the European deployment of smart cards. The intended audience is not coders, but system designers from banks, merchants, regulators, and consumers. The European experience should be useful in the US, although the context is somewhat different: consumer protection is more strongly entrenched in the US, and the real battle will probably be over interchange fees ($30 billion) rather than fraud ($3 or $4 billion).
In any case, the full effect of implementing smart cards will not be felt for many years, until all automated teller machines (ATMs) and point-of-sale (POS) terminals have been updated; newly issued smart cards will continue to carry a magnetic strip. Customer identification with smart cards can be done either with a personal identification number (PIN) verified on the card or with the existing signature procedure. Some US banks will use PINs, others signatures.
The article describes various fraudulent techniques. In the UK, some terminals were not tamper-proof. Fraud losses actually increased in the UK after smart cards were introduced, although they subsequently declined. Part of the increase reflects card-not-present (CNP) fraud, that is, transactions made over the Internet. Another fraud, the relay attack, uses a fake terminal to gain access to a customer's account. In other frauds, the random numbers used in transactions could be predicted by accessing a stolen telephone.
A stolen card can be used without knowing the PIN by inserting a device between the card and the terminal that makes the terminal believe the card is verified by signature. The use of PINs puts the customer at a disadvantage in dispute resolution. This article is readable, even fascinating.