Borrowing chip and pin credit cards

Just before she left for school on Friday, the wife told me that her debit card was in a certain drawer in her cupboard, and that I should use it in case I wanted to go out. She told me the PIN and said that I could draw money from the ATM downstairs if necessary, or simply swipe the card wherever I went.

I’ve always been queasy about borrowing or lending credit/debit cards. I’ve always thought that it’s illegal to use someone else’s card, even with their consent. The traditional way a credit/debit card works, your signature on the charge slip is supposed to be compared to the signature on the back of the card, and the merchant can refuse you service if the two don’t match (this is seldom implemented in India, but that’s the theory). For that reason, if I were to use the wife’s credit card and the waiter saw that the signature on the charge slip doesn’t match the one on the card (obviously!), it might lead to an embarrassing situation.

For this reason I ended up withdrawing a significant amount from the ATM and using the cash thus withdrawn for my expenses. Looking at credit/debit card swipes in action later on, however, I was wondering if it was actually necessary to do so.

In Europe, as in India (Europe is the leader, India followed; the US has no plans to follow, it seems), all credit and debit cards are chip-and-PIN cards. The card is not swiped through the terminal; instead it is inserted so that the terminal can read an embedded chip (harder to clone than the magnetic stripe). You then enter a four-digit PIN, which serves as the validation after which the charge gets approved. Typically, once you’ve approved a transaction with your PIN, a signature is not required, though in India they insist on one anyway (despite the charge slip saying “PIN verified; signature not required”).

And that is what I’ve noticed here in Spain ever since I withdrew money from the ATM that day – there is no requirement for a signature in any transaction. The waiter (let’s say we’re at a restaurant) brings the terminal, you insert the card, the waiter enters the amount, you enter your PIN, and out comes the slip; the waiter hands the card back to you and walks away. No signature! And this is standard practice across all debit and credit card terminals!

A possibly unintended advantage of this is that it’s now possible to borrow (with permission) someone else’s credit or debit card and actually use it!

Second factor authentication

Several things have had me thinking about second factors lately. I wrote a Pragati piece on the two bad recent pieces of regulation by the Reserve Bank of India, and had a long conversation with Deepak Shenoy about them; I believe Raghuram Rajan replied to the piece in a subsequent speech. Then Citibank mailed me to say that from next month I can no longer use my internet password as the second factor of authentication and must use a One Time Password instead. And I realised I’m travelling abroad next month and am not planning to use international roaming, so I won’t be able to receive that One Time Password. All of this has left me thinking of ways in which a bank or a credit card company can securely use a second factor of authentication without really inconveniencing the customer.

Essentially, a second factor of authentication is a piece of information that is not stored on the magnetic stripe or chip of your credit/debit card. This ensures that possession of your card alone will not allow a fraudster to defraud you, unless he is also in possession of the second factor. This makes credit card fraud much less likely (though not impossible – what if the same guy steals both your credit card and your phone? – but no system can be designed to resist every such case).

The four-digit PIN that you have to enter when you use an ATM is one such second factor (remember the note the bank sends you along with your card telling you not to write down the PIN anywhere near the card). Similarly, the four-digit PIN you have to enter to authenticate a chip transaction on your credit card is a second factor. Earlier credit cards would have you sign as a second factor, but the signature was checked only after the payment had been processed, so it is not seen as a reliable second factor – and hence signatures are being phased out. In the United States, for example, your ZIP code (a piece of information not available on your card) is your second factor, in the rare case it is asked for (typically at fuel pumps) – the US is among the last major countries to move to two-factor card transactions.

Given that just about any piece of information not available on your card can serve as a second factor, it is puzzling that most banks and credit card providers insist on a One Time Password sent over SMS or email. It is as if they believe that telecom networks are far more secure than any other way to disseminate a second factor, which they are not: an SMS travels in the clear and is delivered to whoever currently controls the phone number, so a stolen phone or a fraudulent SIM swap hands the OTP to the attacker. It also fails in the mundane case: a friend who was visiting from the US, for example, was unable to transact online in India since his Verizon package didn’t include SMS – it has gone out of fashion there.

Earlier today I was reading this excellent piece on how the US’s move towards Chip and PIN cards (will take half a decade for the transition to be complete – interestingly India made this transition in less than a year) is going to lead to higher security for credit card transactions worldwide. Among other things, the piece mentions a “Visa Token Service” where a dynamic token will replace the static credit card number.

I have had a trading account with Kotak for a few years now, and they have provided me with a physical token. Upon pressing the only key on the token, a six-figure number is displayed, which is the additional factor of authentication I need to log on to the website and transact securities. The token is synced with my account (basically, the token and the bank share a secret seed, and each code is derived from that seed plus a counter or the current time), and thus I get authenticated.

My last employer had issued us BlackBerrys for work email (this was in 2009, when they were in fashion). They had also issued us tokens that we could use to log on to the corporate network from home – in the rare case when we had to. And since I got the token after I’d got my BlackBerry, the token simply sat as an app on the phone. Considering that this second factor is just a six-digit number derived from a shared seed and a counter or clock, why can’t my second factor be tied to one such token that resides in the Citibank app on my phone (which is already authenticated), rather than being sent to me by SMS?

This is only one possible method by which the second factor could be generated. For transactions on taxi services, for example, your credit card details can still be stored with the taxi service, but at the end of the ride, on your way out, you simply enter a four-digit passcode into the driver’s app (the passcode could be generated by your app, or your phone and the driver’s phone could do an NFC handshake).
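The token described above (the Kotak token and the BlackBerry app) is, in the common standardised form, HOTP (RFC 4226) or its time-based variant TOTP (RFC 6238): an HMAC over a counter with a secret seed shared between token and bank, truncated to a few digits. The following is an added example, written here to show how such a token works; it is not code from the original post, from Kotak, from Citibank or from any real bank app. The secret is the RFC 4226 test key, the `verify_totp` drift window and the `ride_passcode` derivation for the taxi scenario are my own illustrative design choices, and `ride_id` is a made-up identifier.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 test secret (the ASCII string "12345678901234567890"); a real token
# would hold a per-customer secret provisioned by the bank, never a published one.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, candidate, for_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the code for the current step and `window` steps either side,
    so a slightly drifting phone clock still works. Comparison is constant-time and does not
    short-circuit, so timing does not reveal which step matched."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            matched = True
    return matched


def ride_passcode(seed, ride_id, for_time=None, step=60):
    """Illustrative taxi passcode (my own design, not any real service's): derive a per-ride key
    from the app's seed and the ride identifier, then emit a 4-digit TOTP valid for one minute.
    Binding the key to the ride means a code seen by one driver is useless for another ride."""
    ride_key = hmac.new(seed, ride_id.encode(), hashlib.sha256).digest()
    return totp(ride_key, for_time, step=step, digits=4)


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))                    # 755224, first RFC 4226 test vector
    print(totp(RFC_TEST_SECRET, 59, digits=8))          # 94287082, first RFC 6238 SHA-1 vector
    print(ride_passcode(RFC_TEST_SECRET, "ride-0001", for_time=1_700_000_000))
```

Two caveats a bank would have to handle: the four-digit passcode has only 10,000 possible values, so the server must rate-limit guesses and tie each code to one ride; and the seed has to be provisioned into the app over an already-authenticated channel, which is exactly what the existing app login provides.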

As I had mentioned, the opportunities for a second factor of authentication are endless, but for some reason banks seem hell-bent on using an SMS-based One Time Password. Could it be a conspiracy by the telecom companies to maintain at least some of their SMS revenues?

And I think we need a statement from the RBI Governor stating that banks are not obliged to use an SMS-based OTP as the second factor of authentication, and that they can be creative with it!