Bruce Schneier has apparently decided that "chip & pin" cards (which I am pretty sure are debit cards) are "identity cards". I wonder whether he really believes this or is intentionally misusing the term. It seems reasonable to me for people to assume Schneier means some form of National ID card when he uses the term "identity card" (given his strong, frequently stated opposition), and I believe this is also an appropriate use of the term. But to assert that "Identity Cards Don’t Help" due to some "research" on debit cards is strange, to say the least. Debit cards are account ownership cards, not identity cards. About as strongly related to identity as telephone numbers, I would say. (That doesn’t mean you can’t steal money, just that it is highly unlikely that you can commit identity fraud.)
[Note: I just noticed in another article that they do mention ID cards briefly, so I guess Schneier is exonerated slightly, but since he quoted heavily from an article that doesn't discuss ID cards, I decided to leave the above comments. It is still extremely weak.]
[Note 2: My "research" on this "research" consisted of reading two of the stories that Schneier linked to. Couldn't find the actual report itself.]
Regardless of how Schneier abuses the term, this research is really laughable in itself (worse even than mine;-)). Get this, hot off the press: a PIN can be stolen! Whoa, Nelly! And the researchers actually did it! Whoa, Nelly! Now, the researchers didn’t actually try to steal or duplicate the card, presumably because it is illegal and not because it is hard (since that would refute their argument), nor did they attempt to actually use it, presumably because it is illegal and not… well, you get the picture. Giddyup, Nelly!
Let’s take this seriously just one step further, because I am always a bit mystified about assertions like this. The reports I read quoted Dr. Emily Finch as saying fraud is "easier" but they don’t say what it is easier than. I mean, there isn’t even mention of some sort of Finch Equilibrium equation to test the hypothesis (a proposal: "Chip & Pin Card Fraud = Easier"). Now, that would be interesting, so at least we can test whether debit card fraud is easier for fraudsters than:
- Cash. Using cash wouldn’t be identity fraud (their use, not mine). In addition, there seems to be a LOT more opportunity and LESS time required to steal cash, with fewer people involved. A tough equilibrium to meet.
- Credit Cards. Credit cards don’t require a PIN, though they do require a signature. But they also are not the consumer’s liability. I guess debit card fraud might be easier than credit card fraud. I don’t know whether debit cards can be used online or not. If not, I think credit card fraud would get the edge.
- Checks. Heck, most retailers don’t even take checks anymore. But if they did, (wait for it) debit card fraud would probably be easier because check fraud used to be easier. Now they have debit cards, because they were harder than checks. But now they might be easier. Go figure. This easier/harder stuff really isn’t easy. Thus the need for some better research.
- Barter. Heck, I don’t know.
Let’s get to the research conclusion: I am pretty sure (seriously) that Dr. Finch’s conclusion is that traditional social engineering is harder because if debit cards are used, social engineering is easier. Seriously – I defy you to tell me where I have misread this conclusion.
By the way, they got some of their "research" data on how easy debit card fraud is from fraudsters who got caught. Sounds easier to me.
I thought ‘So fraud is actually easier…’
1) than working…
2) than beating the guy senseless and then stealing his card…
3) than stealing the guy’s card and then trying to social engineer the solution out of him…
Hey – this is fun…
Actually, it’s easier -on- the banks. Stolen PIN means stolen money from the card owner. The banks are shifting the liability.