Abstract
The credit card system has been one of the world’s great successes because of its adaptability. By the mid-1990s, a credit card had become a mechanism for authenticating a transaction by presenting a username (the card number) and a password (the expiry date, plus often a CVV) that was already used in mail order and could be adapted with little fuss to the Internet. Now banks in Europe, and increasingly elsewhere, have moved to the EMV “Chip and PIN” system which uses not just smart cards but also “trusted” hardware. The cryptography supported by this equipment has made some kinds of fraud much rarer – although other kinds have increased, and the jury is still out on the net effect. In the USA in particular, some banks and others oppose EMV on the grounds that it will damage innovation to move to a monolithic and inflexible system.
We discuss the effects that cryptographic lock-down might have on competition and innovation. We predict that EMV will be adapted to use cards as keys; we have found, for example, that the DDA signature can be used by third parties and expect this to be used when customers use a card to retrieve already-purchased goods such as air tickets. This will stop forged credit cards being used to board airplanes.
We also investigate whether EMV can be adapted to move towards a world in which people can use bank cards plus commodity consumer electronics to make and accept payments. Can the EMV payment ecology be made more open and competitive, or will it have to be replaced? We have already seen EMV adapted to the CAP system; this was possible because only one bank, the card issuer, had to change its software. It seems the key to innovation is whether its benefits can be made sufficiently local and incremental. We therefore explore whether EMV can be adapted to peer-to-peer payments by making changes solely to the acquirer systems. Finally, we discuss the broader issue of how cryptographic protocols can be made extensible. How can the protocol designer steer between the Scylla of the competition authorities and the Charybdis of the chosen protocol attack?
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Anderson, R.: Security Engineering – A Guide to Building Dependable Distributed Systems. Wiley (2008)
Anderson, R.: How to get money back from a bank, on LightBlueTouchpaper.org (March 29, 2010), http://www.lightbluetouchpaper.org/2010/03/29/how-to-get-money-back-from-a-bank/
Anderson, R., Bond, M.: The Man-in-the-Middle Defence. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols. LNCS, vol. 5087, pp. 153–156. Springer, Heidelberg (2009)
The Smart Card Detective: a hand-held EMV interceptor, Omar Choudary, MPhil thesis at University of Cambridge, Computer Lab, http://www.cl.cam.ac.uk/~osc22/scd/
Drimer, S., Murdoch, S., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: IEEE Symposium on Security and Privacy, pp. 281–295; journal version as Failures of Tamper-Proofing in PIN Entry Devices. IEEE Security and Privacy 7(6), 39–45 (November-December 2009)
Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is Broken. In: IEEE Symposium on Security and Privacy, pp. 433–444 (2010)
Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)
Evans, D.S., Schmalensee, R.: Failure to Launch: Critical Mass in Platform Businesses. Review of Network Economics 9(4) (2010), http://www.bepress.com/rne/vol9/iss4/1
Kelsey, J., Schneier, B., Wagner, D.: Protocol Interactions and the Chosen Protocol Attack. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 91–104. Springer, Heidelberg (1998)
Murdoch, S.J., Anderson, R.: Verified by Visa and Mastercard Securecode: Or, How Not to Design Authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336–342. Springer, Heidelberg (2010)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Anderson, R., Bond, M., Choudary, O., Murdoch, S.J., Stajano, F. (2012). Might Financial Cryptography Kill Financial Innovation? – The Curious Case of EMV. In: Danezis, G. (eds) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_18
Download citation
DOI: https://doi.org/10.1007/978-3-642-27576-0_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27575-3
Online ISBN: 978-3-642-27576-0
eBook Packages: Computer ScienceComputer Science (R0)