3. METHODOLOGY
3.1.1.4. Processing of the Cause Enumeration Method
In information security today, information security management has become one of the most important features to be established by institutions. Authentication as part of information security is probably one of the most essential processes to set up at the first stage since it typically poses the first line of defence against the possibility of fraudulent activities.233
In the payment card industry, the need to secure the system has been recognised from its inception. The security of card payment transactions is deemed a basic requirement as this will give confidence to institutions and customers. Consumer authentication is required to ensure the authenticity and integrity of a transaction.234
Because of the increasing incidence of fraud in e-banking environments, banks have developed improved security measures, as demanded by legal and regulatory requirements, to enhance the consumer authentication methods used to combat fraud in e-banking transactions. Because of this requirement, alongside handwritten signatures, the PIN has become a primary choice for many institutions, including banks, to secure their transactions. From a legal perspective, the recognition of an electronic signature such as a PIN as equivalent to a person’s signature on a written document has long been recognised through the adoption of the ‘functional-equivalence approach’ doctrine.235 The PIN is a secret number created by banks or other card issuers, or selected by individual cardholders, and serves as an authentication method in electronic funds transfer (EFT) transactions. Further, as Meyer and Matyas explain, ‘[a] PIN is a simple form of passwords, consisting usually of four to six digits, which can be used with a numeric keypad rather than a full keyboard.’236
They further assert that ‘the PIN is basically the cardholder’s electronic signature, and serves the same role in an EFT transaction as a written signature serves in a conventional financial transaction’.237 Therefore, in consumer transactions, a PIN is not used to identify the customer; rather, it functions as a signal of the legitimacy of the payment authorisation.238 Given its crucial role in payment card transactions, it is important to understand how a PIN really works.239
232 Ibid 40.
233 Jie Zhang et al, 'Improving Multiple-Password Recall: An Empirical Study' (2009) 18(2) European Journal of Information Systems 1.
234 Madan and Reid, above n 205, 41, 43–4.
235 CPSS, Retail Payment in Selected Countries, above n 187, 5. See also United Nations Commission on International Trade Law (UNCITRAL), 'UNCITRAL Model Law on Electronic Commerce with Guide to Enactment' (United Nations, 1996), 20, 40.
However, Mohammed has argued that for payment card authentication, such as for use at an ATM, there has been no significant improvement since its inception in the 1960s.240 He states that the authentication method typically involves an ATM card or token and the cardholder’s PIN as a password.241
In other words, consumers are identified by something that the consumer has (a banking card with a magnetic stripe) and something the consumer knows (their PIN).242 The use of a PIN is also described by Pipkin as an old authentication method. He says that, ‘using a password to authenticate an identity is as old as [using] a sentry [to guard] … the gate of an ancient city’.243 Nevertheless, Hendry argues that ‘PINs should only be regarded as a secondary identity check; the card is the primary identification’.244
237 Meyer and Matyas, above n 72, 430–1. See also Madan and Reid, above n 205, 48.
238 Marco Gercke, 'Legal Approaches to Criminalize Identity Theft' in United Nations Office on Drugs and Crime (ed), Handbook on Identity-related Crime (United Nations, 2011) 12. See also Australian Payments Clearing Association, above n 195. One of the clearest definitions regarding the PIN as an authentication method in payment transactions can be found in the regulations for the Consumer Electronic Clearing System (CECS)-Australia. In this regulation, a PIN is described as follows: ‘“PIN” means a personal identification number which is either issued by an Issuer or selected by a Cardholder for the purposes of authenticating the Cardholder by the Issuer of the Card’.
239 It is important to understand the detailed flow of the PIN in payment card transactions since a PIN might be captured during transmission from a consumer activated terminal, node, or switching point to the host terminal, in particular when a PIN is in unencrypted form while being re-formatted at switching points. See Omer Berkman and Odelia Moshe Ostrovsky, 'The Unbearable Lightness of PIN Cracking' (2007) 4886 Lecture Notes in Computer Science 224, 224–5. The material comprises part of a collection of 2007 conference and workshop proceedings: Sven Dietrich and Rachna Dhamija (eds), Financial Cryptography and Data Security, 11th International Conference (IFCA 2007) Scarborough, Trinidad and Tobago, 12–15 February 2007, and 1st International Workshop on Usable Security (USEC 2007) Scarborough, Trinidad and Tobago, 16 February 2007. Text of this document at: <http://cs5128.userapi.com/u11728334/docs/5ad84be07c9d/Sven_Dietrich_Financial_Cryptography_and_Data_S.pdf#page=243>.
240 Credit card or debit card schemes under the Visa and Mastercard brands have implemented new chip card technology to store cardholder information (smart card) under their EMV programme. This new chip card has proven to be more secure and has greater capabilities compared to magnetic stripe cards; however, most proprietary cards issued by banks typically still rely on magnetic stripe cards.
241 Mohammed, above n 195, 214. See Hendry, above n 203, 37. See also: Meyer and Matyas, above n 72, 475. See also Radu, above n 210, 388.
242 Meyer and Matyas, above n 72, 481. See also Mohammed, above n 195, 214.
243 Pipkin, above n 226, 130.
In on-line ATM/debit transactions with a PIN as a means of identification, authentication and authorisation happen automatically in a consecutive manner, through a bank network or via a switch that links the EFTPOS/ATM terminal of the acquiring bank (payee) with the card issuer institution (payer). This process relies upon a telecommunication network (wired or wireless) as a bridge, and on computer devices routing the card and account information between consumer activated terminals and the cardholder’s financial institution, or its substitute if processing has been outsourced to third party institutions.245
From the work of Radu,246 and Meyer and Matyas,247 we can briefly define payment card identification, authentication and authorisation as follows:
1. Identification:
a. The cardholder, at a consumer activated terminal such as an ATM or EFT-POS terminal, dips or swipes their magnetic stripe card in the machine.
b. The machines then read the cardholder’s information from the magnetic stripe card.
2. Authentication:
a. Cardholder types PIN into the PIN pad of an ATM or POS terminal.
b. Magnetic stripe card and PIN data are transmitted from the consumer-activated terminal to the issuer host system.
3. Authorisation:
If the cardholder enters the correct PIN, the funds in the cardholder’s account are adequate to cover the amount of the transaction, and the type of transaction is permitted, then the system will authorise the electronic funds transfer.248
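The three-step flow above, modelled as an issuer-host decision in Python. This is an added illustration, not code from the thesis or from any real issuer system: the keyed hash (HMAC) standing in for the PIN verification value, the three-try lockout, the key and the PAN are all constructed assumptions; real issuers verify PINs inside an HSM.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed values for this illustration only. A real issuer keeps PIN
# verification material inside an HSM; the keyed hash here is an assumption.
ISSUER_PIN_KEY = b"constructed-issuer-pin-verification-key"
PIN_TRY_LIMIT = 3

def pin_verification_value(pan: str, pin: str) -> str:
    """Bind the PIN to the PAN so the issuer stores a check value, never the PIN."""
    return hmac.new(ISSUER_PIN_KEY, f"{pan}:{pin}".encode(), hashlib.sha256).hexdigest()

@dataclass
class Account:
    pan: str          # step 1: read from the magnetic stripe
    pvv: str          # step 2: derived from the PIN when the card was issued
    balance: int      # step 3: available funds, in cents
    permitted: set    # step 3: transaction types allowed on this card
    pin_tries: int = 0

def authorise(acct: Account, card_pan: str, entered_pin: str, txn_type: str, amount: int) -> str:
    """Issuer-host decision for one on-line transaction: identify, authenticate, authorise."""
    # 1. Identification: the card presented must be the account that was looked up.
    if card_pan != acct.pan:
        return "DECLINED_CARD"
    # 2. Authentication: reject a locked card, then compare in constant time.
    if acct.pin_tries >= PIN_TRY_LIMIT:
        return "DECLINED_PIN_LOCKED"
    if not hmac.compare_digest(pin_verification_value(card_pan, entered_pin), acct.pvv):
        acct.pin_tries += 1
        return "DECLINED_PIN"
    acct.pin_tries = 0
    # 3. Authorisation: the transaction type must be permitted and the funds adequate.
    if txn_type not in acct.permitted:
        return "DECLINED_TYPE"
    if amount > acct.balance:
        return "DECLINED_FUNDS"
    acct.balance -= amount
    return "APPROVED"

def demo():
    pan = "4000001234567899"  # constructed PAN, not a real card number
    acct = Account(pan, pin_verification_value(pan, "1234"), 50_000, {"withdrawal", "purchase"})
    outcomes = [
        authorise(acct, pan, "1234", "withdrawal", 20_000),   # APPROVED, balance now 30_000
        authorise(acct, pan, "9999", "withdrawal", 1_000),    # DECLINED_PIN, one try used
        authorise(acct, pan, "1234", "withdrawal", 40_000),   # DECLINED_FUNDS, try counter reset
        authorise(acct, pan, "1234", "cash_advance", 1_000),  # DECLINED_TYPE
    ]
    return outcomes, acct.balance
```

The order of checks matters: a wrong PIN is declined before funds or transaction type are examined, so the response never leaks account state to someone who does not hold the PIN.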
Continued innovation in authentication technology has recently resulted in the development of improved authentication methods, which in general, can now be classified into ‘shared secrets such as smart cards or tokens, digital certificates, and biometric identifiers’.249 However, the PIN as a fixed password is still widely used because of its ease of implementation and use with relatively low investment, even though it has many drawbacks (such as password guessing, dictionary attacks and being subject to social engineering).250
245 Committee on Payment and Settlement Systems (CPSS), 'Clearing and Settlement Arrangements for Retail Payments in Selected Countries' (Bank for International Settlement, 2000) 3.
246 Radu, above n 210, 388.
247 Meyer and Matyas, above n 72, 475. See also: Sullivan, ‘Can Smart Cards Reduce Payments Fraud and Identity Theft?’, above n 33, 40–1; CPSS, Clearing and Settlement Arrangements for Retail Payments in Selected Countries, above n 245, 28–9.
248 See CPSS, Clearing and Settlement Arrangements for Retail Payments in Selected Countries, above n 245, 3, 43. According to CPSS, authorisation in a payment card system means ‘the approval or guarantee of funds to be transferred’.
2.5. Conclusion
The development of the payment system and the proliferation of electronic funds transfer in the banking industry have benefited from advances in information technology and communications networking. The payment card system, as one of the most prolific features of the electronic retail payment system, offers many benefits to consumers, such as relatively unlimited access to banking services outside office hours, greater convenience and easy access to pervasive consumer activated terminals. For the banks, the benefit of payment card products comes from greater consumer-generated fee based income, deposits and loyalty.
What appears to be a seamless and simple payment card transaction actually involves many complex technical infrastructures (such as ATMs, electronic data capture (EDC), networks, host computers, switch networks, storage and so on) and the involvement of many parties (such as issuer and acquirer banks, third party processors, ISOs, switching companies, network vendors, consumers, and so on). However, the nature of consumer activated terminals such as ATM and EFT-POS terminals, which are located mostly outside bank premises, creates security issues for consumers because of the lack of supervision.
Magnetic stripe cards and PINs are still heavily used in most ATM/debit card transactions. Unlike scheme credit cards that have moved to chip technology with EMV standards driven by Visa and MasterCard, scheme debit cards and proprietary ATM/debit card systems mostly still rely on old and relatively weak magnetic stripe technology as a means of identification, and PINs as a means of authentication and authorisation — and hence are relatively vulnerable to fraudulent activities.
249 Kondabagil, above n 194, 99–101.