Susan Burns, George R. S. Weir, Department of Computer and Information Sciences, University of Strathclyde, Glasgow G1 1XH, UK {susan.burns, george.weir}@cis.strath.ac.uk

University of Strathclyde and Associates: Abstract. The introduction of smartcard technologies has reduced the incidence of card fraud in the UK, but there are still significant losses from fraudulent card use. In this paper we detail the context of smartcard introduction and describe the types of fraud that remain a threat to cardholders and other stakeholders in the card system. We conclude with a risk analysis from the cardholder’s perspective and recommend greater cardholder awareness of such risks.

University of Strathclyde and Associates: Introduction. A recent report from the European Security Transport Association (ESTA) found that nearly 20% of the adult population in Great Britain has been targeted as part of a credit or debit card scam. As a result, the UK has been termed the ‘Card Fraud Capital of Europe’ [1], with UK citizens twice as likely to become victims of card fraud as other Europeans. Plastic card fraud is a lucrative exploit for criminals and the proceeds may be used to fund organised crime. Smart payment cards (Chip and PIN cards) were introduced in the UK to replace magnetic stripe cards and support PIN verification of card transactions. By the end of 2005, more than 107 million of the 141.6 million cards in the UK had been upgraded to smart cards [2]. Levels of plastic card fraud fell by 13% to £439.4 million in 2005 [3] and again to £428 million in 2006 (Figure 1). The reduction has been widely attributed to the rollout of smart cards with Chip and PIN authentication.

If the media is to be believed, the UK introduction of Chip and PIN authentication for credit and debit card transactions is flawed and has failed to reduce levels of card fraud across the board. Specific cases highlighting the security implications of smart card based technology have been widely reported, including exploits at Shell petrol stations [4] and Tesco self-service tills.

As cards are a widely accepted international form of payment, fraud can happen virtually anywhere in the world or on the Internet. Cards can be compromised in the UK and then used overseas. Cardwatch research shows that most of the fraud committed abroad on UK cards affects cards that have been compromised in the UK

Although the financial cost of card fraud is largely borne by the banking industry, the cardholder experiences loss of time in taking steps to resolve matters, as well as inconvenience, worry and frustration while a fraudulent incident is investigated. The cardholder’s credit rating can be affected and the whole affair can be a distressing experience.