Saturday, April 21, 2007

Broken Social Protocols: Chip and Pin

The UK's move to Chip and (s)Pin has been greeted with criticism from elements of the security community. However most of the usability criticisms have been focused on two problems:

1. Memorability of four digit codes

2. Usability of terminals, which generally is very poor.

However, I argue there is a much more insideous usability problem with Chip and Pin which comes from using a broken social protocol. To start with, let's considered what happened with Card and Signature, the old system.

Merchant -> Customer: Cost
Customer -> Merchant: (Card and Signature)
Merchant -> Customer: (Reciept and Copy) (includes Cost)

*Customer checks cost
Customer Signs reciept and copy

Customer -> Merchant: Reciept and Copy with Signature

*Merchant verifies signature

Merchant -> Customer: Card + Receipt

Items marked with a '*' are optional steps. One of the main problems with this protocol is that really security is managed by the user possessing the card What you have authentication, rather than the signature matching What you are authentication. So just about any signature would do.

Chip and Pin promises to replace this with What you know authentication, based on a four digit number. However, I assert that the social protocol used to handle Chip and Pin is broken.

The first problem we have with describing the Chip and Pin protocol is, there isn't one. Consider the most basic operation:

(I'm using Point of Sale Terminal to refer to the thing that the merchant uses, and Chip and Pin Terminal to be the thing the customer enters a pin number into)

--Phase 1--

Merchant -> Point of Sale Terminal: Cost
Point of Sale Terminal -> Chip and Pin Terminal: Cost

Customer verifies cost

--Phase 2--

Customer -> Chip and Pin Terminal: Card
Customer -> Chip and Pin Terminal: Pin

(Assuming correct, authorised etc.)


--Phase 3--

(Concurrent) Chip and Pin Terminal: 'Remove Card'
(Concurrent) Merchant -> Customer: Receipt
(Concurrent) Collect shopping


So this looks OK?

Well there are a litany of problems:

Phase 1 is not at all standardised. In some systems the merchant enters the data into the console and pre-accepts the amount so the user has no idea how much they're actually paying for until the receipt is produced, in others the user gets to approve it by pressing a key, others just type in the pin. This is very poor usability, though considering how poor the rest of the protocol is forcing the user to think may actually help security(!!)

Phase 2 is where most of the previous usability work has been done. Problems with shoulder surfing, exclusion of blind people, people with dispraxia etc. But it's been covered elsewhere, I'm going to ignore it. The delay at the end is important though (see later)

Phase 3 here things get really dodgy. Notice, that the three items occur in parallel.

And there is a delay between entering the pin, and being able to remove the card.

The delay matters, because the customer gets bored, and rather than only waiting for the prompt to remove the card, starts collecting their shopping. So the customer is faced with:
-> Collecting their shopping (completion of task)
-> A person handing them something
-> A machine with some unreadably low contrast text which changed from 'please wait' to 'remove card'. The environment is noisy, and visually distracting and the shopper may well be stressed.
There are intuitive reasons why this is bad, but there is also, at least one, fairly sound psychological problem.


Consider another task, withdrawing cash from an ATM in the UK. The machine won't give you your cash until you take your card. Why? To stop you getting your cash (completing the task that you went to the ATM for), and then leaving without collecting your card as your mind has moved on to whatever you're wanting to do next.

Again, consider Card + Signature, the old scheme. Here, you don't get your card back until the merchant has looked at it. The process is sequential, you're not doing anything else, you've handed the merchant your card and are expecting it back in a second or so. Further, you've given it to a person, most polite people will pay more attention to a human than they will to a machine. Further, the merchant has a tangible reminder to give you your card back. Not only that, but you gave them your card, this imbues an unspoken responsibility to take care of it, including giving it back to you. All the cues point the right way.

But in Chip and Pin none of this happens. As mentioned above the user has at least three competing actions:

1. A person is giving them their receipt. (This takes precedence over machine interaction)

2. You're collecting your shopping. This completes the activity you were there to do in the first place. You probably do this whilst you're waiting as the delay between pin entry and remove card is long, several seconds

3. The (unreadable) text on the chip and pin terminal changes.


And now the shocking news. People leave their cards behind (Post Completion Error). Chip and Pin has been around for short while, maybe about a year and a bit. In the past month, I've now seen 3 people leave their cards behind. In 10 odd years I've been watching people use signatures, I never saw this happen.


If a security system can't survive Murphy (Random chance), it will break horribly under Satan (malice). There are any number of things that a merchant who wanted to steal cards could do. E.g. they notice you're about to retrieve your card, so they hand you your shopping or receipt to interrupt the process. They then remove your card after you've left. They're already stolen your pin number by watching you type it in.

It's not surprising that this didn't emerge for a while, at first people were going through this process consciously, it's a kind of damning indication that it took so long; 12 months to learn how to do a task that you perform several times a day is not great.


So what can we do about this?

The Post Office seems to be one of the very few organisations who has put some thought into Chip and Pin. They're terminals are big, tolerably easy to read, though they could be better and have easy to cover number pad, and they beep at you when they want you to remove your card.

It's not a fix to what is fundamentally a protocol that doesn't encourage the correct process, but it's certainly a lot better. Kudos to the Post Office.


So Chip and Pin is not only very dubious from a technical security perspective, it's also fundamentally worse from a social interaction perspective. It's so bad, that failures happen by accident. I hate to think how many Cards and Pins a smartly dressed attractive shop assistant could steal.