Chip and Pin — the risks
231 wordsUpdate: What I wrote below turns out to be wrong. It was “conventional wisdom” which I’d heard from several anecdotal sources, but according to the Co-op bank website:
THE MYTH: After 1 January, the liability for card fraud losses switches from the banks to the cardholder.
THE TRUTH:
This is absolutely not the case. With the introduction of chip and PIN there is no change in liability for the cardholder. You will remain fully protected from the cost of card fraud and are covered under the Banking Code. From 1 January 2005 there is a shift in liability for some types of card fraud from banks to retailers, but this will not affect cardholders in any way.
Below is what I originally wrote, wrongly it seems.
—–
On several occasions in the USA, cashiers would notice the chips in our British credit and debit cards, and make some approving comment about how it was more secure. Sometimes I would try to explain how the credit industry was moving the fraud liability away from themselves and onto the customer, but usually I wouldn’t bother — because it’s quite a subtle point and dammit, I was meant to be on holiday.
An article in today’s Guardian reveals some of the risks of chip and pin fraud — and remember, unlike with traditional signature based card transactions, if someone fraudulently uses your card in this way, your bank won’t refund you.
September 6th, 2005 at 14:13
I think that there is a lot of doublethink going on here.
From a strict point of view, the liablity has not changed - so the Co-op FAQ is right.
However - the liability, in either case, requires a certain level of doubt to be placed into the validity of a given transaction. In the case of old cards, everyone knows that signatures are easily forged, so the proof needs to come from the bank/retailer. With the introduction of Chip and PIN, the banks will peddle the view that nothing in the system could possibly have gone wrong and so it will be up to the individual to prove that they did NOT authorise that transaction - in the face of a bunch of techno-legal oiks from the bank saying that their system is foolproof.
That is the shift in the reality of the liability.
September 7th, 2005 at 09:34
Bruce Schneier quotes some research suggesting that removing the human element from the point of sale actually makes things worse. http://www.schneier.com/blog/archives/2005/09/identity_cards.html (not sure what it has to do with identity cards though)
September 7th, 2005 at 09:47
More on Chip & Pin
Paul did some more digging after his comment on my Chip & Pin post.
Chip and Spin clearly explains the subtle way in which the burden of proof, and hence the liability for fraudulent use has been transferred at least partly to the customer. The …
October 4th, 2005 at 19:16
My bank decided that it would prefer to give me a Chip & Signature credit card rather than have me comply with their T&C on the Chip & PIN card.
The terms of the C&P card required “cardholders to notify the bank immediately the cardholder suspected anyone else knew their PIN” - the banks words not mine. I pointed out that everytime I used the card in a store I must suspect that someone knew my PIN (shop assistant, customer behind, CCTV camera operator). Even if I shielded my PIN I could not be sure nobody knew.
Therefore I was duty bound to call them and advise them of my suspicion and they could take what action they deemed necessary.
The T&C did not specify what action they would take and I would not insist on any. When they told me that the automatic action they would take was to cancel the card and re-issue it, the penny then dropped with the bank that they could either issue me 50 plus cards a year or issue a C&S card.
The thing I found interesting was the bank commenting that they didn’t expect people to read the T&Cs. I wonder why.
“If you forget your PIN, many retailers still let you sign. But this option will end, unless you have a disability that stops you from using a PIN.� WHICH? September 2005.
OR you comply with the card issuers own Terms & Coditions!