# Chip & Pin credit card security



## Elcato (8 Sep 2003)

*Chip & Pin credit card security*

Discussion originally started on


----------



## Max Hopper (27 Nov 2004)

*Re: Scams to look out for*

From a mate in the banking biz -

Keep a watch out for people standing near you in the checkout line at retail stores, restaurants, grocery stores, etc who have a picturephone in hand. With the picturephones, they can capture an image of your credit card, which gives them your name, number, and expiration date.

CBS News reported this type of identification theft is one of the fastest growing scams today.


----------



## ClubMan (27 Nov 2004)

*Re: Scams to look out for*

Not disputing the need for  in this context _Max_, but shouldn't  (for card present transactions) and the  on the signed strip on the reverse of the card (for non card present transactions - e.g. online) help defeat unauthorised use of credit cards given only the details on the front?


----------



## okidoki987 (30 Nov 2004)

*Re: Scams to look out for*

The big problem with Chip and Pin is going to be the number of people that will now be liable for any unauthorised withdrawals or purchases on their Chip and Pin Credit Cards once they have changed the PIN number.
The Banks will save a fortune when the customers start using these cards.


----------



## rainyday (30 Nov 2004)

*Re: Scams to look out for*



> The Banks will save a fortune when the customers start using these cards.


Why?


----------



## ClubMan (30 Nov 2004)

*Re: Scams to look out for*

*The Banks will save a fortune when the customers start using these cards.*

Great. I might buy some shares in the banks so given that this cost cutting measure should boost their profits even further.


----------



## okidoki987 (30 Nov 2004)

*Re: Scams to look out for*

rainyday
Because if you change the PIN number to your own number and the card gets used fraudulently, then you are liable for all the loss(es) as the only person who would/should know the number is you. Therefore the Bank will insist on the card holder paying for any fraud committed by somebody (else) who presents the card. Not sure how on-line or phone fraud will be treated as the card will not be present.
In the old days a signature was required.
The Banks will save a fortune as any fraud that is committed will have to be repaid by the cardholder (unless the card wasn't presented).


----------



## ClubMan (30 Nov 2004)

*Re: Scams to look out for*

As far as I know my bank (_PTSB_) still doesn't allow card holders to change their _PIN_ numbers [broken link removed]!



> PIN Security
> 
> By the end of 2004 most full-service ATMs in Ireland will offer PIN management services. This will mean that at these ATMs you will be able to change your PIN if you think it may have been compromised, or simply to change it to an easier to remember 4-digit number of your choice.



:|


----------



## rainyday (1 Dec 2004)

*Re: Scams to look out for*

But you are missing out the important point, okidoki987 - How will they be able to commit any fraud unless you have been careless with the PIN number?

BTW, chip-and-pin does not come into play for 'card-not-present' transactions (e.g. online, phone, mail order)


----------



## ClubMan (1 Dec 2004)

*Re: Scams to look out for*

*chip-and-pin does not come into play for 'card-not-present' transactions (e.g. online, phone, mail order)*

But the authorisation code on the signed strip on the reverse of the card generally does these days as I mentioned earlier. Another protection against fraudulent use.


----------



## Max Hopper (1 Dec 2004)

*Re: Scams to look out for*

Knowing that not all wish to subscribe (for _free_) to AJ's online daily, here's a squib from yesterday's Indo that is definitive -

*'Chip and PIN' users warned they'll be liable for card fraud*

THE country's three million credit and laser cardholders will be liable for any fraudulent transactions made using their cards under a new system being introduced in the coming months.

New 'chip and pin' credit and laser cards will be issued to consumers under a new system where customers will authorise payments by typing a four-digit PIN into a terminal without the need for a signature.

As cards are coming up for renewal, the new chip and pin versions are being issued.

But the Irish Financial Services Regulatory Authority (IFSRA) has warned that new changes by card providers mean that if the PIN is divulged to a third party, the provider (the banks) will not be responsible for covering the cost of fraudulent transactions.

Up to now the provider covered cardholders if their signature was forged and purchases made on their card, but under the new system this will no longer apply.

Credit card fraud costs financial institutions about €7m a year, and the IFSRA has warned cardholders to shield the keypad where the PIN is inputted with a hand or wallet to prevent 'shoulder surfing', or someone stealing your PIN.

Chip and pin is being introduced to prevent fraud. A chip implanted on each card will make it more difficult to forge the cards.

Consumer director with the IFSRA, Mary O'Dea, said customers should read the information they receive with their card carefully.

"Many cards' terms and conditions now state that cardholders will be held liable for all transactions where a PIN is used," she said. "It is very important that people do not tell anyone their PIN as they could find that they have to pay for the amount of the transaction even if they did not use the card themselves.

"The introduction of chip and pin in Ireland is a welcome development and it is hoped that it will reduce the incidence of credit card fraud. Your PIN is personal to you and unlike your signature, it cannot be forged if someone steals your card.

"The chip on your card also makes 'skimming' more difficult and we welcome any initiative that will make consumers less of a target for fraudsters. Some consumers may have concerns about using chip and pin technology, but experience in other countries has shown that people adapt to it quite quickly."

Ms O'Dea added that people with disabilities who may find it difficult to remember a PIN or enter their number on a PIN pad could continue using a signature card if a disability prevents them from using the new technology.

The IFSRA will today publish a fact sheet explaining chip and pin, warning people that pin numbers should never be given over the phone or internet, regardless of who asks.

It advises that if you have a chip and PIN card, you will need to know your PIN before you go to countries where the new technology is used.

The authority also points out that if you have an older card that does not have the technology, you can continue to use a signature to authorise transactions. Your card issuer can advise you on when you will receive your new card.

*Paul Melia*

© Copyright Unison.ie


----------



## Imogen Bertin (1 Dec 2004)

*Re: Scams to look out for*

I rang AIB, my credit card supplier to ask how exactly a customer could ever prove that they were innocent of having been "careless with their PIN". They couldn't give an answer. I asked if I could retain my old card since I do not want a new card that gives me less protection. That wasn't possible. I complained in an email to IFSRA about this forced reduction in consumer rights (a lot of good that will do). I would cancel the card only for the fact it is now pretty much impossible to buy an air ticket without one.

I am sick of being treated like s**t by banks and other large organisations. Strangely, the phrase "security feature" has now become synonymous with reduced service throughout the service sector as far as I can see.

The last people who tried to convince me something was a security feature were Vodafone because of their idiotic system where you can only register for offers, website services etc. if you have BOTH a mobile phone signal and an Internet connection in the same place at the same time since they will only issue passwords by text. Apparently this is a security feature as email cannot be relied upon (strange, someone should tell the people at ROS that...). Dubs among you, internet and mobile signal together is not always possible in this country outside our great capital...

Imogen


----------



## rainyday (1 Dec 2004)

*Re: Scams to look out for*



> security feature were Vodafone because of their idiotic system where you can only register for offers, website services etc. if you have BOTH a mobile phone signal and and Internet connection in the same place at the same time since they will only issue passwords by text.


Is there anything to stop you holding the password sent by text on your mobile until the next time you get onto your Internet connection?


> Apparently this is a security feature as email cannot be relied upon (strange, someone should tell the people at ROS that...).


Internet email is not secure or private. ROS send out their security codes by snail mail, not email.


----------



## MichaelL (1 Dec 2004)

*Time Limit*

This has happened to me before as well, you have to enter the password they text you within 10 minutes, or else it is invalidated


----------



## ajapale (1 Dec 2004)

*Re: Time Limit*

Yes, I did this last week and they gave me 20mins to validate.


----------



## Monsieur Bond (1 Dec 2004)

*Re: Scams to look out for*

*'Chip and PIN' users warned they'll be liable for card fraud*

This is the same as is the case with ATM cards at present - if  you divulge the PIN, you are liable. But this is difficult to prove unless you are careless - e.g. by writing it down and keeping it with your wallet.

The comment in a previous post about "if you change your PIN, you are liable as only you know the PIN" is simply untrue. There is _no_ additional liability here. Your Bank or card issuer does _not_ know your PIN. It is generated and distributed securely in a certified standards-compliant automated process.


----------



## Monsieur Bond (1 Dec 2004)

*Re: Scams to look out for*

As with your ATM card, you should ideally cover your typing hand with your other hand as you enter the PIN, so that no one can see it.

Some pin pads have prominent privacy shields to do this for you; unfortunately, none I've seen so far in Dublin have them.


----------



## Monsieur Bond (1 Dec 2004)

*Re: Scams to look out for*

*chip-and-pin does not come into play for 'card-not-present' transactions (e.g. online, phone, mail order)*



> But the authorisation code on the signed strip on the reverse of the card generally does these days as I mentioned earlier. Another protection against fraudulent use.




Yes, the Card Security Code printed usually on the back of the card - an additional 3 or 4 numbers after either the full card number or after the last 4 digits of the card number - is becoming prominent on Visa and Mastercards.

This is becoming mandatory for e-commerce sites to support.

A pity that Laser cards don't support this feature yet.

Also a pity that Address Verification Codes (based on entering the numbers in the address and post code) does not exist in Ireland - understandable, though, as we have no post codes.


----------



## Max Hopper (2 Dec 2004)

*Re: Scams to look out for*

Just booked tickets on the AL website. No mention of an authorisation code...

So if a front image of my CC is snapped in Dublin, how long does it take the MMS picture to arrive in, oh let's say Lagos or Sofia?


----------



## Once Bitten (2 Dec 2004)

*Logistics of chip and pin in (say) restaurants*

In most restaurants, the waiting staff bring you the bill, take the card away and return with card and receipt to be signed.

With chip and pin, will they be going around with a pin keypad in their back pockets or will the pay from your table practice go out the door with chip and pin?


----------



## ClubMan (2 Dec 2004)

*Re: Logistics of chip and pin in (say) restaurants*

Regardless of chip and PIN ... in general financial institutions advise that you don't let anybody take your credit card out of your sight at any time. If this means following the waiter up to the desk where the card is swiped then so be it. Of course most people don't do this in practice for various reasons and so expose themselves to some level of risk of card fraud. As far as I know some outlets will have mobile chip and pin units while others will simply require the payer to present themselves at the cash desk in order to punch in the PIN.


----------



## Imogen Bertin (2 Dec 2004)

*Re: Logistics of chip and pin in (say) restaurants*

They give you half an hour to enter the text into the website. Personally I have to drive about 3 miles to get a mobile signal so if you gee yourself up it is just about possible but not exactly convenient. 

You would have to feel sorry for their call centre agents and the complaints they have to put up with which they have to answer with awful scripts... probably they only get minimum wage too. And to think I still have Vodafone shares which are so tiny as not to be worth selling in protest, as a result of the Eircom debacle. Sigh.

Imogen


----------



## rainyday (2 Dec 2004)

*Re: Logistics of chip and pin in (say) restaurants*



> In most restaurants, the waiting staff bring you the bill, take the card away and return with card and receipt to be signed.


They will if you let them. If on the other hand you take your card up to the till, you reduce the risk of skimming. Mind you, you don't entirely eliminate it unless you watch your card like a hawk to ensure it only goes through the proper card reader.



> With chip and pin, will they be going around with a pin keypad in their back pockets or will the pay from your table practice go out the door with chip and pin?


I understand they have portable units to bring to the table. I saw similar units operating in France about 3 years ago.


----------



## daltonr (2 Dec 2004)

*Re: Logistics of chip and pin in (say) restaurants*

I was asked for my pin for the first time last weekend.
I didn't know it.  I have the envelope I just haven't gotten around to changing the pin to something I'll remember.

So both places allowed me to sign.  If a Pin is not entered immediately, the machine seems to go into Sign Mode.

I wonder how long that will continue??

-Rd


----------



## okidoki987 (2 Dec 2004)

*Re: Logistics of chip and pin in (say) restaurants*

The important point is the onus is on the Credit Card card holder to make sure they don't give out their PIN number to anybody else. With an ATM card, your liability was 300 every day (the max somebody could withdraw) but with a Credit Card potentially the loss could be the Credit Card limit!
In the past the maximum you were liable for was 50 Euro (even then they never enforced it) as the fraudsters attempt to forge your sig was nearly always a rubbish attempt as they knew the staff in the shops never bothered to check them.
So what happens in the following situations
(A) Somebody breaks into your house and finds a slip of paper with the PIN number on it, then mugs the card holder for the card and buys goods up to the credit limit?
(B) Somebody beats you up and gets the PIN number and card from you and then buys goods to the credit card limit?


----------



## Monsieur Bond (2 Dec 2004)

*Re: Logistics of chip and pin in (say) restaurants*



> So both places allowed me to sign. If a Pin is not entered immediately, the machine seems to go into Sign Mode.
> 
> I wonder how long that will continue??



It is up to the acquirers as to how long they allow this PIN Bypass feature. It is only supposed to be offered for the "transition" period before the public are used to entering the PIN.

Another driver for removing this facility will be that the retailer is liable for any fraud using this facility too, as the PIN was not checked. If the PIN is used and there is fraud, then the card issuer is generally liable.

Note that if you continue bypassing the PIN, you will start getting _transaction declined_ or _referred_ - better to learn the PIN or change it to something you will remember.


----------



## rainyday (2 Dec 2004)

*Re: Logistics of chip and pin in (say) restaurants*



> (A) Somebody breaks into your house and finds a slip of paper with the PIN number on it, then mugs the card holder for the card and buys goods up to the credit limit?


Doesn't sound very realistic to me. The card holder shouldn't write down the PIN anyway.


> (B) Somebody beats you up and gets the PIN number and card from you and then buys goods to the credit card limit?


If someone is going to beat you up & hold you hostage to ensure that you can't report the stolen pin/card to the Gardai and the credit card company, then unauthorised transactions are the least of your worries.


----------



## Once Bitten (2 Dec 2004)

*Let's not get carried away here ...*

Last month, without C + P, a stolen credit card and a PIN would enable unlawful withdrawal from an ATM.  It is no different with C + P other than the fact that now, everyone will have to remember their PIN.

Likewise, last month, if someone stole my credit card and used it for payment over the phone or 'net, they were on a winner.  Just because the liability for the losses is tilting away from the banks, it does not mean that the fraudsters are going to be rubbing their hands and doubling their efforts.  What do they care about the ultimate liability.

Certainly there are concerns regarding the shift in liability, but do we really think fraud will increase as a result of C + P?


----------



## moneyhoney (2 Dec 2004)

I don't think fraud will increase as a result of Chip & PIN but I also don't think it will disappear like IPSO are claiming.

What has happened in the UK is a shift towards postal interception - criminals can see your PIN in the post & know that the card will soon follow. Article in the Financial Times on 4 October discussed this. As a result UK banks are allowing customers in certain areas to pick up their cards in branches, sending cards to work rather than home addresses and using different types of envelopes from the usual ones that any fool would know contained a PIN or credit card. Royal Mail are investigating this. 

Would be very hard to prove that you never received your card or PIN when someone has been using it & no signature to verify it was/was not you. Some banks require you to telephone & give a password to activate your card. 

If it comes down to your word against the bank's & T&Cs say that if PIN used it's proof that you authorised it, who do you think will win?????


----------



## ISBN (2 Dec 2004)

Received new C & P credit card in the post on Monday, the PIN arrived last Friday.  When I received the card, I had to ring a number provided to confirm that I have received it.  Had to answer standard date of birth and mother's maiden name questions.


----------



## moneyhoney (2 Dec 2004)

That's exactly what I mentioned in last post - card activation procedures. As far as I know only Ulster Bank, MBNA & Tesco (MBNA card) have this in place.


----------



## ISBN (2 Dec 2004)

Yep, mine was an Ulster bank CC.


----------



## Imogen Bertin (3 Dec 2004)

No one has answered the question I asked AIB and they couldn't or wouldn't answer which is how can a customer ever prove they weren't careless with their PIN? The bank will always be believed, not the customer.

Imogen


----------



## ClubMan (3 Dec 2004)

If some individuals don't like the terms & conditions of such a card agreement and their implications for card holder liability in the even of fraud (whether due to contributory negligence or not) then they are at liberty to decline to use such cards.


----------



## rainyday (3 Dec 2004)

> how can a customer ever prove they weren't careless with their PIN?


You can't prove a negative.


----------



## daltonr (4 Dec 2004)

> then they are at liberty to decline to use such cards.



They may not be for much longer. I lived for a year without a Credit Card; it's surprisingly difficult. Pretty soon all CC's will have this feature.

That said, I have no problem with Chip And Pin, it seems like a very logical solution to me. CC's always struck me as remarkably insecure devices.

In the states recently most of the stores had electronic pads to capture your signature. So you signed with a stylus rather than a pen. (Like writing on a Palm Pilot).

Some of the signatures I produced look like a 4 year old with a crayon, and bear absolutely no relation to the signature on the card. But it was accepted without question.

Remember your card comes with a sig on the back. Someone stealing your card can see the type of sig they need to mimic, and I don't think they even have to be that good.

Chip and Pin may have flaws, but it's a heck of a lot better than what we've had to date.

-Rd


----------



## Crunchie (5 Dec 2004)

> card activation procedures. As far as I know only Ulster Bank, MBNA & Tesco (MBNA card) have this in place.



Tesco (which is a Bank of Scotland - not MBNA - card) doesn't have any card activation procedures.

On a different note - has anyone noticed how slow C+P transactions are?


----------



## Monsieur Bond (6 Dec 2004)

*On a different note - has anyone noticed how slow C+P transactions are?*

It depends on several factors including the speed of the terminal.

Next generation terminals should handle the C+P operations more quickly.


----------



## podgeandrodge (2 Jan 2005)

*pin*

Quote: "Your Bank or card issuer does not know your PIN. It is generated and distributed securely in an certified standards-compliant automated process. "

When I got my new chip and pin card, the pin number i received from my bank was the same pin number that I had been using on my old card - how did my Bank know this number?  And if they know it and post it out to me, can I not state that I am not the only person with access to the pin and therefore not alone liable?


----------



## Max Hopper (2 Jan 2005)

No can do. Your PIN is not the password, but rather the [broken link removed]. The _password_ stored on the CC issuer's system is probably nothing more exotic than your CC account number. C&P devices are and will remain sluggish until 802.11b (or greater) wireless technology becomes widely available. C&P _handshaking_ and message-passing is relatively verbose or _chatty_ in order to handle the terminal CHAP (challenge and response authentication protocol).

HTH


----------



## brainlessareus (3 Jan 2005)

Correct me if I am wrong but this is how I understand it:

The terminal takes the card data (from the chip) and the PIN (entered), encrypts the whole data and sends it to the bank network where it is processed.

Processed means that the card is validated, then the PIN is confirmed (complicated process involving more than one server) and then the €/$/£ is authorized or not.

Following that logic, the PIN is in possession of the bank because how can they otherwise determine if my PIN is correct or not.

The PIN might not be accessible to the customer support staff but it is definitely stored at PIN servers because both Tesco and Permanent TSB gave me the same PIN when they sent me the chip card.

If you do a search in Google for ATM PIN Security you find some very nice documents about how the whole process works (including DES keys, PIN splits, security considerations).
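Added example, not from any post in this thread and not any bank's code: the two posts above (podgeandrodge's question about receiving the old PIN with a new chip card, and brainlessareus's description of the terminal-to-bank flow) are both explained by the standard IBM 3624 PIN-offset scheme, in which the issuer's HSM derives a "natural" PIN from the card number under a PIN verification key (PVK) and the account record holds only the offset between that and the PIN the customer chose. The HSM can regenerate the PIN from PVK plus offset, so a reissued card can carry the same PIN even though no staff member ever sees it. The block below also builds the ISO 9564 format-0 PIN block that a PIN pad assembles from the entered PIN and the card's PAN. Assumptions: the PAN and PVK are constructed dummy values, the validation data is taken to be the PAN digits, and HMAC-SHA256 stands in for the single-DES step of the real algorithm so the code runs on the Python standard library alone; the real terminal would additionally encrypt the PIN block under a terminal key before it leaves the PIN pad, which is omitted here. The other common scheme, Visa PVV, stores a one-way verification value instead, from which the PIN itself cannot be regenerated.

```python
"""ISO 9564 format-0 PIN block and IBM 3624 PIN-offset verification (illustrative)."""
import hashlib
import hmac

# Default 3624 decimalisation table: hex digit 0-F -> decimal digit.
DECIMALISATION_TABLE = "0123456789012345"


def _pan_field(pan: str) -> str:
    """12 rightmost PAN digits excluding the Luhn check digit, zero-padded to 16."""
    return "0000" + pan[:-1][-12:].rjust(12, "0")


def iso0_pin_block(pin: str, pan: str) -> str:
    """Build a clear ISO 9564-1 format-0 PIN block as 16 hex digits.

    The PIN field (0, length, PIN, F padding) is XORed with the PAN field so an
    intercepted block is bound to one card and cannot be replayed for another.
    """
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    block = int(pin_field, 16) ^ int(_pan_field(pan), 16)
    return f"{block:016X}"


def iso0_pin_from_block(block: str, pan: str) -> str:
    """Issuer side: recover the PIN from a clear format-0 block and the PAN."""
    pin_field = f"{int(block, 16) ^ int(_pan_field(pan), 16):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


def _pvk_encrypt(pvk: bytes, validation_data: str) -> str:
    """ASSUMPTION: stand-in for single-DES encryption of the validation data
    under the PVK inside the HSM; HMAC-SHA256 truncated to 16 hex digits keeps
    the example on the standard library."""
    return hmac.new(pvk, validation_data.encode(), hashlib.sha256).hexdigest()[:16].upper()


def natural_pin(pvk: bytes, pan: str, pin_len: int = 4) -> str:
    """IBM 3624 natural PIN: encrypt validation data, decimalise, keep pin_len digits."""
    validation_data = pan[:-1][-12:].rjust(16, "0")  # assumed validation data
    cipher_hex = _pvk_encrypt(pvk, validation_data)
    return "".join(DECIMALISATION_TABLE[int(h, 16)] for h in cipher_hex)[:pin_len]


def pin_offset(pvk: bytes, pan: str, chosen_pin: str) -> str:
    """Offset stored on the account record when the customer picks their own PIN."""
    nat = natural_pin(pvk, pan, len(chosen_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def reconstruct_pin(pvk: bytes, pan: str, offset: str) -> str:
    """What the HSM can regenerate for a card reissue: natural PIN plus offset."""
    nat = natural_pin(pvk, pan, len(offset))
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))


def verify_pin(pvk: bytes, pan: str, offset: str, candidate: str) -> bool:
    """Authorisation-time check of a PIN recovered from the terminal's PIN block."""
    return hmac.compare_digest(reconstruct_pin(pvk, pan, offset), candidate)


if __name__ == "__main__":
    pan = "4321987654321098"   # constructed dummy PAN
    pvk = bytes(range(16))     # constructed dummy PVK (would live only in the HSM)
    block = iso0_pin_block("1234", pan)
    offset = pin_offset(pvk, pan, "1234")
    print("PIN block sent by terminal:", block)
    print("Offset held on account record:", offset)
    print("PIN regenerated for reissue:", reconstruct_pin(pvk, pan, offset))
    print("Verify recovered PIN:", verify_pin(pvk, pan, offset, iso0_pin_from_block(block, pan)))
```

The point to take from the demo is that neither the account record nor the terminal message carries the PIN in the clear: the record holds an offset that is useless without the PVK, and the PIN pad output is a PAN-bound block (encrypted under a terminal key in a real deployment). Changing the PIN at an ATM only rewrites the offset, which is why it costs the issuer nothing and gives nobody else access to the number.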


----------



## mmclo (5 Jan 2005)

*C&P*

There have often been programmes on the box where presenters or actors went in with dodgy cards and signed Mickey Mouse etc. and had payments processed. C&P may not be perfect but it seems an improvement on this level of "security"


----------

