Chip & Pin credit card security


Elcato

Guest

Discussion originally started on
 
Re: Scams to look out for

From a mate in the banking biz -

Keep a watch out for people standing near you in the checkout line at retail stores, restaurants, grocery stores, etc who have a picturephone in hand. With the picturephones, they can capture an image of your credit card, which gives them your name, number, and expiration date.

CBS News reported this type of identification theft is one of the fastest growing scams today.
 
Re: Scams to look out for

Not disputing the need for in this context Max, but shouldn't (for card present transactions) and the on the signed strip on the reverse of the card (for non card present transactions - e.g. online) help defeat unauthorised use of credit cards given only the details on the front?
 
Re: Scams to look out for

The big problem with Chip and Pin is going to be the number of people that will now be liable for any unauthorised withdrawals or purchases on their Chip and Pin Credit Cards once they have changed the PIN number.
The Banks will save a fortune when the customers start using these cards.
 
Re: Scams to look out for

The Banks will save a fortune when the customers start using these cards.

Great. I might buy some shares in the banks, given that this cost-cutting measure should boost their profits even further.
 
Re: Scams to look out for

rainyday
Because if you change the PIN number to your own number and the card gets used fraudulently, then you are liable for all the loss(es) as the only person who would/should know the number is you. Therefore the Bank will insist on the card holder paying for any fraud committed by somebody (else) who presents the card. Not sure how on-line or phone fraud will be treated as the card will not be present.
In the old days a signature was required.
The Banks will save a fortune as any fraud that is committed will have to be repaid by the cardholder (unless the card wasn't presented).
 
Re: Scams to look out for

As far as I know my bank (PTSB) still doesn't allow card holders to change their PIN numbers!

PIN Security

By the end of 2004 most full-service ATMs in Ireland will offer PIN management services. This will mean that at these ATMs you will be able to change your PIN if you think it may have been compromised, or simply to change it to an easier to remember 4-digit number of your choice.

:|
 
Re: Scams to look out for

But you are missing out the important point, okidoki987 - How will they be able to commit any fraud unless you have been careless with the PIN number?

BTW, chip-and-pin does not come into play for 'card-not-present' transactions (e.g. online, phone, mail order)
 
Re: Scams to look out for

chip-and-pin does not come into play for 'card-not-present' transactions (e.g. online, phone, mail order)

But the authorisation code on the signed strip on the reverse of the card generally does these days as I mentioned earlier. Another protection against fraudulent use.
 
Re: Scams to look out for

Knowing that not all wish to subscribe (for free) to AJ's online daily, here's a squib from yesterday's Indo that is definitive -

'Chip and PIN' users warned they'll be liable for card fraud

THE country's three million credit and laser cardholders will be liable for any fraudulent transactions made using their cards under a new system being introduced in the coming months.

New 'chip and pin' credit and laser cards will be issued to consumers under a new system where customers will authorise payments by typing a four-digit PIN into a terminal without the need for a signature.

As cards are coming up for renewal, the new chip and pin versions are being issued.

But the Irish Financial Services Regulatory Authority (IFSRA) has warned that new changes by card providers mean that if the PIN is divulged to a third party, the provider (the banks) will not be responsible for covering the cost of fraudulent transactions.

Up to now the provider covered cardholders if their signature was forged and purchases made on their card, but under the new system this will no longer apply.

Credit card fraud costs financial institutions about €7m a year, and the IFSRA has warned cardholders to shield the keypad where the PIN is inputted with a hand or wallet to prevent 'shoulder surfing', or someone stealing your PIN.

Chip and pin is being introduced to prevent fraud. A chip implanted on each card will make it more difficult to forge the cards.

Consumer director with the IFSRA, Mary O'Dea, said customers should read the information they receive with their card carefully.

"Many cards' terms and conditions now state that cardholders will be held liable for all transactions where a PIN is used," she said. "It is very important that people do not tell anyone their PIN as they could find that they have to pay for the amount of the transaction even if they did not use the card themselves.

"The introduction of chip and pin in Ireland is a welcome development and it is hoped that it will reduce the incidence of credit card fraud. Your PIN is personal to you and unlike your signature, it cannot be forged if someone steals your card.

"The chip on your card also makes 'skimming' more difficult and we welcome any initiative that will make consumers less of a target for fraudsters. Some consumers may have concerns about using chip and pin technology, but experience in other countries has shown that people adapt to it quite quickly."

Mr O'Dea added that people with disabilities who may find it difficult to remember a PIN or enter their number on a PIN pad could continue using a signature card if a disability prevents them from using the new technology.

The IFSRA will today publish a fact sheet explaining chip and pin, warning people that pin numbers should never be given over the phone or internet, regardless of who asks.

It advises that if you have a chip and PIN card, you will need to know your PIN before you go to countries where the new technology is used.

The authority also points out that if you have an older card that does not have the technology, you can continue to use a signature to authorise transactions. Your card issuer can advise you on when you will receive your new card.

Paul Melia
 
Re: Scams to look out for

I rang AIB, my credit card supplier to ask how exactly a customer could ever prove that they were innocent of having been "careless with their PIN". They couldn't give an answer. I asked if I could retain my old card since I do not want a new card that gives me less protection. That wasn't possible. I complained in an email to IFSRA about this forced reduction in consumer rights (a lot of good that will do). I would cancel the card only for the fact it is now pretty much impossible to buy an air ticket without one.

I am sick of being treated like s**t by banks and other large organisations. Strangely, the phrase "security feature" has now become synonymous with reduced service throughout the service sector as far as I can see.

The last people who tried to convince me something was a security feature were Vodafone because of their idiotic system where you can only register for offers, website services etc. if you have BOTH a mobile phone signal and an Internet connection in the same place at the same time since they will only issue passwords by text. Apparently this is a security feature as email cannot be relied upon (strange, someone should tell the people at ROS that...). Dubs among you, internet and mobile signal together is not always possible in this country outside our great capital...

Imogen
 
Re: Scams to look out for

security feature were Vodafone because of their idiotic system where you can only register for offers, website services etc. if you have BOTH a mobile phone signal and an Internet connection in the same place at the same time since they will only issue passwords by text.
Is there anything to stop you holding the password sent by text on your mobile until the next time you get onto your Internet connection?
Apparently this is a security feature as email cannot be relied upon (strange, someone should tell the people at ROS that...).
Internet email is not secure or private. ROS send out their security codes by snail mail, not email.
 
Time Limit

This has happened to me before as well, you have to enter the password they text you within 10 minutes, or else it is invalidated
 
Re: Time Limit

Yes, I did this last week and they gave me 20mins to validate.
 
Re: Scams to look out for

'Chip and PIN' users warned they'll be liable for card fraud

This is the same as is the case with ATM cards at present - if you divulge the PIN, you are liable. But this is difficult to prove unless you are careless - e.g. by writing it down and keeping it with your wallet.

The comment in a previous post about "if you change your PIN, you are liable as only you know the PIN" is simply untrue. There is no additional liability here. Your Bank or card issuer does not know your PIN. It is generated and distributed securely in a certified standards-compliant automated process.
 
Re: Scams to look out for

As with your ATM card, you should ideally cover your typing hand with your other hand as you enter the PIN, so that no one can see it.

Some pin pads have prominent privacy shields to do this for you; unfortunately, none I've seen so far in Dublin have them.
 
Re: Scams to look out for

chip-and-pin does not come into play for 'card-not-present' transactions (e.g. online, phone, mail order)


But the authorisation code on the signed strip on the reverse of the card generally does these days as I mentioned earlier. Another protection against fraudulent use.


Yes, the Card Security Code printed usually on the back of the card - an additional 3 or 4 numbers after either the full card number or after the last 4 digits of the card number - is becoming prominent on Visa and Mastercards.

This is becoming mandatory for e-commerce sites to support.

A pity that Laser cards don't support this feature yet.

Also a pity that Address Verification Codes (based on entering the numbers in the address and post code) do not exist in Ireland - understandable, though, as we have no post codes.
 
Re: Scams to look out for

Just booked tickets on the AL website. No mention of an authorisation code...

So if a front image of my CC is snapped in Dublin, how long does it take the MMS picture to arrive in, oh let's say Lagos or Sofia?
 
Logistics of chip and pin in (say) restaurants

In most restaurants, the waiting staff bring you the bill, take the card away and return with card and receipt to be signed.

With chip and pin, will they be going around with a pin keypad in their back pockets or will the pay from your table practice go out the door with chip and pin?
 