'Shoulder-surfing' chip and PIN fraud fear dismissed

Card counterfeiters won't turn to mugging old ladies, claims APACS

By Andy McCue, 8 November 2004 17:08

Fraud fears over the new chip and PIN credit and debit cards have been dismissed by APACS, the card payment body behind the programme.

Over the last year banks and retailers have been replacing customers' existing magnetic strip credit and debit cards with new chipped cards and point of sale terminals that use a four-digit PIN code instead of a signature to validate transactions.

From 1 January 2005 European retailers using the new chip and PIN terminals will be protected from liability for fraudulent transactions and APACS said the roll out is "on track".

Concerns have been raised about counterfeit card criminals who will be forced to change tack by 'shoulder surfing' customers at chip-and-PIN-enabled checkouts and then stealing the card by pick-pocketing or mugging the person outside the store.

But Gary Hocking, director of chip and PIN implementation at APACS, said fraudsters into card counterfeiting would be forced into other areas such as CD and DVD counterfeiting.

"Someone who sits in their bedroom counterfeiting cards is not going to go out into the streets mugging old ladies," he said.

There is already evidence that fraudsters are targeting other weak links in the chain and Sandra Quinn, UK spokeswoman for APACS, said there has been a sudden spike in the number of cards stolen in the post due to the high volume of replacement credit and debit cards being sent out to customers as part of chip and PIN. But she said this would be a temporary blip.

At the end of October 30.8 million cardholders had at least one new chip and PIN card and more than 520,000 tills in the UK have chip and PIN terminals. Major retailers already on board include Safeway, HMV, Shell and Selfridges.

Hocking also dismissed concerns that the onus of liability on fraudulent chip and PIN transactions would shift to consumers.

"There is no reason why it should be any different to fraud at an ATM. It is down to the banking ombudsman," he said.

Comments

There are 24 comments.

  1. Jamie Bishop

    That doesn't match the evidence in countries that have been using PINs at store terminals for payment. Muggings outside stores in Madrid went up 300% on the introduction of these systems.

    But of course, the retailers and card providers no longer are liable for the losses from these crimes and the cost is now spread amongst all card holders in the form of insurance.

    No wonder the UK retailers and banks are pleased with this new idea.

  2. Roger Huffadine

    There are much easier ways of getting the PIN.

    I am pursuing the matter with a major High Street retailer who compromised my PIN and the issue will almost certainly go to the Information Commissioner.

    APACS are doing a 'head in the sand'

  3. anonymous

    The weakest link in "Chip and Pin" is the customer's liability when the card is stolen/cloned the PIN recorded for use by someone else.

    I am not an expert but this is all about the banks streamlining processing and pointing the finger at the customer when fraud occurs.

    My local shops do not even have guards to protect the buttons being pressed.

    "It must be your fault Sir - only you know the PIN". Of course when you hand over the card in a shop and they return 10 mins later and watch you enter the code - do you know what they were doing out the back?

    Am I being stupid here about the risk?

  4. Andrew

    We have every reason to be worried about APACS complacency and typical institutional "couldn't care less" attitude. Already I have seen entry units with no guards, placed in positions where it is difficult not to see what pin is being input, and best of all a retail outlet, where the retail assistant asked the customer for the pin and insisted on entering it themselves. The elderly lady, whose card it was did not realise this was not correct and the assistant became quite aggressive when we pointed out the proper procedure. It's a thieves' charter!

  5. anonymous

    The last comment reveals there is a lot of education still to be done.

    In a PIN environment your card shouldn't leave your sight. In a shop you place it in the terminal while you enter your PIN then you remove it. Restaurants should either bring the terminal to your table or invite you to pay at the cashier's desk.

    Equally a retailer can't compromise your PIN - you should ensure YOU enter the PIN and use your body to obscure the pinpad. If the retailer asks for the PIN tell him he can't have it!

  6. Michael Dixon

    Of course the PIN is there to protect the bank and the bank only; the retailer can not be expected to check a signature, but the PINpads should have a proper and effective guard.

    Come on guys it can not be that expensive - and that means you APACS!

  7. anonymous

    I have noticed twice now since Chip and Pin that the paper receipts retained by the retailer have the full card number printed on them.

    What are the retailers going to do with all these receipts? Shred em?

  8. anonymous

    not at all !

    These are serious risks that are being ignored by the hype'ers.
    At my Tesco's everyone can see you entering the pin code, including the shop's cameras.

    The risk of mugging will go up as it's an easy picking for any crook.

    How long will it be before someone puts a keylogger on to the shop based PC tills?

    How long before the reverse encryption software is out to get the pin from your card?

  9. anonymous

    Prior to Chip & PIN I had no use for a PIN with my credit card, after reading some of the postings I have less use now.

    Is it compulsory to accept a PIN with a credit card if it's never used to withdraw cash?
    Could a Chip & PIN card be cloned and used at a non chip reading ATMs at home or abroad?
    Why are banks' own savings cards, basic bank account cards not chipped, yet they can be used in cash machines?
    What incentive is there for someone to accept a Pin with a card if they can be held liable for the misuse of that PIN?

    If you’ve not got a PIN crooks can’t get money at cash machines, or use stolen card and PIN in a shop without being challenged.

    Then again at Tesco unmanned check-outs you don’t need to Sign or enter a PIN. Just swipe the card and as long as the spend is under £60 nobody cares Tesco is allowing fraud to happen. It could be on your card.

    FAQs on card issuers pamphlets and web sites never ask these sort of questions.

  10. Hid S

    Why is it that people think that 4 digit PIN is any less safe than using a signature?

    Why can't criminals mug u for your signed card, look on the back, think, oh yeah, i'll just have 5 goes at practising this and I can use it with no problems.

    Not exactly the hardest thing in the world.

    At least if u lose your card, the PIN is not so obvious.

    With the signed card, all u have to do is turn it over and it says, Copy This Signature and You Can Use It np.

    Odd really.

  11. anonymous

    "Why is it that people think that 4 digit PIN is any less safe than using a signature?"

    Because they are starting to catch on that a lot of things surrounding Chip & PIN is just sPIN!

    Why can't criminals mug u for your signed card, look on the back, think, oh yeah, i'll just have 5 goes at practising this and I can use it with no problems.

    Nothing but they can't use a signature to obtain cash, other than £50 cashback with a debit card. They then have to ID themselves for a second time and face down shop staff. A signature remains a deterrent. A PIN is now a 'must have' Who will stop a challenge a crook using a PIN with a card?

    "At least if u lose your card, the PIN is not so obvious."

    Absolutely true, but then again with a Chipped card as soon as you report it lost or stolen, (and in theory it can't be cloned), then that card should be blocked in near real time.

    "Odd really."

    It's odd that card issuers are not making it absolutely clear if it's compulsory or not to have a PIN with your credit card. Consumers have a choice, it's just that they've not been told the truth.

  12. Goten Xiao

    What I don't understand is why, for the amount of money they spent implementing C&P, they didn't just put some electronic signature pads and embed the signature in the chip. That way, it's nigh-on impossible to forge (i.e. a touch sensitive pad removes almost all possibility of faking).

    Never can a 4 DIGIT pin be more secure than a biometric password - your signature.

    Or, better yet, for the same price just put some thumbprint scanners in. Even more secure and even harder to fake.

  13. anonymous

    Why a PIN is less secure is also why it is more attractive to those currently taking losses:

    A signature is contestable, even disprovable, even after "5 goes" at mimicry. Then the cash flow line is stuck. But the PIN is "letter perfect" and so one cannot tell a fraudster's entry to the owner's hand.

    Hence, liability is transferred away from the cash flow and to the "owner" of the plastic fixative that briefly holds the data - well more correctly to the alleged holder and named recipient by the cash flow line.

  14. Fred Smithe

    A friend of mine's child took his card into town one Saturday last month and spent over a £150 on CDs and makeup. He said he had hidden the pin number in the bottom of one of his drawers but she must have either searched and found it or she heard when he told her mother what the pin was. He was asleep after coming home from the night shift when she took the card. The bank said since the correct pin number was used with the card they don't see it as fraud and therefore are unwilling to do anything about it.

  15. anonymous

    There are two separate issues related to committing fraud with a Chip card...

    Card cloning, which was EXTREMELY easy in the old magstripe world, is effectively a dead issue. Although someone may overhear or observe you entering your PIN they need your actual card to buy any goods using this method. The introduction of a chip on the card makes fake cards a thing of the past.

    Entering a PIN is a far better authentication method as the verification of your "ownership" of the card is a positive act - rather than a subjective judgement based on the examination of a signature.

    Both of these measures make card fraud an unattractive proposition to criminals.

    Previously the production of fake cards was so easy there was a huge escalation in fraud. Criminals will take the path of least resistance and target other soft spots e.g. CD/DVD copying and e-commerce (where the card is not present at all) so this battle will continue.

    A majority of PIN Pads are not fixed so those feeling protective of their PIN can pick the device up - this has been proposed to comply with DDA rules.

    Comments that this is a benefit to the retailer do not take into account the investment that stores have had to make in their IT... Many are postponing their introduction of Chip & PIN equipment due to the high up-front cost of the hardware. With the exception of smaller stores that lease hardware from banks most retailers buy their own equipment.

    Chip & PIN should be viewed as a good thing for consumers as it closes down one avenue that was used to finance many other (far worse) criminal acts.

  16. Fred Smithe

    A friend of mine's child took his card into town one Saturday last month and spent over a £150 on CDs and makeup. He said he had hidden the pin number in the bottom of one of his drawers but she must have either searched and found it or she heard when he told her mother what the pin was. He was asleep after coming home from the night shift when she took the card. The bank said since the correct pin number was used with the card they don't see it as fraud and therefore are unwilling to do anything about it.

  17. Simon

    Living in the real world does have its downsides but at least it allows me to see matters clearly - in my opinion of course. If Mr Andy McCue feels there is no risk of increased fraud and crime due to the introduction of chip and PIN, maybe he should spend a few months on the front line as a retail store manager. Once he has experienced store security issues first hand and still feels there is nothing to amend in his piece, then that is fine with me.

  18. Simon

    Last comment should make reference to APACS, not Andy McCue

  19. Thomas Opel

    Biometrics are the only way to identify a person. When my VISA card was stolen, a lot of money was withdrawn by entering a correct PIN. But the PIN wasn't noted anywhere. So somehow the thief must have had access to my PIN (cracking ?, internet PIN sharing databases ?, ...).

    PINs are crap, biometrics are the only way forward.

  20. Andy

    APACS are not fraud specialists - they are the mouthpiece of the UK Card industry. From bitter experience they waffle and dither on most issues and usually (as a committee type structure) come up with solutions that are wide of the mark.

    Also APACS focus almost 100% on UK Issued Card fraud - that's all they care about. Yes, retailers will get a liability shift on Cards that are PIN enabled if they too are Chip & PIN compliant but what no-one seems to worry about is the French experience. Whilst it's true fraud on French issued cards fell through the floor on the introduction of their "EMV" style PIN process INBOUND fraud shot through the roof and more than compensated for the saves. So much so that non-French issuers lobbied the French to reduce floor limits to zero for non-French cards.

    APACS' reference to "counterfeiting in a bedroom" is typically crass. Counterfeiters of any stature run factories and are usually linked to organised crime - mugging will be a walk in the park!

    Best of all Chip & PIN cards will still have a skimmable mag stripe so will be capable of counterfeiting - a simple dab of clear nail varnish will defeat the chip and force retailers to fall back to mag stripe - whereupon liability slams straight back to them.

    The hoo haa over Chip & PIN is just that. UK Issuers will win but the merchant will most certainly not.

  21. Jayne M.

    Two weeks ago on receiving a bank statement, I discovered that I had been the victim of card fraud....there were 8 transactions on my account of cash being taken from cash machines. I still had the card in my possession and I have never used a cash machine in my life. The bank is investigating, and they inform me that the correct pin number was used, there were no 'mis-hits'. I have never used a cash machine in my life, and prior to the introduction of chip and pin, I had no knowledge of my pin number. The bank seem mystified as to how this has happened, and so am I. They are issuing me with another c&p card, but I'm afraid to use it, as this could happen to me again, as no one seems to know how it could have happened. Prior to my card being changed to c&p in October, I have never had any problems with bank cards.

  22. anonymous

    Now it seems even easier to steal all your money. Mr Fraudster can now make a machine that not only clones your card but it also captures your pin number too - and he could make it look just like a chip and pin machine.

    Ok, so I haven't seen one yet, but surely it's only a matter of time !

    Take these scenarios...

    1. Without chip and pin:
    You steal my credit card, you can't do much with it, only mail order and even then you usually can only get items delivered to the cardholder address. I suppose you could practice my signature then try to pass off as me in a shop if you were good enough. The shop keeper manually verifies the authenticity of the signature and also has the option to ask me for other ID if he/she so wishes - or even to refuse the transaction completely.

    2. With Chip and Pin
    Ok, you just saw me enter my pin at the chip and pin counter. Now you steal my card. What can you do ? Visit every cash machine in the country and draw money out of my account.

    So which is more secure ?

    Side issue...
    Is there a law about shops using CCTV cameras pointing at the counter and the use of chip and pin ?

  23. anonymous

    It's either a banking error or you ought to look a bit closer to home! .... someone (possibly your kids/partner?) has been dipping into your account. If it's not huge amounts that have emptied your account within a few days, it's someone you know.

  24. anonymous

    The magnetic strip on a chip and pin is its weakness - perhaps card holders should consider removing/damaging the magnetic stripe to prevent reading.
