Re: smart card versus credit card

From: James (jjamies_at_tiscali.co.uk)
Date: 03/16/04

    Date: 16 Mar 2004 14:43:03 -0800
    
    

    Daniel James <wastebasket@nospam.aaisp.org> wrote in message news:<VA.000005bd.00fc7940@nospam.aaisp.org>...
    > In article news:<471fc78e.0403080330.534c90dd@posting.google.com>, James
    > wrote:
    > > > What is the source of those figures?
    > >
    > > Sources: Card Fraud the Facts 2003 (www.cardwatch.org.uk - Media)
    >
    > Interesting site - hadn't seen that one.
    >
    > I note that it says: "If the chip and PIN system was not put into
    > action, forecasts show that UK losses would be in the region of £800
    > million by 2005" -- that's annual losses for 2005 alone. Makes the cost
    > of implementing the system seem quite cheap.
    >
    > They also say: "Other crimes such as burglaries, muggings and car
    > break-ins are often motivated by the opportunity to steal payment
    > cards".
    >
    > > For smart cards to be totally effective, every single ATM machine
    > > and point of sale terminal not only in the UK but world-wide must
    > > be capable of interrogating smart cards. Until that time Plastic
    > > Cards with Magstrips and Chips will still be subject to cloning.
    >
    > To clarify: The magstripe component of the card will be subject to
    > cloning, the smartcard part will not. Retailers will presumably have to
    > decide for themselves whether to accept a card with a magstripe and no
    > (functional) chip, or whether to reject any card with no chip (or a
    > dummy chip) as unacceptable or whether to process it as a magstripe or
    > (more likely) paper slip transaction. If fraud then occurs, presumably
    > the retailer will be expected to bear the cost?
    >
    > > The retailing position is that retailers who own their own
    > > terminals and decide not to upgrade to Chip & PIN type terminals
    > > by the end of this year will be liable for fraud that a C&P
    > > terminal could have prevented. This will be a commercial decision
    > > for them.
    >
    > I imagine some will be early adopters, while others will delay the
    > upgrade until their POS equipment wears out. As you say - a business
    > decision.
    >
    > > I wonder what the position will be for a retailer or cardholder
    > > when someone acquires a genuine card and PIN, then uses it before
    > > it is reported lost or stolen.
    >
    > One would hope that the retailer will not be liable in that case!
    >
    > If it were up to me I'd say that the cardholder should be responsible if
    > he has not safeguarded his PIN adequately ... but the banks are actually
    > quite good at covering losses that their T&Cs do not require them to
    > cover (it's good customer relations and seldom costs them very much) and
    > will probably continue to be so as long as the cardholder is not unduly
    > negligent in PIN management and is not thought to be party to the fraud.
    >
    > > You are correct, you can use a Smart Card without a PIN. A PIN
    > > opt-out with a Chipped Card is an option but it is like pulling
    > > teeth trying to get this information from card issuers.
    >
    > As I said, I have VISA credit and debit cards that contain chips. Many
    > retailers at which I have used these cards do use chip-readers rather
    > than magstripe readers to obtain the card details, but no PIN checking
    > at POS is yet being done (I'm not even sure whether these particular
    > cards are ready for chip-and-PIN use).
    >
    > The most annoying thing about it is that the cards I have don't work in
    > unmanned French petrol stations - apparently the French chipcard system
    > predates the internationally agreed standards and many POS devices still
    > only recognize the older French cards.
    >
    > That makes running out of petrol quite easy in France, except at peak
    > hours and on busy (e.g. autoroute) services!
    >
    > > Banks in the UAE have upgraded their ATM terminals to include
    > > digital CCTV. Two reasons for this are to deter theft at ATMs
    > > and customer protection over disputed ATM transactions.
    > > Can you see UK retailers offering this added security measure
    > > at till points?
    >
    > Yes, certainly, if they thought it would be worthwhile in terms of
    > increased security. Why not?
    >
    > > Liability for Fraud. In all cases you are not liable for any
    > > transactions after you report your card lost or stolen. Assuming
    > > someone has acquired your PIN how can you prove you didn't
    > > compromise your PIN or in banking words were not negligent
    > > with it? At the very least with a signature you can say
    > > - that's not my signature nor are my prints on the shop's copy
    > > of the till receipt.
    >
    > If someone has acquired your PIN there are really only three possible
    > explanations:
    >
    > 1. You *were* negligent with your PIN and it *is* your fault.
    > 2. The bank's system has somehow been cracked and the bad guys know
    > *everyone's* PIN.
    > 3. Someone nicked your card and was incredibly lucky and *guessed* your
    > PIN before the card locked.
    >
    > (2) will be rather obvious, and the bank will *have* to admit
    > responsibility. (3) *will* happen, once in a while ... not so very often
    > if we're allowed to pick PINs of more than 4 digits. I wouldn't worry
    > too much about it.
    >
    > OTOH, my written signature never looks quite the same twice - my sister
    > can do it better than I can ... so, probably, can others. Sometimes I
    > sign a transaction slip and *I* think "that doesn't look like my
    > signature" ... but I've never had the signature queried. It currently
    > costs the banks a small fortune bearing the cost of fraud that *should*
    > have been detected and prevented by the retailer - it's high time that
    > imbalance was redressed.
    >
    > [Aside: My wife used to have a credit card with her photograph on the
    > back - good for security, you might think - but when the card was stolen
    > it was successfully used in a CARD PRESENT transaction by the thief, who
    > was of neither the same sex nor race as she! Retailers don't check (and
    > aren't likely to argue, if the customer is large and aggressive-looking)
    > but electronic security doesn't have the same potential for laxity.]
    >
    > > IMHO, a PIN with a credit card opens a window of opportunity
    > > for crooks. Opportunist thieves ... Chances of catching them
    > > are less than before.
    >
    > They have to be able to obtain both the card and the PIN - before they
    > only had to be able to obtain the card. I'd say that there are fewer
    > open windows with a PIN than without.
    >
    > > ATM fraud climbed by 37% in the UK last year. (source Card Fraud
    > > the Facts 2003).
    >
    > Most (all?) ATMs still use the magstripe. Most ATM fraud involves the
    > use of cloned magstripe cards. Smartcards will stop this. (This is not
    > an argument either for or against PINs, though.)
    >
    > > PIN security. What PIN security. Shoulder surfing is easy,
    > > try it. One ATM in particular is sited beneath an escalator
    > > - overhead surfing. Look at the new type PIN pads, you hold
    > > many of them in one hand and enter a PIN with the other. How do
    > > you shield your PIN?
    >
    > I agree that's a problem. The people responsible for siting ATMs need
    > lessons in security. I have heard of a case of POS fraud in which a
    > retailer's own security systems were used to monitor customers entering
    > their PIN - something to look out for. I have seen PIN-pads with
    > physical shields fitted to prevent "shoulder surfing" (where? Can't
    > remember. Australia?) - that sounds like a good idea and should be
    > adopted more widely.
    >
    > > From the Chip and PIN website, The Northampton Trial Report
    > > page 7, they say that; "The PIN proves customers are who
    > > they say they are." Sorry, but this is to say the least
    > > misleading or maybe just sPIN.
    >
    > <smile> Indeed - it's not proof, but it is corroborative evidence.
    >
    > > My preferred option is a Chipped card, with photo, signature
    > > and prompt given to shop staff that the cardholder (me)
    > > authenticates my signature with my print.
    >
    > I agree that a photo and thumbprint on the card would offer worthwhile
    > improvements in security - but the evidence is that retailers don't
    > check these things, and that they are reluctant to turn away business so
    > will give the prospective purchaser the benefit of the (sometimes huge)
    > doubt. The great thing about a PIN is that it is checked
    > programmatically - which is quick, cheap, reasonably reliable, and can
    > be enforced by the bank. I certainly agree that any extra checks that
    > are implemented on top of that are still worth making.
    >
    > > People who are harmed by PINS are: ...
    >
    > Yes, it's a shame that it will make life harder for those people, too.
    > No system is perfect, and while this one seems better than many it
    > still leaves room for improvement.
    >
    > The point is, though, that it will hurt criminals ... you left them off
    > the list.
    >
    > Cheers,
    > Daniel.

    The following has appeared on a UK consumer group within the last few
    days:
    A colleague at work has had his credit card stolen, he noted the loss
    within a couple of hours and informed the card supplier straight
    away. Unfortunately losses of £900 were run up. The card company will
    not accept the loss because his PIN number was used.

    James

