Americans to be guinea pigs in vast chip-and-PIN security experiment

Next year US banks will begin a wide-scale rollout of chip-and-PIN bank cards, just 11 years after the UK made it mandatory. In doing so, Americans will take part in a vast experiment to test chip-and-PIN against chip-and-sign when it comes to stamping out money thieves. Not every US bank is keen on the PIN system, so some …

  1. Someone Else Silver badge

    Possible option:

    Send the chip-and-PIN card back, and insist on a chip-and-sig, or I will close the account. Have done it several times with proximity cards.

    1. Bakana

      Re: Possible option:

      Chip & Sign will get resistance from most large chain stores because getting the Signature takes about 4 times as long as entering the PIN at the cash register.

    2. Dagg Silver badge

      Re: Possible option:

      Why, chip-and-sig is a huge fail! Nobody ever checks the signature; anyone can use your card and just sign with something that just vaguely looks like your signature. Doh!

      1. ITS Retired

        Re: Possible option:

        I can't write on those credit card thingies at the check out. My own signature sometimes does not look vaguely like my own signature. Then what?

    3. big_D Silver badge

      Re: Possible option:

      Here in Germany it seems to be down to the merchant whether it is chip and pin or chip and sig.

      Buying fuel is always chip and pin, buying groceries is often chip and sig.

      1. Charlie Clark Silver badge

        Re: Possible option:

        > Buying fuel is always chip and pin, buying groceries is often chip and sig.

        They're actually two different types of payment - chip and pin is an immediate and incontestable deduction from your account (Electronic cash), the signature initiates a request from their bank to yours (Lastschriftverfahren). Read about all the exciting possibilities…

  2. Daedalus

    50 ways to love your lever

    The USA does it differently, sometimes 50 times differently. It's not long since banks were local to states, or in some cases counties within a state. The US govt. can't always crack the whip to enforce one way of doing everything, even if it wants to. Sometimes the best it can do is promote a common model for everybody to work from. So if we appear to be behind the times relative to those in electoral dictatorships, bear with us.

    1. Spearchucker Jones

      Re: 50 ways to love your lever

      The US govt. CAN crack the whip. And if the whip doesn't work, they could just invade themselves and install puppet CEOs at the banks...

      1. Yet Another Anonymous coward Silver badge

        Re: 50 ways to love your lever

        But only if they had oil and WMDs

        1. Someone Else Silver badge

          Re: 50 ways to love your lever

          > But only if they had oil and WMDs

          Check! And...check!

        2. Tex Arcana

          Re: 50 ways to love your lever

          > But only if they had oil and *non*-WMDs

          Fixed. Because we murkins need flimsy excuses.

      2. P. Lee

        Re: 50 ways to love your lever

        Too late... the banks have already invaded and taken control of the government.

        And back on topic, where is my duress PIN? That is the old way to deal with the "I'll chop off your ear" threat. Perhaps too much "owner fraud"?

        1. Anonymous Coward

          Re: 50 ways to love your lever

          > And back on topic, where is my duress PIN? That is the old way to deal with the "I'll chop off your ear" threat. Perhaps too much "owner fraud"?

          Too open to abuse, plus confusion on what to do when they receive a PIN like that.

          If an abuse PIN exists, you may be held until the criminal is sure it's clear - or killed (easier). Next is what the bank would have to do if they receive a distress PIN: alert the police? Refuse the funds? Either activity could lead to more danger for the customer and (which is what REALLY matters) more risk and liability for the bank, so it's not going to happen.

          Apropos liability: it's exactly the shift from the bank having to prove it was you during a transaction to you having to prove it was NOT you who entered the PIN that will make this a done deal in the US. I still wonder why it has taken so long, other than the severe mental effort to memorise a 4-digit code.

    2. Irony Deficient

      make an afghan, Stan

      Daedalus, there have been national banks in the US since 1863, although even national banks can have just a single branch.

  3. Dan Paul

    BOA/VISA Don't even think of it!

    I will move to cash only if I get one more damn fee or charge from Bank of America. They can kiss my ass on a step ladder in the middle of Times Square if they or VISA think they are shifting the blame to me for bank fraud or card fraud.

    1. poohbear

      Re: BOA/VISA Don't even think of it!

      No one has mentioned WHY the banks are shifting the responsibility... one reason I can imagine is fraud perpetrated by customers. Let's take a chip-and-pin card. I drive a suitable distance from my normal places, withdraw some money from the ATM, and then shortly thereafter call the bank and report my card stolen. (I think I left it in the restaurant...). I then destroy my card, and wait for the bank to refund me and issue a new card. The banks have no defence against this other than to shift the blame to you. I agree that for most people, who would never dream of a scam like I've just described, it's unreasonable if their card is actually swiped or cloned.

      1. Richard_L

        Re: BOA/VISA Don't even think of it!

        Just go in disguise when you do this because most ATMs have CCTV covering them as they're great sites for mugging, bag snatching, shoulder surfing, fraud etc...

        1. Anonymous Coward

          Re: BOA/VISA Don't even think of it!

          > they're great sites for mugging, bag snatching, shoulder surfing, fraud etc...

          ...and dogging. :-b

      2. Anonymous Coward

        Re: BOA/VISA Don't even think of it!

        > No one has mentioned WHY the banks are shifting the responsibility... one reason I can imagine is fraud perpetrated by customers.

        Banks do know about this, and factor it in as cost of doing business (you and I pay for it).

        Source: my very candid bank manager. :)

      3. Charlie Clark Silver badge

        Re: BOA/VISA Don't even think of it!

        @poohbear, and just how much do you think you can scam like this? $100 - $200 at a restaurant? How far do you think you have to drive to "get away with it"? And how often do you think you can pull a scam like this? I don't think you have really thought this through.

        There are much easier and safer ways for you to make a quick buck off the system than this.

  4. phil dude

    credit unions...

    Besides, here in the USA there are credit unions as well as banks. These are normally much closer to their constituents than most banks, on account of their local founding status (not as strict as it used to be). Foisting unpopular things on them will be met with some resistance.

    Chip and sign is probably an improvement, and essentially what most UK users get in the USA all the time...

    But as the honourable Ross Anderson pointed out, one of the reasons Americans have resisted having a *secondary* piece of information associated with payment cards has been the threat of violence. It raises the criminal risk, since previously "skimming" did not require any extra information.

    Then again, perhaps bogus terminals will be quick to propagate instead...

    P.

  5. Anonymous Coward

    Unfounded concerns

    These are basically the same concerns that have been trotted out wherever chip & pin has been rolled out - and the forecast catastrophe has never happened. The weaknesses in the technology have proved to be pretty trivial compared with the hopeless lack of security inherent in the old mag stripe/signature system (particularly since experience shows the signature is never really checked), and the extortion of PINs at knife/gunpoint is as rare as hens' teeth. In fact most of the remaining card theft fraud we have this side of the Atlantic is actually a result of stolen European cards still being usable in places like the USA. Come on America, we did the experiment a decade ago - just get on with it!

    1. disgruntled yank

      Re: Unfounded concerns

      Well, cars and guns are pretty common in the US, so now and then ATM coercion does happen. I'm not sure the little fob thingies will make a difference.

      1. Eddy Ito

        Re: Unfounded concerns

        Let's not forget that card theft is often grab and run. Actual muggings are also a time-limited affair unless you really are at the far end of a dark alley, so it isn't likely that someone will stand there waiting for you to try remembering your PIN. Besides, it's much easier to search through the wallet/purse later for the scrap of paper all the PINs are written down on.

    2. Charlie Clark Silver badge

      Re: Unfounded concerns

      Going for details at gun or knife point is a high risk strategy for a criminal: the offence is no longer just theft but assault (or worse); the likelihood of witnesses rises with every second and there is a much higher chance of being identified.

      Online fraud is easier and safer for those practising it. The banks prefer online fraud too as the customer has all the risk.

  6. Gene Cash Silver badge

    Restaurants?

    So how will this affect restaurants, where the server usually takes your card and the signed receipt to swipe somewhere else?

    Some of the restaurants have Android tablets-with-card-swipe, but these are incredibly poorly implemented and so far I refuse to use them. For example, they let you play trivia games, and then charge you for that. As another example, they're on a separate wi-fi network from the patron wi-fi network (smart) but the wi-fi password was the chain name (dumb).

    Then they expect you to pay through the device, so if you want to pay cash, you then have to get the server to come back and deal with it. You can guess how well that's handled.

    1. Yet Another Anonymous coward Silver badge

      Re: Restaurants?

      They have little terminals that they bring to your table, with batteries and radio waves so it doesn't need wires.

    2. DaLo

      Re: Restaurants?

      If you let the waiter/waitress take your card away for swiping then you are asking to be cloned...

      The idea is that they come to your table to swipe or check the card or you go to them. Don't let them take the card.

    3. localzuk Silver badge

      Re: Restaurants?

      If you're letting someone take your card out of eyesight, then you're basically an idiot in this day and age. Either go with them to the payment machine, or pay with something other than your card.

      However, over here they just use mobile chip and pin terminals in most restaurants.

  7. James 100

    A friend has a local restaurant with a chip&PIN machine which prompts you for a tip first. He's told me an alarmingly large number of people accidentally enter the PIN as a four-digit tip ("Did you really mean to give me a £27.45 tip on that £20 meal, or would your PIN happen to be 2745...?")

    The ease of extracting and verifying the PIN is alarming, though: I would hope banks get wise to that and either disable those remote PIN-checkers, or start using different PINs for actual card transactions and those remote banking operations. Yes, criminals could then use actual card terminals to try a transaction - but of course that leaves a much stronger paper trail (they'd need an online terminal to process that transaction, giving the police something to hunt down).

    I liked the idea of chip&PIN, replacing signatures which really don't give any security at all, but there are indeed plenty of flaws in the current approach.
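An added example, not code from The Register or any commenter: a terminal-side sanity check for the "PIN typed into the tip prompt" mistake described above. It assumes a merchant terminal whose tip prompt takes raw keypad digits interpreted as pence (so 2745 on a £20 bill becomes a £27.45 tip) and a card scheme PIN length of 4 to 12 digits; the thresholds are illustrative.

```python
# Added example, not from the thread. Assumed: keypad tip entry in pence,
# PIN lengths of 4..12 digits, and a terminal able to re-prompt the customer.

PIN_MIN_LEN = 4      # shortest PIN the scheme allows (assumption)
PIN_MAX_LEN = 12     # longest PIN the scheme allows (assumption)
MAX_TIP_RATIO = 0.5  # tips above 50% of the bill need an explicit confirm (illustrative)


def pounds(pence: int) -> str:
    """Render a pence amount as pounds for the customer-facing prompt."""
    return "£%d.%02d" % divmod(pence, 100)


def tip_pence_from_keypad(digits: str) -> int:
    """Interpret raw keypad digits as pence; an empty entry means no tip."""
    if digits == "":
        return 0
    if not digits.isdigit():
        raise ValueError("tip entry must be digits only")
    return int(digits)


def tip_looks_like_pin(bill_pence: int, digits: str) -> bool:
    """True when the entry has a PIN-like digit count AND is out of proportion
    to the bill: the signature of a PIN keyed at the wrong prompt."""
    tip = tip_pence_from_keypad(digits)
    pin_like_length = PIN_MIN_LEN <= len(digits) <= PIN_MAX_LEN
    return pin_like_length and tip > bill_pence * MAX_TIP_RATIO


def tip_prompt(bill_pence: int, digits: str) -> dict:
    """Decide what the terminal does with a tip entry.

    A suspicious entry is discarded (not logged, not sent to the acquirer)
    and the customer is asked to confirm an amount shown in pounds, so a
    mis-typed PIN is never retained and the next prompt is unambiguous.
    """
    tip = tip_pence_from_keypad(digits)
    if tip_looks_like_pin(bill_pence, digits):
        return {
            "action": "reprompt",
            "tip_pence": None,
            "message": "Tip of %s entered on a %s bill. Confirm or re-enter."
                       % (pounds(tip), pounds(bill_pence)),
        }
    return {"action": "accept", "tip_pence": tip, "message": ""}


if __name__ == "__main__":
    # Constructed sample: a £20 meal, customer keys their PIN 2745 at the tip prompt.
    print(tip_prompt(2000, "2745"))
    print(tip_prompt(2000, "300"))
```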

  8. Greg J Preece

    The part I never got with chip & pin was the 4-digit limit on PINs. Then I moved to Canada, and was both pleasantly surprised and frustrated to find that PIN lengths here are variable between 4 and 12 digits, according to user preference. I have a PIN at the higher end of that range as a result. 4 digits is pathetic.

    1. Anonymous Coward

      > I have a PIN at the higher end of that range as a result. 4 digits is pathetic.

      314159265359?

      1. Yet Another Anonymous coward Silver badge

        Damn you guessed - now I have to change the universe

      2. This post has been deleted by its author

      3. Anonymous Coward

        that's a good one

        I like pie

    2. T. F. M. Reader

      PIN lengths here are variable... 4 digits is pathetic.

      So what do you do when you travel outside of the enlightened Canada and are presented with a prompt for a 4 digit PIN? Will the first 4 digits work?

      And what if 4 digits are not enough? I saw that at a petrol station in Italy once. Around midnight it was dark and empty, so it was self-service or nothing. I stuck my card into the slot at a pump and was prompted for the PIN. I punched my 4 digits in only to notice that there were 5 positions, and the device did not allow me to proceed with just 4. I turned to my Italian friend who was with me in the car and asked, "This is weird. Do your credit cards have 5 digit PINs?" She looked at me and said, "I wouldn't know. I have never had a credit card in my life."

      1. Anonymous Coward

        Re: PIN lengths here are variable... 4 digits is pathetic.

        Swiss PINs are six digits. Some GB machines accept them. Some accept just the first four digits, some threaten to block the card.

        It seems to me the biggest weakness is in the standard of the readers.

        As for online fraud: I cannot see that PIN or signature makes a blind bit of difference if one just types in the printed details from the card, or reads them out over the telephone (an ex-wife used my card to buy tickets to NZ for herself just like that). Certainly it has increased: there is infinitely more online shopping, and direct fraud at a shop or restaurant is considerably harder unless one knows the PIN, so fraudsters seek the easiest option - online or telephone. That demonstrates the strength of chip and PIN, not the weakness.

        Of course, many British and Swiss sites now demand that one verifies the transaction via a separate system after the card details have been entered.

        And signatures! Most waiters and shop staff are too busy even to look at photos on those cards with them. Those who check people's somewhat variable signatures (if it has not faded, been washed out when your wallet got soaked in that thunderstorm that drenched you through and through...) are rare indeed. A delightful neighbour managed to filch a cheque from me long ago and had no difficulty using it to get cash despite the signature being as unlike mine as is imaginable. It got picked up at the bank only because I happened to work there and a colleague, processing it, pointed out that it would make me overdrawn and asked whether I had really intended it. Only I checked my signature (in those days one had a cheque card just to provide a sample signature for comparison, to be shown as one paid by cheque).

        As with mobile 'phones, affordable health care and economical cars, the Americans are just catching up with modern life and technology for the masses.

      2. Greg J Preece

        Re: PIN lengths here are variable... 4 digits is pathetic.

        > So what do you do when you travel outside of the enlightened Canada and are presented with a prompt for a 4 digit PIN? Will the first 4 digits work?

        When I travel to the States and am lucky enough to get a chip machine, the longer PINs work just fine. I believe the restriction is in the card, not the reader.

  9. Bakana

    Not such a big change

    When you come right down to it, Chip & PIN isn't really all that different than most DEBIT Cards in use right now. It replaces the Magnetic stripe with the Chip. The PIN could easily stay exactly the same although I'd favor a longer, variable PIN like most Canadian banks use.

    The Chip Does have the advantage of being more difficult to erase by Accident when getting too close to a magnet.

    As far as the Crooks go, well I can still remember a news story years back when Washington DC's subway system was new. They bought machines to allow Magnetic fare cards that could be purchased with enough credit for days, weeks or months worth of rides. The CROOKS who were making counterfeit subway passes actually got the machines to make the Magnetic cards Before the Subway authority got Theirs delivered.

    The subway system found out when people started trying to Use the fake magnetic cards several days before they received any of the new machines.

    1. Yet Another Anonymous coward Silver badge

      Re: Not such a big change

      Slight difference. You know the warnings about checking for hidden card readers and cameras on ATMs where they might spy on your pin?

      With chip+pin you get to enter your pin in 100s of different terminals at every convenience store, gas station and cafe.

      If banks can't secure an ATM inside their own branch, how much do you trust the cyber security of the chip+pin terminal at Billy-Bob's muffler store?

      1. Dagg Silver badge

        Re: Not such a big change

        > With chip+pin you get to enter your pin in 100s of different terminals at every convenience store, gas station and cafe.

        Er, this is the same with your basic debit card, the only difference is you swipe the stripe and then key in the pin. You can do this in the same 100s of places on the same terminal that could be compromised in the same way.

        1. Greg J Preece

          Re: Not such a big change

          > Er, this is the same with your basic debit card, the only difference is you swipe the stripe and then key in the pin. You can do this in the same 100s of places on the same terminal that could be compromised in the same way.

          I've been tapping a lot recently, especially at the local 7-11. I have no idea what my tap limit is, but it seems to be ludicrously high - I put $200 through it a month ago and the reader just said "yep, sure" and processed the payment!

      2. Steve Davies 3 Silver badge

        Re: Not such a big change

        Which is why I use CASH most of the time for purchases under £20.00.

        When traveling in the US I make a point of NEVER EVER using a card at a convenience store even though I have a card that bills me in USD.

        I also use one card for Fuel and nothing else. Another Card (from a different bank) is only used for online purchases (I have forgotten the PIN).

        Spread your risk and use different PINs and you will have done everything you can to keep your money safe.

        1. Fred Flintstone Gold badge

          Re: Not such a big change

          > Spread your risk and use different PINs and you will have done everything you can to keep your money safe.

          Sensible, until you get mugged and have to cough up the codes to all of them with a knife against your throat. OTOH, with a signature card they don't need to bother.

  10. MrRtd

    I don't know about anyone else, but I like my chip-and-pin and contactless cards. Banks and anyone who has worked in retail know that it is rare for a signature to be accurately verified.

    It appears that some US banks are using these cards as an excuse to pass on the fraud costs to the consumer. I suspect they will offer fraud insurance at an additional cost. Remember it's all about reducing their costs and making more money from you.

    1. Vic

      > anyone who has worked in retail know that it is rare for a signature to be accurately verified.

      A long time ago, I had an accident which meant I could not use my right hand for several months.

      I would have to tell the checkout operators that I couldn't sign for my purchases - this was before Chip&PIN came in.

      None of them were pleased about the situation, but I didn't have a single transaction declined...

      Vic.

      1. This post has been deleted by its author

  11. AJames

    Americans are so funny

    Yes, by all means let's have a vast chip-and-PIN experiment. Except that the rest of the world has been on chip-and-PIN for years. Next you'll be telling us about a radical experiment with a brand-new system of decimal measurements!

    In any case, it's not so much about security as it is about liability. Concurrent with the switch to a chip-and-PIN card, you will get a nice little change of service agreement from your bank with lots of fine print which basically says that you are deemed 100% liable for any card transactions which they claim have used your PIN.

    No more of those messy fraud investigations, the customer is responsible! Never mind those pesky cases where the customer claims that he was half a world away and has never shared his PIN with anyone. Never mind those cases where it turns out that the bank lied when they claimed that the PIN was used. Minor incidents, nothing to get in the way of a great innovation in liabilityxxxxx I mean of course security.

    1. Fred Flintstone Gold badge

      Re: Americans are so funny

      > No more of those messy fraud investigations, the customer is responsible! Never mind those pesky cases where the customer claims that he was half a world away and has never shared his PIN with anyone. Never mind those cases where it turns out that the bank lied when they claimed that the PIN was used. Minor incidents, nothing to get in the way of a great innovation in liabilityxxxxx I mean of course security.

      Yes, they have done a great con job with that in Europe - and not a SINGLE regulator has as much as raised their eyebrows.

      However, it's not all bad news: this geographic difference is already used by a number of providers to question transactions. I have had calls about attempted transactions from across the globe when one of these online idiots turned out to retain CSVs and had their whole database stolen, and they picked that up because all my other transactions were elsewhere. I had to switch to another card as the provider barred it as stolen/copied, and issued a new one.

      1. localzuk Silver badge

        Re: Americans are so funny

        You're both wrong about that now. The UK law changed in 2009, making it legally the responsibility of the bank to prove it was a transaction authorised by the cardholder, rather than them simply brushing it off as "can't be done, as only you know the pin".

        So, the bank IS still liable by default, and regulators HAVE done something about it.
