Capital One Chip and PIN?

I thought they'd made spam illegal, what more do you want? ;)

Not to mention those of us with about ten different cards thanks to chasing the 0% deals! Interesting question as to whether to change all the PINs to the same number ...

The next best thing to writing down the PIN onto each card is to devise a secret function which, when applied to the card number, gives its PIN. Then you only need to remember the function, not any actual numbers.

"Marcus Collie" wrote in message news:bu794a$e9s$1$ snipped-for-privacy@news.demon.co.uk...

Whilst I am not against Chip & Pin per se, consider this situation:

A customer buys something from a C&P enabled store, person enters PIN and PIN is either noted down by a "dodgy" store or - even worse - the terminal is actually a chip version of a skimmer and makes a copy of the chip and notes the PIN seperately. If the terminal is not a skimmer, the card could then be lifted by someone "affiliated" with the dodgy store and used.

The issue here is how would a customer know the PIN is not being recorded by the machine? I know proper Chip and Pin terminals merely verify the PIN stored on the Chip but surely some crooks out there must be considering making such terminals?

What happens in this case?

Bring on biometrics I say....

Regards, Far

"Marcus Collie" wrote in message news:bu794a$e9s$1$ snipped-for-privacy@news.demon.co.uk...

Most cards are not yet Chip and Pin in the UK- and virtually no large retailers are yet ready though there is one exception (might be Safeway) but thats only as they had plans to replace all their tills already.

See

The rollout only started in October 2003 and given that there are 850,000 shop terminals, 122 million cards and 40,000 cash machines being upgraded its going to take time.

Even if the rollout was on schedule in the UK (its not) it was officially estimated that 20% of cards would be "chip and pin" by the end of 2003 and it would take until 2005 before the majority of transactions would take place under the new system.

As for international use

says that "Other European countries expected to implement EMV standard Chip and PIN over the next five years include Austria, Belgium, Denmark, Finland, Germany, Iceland, Ireland, Israel, Italy, Luxembourg, The Netherlands, Norway, Portugal, Spain, Sweden and Switzerland."

5 years is rather a long time... - and in some cases the old systems may be used until 2010

Regards Sunil

Do you mean something like..take the last 4 digits and add 1 to each (Or 1 2

3 4) or whatever? Neat idea. Its either that or the same PIN for all.

I'd complained about those stupid measures and I don't think they like it when I say they're incompetent.

It's pretty straight forward how to stop spam but nobody in government has the balls to do it.

in

I realise you can be faced with a fake keypad but isn't the whole idea of genuine keypads that the number is not known to the store and the PIN is transmitted directly to the card company?

I wouldn't have thought so. What would they need a chip for then? I'd have thought the chip has the means to verify the PIN, and just gives a yes/no answer. The keypad machine basically asks the chip whether the PIN is right, and it can work it out without knowing what it is. There should be no need actually to transmit the PIN at all.

Yes, you're right. I looked at the following web site

It's doubtful whether anyone in this Government has any balls....

Regards, Far

Given that the original poster's query was regarding the fact that his card did not have a chip, I would suggest that in his case, it IS an issue

Most ATMs actually read the magnetic strip, not the chip. If the chip is going to replace the magnetic and signature strip system, it logically follows that the ATMs must also be upgraded. If you are going to be patronising I suggest you get your facts right first. FWIW no-one suggested that ATM security would be affected - I simply pointed out that the necessary upgrades were being made.

You seem to put a lot of stock into your use of the phrase 'at the moment'. The introduction of chip&pin will happen in the next few months and hence arranging for cc upgrades now is a sensible idea. How pissed would you be if you went shopping and then could not actually use your card?! In the context of the original poster's query, suggesting he do nothing now when he will need to change in 8 weeks (with a consequent risk of loss of service if no action is taken) or so seems a little silly to me.

Your suggestion that the technology is useless may well be borne out, but my local Marks and Spencer, Next and John Lewis all have the units operational already. Ergo, your allegation that no extra security is available at the moment is, quite frankly, wrong.

Marcus

"Marcus Collie" wrote

Your comment is silly - customers will not be turned away when the PIN machines do become operational, even if their credit card has not been re-issued yet by the cc company... [The two systems will work in tandem for a while.]

"Marcus Collie" wrote

I don't agree. Even if a *Chip&PIN* card is stolen at the moment, the thief will simply use it in a store which hasn't yet started using the PIN machines, hence there is no extra security there (yet) ...

Your antispam attempt is a bit more sophisticated but don't people who put something like snipped-for-privacy@petersaxton.co.uk just get caught out by programs that remove the NOSPAM automatically?

When I used my chip and pin card recently in a chip and pin reader, I asked what happened when customers could not remember their pin. I was told that the customer would just be asked to sign the receipt. I guess at some point in the future when everyone is used to the new system the card readers will refuse transactions if no pin is entered. Not sure if it is the retailer or card issuer who decides if the sale goes through if no pin is entered, or if the retailer accepts more risk if they let the transaction go through without the pin being entered?

This suggests a spam-avoidance technique : register a domain which *does* include the letters "nospam", eg "nospam-tim.com". Now if I gave my email address as snipped-for-privacy@nospam-tim.com, and the spammer program removed the "nospam" then they'd be spamming the non-existent email address snipped-for-privacy@tim.com, rather than the real address snipped-for-privacy@nospam-tim.com!

"Marcus Collie" wrote in message news:bubfok$dod$1$ snipped-for-privacy@news.demon.co.uk...

Incorrect, the OPs original q was about him getting better *security* by getting a chip and pin card, not getting a chipped card for the sake of it. No one here has yet suggested how the customer as opposed to the bank would get better security through chip and pin, you have only to read the press material to see its because the CC companies are losing (IIRC) 400m/year, they arent doing it to give us better security!

Well, if you want to be patronising you've made a good start by removing most of the original text so you cant see what I was replying to! But IIRC someone (you?) seemingly made the point that a chip and pinned card would require a PIN at at ATM as if that didnt happen now.

Thats because the OP was in a rush to get a chip and PIN card even though he'll be getting one within the next few months and since *at the moment* there is almost nowhere he can use the PIN capability. Hence I thought I'd say 'at the moment' since (a) its true, and (b) otherwise some pedant would point out that at a future date he could use it.

Not for individual users it isnt since he'll be getting one issued automatically well before the capabilities are in place to use them.

That is simply not going to happen because since such a high proportion of customers *with* such cards arent goung to remember their PINs anyway, the banks have trained us all for the last 20 years not to need them and poopooed other security measures. So, they'll just let it pass for the first several months, maybe even a year or two, they'll need extra publicity in the media and in stores to make this a success.

Lets get this straight, your supposition is that in 8 weeks time all credit cards that are not C&P will be refused by stores? That seems *very* silly to me! (Of course, if this highly unlikely scenario is going to happen, his cc company will of course be issuing cards within the next 8 weeks anyway

Extra security for who? The user, or the CC company?

FWIW I havent said the technology is useless, I've questioned who the security is for, which the OP appears to believe is for him, whereas chnaces are it will actually decrease his security. Thats not to say it wont save the CC cos oodles of money *in the long term*.

Your antispam attempt is a bit more sophisticated but don't people who put something like snipped-for-privacy@petersaxton.co.uk just get caught out by programs that remove the NOSPAM automatically?

A good reason to do something slightly more sopihisticated then.

Unless you're suggesting that the UK should cut itself off from the rest of the internet I don't see how the UK government can stop spammers in other countries, which is the bulk of the problem.