Game over for Chip and PIN?

At 18:47:39 on 08/01/2007, snipped-for-privacy@yahoo.co.uk delighted uk.finance by announcing:

It is still for the bank to prove.

Sam Nelson writes

Wasn't the old method safest, when they had a highly skilled calligrapher on every till to check your signature carefully? I reckon they only looked at it once in 100 times...

"Alex" wrote

If just the embossing on the card was a satisfactory fallback from magstripe, then why isn't just the embossing also a satisfactory fallback from C+P ?

In other words, why do we now *need* the magstripe fallback **in addition** to the embossing fallback?

At 13:07:26 on 09/01/2007, Tim delighted uk.finance by announcing:

Because the embossing requires a manual imprinting process whereas the information on a magnetic stripe can be processed electronically.

So what? Since a fallback is only needed in exceptional circumstances, the need to fall back to a manual process only exceptionally cannot represent that much of a problem.

In any case, there's no reason an embossed card could not be processed electronically after the numbers had been manually keyed into a terminal. That's what happens with telephone orders all the time.

"Alex" wrote

Then why didn't we also "need" an electronic fallback in the pre-C&P days?!

Wasn't the "manual imprinting process" fine & OK for the fallback system back then? ;-)

At 17:12:17 on 09/01/2007, Tim delighted uk.finance by announcing:

It's not a case of not needing one; there wasn't one that could be used.

Not really, but it was the best thing available. BTW - as of a few years ago, it was still the method used in over 80% of transactions worldwide.

Harvesting PINs and cloning cards certainly is an industry.

At 18:19:03 on 16/01/2007, James delighted uk.finance by announcing:

"They believe hundreds of thousands of pounds may have been stolen when card details were copied at an ATM machine outside the garage in Princes Avenue, and from a scanning machine inside the garage shop."

The first one would have happened irrespective of EMV, the latter is possible because of it. However, if EMV was adopted worldwide it wouldn't matter in any case; nobody's ever cloned a chip so far. It's also worth remembering that the bank/merchant operating the ATM/terminal is liable for any fraud if they do not perform an EMV transaction.

"The size of the fraud appears to bring into question the effectiveness of chip and pin technology, which aimed to reduce identity theft and bank card crime."

No it doesn't. It highlights the fact that every ATM/terminal needs to be upgraded as a matter of urgency.

I fully agree with you it does highlight that ATM terminals need to be upgraded - but as we both know, by November last year only 1 in 4 ATMs were upgraded according to the BBC.

Alex wouldn't you agree that the cloning and PIN collecting which took place inside the garage would have possibley covered both debit AND credit cards - I should imagine about a 50/50 split.

My whole point is why use a PIN with a credit card? When that card if cloned can be used with a valid PIN to hit 3 out of 4 ATMs in the UK and almost 99% world-wide.

There if you opt out of the PIN part of C&P and continue to Sign (and you can) - these crooks wouldn't be able to hit ATMs with forged credit cards, poping one card after another into the said cash point.

There are enough instances now where genuine cards have been stolen, the PIN acquired and the card has been used to obtain cash AND buy goods - and victims are being hauled over coals to prove they've not been negligent with their PIN. Why be responsible for something - a PIN, which industry can't guarantee it's integrity when you don't need to be.

Sign with your credit card - you know it makes sense.

At 20:04:00 on 16/01/2007, James delighted uk.finance by announcing:

Because there's no way for the card to verify your signature.

But they'd be able to forge your signature.

Armed with a cloned or stolen card & PIN they can hit any ATM, or any shop and never be challenged. In fact crooks can have loads of cloned cards with PINs and as I've said pop them into an ATM one after the other.

If you've no PIN, they can't hit ATMs. The need to physically face down shops staff, they have to produce a card that at least looks valid other than use a blank piece of plastic which they can enter into an ATM.

Oh yeah and I just picked this up:

A bank was ordered to compensate an 80-year-old woman ?1,500 after she lost thousands through ATM fraud. She had never used her card or PIN but over a 10-day period ?700 per day was taken out of her account

I wonder what this 80-year-old went through to get her compensation?

At 20:52:23 on 16/01/2007, James delighted uk.finance by announcing:

And the ATM operator or merchant is automatically liable for such a transaction since it was not conducted according to EMV rules.

Is it possible to tell from the outside which ones have been?

I currently don't have any C&P cards but it would be useful on occasion to be able to use a cash machine rather than to have to go to a supermarket and get cashback. If I were to get a C&P debit card and sandpaper off the magstripe, that would presumably render it secure against cloning, but only usable in ATMs which had been converted.