Could cause some fun if the "checkout chick" has not been properly trained. I remember, many years ago, being told by one that there was "something wrong" with my RBS switch card as it did not have an issue number.
Just have patience.
I have no idea whatsoever. But the fact remains it looks possible, yet "the system" is claimed to be secure. Bit like touting the merits of the new front door lock, while the back door is left wide open.
No, I'm just pointing out that the simple assertion "reduction is good" ignores various ramifications. Which is probably ties up with the lack of a good metric for crime reduction (10 petty thefts == one grand larceny perhaps? :-) Is it "better" to annoy 10 poor people slightly or one rich person a lot?)
Nevertheless, signatures are more difficult to fake convincingly, so that after the event it is often possible to tell that a signature was fake, whereas a PIN, once discovered by a miscreant, is trivially faked, and much more difficult to prove not to have been used by the card holder.
And PINs can also be guessed with a reasonable chance of success, particularly given partial results from clandestine observation.
Checkout chicks could be given more rigorous training and instruction, backed up by the threat of being held jointly liable if they accepted a signature which was obviously Mickey-Mouse, and should be encouranged to refer to a supervisor any signatures which look a little odd.
Signature technology has a way to go yet. I'd have thought it ought to be possible to capture a cardholder's signature digitally and store it in the chip, so that it doesn't appear visibly on the physical card itself. The new generation of card readers could have a display screen on which the customer's signature (read from the card's chip) is flashed up for the checkout chick to compare with the customer's signature on the till roll. That way the fraudster is denied the opportunity of practicing the signature beforehand, and this type of fraud would then only be possible with the checkout chick's collusion (e.g. by photographing the signature off the screen). Risk can be minimised further by requiring the PIN *as well*, so that the card would not send the digitised signature to the machine unless a valid PIN had been provided.
Another possibility (but I don't think technology has quite advanced enough yet to make this realistically feasible) is not to store the sig on the chip, but instead to capture the signature either by camera or pressure pad at point of use, and to transmit it for online verification at card HQ.
Hell's teeth! Will you be throwing a colonation party?
Yes, by means of existing tried and tested signature technology. If, as you said, cloning has been the single biggest means of fraud, then chips address that problem because they are effectively impossible to copy, unlike magstripes, and therefore fraudsters will no loner be able to use copied cards but have to use stolen originals.
Having to use stolen originals also means they will have to practice the signatures thereon, which is a non-trivial exercise, whereas if they use copied cards, i.e. blank cards onto which they copy the magstripe info from a card which has been temporarily in the restaurant waiter's possession, then they can put their own "signature" onto the blank strip which will not be difficult for them to repeat "in action" to the satisfaction of even the most scrupulous checkout chick or her supervisor.
Well, C&S is what I'm advocating! I don't accept the need to deny this to everyone. I'm saying that slovenliness among checkout chicks needs to be eradicated.
As I said elsewhere, my Amex appears to be C&S without my having asked for it to be.
It is not faulty logic. You had said that the principal problem is cloning. Chips solve *that* problem because they cannot be copied.
What do you mean it cannot be left to humans? The system of human verification has been -by and large- very successful for decades, with fraud only escalating in scale as aresult of easy clonability.
We are already seeing what happens. Victims of fraud are being accused of fraud.
And another thing. Traders have been paying pretty high rates of commission for the convenience of being able to take payment by card, figures of 2.5% to 3% are typical. It is said they are so high because they include the cost of underwriting fraud losses. If this new system really does cut fraud (without leading to reduced use of cards because customers are pissed off by the perceived increase in risk to them personally (as opposed to risk to the bankers)), are we going to see the commission rates come down? I doubt it. Frankly, I'd rather pay the 3% on the understanding that it contains fraud insurance than pay 1% and carry the risk myself, even if the risk is much smaller, because *to me* the risk is bigger (because no-one else will underwrite it).
At 12:37:31 on 18/01/2006, Ronald Raygun delighted uk.finance by announcing:
And as your Ts&Cs say, it's not *your* card.
At 12:48:06 on 18/01/2006, Ronald Raygun delighted uk.finance by announcing:
But not by the organisations who matter; the police and CPS.
A pedantic irrelevance. We all know what he meant.
It does matter if the victim loses money, and in any case if the bank were serious about it they *would* involve the police.
At 15:08:22 on 18/01/2006, Ronald Raygun delighted uk.finance by announcing:
The 'victim' will only lose money if they do not follow through on their statutory rights.
Involving the police is not the same as the police (or CPS) charging the customer with fraud.
True, but not everyone is aware of them, many will just give up in despair.
The police never charge anyone spontaneously, but act on information received. If the bank involves the police, this is a process of supplying just such information and it would result in the customer being charged if the CPS felt there were sufficient prima facie evidence for there to be a case to answer.
At 16:38:22 on 18/01/2006, Ronald Raygun delighted uk.finance by announcing:
Exactly. Or the CPS could tell them not to be so bloody daft. It depends on the evidence, which must be stronger than "But the PIN was entered so the customer MUST be at fault!"
There is a cloning risk until the *mag stripe* has been removed. Unless when you say "all old style machines" you mean all of them in the world.
I wonder if anyone has sandpapered the stripe off a C&P card just to avoid this type of fraud? After all, it should no longer be needed in the UK, should it?
At 18:44:46 on 18/01/2006, Jim Hatfield delighted uk.finance by announcing:
What happens in those merchants who don't use the chip yet? What happens to those merchants whose chip reader is currently broken? What's to stop a fraudster reading the mag track information off the chip and writing a cloned card?
the security protection of the chip itself prevents it being read.
At 19:53:56 on 18/01/2006, Tumbleweed delighted uk.finance by announcing:
Rubbish! Where did you hear that? You cannot read the private area of the card. The track 2 information (the part of the card that holds your card number) is freely available by requesting tag 57, Track 2 Equivalent Data, which contains an exact copy of the track 2 information without the start & end sentinels and the LRC.
I stand corrected. Thats very scary. So you dont even need to read the magstripe. I wonder why they didnt make it all private data in the chip?
Do you know what protection there is against the firmware in readers being hacked? All you need is a crooked employee that would substitute a device for a day or two then swap it back and you could get the basic card info and the PIN for all the cards that were read.
Given that someone had the sophistication to access a payroll db to get personal info in order to create false bank accounts that were then used to get govt payments, it cant be too long before we see something like this. Basic card details and the PIN would be enough to get money from foreign ATMs for a very long time. And maybe UK ones if they still 'talk' to a C&P card whose chip isnt working.
At 20:46:14 on 18/01/2006, Tumbleweed delighted uk.finance by announcing:
Because it doesnt need to be! The same data's printed on the front of the card; it's hardly secret. The same information could be retrieved with a buttonhole camera - with the benefit that you'd have access to the CVV code which isn't stored on the chip AFAIK.
I know what types of protection there are, yes.
BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.