What's the truth about C&P?

"Mike Scott" wrote

Hey, Mike - someone had 50 quid stolen the other day and *you* will have to pay - because you cannot *prove* that you didn't steal it!! Or do you think you won't have to? - If so, what's the difference?

Reply to
Tim

The C&P site (and bank sites which reproduce some of the content) are still saying "In France, although French customers use PIN already, UK cardholders will continue to use signature for some time." I had nearly all my cards replaced with PIN versions in the first half of last year, but the first time I had the opportunity to use them with their PINs was not until September - and it happened in France! I used cards in restaurants, and a hairdresser. Admittedly nearly all transactions still had to be signed for, but that's not the point. Over Christmas in Belgium I used PINs for nearly all my transactions; some had to be signed for, but I was told in one shop that the equipment would be upgraded this month. So signatures will be required for a while in various countries, but it is misleading to single out France.

Meanwhile, I am STILL waiting for Sainsbury's to install terminals (as well as Aldi and Lidl where I also shop). I'll be interested to see how they position the pads, too; in Belgium and France they are sensibly placed (in supermarkets) so that you face the queue when using the terminal. The positioning in my local Boots is far from user-friendly.

Chris

Reply to
micrometre

"micrometre" wrote

You should have refused to do both at the same time - if they are accepting PINs, then they shouldn't need your signature and vice versa - if you sign then you don't also need to enter your PIN.

You effectively authorised each transaction *TWICE*!!

[You should have worried about them harvesting your PIN number for fraudulent purposes - as the transaction was already authorised by the signature ... ]
Reply to
Tim

Without a hint of irony, "Tim" astounded uk.finance on 09 Jan 2005 by announcing:

Please don't mislead the public. Combination CVMs are specifically catered for within the EMV specs.

Reply to
Alex

No I didn't. What I meant was that the majority of transactions still had to be swiped; it was only in a couple of places that my UK card worked with its PIN. Where the PIN worked, I didn't sign.

Chris

Reply to
micrometre

The PIN. Or are you trolling?

Reply to
Mike Scott

"Alex" wrote

Really? - Well it's not me misleading the public anyway, it's every bank that sends out leaflets on C&P - all of which say that "when you use your PIN, you won't have to sign".

Why are they all getting it wrong??

Reply to
Tim

"Mike Scott" wrote

What, the PIN that will be guessed *correctly* on every one-in-10,000 tries by a thief?

Or do you think that the number of thieves guessing PINs is bound to be much, much less than that? If so, why?

"Mike Scott" wrote

Certainly not. Just irritated by the sort of misleading comments that you are making on this subject!

Reply to
Tim

Without a hint of irony, "Tim" astounded uk.finance on 10 Jan 2005 by announcing:

Who said they are? Just because *they* may decide not to use combo CVMs does not mean that nobody will. The answer is, as usual, ask your own bank. There's no general statement that can be made about such things.

Reply to
Alex

This has been done to death, repeatedly. The point is that PIN-terminal equipment is not secure. Either with camera or tampering your PIN can, unbeknownst to you, become known to others. After which you *cannot* prove you didn't use it - it's not like a signature: if your card details are used in, say, HK, and you happen to have been at Grannie's in Birmingham at the time, it cannot be your signature on the chit. If the PIN is the only security, tough cheddar.

Not helpful. I don't think I've posted anything that's materially inaccurate. If you know to the contrary, please let me know and I'll post a retraction.

Reply to
Mike Scott

"Mike Scott" wrote

Exactly! - This is an important reason why it is never necessarily *always* the cardholder who enters a PIN at a terminal, even when they have not been negligent / told anyone else the PIN.

"Mike Scott" wrote

... and similarly, the card company cannot prove that you *did* - simply because the PIN could have been used after any of the camera/tampering tricks you mentioned yourself (or even by a lucky guess).

"Mike Scott" wrote

Equivalently: "If your PIN is used in, say, HK, and you happen to have been at Grannie's in Birmingham at the time, it cannot be you who entered the PIN at the terminal..."

"Mike Scott" wrote

Eh??

"Mike Scott" wrote

How about :-

"Mike Scott" wrote [on 04/01/2005]

Which is (see above), of course, untrue.

Reply to
Tim

We'll have to differ on that one. The whole point of the PIN is that, like any other secret password, it is to authenticate the user - only authorized users are supposed to have it, and possession of it implies authorization. My understanding is that banks have *already* been stroppy about so-called phantom withdrawals at cash machines, and been very slow to admit that these can indeed be due to 3rd-party fraud, which I believe reinforces the point I've tried to make about chip&pin.

I would agree that we need to see what the courts will say when such cases appear. But if they say the PIN isn't evidence as to authorization, then what use is the PIN?

Reply to
Mike Scott

No it isn't. In this instance, I think Mike chose his words with care. Prima facie evidence is not the same thing as conclusive evidence.

But the key issue is that we fear the banks will try to have just such flimsy PFE treated as conclusive. "It must have been you, or else you can't have kept it secret, in which case it's still your fault. Heads, we win, tails, you lose."

Reply to
Ronald Raygun

Thank goodness someone has got the message :-)

Reply to
Mike Scott

Without a hint of irony, Mike Scott astounded uk.finance on 11 Jan 2005 by announcing:

It increases the difficulty of generating a fraudulent transaction. The next step would, of course, be biometric authentication for each transaction. We know that even this would not be 100% foolproof, however.

Reply to
Alex

"Ronald Raygun" wrote

... in which case, you sue the bank for libel. They aren't allowed to go around slighting your good name, without actual proof that what they say is true!

Reply to
Tim

"Mike Scott" wrote

... but only up to a certain tolerance - which is *not* (even meant to be) 100.00% accurate.

It is simply a means of *limiting* fraud to *tolerable* levels - *not* of "proving" that the person entering the PIN is indeed the true cardholder.

"Mike Scott" wrote

Rubbish. There are only 10,000 possible 4-digit PINs. There are many millions of cards. Therefore several *other* people (apart from yourself) *must* have "possession" of *your* PIN.

"Mike Scott" wrote

"very slow to admit" = "they *have* now admitted"

"Mike Scott" wrote

Of course.

"Mike Scott" wrote

It would appear that the card companies are happy enough to accept that, in most cases where a PIN has been entered, it will have been done by the true cardholder. It will then be up to them to shoulder the liability when the PIN was entered instead by a fraudster - it is their choice to use this system.

In that case, the PIN is useful to show that *most* transactions made with it are genuine - and it need mean nothing more. If the card companies can dream up an even better system, that shows that an even greater proportion of transactions (made under it) are indeed genuine, then they can introduce that instead!!

Use of the PIN cannot show that the transaction **was indeed** made by the cardholder in every single case.

If a true cardholder tried to insist that they had not authorised a transaction which they had indeed made, then other evidence can be used to prove it was them - eg CCTV, witnesses, etc etc. The PIN system does not mean that cardholders could get away without paying, just as much as they cannot insist that they didn't sign the voucher when they did!

Reply to
Tim

Without a hint of irony, "Tim" astounded uk.finance on 11 Jan 2005 by announcing:

Remove the ones that will be rejected as insecure and there are even less.

Reply to
Alex

True.

But I think people may have lost sight of the required level of proof. The bank would only have to show >50% likelihood that the cardholder was responsible for the transaction (whether by using or having revealed the PIN), not anything like the "beyond reasonable doubt" required for a criminal case to succeed. Nor does "innocent until proven guilty" apply in a civil case. Assuming the PIN has been used, it seems that it will necessarily be up to the cardholder to show he wasn't one way or another responsible, which as I think I've implied, he may assert, but most likely cannot prove.

I get the feeling there are two rather entrenched views about all this; I don't really think I can add any more that would be useful. Meanwhile, I shall use my chip & signature card extorted at great effort from my bank, and so won't be the one in the firing line.....

Reply to
Mike Scott

But doing that makes the remaining ones less secure. No PIN is inherently less secure than any other.

Reply to
Graham Murray
