Ten reasons Chip 'n' Pin cards are bad

Originally written by Paul Vigay, 1st Jan 2005

What is Chip and PIN?

According to a leaflet from Abbey:
    "Chip and PIN is a new, more secure card payment method that's gradually being introduced by banks and shops across the UK. When you use your card to buy something in a shop you key in your Personal Identification Number (PIN) instead of signing a receipt. This is the same PIN you use at a cash machine to take out cash. Shops in your area may be using it already and it will be common at all major retailers by 2005."

It goes on to say,
    "Chip and PIN is designed to reduce card fraud and the hassle it causes. Built-in microchip technology protects the data on your card from being copied or altered."

1. They're not secure

For a start, there are infinite subtle variations of personal signature, which are all unique. There are only 10,000 (10x10x10x10) combinations of PIN code due to using a four-digit number. From a technical point of view, this is roughly 13-bit encryption (2^13 different permutations), whereas current eBanking and shopping on the internet uses 128-bit encryption (2^128 different permutations). Because security is exponential in the number of bits, this is many billions of times more secure, so it seems that high-street shopping has suddenly become billions of times LESS secure than online shopping.

Far be it from me to say I told you so, but here are just a few recent (i.e. since I wrote this article) reports of Chip and PIN cards' insecurity

2. They create sloppy security

Because all cards are moving to Chip and PIN, and many people have several cards, it's highly likely that most people will use the same PIN number for all their cards - how many different PIN numbers can YOU remember? This means that if someone loses their wallet containing more than one card, they can all be compromised.
Another worrying scenario I've been alerted to is that many old people simply can't remember, or don't know how to use, their PIN. One recent example involved an elderly woman paying for goods in a local post office. When the cashier asked her to place her card in the card reader and enter her PIN, she became flustered when it didn't appear to work. She tried to enter the PIN a couple of times, to no avail. The cashier asked her if she'd entered the code correctly, to which she replied, "I have. It's 8288 and I've entered it a couple of times". The cashier immediately told her not to tell anyone the PIN - but it was too late - any muggers or potential card thieves already knew her number in case they wanted to grab her handbag outside.
Another scenario which was recently pointed out to me is that a lot of large supermarkets now have CCTVs pointing at the tills - for their own security. These can often record people entering their PIN numbers, so this is another area of insecurity.
Other people who either can't remember their numbers or don't know the implications of sloppy security have been known to write the number down on a piece of paper, even storing it in their wallet or purse! Of course, banks have been warning of the dangers of this for years, but until now people have been free to not worry about remembering PINs because they can simply sign for goods. I predict a return to cheque books for many people, which will inevitably lead to longer queues and delays in shops.
See an article on 'easy to remember' PIN codes on Bruce Schneier's website.

3. They will lead to higher crime

As mentioned above, because of the insecurity of the PIN code, cardholders will be an easy target for pick-pockets or muggers. Some muggers may also threaten people with violence until they reveal their PIN code - before carrying out fraudulent transactions - which are perfectly legitimate from the bank's verification point of view. Previously, you'd still have to fake someone's signature if you wanted to fraudulently use their card. Plus, because the PIN reader machine is often on the customer side of the counter in shops, the card doesn't even have to be passed to the shop assistant for verification, so you could steal and use a card from a member of the opposite sex - a simple security check which is now removed, by having people enter their own PIN into the machine.
And don't forget that it's relatively easy for someone to look over your shoulder and see what digits you enter into the terminal. This will become worse as people become more accustomed to the system, and thus blasé about checking who's behind them.
As always, because the public erroneously perceive the cards to be more secure when, in reality, they're less secure, this will lead to more crime because the rewards will be higher for card thieves and fakers.

A topical article has just appeared on talking of precisely the dangers I predicted.

4. They shift the cost of fraud from the bank to the consumer

Because the PIN code is deemed to be secure, and because it's digital, you have no evidence to prove your innocence in the case of fraudulent or incorrect charges being made to your card. This is one of the main reasons for the banks implementing Chip and PIN cards - because it removes the cost of fraud (already many millions of pounds a year) and shifts it to the consumer or small business/shop.
In the event of disputed transactions previously, you could point out that you didn't sign for anything, or your signature is a fake (signatures being much more secure, each one being unique).

5. They make it harder for you to prove your innocence in cases of transaction dispute

Once a valid PIN number has been entered for the transaction, you have virtually no way to prove the transaction wasn't valid. The onus has shifted to a presumption of guilt unless you can prove your innocence. Because the system is entirely digital, with no input from the customer, how do you prove to the bank that it wasn't you that entered a valid PIN code? You'll be treated the same as a criminal who has to prove an alibi or provide evidence they were geographically somewhere else when the transaction took place. Previously you only had to prove the signature wasn't yours - and signatures are much more secure, each one being unique instead of one in 9999.

6. They will lull people into a false sense of security

Again, the general public are being baffled by science or technology. Because the average consumer doesn't understand digital encryption or electronic security methods, they tend to rely more on what the bank and media feed them via leaflets or technospeak.
Even now, I get people thinking that I'm scaremongering by writing this article, but that's generally caused by their own ignorance of how the system works, or by how they've been convinced of the false security by the banks' propaganda.
If you're unsure, I urge you to do your own research. Try some of the following websites for more information:-

7. They're more inconvenient or embarrassing

As experienced by the elderly lady in the post office, mentioned above, you're now being forced to remember your PIN code, even if you never previously used it for obtaining cash from a cash machine. If you have a new Chip and PIN card you now have to use it, so if you can't remember your PIN or you don't understand how the technology operates, an extra feeling of embarrassment when faced with paying for things will lead to people feeling flustered or confused, especially if your transaction is declined through simple operator error or even machine malfunction.
Again, if you feel intimidated or embarrassed at making a mistake, I'd advise you to go back to using cheques or cash to pay for goods and services.

8. They are a stepping stone to worse things to come

Because Chip and PIN cards are destined to fail to provide the level of security or remove bank card fraud, I foresee a situation where the government steps in and suggests that an ideal solution would be to combine Chip and PIN cards with National ID cards, and thus they are merely a stepping stone to more draconian and Orwellian schemes to come. You've possibly heard of implantable micro-chips - currently being developed and tested. However, the public is not ready for this, so the government can't take huge jumps, purely because the public would see through their motives and agenda. Thus, they have to make little steps at a time. That way people won't perceive so much change occurring - until they stop to examine how far things have progressed in a relatively short period of time.
Of course, once Chip and PIN or ID cards have been seen to fail, the government can start imposing 'more secure' or 'better' schemes for security. They'll admit defeat and once security loopholes and breaches have been publicised, the government will be able to offer an alternative 'solution': how about implantable chips with your details stored on them - no card to lose or get stolen and you can just swipe your finger on a sensor to pay for goods! Always with you - and we can even put your medical records on it, just in case you're involved in an accident and doctors need your information urgently! Just look for the excuses used to manipulate the next stepping stone of global control and your eroded freedom and privacy.

9. They will cost retailers and small businesses more money

As already mentioned above, and confirmed by BBC News, resellers who aren't already (as of 1st Jan 2005) equipped to accept Chip and PIN cards by installing up-to-date card readers are now liable for losses incurred through fraudulent transactions.
Again, as predicted, resellers and consumers are bearing the cost of fraud, rather than the banks.

10. Less peace of mind

For all the reasons stated above, the introduction of Chip and PIN cards will lead to more confusion, less security, more fraud and crime and less peace of mind for end consumers.
I would urge you to boycott them and use alternative methods of payment, such as cash and/or cheques.

Real life stories involving Chip n Pin cards

(see also reasons to refuse National ID Cards)

Copyright and Distribution
Please feel free to copy and distribute this article as widely as you can, or alternatively just link back to this page.
Comments and suggestions for improvement are welcome.

