Monday, 9 June 2008

Drop the PIN

Banks in Australia are starting to push the idea of using a PIN instead of signing for credit card transactions.

This sounds as if it should be more secure. After all, it involves the new wonder magic, "technology". However, there is a serious downside to using a PIN instead of signing: if someone spots you typing the PIN and then steals the card, they can use it at an ATM. If they steal the card without knowing the PIN, they can only use it to make purchases, and doing so carries a range of risks that do not apply to using the card at an ATM.

If the thief has only a signed card and no PIN, they can only use it to make purchases, and each purchase carries risks, any of which could end in arrest:

  • through bad luck, they use the card with someone who knows you
  • the forged signature is not good enough and they are unlucky enough to encounter one of the more vigilant shop assistants
  • they were not quick enough, and you have already reported the card stolen

On the other hand, if they are able to see you typing the PIN and then steal the card, they have the option of going to the nearest ATM and drawing cash up to the limit of your card. At worst, if they misread the PIN or you were very quick to stop the card, the machine swallows the card. While some ATMs have cameras, it is not hard to find one in an isolated spot and cover your face, so the risk of being caught is slight.

How likely is it that someone will spy on you, spot the number and nick your card? It's a lot more likely when you are shopping than when you are using an ATM:

  • You have distractions: there may be screaming kids, and you are watching your belongings, moving bags around and checking that the total matches what you thought you had spent.
  • The keypad is easier to see: an ATM is designed to screen you from an observer unless they are looking over your shoulder. Some PIN pads have limited screening around the key area, but many have none.
  • You are more likely to leave the card lying around because of the distractions, and not notice someone taking it.

A study by a Czech university has shown that it's not terribly hard for a determined thief to see what you are typing, even if the keypad is shielded.

How does this all apply to EFTPOS transactions with a debit card? Pretty much the same way, except that with your debit card the thief can only steal money you already have, whereas with your credit card any cash withdrawn at an ATM will attract interest at a rather unfavourable rate.

Is there a better technological fix? Yes. Having the customer sign electronically on a pad that records not only the finished signature but also the details of the pen strokes would make a signature much harder to forge.

So why are banks doing this? Because it shifts responsibility for security away from merchants and from the banks' own systems. In other words, it makes security the cardholder's problem.

What can you do?

If offered the option of a PIN, just say no.
