Chip and Pin!!

[Guest Alison82]

Did you know that if you have fraulent activity on your account that was taken via a chip and pin transaction eg in a store you are not covered and won't get your money back!!??!!!

[barracad]

Yes - the argument is that they must have known your PIN to use your card, so the bank reckon it's your own fault.

 

If you are worried about this then request a chip and signature card instead - although some would argue it is easier for someone to forge your signature than it is to guess your PIN.

[Movingon]

I have opted out of Chip and Pin but I had to jump through all sorts of hoops to achieve it; I had to say that I have discalcula which makes it impossible for me to enter numbers into keypads accurately. I have to ask my family to assist when I need to use a cashpoint or buy something at a chip and pin terminal.

 

I received my Chip and Signature card this week and have yet to use it.

 

Anyone who says that it's easier to forge their signature than it is to obtain and remember a four digit number needs to change their signature. Accurately and consistently forging a good signature needs hours and hours of practice and much patience. A signature forger is also often unaware that the retailer is watching them sign; if it looks unnatural or if there are unnatural pauses while they're signing they can alert the authorities via their push-button very quickly... and the signature will be very carefully scrutinised in these circumstances. A four digit number? Most people don't cover their fingers while they type it in; in fact older people (I've noticed) tend to press each button carefully and slowly, peering at the keypad from a distance so that they can see it... meantime the bloke stood behind them is making notes... all too easy.

 

No - Chip and PIN is a nice easy way for the bank to avoid paying out for fraud, rather than a nice easy way for reducing fraud.

 

When they introduce retinal or fingerprint testing as part of retail purchases I'll be interested. For now I'll stick with my difficult-to-forge signature.

[Movingon]

P.S. I'm pretty convinced that if someone is a victim of card theft and usage, and their PIN was NOT compromised to their knowledge, and their security procedures were good, that there will be a reasonable case for recovering stolen money from the bank in the Small Claims Court if they claim PIN compromise. I'm not certain but I think that the onus would be on the bank to prove that you have poor security procedures rather than on you to prove otherwise.

[buzby]

That may be true, but ther problem is you have to go to court to gain satisfaction. Like you, I was horrified at the loss of protection, and demanded the RBS supply me with a signature card. Unlike you, I did not have to profess an illness, my claim that I wasn't going to take the responsibility of someone discovering my PIN and the bank using it as an excuse for my supposed lack of security. The card, which is branded Cashline/Maestro and previously had my photo on the reverse (which IMHO was a far better idea) arrived, and on using it I am asked for a signature.

 

The problem is, on trying to take money from an ATM (any ATM) the machine reports there's 'No PIN Stored' and the withdrawal is rejected! Complaining to the Bank they say this shouldn't happen but until the issue is resolved be prepared for the possibility of ATM functions being denied on Chip & Signature cards.

 

I now do my cash withdrawals at ASDA as a cashback - and that's not an inconvenience, but it's worth remembering!

[meagain]

It's worth noting that Chip & PIN is not entirely evil. Unscrupulous merchants and restauranteurs engaged in a practice known as the "double swipe". That is, they'd run your card through twice (typically claiming the first time wouldn't run) and take payment twice. With the new system, the entire transaction must be carried out within sight and sound of the customer, as the mobile terminals allow you to verify the amount that is being taken before authorising it.

 

Of course, the notion that your PIN was used therefore it's your fault is complete and utter genitals. This was never the case if someone stole your card and used it at a cash machine. If you suffer fraud, and your bank tells you it's all your fault, tell them to stuff it and sue them instead. Remember, cards and PINs are issued by the bank at their own risk - don't let them forget that.

[Movingon]

Remember, cards and PINs are issued by the bank at their own risk - don't let them forget that.

 

It is important for potential litigants that there is a source for this piece of information... what is the source? It certainly says nothing of the kind in my Ts and Cs...

[meagain]

It's a general legal principle that you are responsible for your own actions and decisions. The T+C probably state that it is at your risk, though I would imagine UCTA and UTCCR (and probably SOGASA) provide that the supplier cannot waive their usual risks and responsibilities and dump them onto you. They issue the PIN, they accept the risk of third-party fraud. Second opinion advisable.

[Guest NATTIE]

If you report the incident to the police as it is theft then surely the bank would have to reimburse on that basis alone. Why would you, if you were pulling a fast one, report it to the police? In relation to forging signatures, without wanting to get the post edited by a Mod, it can be done in a matter of minutes not hours. Who really checks signatures in a shop? I've had a card with my signature not very clear at all, and I have gone to a shop who have simply looked at me and not asked to additional ID which i had.

I have heard as well of instances possibly on a thread here, where shops have refused a CHIP and SIGNATURE card and insisted in a PIN number being put into a terminal.

[Movingon]

I have heard as well of instances possibly on a thread here, where shops have refused a CHIP and SIGNATURE card and insisted in a PIN number being put into a terminal.

 

That's nonsense because there is no PIN with a chip and signature card, and the machine does not present a request for a PIN. It tells the retailer to ask for a signature.

[Guest NATTIE]

Important to note the personal bit of "I have heard" even though to do ask for a Pin. I will see if I can find the link on here. Actually I will refine what I have said to state the retailer refused to take it. Apologies for earlier confusion in what was posted

[buzby]

As Tom correctly points out Chip & SIG cards have no PIN (as evidenced by my experience it attempting to use the card at an ATM). However, as to the banks liability to fraud, in my case this states that the bank will be the final arbiter in such matters (!) and that the entry of a correct PIN is deemed evidence that the cardholder disclosed by some means, the 4-digit number to access the card. This is a major shift when compared to a signature, which can be easily checked whether it is remotely like the signature showing on the card.

 

As to the double swipe [problem], at least 10 years ago terminal software was modified to prevent the sequential swiping in the manner described previously in this thread. It was stated this was to prevent 'operational errors' where staff with good intentions were unaware the previous swipe had resulted in a successful debit. This still works today as I filled with fuel at a Shell petrol station - the same pump dispensed petrol and diesel in two transactions (one for the car, the other into jerry cans). At the till, the attendant didn't listen that I said there were 2 transactions and took the first only. Noticing the amount was incorrect and asking for the second to be added, was told it couldn't be, as the next transaction would be disallowed as being sequiential. The solution was to let someone else be the next card customer, and my transaction was accepted after this.

 

We have now reached the stage that banks will happily pay out on any card transaction whether the card is swiped or not, and it is always the cardholder who has to fight to get their money back. This is getting far too prevelant,and my tradition of having 5-6 credit/debit cards have been reduced to just 2 (one of each type). The risks are too great otherwise.

[meagain]

As Tom correctly points out Chip & SIG cards have no PIN (as evidenced by my experience it attempting to use the card at an ATM).

 

Precisely. The reason too many retail outlets are refusing signatures is that they're not aware of the difference. They see "get a signature" and they think "no way!" on the basis that they are not protected against fraud when using a signature for a PIN card.

 

However, as to the banks liability to fraud, in my case this states that the bank will be the final arbiter in such matters (!) and that the entry of a correct PIN is deemed evidence that the cardholder disclosed by some means, the 4-digit number to access the card.

 

Something is seriously up there. As far as I am aware, the bank is not entitled to appoint itself to such a position, and must submit itself to a higher authority (so if you get stung and the bank refuses to play ball, sue them - you shouldn't have to do so, but there we go).

 

This is a major shift when compared to a signature, which can be easily checked whether it is remotely like the signature showing on the card.

 

As has been stated, nobody bothers checking signatures. I once received a new card and forgot to sign the back. I tendered it, signed, and all was well. A week later, someone pointed out that I'd not signed the card, after a dozen or so signed transactions. There's also a well-documented case on the Web of someone who decided to have some fun with his signature, signing various names (including Mickey Mouse) - in one case, simply drawing a fine grid over the signature area. In all cases, nobody bothered to check the signature against the card.

[barracad]

We have now reached the stage that banks will happily pay out on any card transaction whether the card is swiped or not, and it is always the cardholder who has to fight to get their money back. This is getting far too prevelant,and my tradition of having 5-6 credit/debit cards have been reduced to just 2 (one of each type). The risks are too great otherwise.

 

This has reminded me for some reason of Tesco... if anyone has ever used their 'Pay@Pump' to pay for fuel, or used the new 'self scan' checkouts - you just simply insert your card - no PIN, no signature. Surely this is a big risk and I don't understand how Tesco are allowed to handle transactions in this way. The self scan at Asda asks for your PIN number, as does the drive through petrol station where you can pay at the pump.

[Movingon]

This has reminded me for some reason of Tesco... if anyone has ever used their 'Pay@Pump' to pay for fuel, or used the new 'self scan' checkouts - you just simply insert your card - no PIN, no signature. Surely this is a big risk and I don't understand how Tesco are allowed to handle transactions in this way. The self scan at Asda asks for your PIN number, as does the drive through petrol station where you can pay at the pump.

 

I've been complaining about this for two years since I first saw Tesco self-service. They don't give a damn; but basically I could go into Tesco, do £200's worth of shopping, and then cry "THIEF!!!" and probably get all my money back. Or my card could ACTUALLY be stolen, and hundreds of pounds spent on it.

 

As far as I know, there is NO identity checking; not even a camera at the self-serve till taking pics of the person using a card.

[meagain]

The funny part is that there's no ID checking, but there is a member of staff on hand to make sure every item is paid for!

[barracad]

As far as I know, there is NO identity checking; not even a camera at the self-serve till taking pics of the person using a card.

 

I know they've used it for years at the petrol stations and whilst slightly concerning I haven't thought of it as a massive problem because I understood car registration numbers are recorded for security anyway. However, not asking for a PIN number or signature at a checkout is very alarming in my opinion.

 

-------------------------------------------------------------------

[buzby]

Regarding Tesco (ASDA's self-service tills are fully compliant regarding PIN entry, incidentally) and their procedures, they issued a staterment last month stating that the problem was only (1) the fact Chip & PIN had not been integrated within the self-service checkout software but all stores would be upgraded by the year end. Not soon enough in my book, but I digress.

 

Backat the Chip and Signature problems, the fact the assistant is asking for a PIN is largely irrelevant, as there is no part of this process that even requires the cardholder to touch the keypad - actually, I tell a fib, Pets @ Home got me to press the GREEN key, before going on a hike to find a ball-point. Similarly, if the card terminals go offline, I understood there was a way terminals can request a signature for PIN cards in order not to disrupt the sale - so retailers taking the attitude that no PIN = No Sale will be in the minority, especially when tourists fill up and there isn;t even a Chip on their cards.

 

The RBS does state that your PIN must not be disclosed, and if it is used, they are not responsible. As meagain points out, if you claim you didn't disclose it - how could they prove that you did? The end result remains the same, they will deny the claim and assert their exclusion... until challenged - like we now have to do with just about everything else. Little wonder I have to switch into Vicroe Meldrew mode 2 or 3 times a day just to get throught it!

[meagain]

Similarly, if the card terminals go offline, I understood there was a way terminals can request a signature for PIN cards in order not to disrupt the sale

 

You understand incorrectly. You are assuming that staff at retail outlets know what they're doing. One week last year, I had to do my shopping twice because Tesco would not take the card at all. It didn't help that the cash machine outside had no £10 notes, and that my balance at the time was less than £20.

 

Little wonder I have to switch into Vicroe Meldrew mode 2 or 3 times a day just to get throught it!

 

Now I don't believe that. (sorry, couldn't resist )

[buzby]

You understand incorrectly. You are assuming that staff at retail outlets know what they're doing. One week last year, I had to do my shopping twice because Tesco would not take the card at all. It didn't help that the cash machine outside had no £10 notes, and that my balance at the time was less than £20. Now I don't believe that. (sorry, couldn't resist )

 

Well, let's exclude Tesco's as they're hardly at the sharp end of card technology - apart from Shell's temporary moratorium on PINs (reverting to Signature only), the system and its back-up will work as advertised, and assuming staff manage to get their act together. Since the lack of a PIN on my card, I just get the cash from Asda's cashback and my problem is solved.

 

Just for devilment, ever considered shopping elsewhere?

[meagain]

the system and its back-up will work as advertised, and assuming staff manage to get their act together.

 

That's where the wishful thinking comes in - expecting someone else to know what they're doing. Just doesn't happen in retail

 

Just for devilment, ever considered shopping elsewhere?

 

It was a combination of local shops that refused small card transactions, or paying a fee for them. In most cases, the discount on the goods would be outweighed by the card fees. Excuse me for not wanting to carry the entire balance of my account in my pocket, or in a place which was at the time uninsured.

[plonker]

Amore worrying thing in my opinon is I work for a supermarket chain and work within the EPOS side of things and on our chip and pin software if the online auth goes down it just stores all the transactions in a nice easy to read excel spreadsheet including pin numbers until the online auth cmes back up. Now that in my opinon is very worrying !

[Movingon]

Amore worrying thing in my opinon is I work for a supermarket chain and work within the EPOS side of things and on our chip and pin software if the online auth goes down it just stores all the transactions in a nice easy to read excel spreadsheet including pin numbers until the online auth cmes back up. Now that in my opinon is very worrying !

 

Would you be willing to state (in a private message if nothing else) which supermarket chain that is? This is EXACTLY the sort of evidence that should be going before government to get rid of this chip and pin fiasco once and for all... obviously if I write to anyone the source of this information would not be disclosed.

[plonker]

To be honest I wouldn't its not a major chain anyway more the convience chain. Got over 1000 stores nationwide.

 

would prefer not say. However our software is bought in from another company , which supplies to other stores so I'm sure there are others out there which may be able to help.

 

Sorry i'm not been able to help anymore. Just thought i'd highlight the fact, that chip and pin is not that sercure and woud be far better from an IT side of things if the pin number was NOT stored on the card's chip .

[buzby]

I'm also concerned that there is an ability to pull off the PIN and store it in a way that allows it to be coupled back to the originating card. What is the made of terminal that punters use that lets you access the entered data?