Ben Laurie blathering

PINs Make You More Secure. Honest.

More news about Citibank’s PIN problems. I’m less than sure whether I actually believe the theories about how this came about, especially since they all appear to come from a single source: a Gartner VP called Avivah Litan. But you have to love this quote:

“Security is tight at the ATM, but point-of-sale is a whole other story,” said Litan. “Look at your [debit card] account on a regular basis, and don’t use a PIN-based debit card at point-of-sale,” she recommended. “I never do.”

What a shame that in the UK we have no choice.


  1. Well, this isn’t quite true — some issuers will give you a PIN-suppressed card on security grounds, and some if you complain enough, just to keep your business (the choice is entirely in the hands of the issuer). APACS advertise that anyone who is unable to or prefers not to use a PIN owing to a disability can get a PIN-suppressed card too, and that they won’t ask for medical evidence; however, pretending to be disabled to get such a card is probably “obtaining a pecuniary disadvantage by deception” and therefore inadvisable when dealing with a bank…

    Comment by Chris Lightfoot — 12 Mar 2006 @ 16:10

  2. What pecuniary (dis)advantage does one gain by using a signature instead of a PIN?

    Comment by Ben — 12 Mar 2006 @ 19:11

  3. Well, you evidently believe that there’s some advantage to using a signature, otherwise you wouldn’t be complaining about being forced to use a PIN! The specific advantage in question is presumably either (a) a reduction in the risk of fraud on your account; or (b) a reduction in the risk that you will not be properly compensated for such fraud (because forged signatures are repudiable and PINs aren’t, really). ((b) seems to me more likely at the moment in the UK situation.)

    I’d have thought this comes within 16(2)(b) of the Theft Act which covers deceptions which improve the terms on which money is borrowed or insurance is written (though perhaps the wording excludes this case, since it refers specifically to overdrafts). q.v. Deception offences in Wikipedia.

    Comment by Chris Lightfoot — 12 Mar 2006 @ 20:15

  4. Barclaycard tried to discourage me from getting a Chip & Signature card but said that there was no reason I couldn’t have one other than that it might not be in my interests as the card might be rejected. I was quite explicit about refusing to lie to them about being disabled, as in 2004 Chip & Sig was “for” disabled people.

    Barclaycard agreed to issue me with a Chip & Sig card. It came with very misleading paperwork which was obviously a cut-n-paste job on Chip & PIN paperwork, but behaved exactly as a Chip & Sig card should.

    This card has been rejected only once, at a restaurant in Islington, and that was very recently.

    When I rang Barclaycard a few weeks ago about the new Chip & PIN arrangements, they were much more willing to countenance non-disabled people getting Chip & Sig cards, and said there was no reason vendors shouldn’t accept them. I surmise that were I to attempt to change to Chip & Sig now rather than two years ago, Barclaycard would require less in the way of polite but firm and very persistent pressure to issue one.

    Comment by Martin Keegan — 12 Mar 2006 @ 20:28

  5. These are not Chip and PIN cards though. They are mag stripe and (weak) PIN. If someone has a (complete) copy of the mag stripe and some additional knowledge it is possible to work out the PIN from the data on the mag stripe alone. This is what the Shadowcrew lot were up to.

    This is actually an advance on the situation a couple of years back when the PIN could actually be reconstructed from the account number alone. What has happened since then is that ATM machines have been rejigged to read the CVV code on the mag stripe, a code that is only written to the mag stripe, never on the card itself. So now that we have cleared the perps off the Internet they are looking for new venues for the old scam.

    Chip and PIN works differently. The PIN number is used to gate access to the private key of the on chip smartcard. Unlike the mag stripe schemes it is not possible to ‘skim’ the card data, the private key never leaves the card.

    Comment by Phill — 14 Mar 2006 @ 5:32
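The CVV check Phill describes in comment 5, as an added example that is not part of the post or its comments: an issuer-side routine that recomputes the stripe CVV from the PAN, expiry and service code and rejects a track that was re-encoded from the account number alone, while accepting a complete skimmed copy (which is exactly the residual risk the comment points at). HMAC-SHA256 stands in for the real DES-based CVV scheme, and the issuer key, card number and track-2 discretionary-data layout are all constructed for the demo.

```python
import hmac
import hashlib

# Constructed placeholder for the issuer's CVV key; a real issuer keeps this in an HSM.
ISSUER_KEY = b"constructed-issuer-cvv-key"


def compute_cvv(pan: str, expiry: str, service_code: str) -> str:
    """Issuer-side stripe CVV: a 3-digit keyed function of PAN, expiry (YYMM) and
    service code. HMAC-SHA256 stands in for the real DES-based scheme; the point is
    only that the value cannot be predicted from the account number without the key."""
    mac = hmac.new(ISSUER_KEY, f"{pan}{expiry}{service_code}".encode(), hashlib.sha256)
    digits = "".join(ch for ch in mac.hexdigest() if ch.isdigit())
    return digits[:3].rjust(3, "0")


def encode_track2(pan: str, expiry: str, service_code: str, cvv: str) -> str:
    """Build a track-2 string ;PAN=YYMM SSS <discretionary data>? .
    Constructed layout: the discretionary data is the 3-digit CVV, zero padded."""
    return f";{pan}={expiry}{service_code}{cvv}000000?"


def parse_track2(track: str) -> dict:
    """Split a track-2 string into the fields the ATM forwards to the issuer."""
    if not (track.startswith(";") and track.endswith("?") and "=" in track):
        raise ValueError("bad track-2 framing")
    pan, _, rest = track[1:-1].partition("=")
    if not (pan.isdigit() and rest.isdigit() and len(rest) >= 10):
        raise ValueError("bad track-2 layout")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv": rest[7:10]}


def issuer_accepts(track: str) -> bool:
    """The 'rejigged' ATM check: recompute the CVV and compare it in constant time."""
    try:
        fields = parse_track2(track)
    except ValueError:
        return False
    expected = compute_cvv(fields["pan"], fields["expiry"], fields["service_code"])
    return hmac.compare_digest(expected, fields["cvv"])


if __name__ == "__main__":
    pan, exp, svc = "4000123412341234", "0812", "101"   # constructed test card
    genuine = encode_track2(pan, exp, svc, compute_cvv(pan, exp, svc))
    # Stripe re-encoded from the embossed number alone: the forger has to guess the CVV.
    re_encoded = encode_track2(pan, exp, svc, "000")
    # A complete skimmed copy is byte-identical, so the CVV check cannot tell it apart.
    skimmed = genuine
    print("genuine stripe accepted:   ", issuer_accepts(genuine))
    print("re-encoded stripe accepted:", issuer_accepts(re_encoded))
    print("skimmed copy accepted:     ", issuer_accepts(skimmed))
```

The check defeats the older "reconstruct the stripe from the account number" attack the comment mentions, but not a full copy of the stripe, which is why the comment contrasts it with Chip and PIN, where the secret never leaves the card.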

  6. […] Laurie has started porting Chromium (the open source project behind the Google Chrome browser) to FreeBSD. In my copious spare time, […]

    Pingback by Porting Chromium to FreeBSD | FreeBSD - the unknown Giant — 2 Sep 2009 @ 22:28
