Security - Why do we bother....

[MD]

Throughout every day it affects us, there is no doubt that at somepoint you will be asked something to do with your security - be it the name of your first dog's left foot or the first, sixth and twenty third letter of your secret security password, there is just no getting away from it.

So, we have all been forced to embrace the Chip and Pin system, so every time you shop in store you enter your code and there is nothing to sign. Online of course there has never been this problem, but the verified by visa product that the likes of Scan use and I know credit card company mint enforce means I sleep a little happier in the knowledge that some people have taken extra steps to secure your life.

What has caused this point of view from me today? Well, given the excellent offer on Sat Nav from Halfords I decided my lunch should involve some retail therapy of my own, and seeing as thier site is out of stock I went in store to see what they had, great, shelves load of the Sat Nav I want, and a friend of mine had expressed interest so I was asked to call him to see if he wanted one, I did, he did, they had three in stock (but about 50 empty boxes on the shelves, go figure.), so I asked the lady for two and off she went to fetch them.

Normally I would have put this on debit card, but for some reason I decided to put it on the old faithful plastic friend, so in the card goes and Im asked to enter my pin, disaster, I cannot remember it, so I tried twice, and then thought, a ha!, entering a third time I was greeted with the sort of thing that instantly makes all those in the queue think you are poor, I was denied, card blocked, so I said, no problem, ill pay on my debit card.

The polite lady behind the counter said "no sir, no need, you try three times and it fails so then all it asks for is a signature like old times".

What?!?

Whats the point?

Its pure proof that the security that is supposed to protect our daily lives is so inheritently flawed its not even funny. For the first time in a long time I actually felt as if it would have been better and safer for me to have shopped online. I never thought i would see the day I wrote that, but its true, the online experience is so much easier, so less embarassing and whatsmore starting to look more secure.

I scrawl my name and exit the store, calling the credit card company on the way, asking for the card to be unblocked I was told that 'all' I had to do was to go to a Natwest bank machine, insert my card and enter my pin. "err, look love, not being funny, but if I knew my pin to do you really think i would be calling you?" the reply was one of disgust, she immediately said that it was a problem indeed, so I asked "can you mail me a new pin and I will sort it out?, this was effort, something the robotically programmed staff member wasn't to appreciative of being asked, but then again, I did just wonder home many times she had had an idiot like me on the phone in the last six months trying to crack a joke at my own stupidity, lots probably.

So I hung up, went and charged the sat nav, parked the car, went shopping, then couldn't find my car in the car park, stupid, moi?

[Jonny M]

THe option to sign is only there during the changeover period, soon PIN will be the only way to auth the card.

[Funkstar]

There are certain banks which don't have the option for signature outhorisation. Was standing behind a guy in Tesco who couldn't use his CitiBank card because he didn't know the pin and the till wouldn't let him sign for it. The way the cashier was speaking i got the impression that not all cards can be signed for even now.

[schmunk]

PIN becomes mandatory in February.

[herbert_goon]

PIN becomes mandatory in February.

I think until then if you as a merchant accept sigs, you become liable for the refund of any fraud.

[Spud1]

yeah afaik schmuch is right, but it currently depends entirely on your credit/debit card provider as to whether you can sign or not. Some still let you, some don't My rbs VISA still lets me sign, but my rbs maestro doesnt, and my UBS (swiss) maestro doesnt either.

I've locked my card before too, and yes all you get told is go to a cashpoint to unlock it...I do agree that it's stupid currently - but i would go even further as to say that chip and pin is flawed almost as much as signing.

With a chip and pin card fraud is so much easier in some ways, for example if you are behind someone in a queue, you might be able to see their pin being entered - be this because the 'shield' is no use (i've seen lots wtih a poor attempt at a sheild, or if your a very tall person it must be easy to see) or because the person entering it is doing it so slowly that you can tell what is being pressed.

With that info you could go and 'obtain' their card (mugging, following and theiving, whatever) and bingo for teh next few hours you have a credit card to max out with a very slim chance of being caught - after all, you know the pin...

With signing this vunerability is gone - yes you can forge a signiture, but the odds of being caught are much higher. While working on the tills for a few months last year at sainsburys, I had two people try to use cards who's signiture didn't quite match - it is so easy to spot as long as you (the till operator) is awake enough. I suppose the advantage is that it takes away the responsibility of the till operator, and skimming a card becomes harder...but to be honest I would think that a merger or the two technologies would be much more secure. Less convenient yes i grant you - the current system is very quick and easy, but I would happily add the extra 10seconds or so onto my transaction time to ensure everything was secure..surely this is the best way forward?

Some tills are even more of a joke - ever used a self scan till? Well you can still choose to sign on them (some don't even have chip and pin readers yet) and whats even worse is that with those, even though you sign - your sig is NOT checked against what is on the card. It is not legally allowed for the machine to send a copy of what you sign to the bank for verification, and it cannot check against what is on the card because of the anti copying measures in place on the card..so you can actaully sign anything you like on those machines. To prove my point while I was in the UK i used the self checkouts every time i did my shopping ( much easier ) and i signed each time wtih a smilley face, never once was I rejected...now THATS bad security no?

[TheAnimus]

Originally Posted by herbert_goon

I think until then if you as a merchant accept sigs, you become liable for the refund of any fraud.

Indeed notice the shift of liabilty for fruad moving from the banks.

I was exlaining this to a friend of mine, because i used to have a mobile phone on a "talkshare" this ment we could call other family members on the talkshare for free anytime. But only my farther could change certain things on it.

Not a problem, i know his maden name, his DOB, and the password he ALWAYS uses.

Then i started thinking, i know pretty much everything i need to about my friends, but thats okay because most of the time you know about family names + pets etc, its because ur friends.

But my train of thought continued, last thursday, I was completely failing to get off with this rather attractive girl who did suffer a tad bit of emo syndrome, but had no problem telling me when her birthday was, her mothers maden name etc.

[Spud1]

Originally Posted by TheAnimus

But my train of thought continued, last thursday, I was completely failing to get off with this rather attractive girl who did suffer a tad bit of emo syndrome, but had no problem telling me when her birthday was, her mothers maden name etc.

That goes towards social engineering style though Ie what kevin mitnick used in most of his 'hacking' exploits. Simply asking people for seeminly innocuous(sp?) information which they will freely give but that helps you to do whatever. DOB, mothers maiden name etc, all commonly used with some relation to passwords, all useful information. Now obviously we shouldnt take things to extreams here and suddenly become social recluses, but it does pay to be careful about who you tell what, eg some random stranger asks for your DOB do you give it them or do you think why do they want to know?

Most people would just give it freely, and the same extends into the workplace. I've lost count of how many times I have phoned people up to help them with a problem ( a tiny part of my job involes some 3rd level support ) and most people offer their passwords freely to me, I don't even ask for it (and never would...) yet just because I say I am from X team who wants to help them they expect that they need to give it. This is despite all the security training that says you should never give your password to anyone regardless of who they claim to be. Hell in this situation they can;t even check via caller ID as i was using an external phone (complex internal phone systems ;p) so my number just shows up as external on their screen.

Comes down to common sense here really i think

[Workaholic]

Originally Posted by PrivatePyle

I thought they were phasing out allowing signatures for chip and pin cards? They were keeping signatures just for a while as people got used to having the new system.

Where I work, we still use signatures as the company feels it would be a disaster if the new Chip and PIN system went down during this busy christmas period. Therefore although they say it was ready since summer we won't get it till January....

[BUFF]

Originally Posted by schmunk

PIN becomes mandatory in February.

There are ways to get cards without chip & PIN but the banks don't advertise them.
They have to be able to provide them for people with disabilities etc.

[Lee @ SCAN]

*Shakes Head*

I spent 10 minutes queuing yesterday at Asda for something that should have taken less than 30 seconds as the baffoon in front of me put their card in the Chip & Pin card into the reader the wrong way. Then dizzy stood and just stared at the PDQ machine and the person stated 4 times please enter your pin.....

Then she got the mobile out to phone her spouse as she did NOT know her PIN number and then recited it at the top of her voice 3 times in her pseudo-posh accent.

HOW HARD IS IT TO REMEMBER A 4 DIGIT NUMBER THAT YOU CAN CHANGE TO SOMETHING MORE MEMORABLE ?