Just a reminder, always guard your pin.

[Saracen]

Unfortunately for you this won't be the case when NFC cards become more popular as someone bumping into you could read enough info from the card to attempt to process a payment (or even being in close proximity)

My bank notified me they were sending me what was effectively an NFC card. I informed them, reasonably politely, exactly where they can shove it.

Given a choice, I'll refuse to have, let alone carry, an NFC card. But if they become all pervasive and impossible to avoid, I can see a market for RF-screened wallets or card-cases, if indeed there isn't already one. Even then, it will simply sit at home the vast majority of the time as, most of the time, I don't use cards anyway.

Perhaps the day will come when cash ceases to exist and everything is done by card, but to be honest, I don't expect to live long enough, I'm glad to say, to see it. And if it does come in time, I'll go down kicking and screaming rather than give in. They can (maybe) force me to not have a card without it, but they can't force me to carry it, and certainly not unshielded.

[Saracen]

Neither is the pin though and that's how this one was done.

Problem with a PIN is if it's right, you never question it - you cannot. PIN + sig...well...then you at least could.

I'm not quite sure what you mean, but if it's that you cannot question or dispute a transaction if the correct PIN was used, that certainly isn't the case. If a transaction(s) are done, with the correct PIN, then the bank must prove that you :-

- authorised the transaction, or
- you acted fraudulently,
- or you acted deliberately, or were grossly negligent, in protecting card details, PIN and/or password.

It is certainly not sufficient (though they may try it on) for them to just say "the PIN was used, so it's a valid transaction". The onus is on them to prove one of those, not for you to prove none of them apply.

[roachcoach]

I'm not quite sure what you mean, but if it's that you cannot question or dispute a transaction if the correct PIN was used, that certainly isn't the case. If a transaction(s) are done, with the correct PIN, then the bank must prove that you :-

- authorised the transaction, or
- you acted fraudulently,
- or you acted deliberately, or were grossly negligent, in protecting card details, PIN and/or password.

It is certainly not sufficient (though they may try it on) for them to just say "the PIN was used, so it's a valid transaction". The onus is on them to prove one of those, not for you to prove none of them apply.

No, no. I meant when it is used in store, a clerk cannot challenge a PIN authentication. They could challenge a bad signature match.

Removing the signature made 'steal the pin over the shoulder>lift wallet' fraud not just possible but actually easier. No need to quickly practise a sig, much wider window of opportunity to spend before its noticed and cancelled as a result. Having a two tier system of PIN/signature would have avoided that. Hell I could walk into a store with my wifes card joint account card and use it, no-one would even have the opportunity to notice the card says 'Mrs so and so' and the sig on the back isn't a big 'X' these days.


Basically the PIN subconsciously lifts any suspicions the cashier may have - after all, if they know the PIN it must be legit right? I used to work in a store when I was at uni and some signatures definitely got more scrutiny that others.

[TheAnimus]

It is certainly not sufficient (though they may try it on) for them to just say "the PIN was used, so it's a valid transaction". The onus is on them to prove one of those, not for you to prove none of them apply.

The card provider told me the exact opposite, don't suppose you've got time to post some reading on the matter?

(Thanks, and hoping for a long post )

[roachcoach]

It's usually in the T's&C's of the card provider mate.

[Saracen]

The card provider told me the exact opposite, don't suppose you've got time to post some reading on the matter?

(Thanks, and hoping for a long post )

Can't do a long post right now. But yes, there's some reading. Gimme a minute.

Okay, start here. FSA Guidance.

That takes you straight to an FSA leaflet of consumer advice to banks. Additionally, go to the FSA website and there's a consumer advice section, including some stuff (including that PDF) on your rights with banks.

[Saracen]

It's usually in the T's&C's of the card provider mate.

It is indeed, and it varies, but T&Cs don't trump the law or the regulator.

This was one of the reasons I objected to CnP cards - the change in fine print that essentially placed more of a burden on the account holder. But it's moved on somewhat since then, and the FSA has now taken on oversight of the Banking Code.

The issue of the PIN is not absolute that you will get your money back, nor that you won't. But the basis of it is that as long as you weren't fraudulent or grossly negligent, it's the bank's liability, so it really comes down to whether they can prove you were. Of course, what is or isn't "gross negligence" is a bit subjective and open to argument.

Banks have sometimes held that if you write down your PIN, that's gross negligence. But what if you write it down and store it in a secure safe that has not been compromised, and to which you and only you have access?

What if you write it down in coded form? That one has caused arguments, with banks pointing out that their T&Cs say that's a breach and you're therefore liable. The FSA has held that it depends how you coded it. If you did it in a way that's easy to decode, you may be liable, but that you aren't unless the way you did it was such that it aided the breaking of the PIN.

So, if you write if down backwards, label it "bank PIN" and keep it with the card, you're in trouble. If you've got 200 phone numbers in a list in your wallet, and one of them is a key to the PIN, but you have to take the 1st, 3rd, 6th and 7th digit, and subtract 1,2,4,6 respectively to get the PIN, then no crook is likely to break that. On the other hand, if you can't remember your PIN, you'll probably not remember how to decide that phone number and if you write that technique down and keep it with the card ....

Another contentious point is using the same PIN for multiple cards. Banks tell you not to do it but the FSA, while recommending against it, don't explicitly ban it. It does, personally, strike me as a monumentally daft thing to do for bank cards, but I get the convenience of it. Sadly, it's convenient for crooks too, because if they get multiple cards (like a handbag snatch) and they crack one PIN, they've cracked multiple ones.

Personally, I tend to use adaptations of numbers that mean something to me, but not even my closest family know or are likely to guess what I use, much less how I've adapted it and it certainly isn't anything obvious like phone numbers or dates of birth. And I've got a hint to remind me what I used for each card, but not in a form that would mean anything to anyone else even if they found the hints, which they won't.

[kalniel]

I know the limit of wireless transaction was said to be around £10 but, I didn't know you could disable it.

Just tell your bank IIRC. Could be wrong.

[santa claus]

Also, leaving a card behind the bar is a risky move.

Can't do a long post right now.

I'm still trying to decide which of these statements shocks me the most. What is the World coming to ?

[Saracen]

I'm still trying to decide which of these statements shocks me the most. What is the World coming to ?

An end, if you listen to the politicians over the eurozone crisis.

[peterb]

I'm still trying to decide which of these statements shocks me the most. What is the World coming to ?

The second one, I'm surprised you even need to think about it!

[santa claus]

An end, if you listen to the politicians over the eurozone crisis.

Well George isn't doing much talking. He's virtually a spectator.

The second one, I'm surprised you even need to think about it!

If he says anything like that again I'm gonna end up in rehab .

[Saracen]

Well George isn't doing much talking. He's virtually a spectator.

....

Oh, I don't know. When George announced that referendum yesterday, it certainly caused a reaction, not least from Merkel and Sarkozy, and put the cat right among the proverbial pigeons. Stock markets down, the Chinese pulling back from offering funding, French bond rates spiking and a crisis summoning to Cannes. Also talk of contagion spreading, and a potential eurozone collapse. Hardly a spectator. He couldn't have had a much more dramatic effect if he'd detonated a nuke on the EU headquarters in Brussels (or Strasbourg).


Deliberately misunderstand you? Wot, moi? Shirley Knot?

[Saracen]

.....

If he says anything like that again I'm gonna end up in rehab .

Satan, get thee behind me. Oh, the temptation, the temptation.

[Spud1]

Fingers crossed that you get your money back mate - I know what it's like to be a victim of this kind of crime, nasty stuff.

The problem we have is that neither Chip and Pin or signature veficiation are even remotely secure - in different ways. Signature verification relied on the "human factor" and imo this is still one of the best solution, as if a cashier is even slightly concerned they can easily refer the transaction for futher checks. When I worked in that job I did it many times..but the problem is this is a pain for the consumer, and ofc the cashiers are not always on the ball. Makes it simple for "insider fraud" and card cloning too.

Chip and Pin isn't much better - it takes away the human factor, but makes it much more difficult for the card to be challenged there and then you never see the name on the card now for example, and don't get to check things like the authenticity stamps/watermarks/pictures (many debit cards used to have a photo of the cardholder on the back). Add to that the fact that its trivial to tamper with a chip and pin machine to allow you to process transactions with an invalid pin, or alternatively to just collect all transaction data..yes this has become more difficult with more recent pin pads, but some of the most widely used ones (the Verifone SC5000 in particular) have some crazy security holes in them (this is the reason their licence was revoked on that model and all the big retailers are replacing them with secura's and the like). Allowing any pin to go through requires a hardware mod, but to collect pins and data you just need to flash a different firmware. The end user never knows any different.

Add to that the fact that the banks try to put the onus on the consumer to prove that there was fraud (even though the legality of this is hotly disputed), and you can see that chip and pin just doesn't work.

Floor limits are also a major problem (though not one specific to chip and pin) meaning that depending on the retailer and their merchant account, your transaction may not ever be authorised until later that day - it becomes automatically approved if under a certain limit. I know that certain high street retailers set their limit at a crazy £100, meaning that with some research you can take a hacked/cloned card and spend £1000 between a few shops without anyone noticing.

Just like airport security, card security is a thin veil that makes the general public feel happier about using that particular product. If someone really wants to get a gun on a plane (or blow one up), or really wants to get your credit card details..they will just do it. None of the current security measures actually work..as sad as it is.

My advice after all that? Simply don't worry about it, and just take all logical steps to protect yourself..keep your card on you at all times, don't use it in the more "dodgy" places and just be overvant. Keep talking to your bank if you are going to do any odd/unusual spending so as not to throw your spending pattern out of whack, and odds are you won't have a problem.