Chip n'pinday

So, chip and pin. I like it. But I thought the whole idea was the card never leaves your control.

So when I go into the supermarket, why do I have to hand the checkout staff my card instead of slotting it into the top of the chip'n'pin terminal? :confused: I try to do it and they pull it out and swipe it in their thing! I bet they'd get shirty if I tried to grab their stuff though.

And why do the Tesco automated tills not check signature or pin, but the Sainsbury's ones can do either?

And why does my corporate AMEX card have no chip? Why do bu**er all places accept AMEX for that matter?

And why do "over-the-phone" transactions still exist? Sure, you have to give them your address to deliver whatever it is you are buying, but do they think PIN will stop people using uninhabited houses as delivery addresses (as they always have done for fraud).

And also, I recall the old streamline systems would only call in for transactions over £50. Do all PIN transactions get checked during the transaction itself, or are they saved up for a big dump?
 
Sponsored Links
AdamW said:
And why does my corporate AMEX card have no chip? Why do bu**er all places accept AMEX for that matter?
Click to expand...

Their fees are astonomical.

AdamW said:
Do all PIN transactions get checked during the transaction itself, or are they saved up for a big dump?
Click to expand...

The PIN is on the chip so yes.
 
Eddie M said:
crafty1289 said:
I'm glad its being made compulsory for chip'n'pin users to use their pins. It is so much easier for checkout staff to use the chip'n'pin system than it is to check signatures - what a polava that used to be! It also removes the responsibility for fraud prevention from the retailer, and moves it back to the banks / CC providers - a good thing IMO.
Click to expand...

Sorry, that's not true, it moves the responsibility from the bank to the customer.
Click to expand...
Sorry, that's not true either. Nothing has changed - only criminals are exempt from the responsibility of fraud prevention.
 
Eddie M said:
AdamW said:
Do all PIN transactions get checked during the transaction itself, or are they saved up for a big dump?
Click to expand...
The PIN is on the chip so yes.
Click to expand...
The PIN is stored both on the chip and in the bank's computer. The exact process of authentication is not generally published beyond those-who-need-to-know, so I'm curious to know the basis of your reasoning here.

AdamW, it depends what you mean by "get checked". The transaction is authorised at the point of sale, which involves authenticating the card and getting confirmation from the bank that it will release the funds.

This is what always did happen with EPOS transactions - a PIN is just part of an authentication scheme that is less open to copying/forgery than a signature. A PIN is not the be-and-end-all solution to fraud prevention and detection - its purpose is to reduce the fraud that arises from lost and stolen cards. Like any deterrent, it's a hurdle to jump, and the number of hurdles we have is a compromise between crime prevention and convenience - we can't have it both ways.
 
Sponsored Links
The PIN is stored both on the chip and in the bank's computer. The exact process of authentication is not generally published beyond those-who-need-to-know, so I'm curious to know the basis of your reasoning here.
Click to expand...
it's not particularly complicated, the PIN is stored using a one way encryption process. The PIN can be changed in an ATM or an on-line PIN pad, but not an offline one. Once the pin is changed, the new encrypted PIN is written to the chip.

Sorry, that's not true either. Nothing has changed - only criminals are exempt from the responsibility of fraud prevention.
Click to expand...

Well perhaps not very well phrased the burden of proof has shifted. If the bank can prove the PIN was correct, then the customer is generally in breach of the contract with the bank by revealing the PIN, and therefore generally liable for the amount taken out there account. There extenuating circumstances of course, such as coercion etc, but generally that 's the principal.
 
How is the pin verified in ATM transactions? Does it use the chip on chip'n'pin cards? or does it still verify with the central pin computer? Obviously the latter will still be the case with non-chip cards and ATM-only cards, but I heard many ATMs had been upgraded to chip'n'pin?

Adam said:
So when I go into the supermarket, why do I have to hand the checkout staff my card instead of slotting it into the top of the chip'n'pin terminal? I try to do it and they pull it out and swipe it in their thing! I bet they'd get shirty if I tried to grab their stuff though.
Click to expand...
Tesco do that. Does my crust in - they swipe it into that silly holder thing on their till. Dont know if its something to do with their till system. Why have both chip readers in the first place? :rolleyes: Morrisons let you insert the card yourself. What sort of stuff were you going to grab Adam? the reciept printer? :LOL: PC world will let me insert my own card into the pin pad - even though they have the silly swipey dock like Tesco. Probably just different software.

AdamW said:
And why do the Tesco automated tills not check signature or pin, but the Sainsbury's ones can do either?
Click to expand...
not sure what you mean by this - if you mean overriding chip'n'pin cards to signature - most EPOS systems have this in the software, for example, the tills I use - when it asks for the PIN input, you press subtotal and it reverts to signature. We dont do it though - we get so many fraudulent cards.

Over-the-phone transactions work the same as before - "cardholder not present" - just as insecure as before. But this only represents a small percentage of all cc txns.
 
Eddie M said:
The PIN is stored both on the chip and in the bank's computer. The exact process of authentication is not generally published beyond those-who-need-to-know, so I'm curious to know the basis of your reasoning here.
Click to expand...
it's not particularly complicated, the PIN is stored using a one way encryption process. The PIN can be changed in an ATM or an on-line PIN pad, but not an offline one. Once the pin is changed, the new encrypted PIN is written to the chip.
Click to expand...
I never said it was complicated, however I have no idea what you might mean by "one way encryption" - isn't all encryption one way?
In any case, you've misunderstood. When I said:

Softus said:
I'm curious to know the basis of your reasoning here.
Click to expand...
I was referring to this:

Eddie M said:
AdamW said:
Do all PIN transactions get checked during the transaction itself, or are they saved up for a big dump?
Click to expand...
The PIN is on the chip so yes.
Click to expand...
In other words, how do you conclude that each PIN transaction gets checked during the transaction from the knowledge that the PIN is on the chip?

Eddie M said:
...the burden of proof has shifted. If the bank can prove the PIN was correct, then the customer is generally in breach of the contract with the bank by revealing the PIN, and therefore generally liable for the amount taken out there account. There extenuating circumstances of course, such as coercion etc, but generally that 's the principal.
Click to expand...
So, if I've understood your point correctly, what you're saying has changed is the likely liability for fraud when it occurs. Not fraud prevention then, for which the onus hasn't changed. Nor fraud detection, for which the banks now have more technology and more ability.

I can see that we should expect an increase in the proportion of crimes involving PIN disclosure, but in such cases there is still a chance that the PIN has been guessed, rather than disclosed, so I don't agree that the burden of proof has shifted to the cardholder. That would be a little like saying that DNA evidence has shifted the burden of proof onto the alleged rapist.

Although you've used the word "generally", I don't understand what you mean by it in this context, and it didn't gain any meaning for me when you put it in bold. By "generally", do you just mean "more often than not"?
 
crafty1289 said:
Why have both chip readers in the first place? :rolleyes:
Click to expand...

Cause in other countries (NL for one) the pin is (still) stored in the strip and even UK shops must be able to accept foreign cards :LOL:
 
doesn't the pin reside in WORM? ie the diode links are burnt out rendering further writing impossible?
 
kendor said:
doesn't the pin reside in WORM? ie the diode links are burnt out rendering further writing impossible?
Click to expand...
Not according to what I've read, and not according to logic either - when you change your PIN the encrypted information is written to the card chip and also sent to the bank.
 
Softus said:
kendor said:
doesn't the pin reside in WORM? ie the diode links are burnt out rendering further writing impossible?
Click to expand...
Not according to what I've read, and not according to logic either - when you change your PIN the encrypted information is written to the card chip and also sent to the bank.
Click to expand...
yes but after that first time changing it the memory is "burnt" by using a higher voltage that basically destroys the links on the matrix and thereby leaves the desired connections intact ie the memory addresses are loaded with their relevant information on a permanent basis.
Isn't that Write Once Read Memory in it's electronic form?
 
kendor said:
yes but after that first time changing it the memory is "burnt" by using a higher voltage that basically destroys the links on the matrix and thereby leaves the desired connections intact ie the memory addresses are loaded with their relevant information on a permanent basis.
Isn't that Write Once Read Memory in it's electronic form?
Click to expand...
You seem to be saying: it behaves like WORM, and this is how WORM works, therefore surely it's WORM.

If you say the memory on the card is WORM, then, leaving aside the technical description of how it works, which I understand, I don't have enough knowledge to disagree with you.

However, from what you're saying, the first PIN change is recorded on the card, whereas all subsequent ones, of which there can be many, are not. I can't conceive of a reason for designing it to be like that. Can you?
 
Softus said:
kendor said:
yes but after that first time changing it the memory is "burnt" by using a higher voltage that basically destroys the links on the matrix and thereby leaves the desired connections intact ie the memory addresses are loaded with their relevant information on a permanent basis.
Isn't that Write Once Read Memory in it's electronic form?
Click to expand...
You seem to be saying: it behaves like WORM, and this is how WORM works, therefore surely it's WORM.

If you say the memory on the card is WORM, then, leaving aside the technical description of how it works, which I understand, I don't have enough knowledge to disagree with you.

However, from what you're saying, the first PIN change is recorded on the card, whereas all subsequent ones, of which there can be many, are not. I can't conceive of a reason for designing it to be like that. Can you?
Click to expand...
I admit i'm guessing hence the question mark above but I believe that you only get one change of pin? hence my assuming it's WORM
 
You must log in or register to reply here.
Sponsored Links

Similar threads

B
conveyor belt and plane answered at last ??
27 28 29
Replies
423
Views
28K
securespark
securespark
Scoby_Beasley
Message widths
Replies
3
Views
467
pipme
P
J
  • Locked
free auction site
Replies
0
Views
426
johnny5
J
B
  • Locked
crazy diy : purse,discount,leather
Replies
0
Views
356
bag1881
B
G
Nooooooooooo she's back!!!!!!!!!!!!!
Replies
0
Views
528
gcol
G
Back
Top