From this Friday, Australian credit card holders won't be able to use a signature for in-store transactions; you'll only be able to use a PIN. While that's an improvement in security, it doesn't mean the end of credit card fraud — and it shifts more of the onus to individuals rather than banks.
That changeover has been a long time in the planning, and you can read all about the details of how it might affect your transactions in our comprehensive guide. While it's an improvement to have numbers rather than signatures as the default option, experts warn that this won't mean an end to fraud problems.
Anyone can practise a signature until they can produce a reasonable facsimile, and that's making the charitable assumption that the person processing the card bothers to check it anyway. It's much harder to fake a PIN, since the card will be rejected if you repeatedly enter the wrong PIN.
It's also difficult to hack a terminal to circumvent the PIN requirement. "The thing with an EFTPOS terminal is that it is tamper-resistant," said Associate Professor Asha Rao, who specialises in information security at RMIT. "It actually will shut down if somebody tries to break into it."
Rao sees the shift as an improvement on the current lax signature regime, but points out that it won't affect one of the fastest-growing areas of credit card use: online shopping. "Does it make all transactions safer? Not really — it only makes card-present transactions safer. If you're using your card to make purchases, your PIN doesn't help at all." While some cards will require extra details (such as a one-time SMS code or a second and separate security PIN), these measures are far from universal.
From a forensic perspective, the move is arguably a step backwards. Richard Boddington, visiting fellow at the Centre for Forensic Research at the University of Western Australia, points out that if there's a disputed transaction, it's much easier to identify a dubious signature than to work out who was responsible for a PIN leaking (if indeed the transaction involved a PIN). "The problem is linking transgressors to those events," Boddington said. "In reality in forensics computer evidence often stumbles and fails when you can't get that nexus. You have to make sure that the quality of that evidence meets the expectations of the court."
That means that the banks arguably have an advantage. "It's harder for you to prove it's not you, so the banks do win out, but they have to make sure everyone is using a PIN," Rao said. "Ultimately, no matter what happens, the banks win."
Boddington favours additional measures such as photographs on cards or the use of biometrics. "Reliance on four- or six-digit PINs is not sufficient protection. You should be using passphrases in conjunction with a security token." That said, he doesn't expect that to happen because of the cost involved in deployment.
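To make concrete why a PIN resists guessing (the card locks after repeated wrong entries) and why a short PIN still offers limited protection, here is an added example that is not part of the article or anyone quoted in it. It simulates a card's PIN try counter and computes the odds of guessing a PIN within the allowed attempts. The try limit of 3, the PIN value and the assumption that PINs are chosen uniformly are all constructed assumptions for illustration.

```python
# Added example (not from the article): a toy model of a chip card's PIN try
# counter, plus the guessing odds behind the "four or six digits is not enough"
# argument. The limit of 3 attempts and the sample PIN are assumptions.
import hmac
from fractions import Fraction


class PinTryCounter:
    """Simulates a card that blocks itself after too many wrong PIN entries."""

    def __init__(self, pin: str, max_tries: int = 3):
        self._pin = pin            # constructed sample PIN, never stored this way in practice
        self.max_tries = max_tries
        self.tries_left = max_tries

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify(self, candidate: str) -> bool:
        """Return True on a correct PIN; decrement the counter on a wrong one."""
        if self.blocked:
            return False  # stays blocked until the issuer unblocks the card
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.tries_left = self.max_tries  # a correct PIN resets the counter
            return True
        self.tries_left -= 1
        return False


def guess_probability(digits: int, tries: int) -> Fraction:
    """Chance of guessing a uniformly random PIN of `digits` digits in `tries` attempts."""
    space = 10 ** digits
    return Fraction(min(tries, space), space)


if __name__ == "__main__":
    card = PinTryCounter("4821")  # constructed sample PIN
    for attempt in ("0000", "1234", "4821"):
        print(attempt, card.verify(attempt), "tries left:", card.tries_left)
    for digits in (4, 6):
        print(f"{digits}-digit PIN, 3 tries: {guess_probability(digits, 3)}")
```

The try counter is what turns a 4-digit secret into something a thief cannot brute-force at the terminal: with three attempts the odds are 3 in 10,000, and six digits only pushes that to 3 in 1,000,000. The model assumes PINs are chosen uniformly; people who pick birthdays or "1234" are far easier to guess, which is part of why Boddington argues a PIN alone is insufficient.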
So how can you stay safe? Monitor your cards like a hawk. "My advice to customers is to always keep an eye on transactions and always report any anomalies as soon as possible," Rao said. Boddington checks his credit card balance daily to avoid any unexpected shocks.