Why Switching From Signatures To PINs Won't Stop Credit Card Fraud

From this Friday, Australian credit card holders won't be able to use a signature for in-store transactions; you'll only be able to use a PIN. While that's an improvement in security, it doesn't mean the end of credit card fraud -- and it shifts more of the onus to individuals rather than banks.


That changeover has been a long time in the planning, and you can read all about the details of how it might affect your transactions in our comprehensive guide. While it's an improvement to have numbers rather than signatures as the default option, experts warn that this won't mean an end to fraud problems.

Anyone can practise a signature until they can produce a reasonable facsimile, and that's making the charitable assumption that the person processing the card bothers to check it at all. It's much harder to fake a PIN, since the card will be rejected after repeated wrong entries.

It's also difficult to hack a terminal to circumvent the PIN requirement. "The thing with an EFTPOS terminal is that it is tamper-resistant," said Associate Professor Asha Rao, who specialises in information security at RMIT. "It actually will shut down if somebody tries to break into it."

Rao sees the shift as an improvement on the current lax signature regime, but points out that it won't affect one of the fastest-growing areas of credit card use: online shopping. "Does it make all transactions safer? Not really -- it only makes card-present transactions safer. If you're using your card to make purchases, your PIN doesn't help at all." While some cards will require extra details (such as a one-time SMS code or a second and separate security PIN), these measures are far from universal.

From a forensic perspective, the move is arguably a step backwards. Richard Boddington, visiting fellow at the Centre for Forensic Research at the University of Western Australia, points out that if there's a disputed transaction, it's much easier to identify a dubious signature than to work out who was responsible for a PIN leaking (if indeed the transaction involved a PIN). "The problem is linking transgressors to those events," Boddington said. "In reality in forensics computer evidence often stumbles and fails when you can't get that nexus. You have to make sure that the quality of that evidence meets the expectations of the court."

That means that the banks arguably have an advantage. "It's harder for you to prove it's not you, so the banks do win out, but they have to make sure everyone is using a PIN," Rao said. "Ultimately, no matter what happens, the banks win."

Boddington favours additional measures such as photographs on cards or the use of biometrics. "Reliance on four or six digit pins is not sufficient protection. You should be using passphrases in conjunction with a security token." That said, he doesn't expect that to happen because of the cost involved in deployment.

So how can you stay safe? Monitor your cards like a hawk. "My advice to customers is to always keep an eye on transactions and always report any anomalies as soon as possible," Rao said. Boddington checks his credit card balance daily to avoid any unexpected shocks.


Comments

    I had my card-strip scanned and grabbed, and my PIN number scanned and grabbed in a RESTAURANT in Cronulla some months back. It was being abused in ATMs within a few blocks of that exact restaurant within hours, so these guys can get copies made REAL FAST.

    In contrast, I can't say I've ever been defrauded with signature. At least, you know, you can't empty a person's bank account of negotiable cash -- just buy slabs of piss and petrol for all your friends.

    Getting their PIN and mag strip content lets you buy slabs of piss and petrol for all your friends *AND* get piles of negotiable cash. I fail to see that this will do anything but ASSIST in creating MORE fraud.

      PIN is slightly better because it doesn't come with the card like a signature does. The fact that your PIN was also scanned means that the criminals have had to step up their game. With a sig only card, you only need to get the mag stripe and you're fine; just make another card and make up the signature.
      ATMs exist for a more convenient and quicker way of withdrawing money. Would you prefer we all go back to having to visit the local branch to get money out just to avoid having to use PINs? Plus, people still go up to a bank with a stolen/cloned card and pull money out, PIN or no PIN...

        My card has both chip and mag strip. I would prefer that there be one pin for the ATM and another pin for purchases.

          It's the magnetic strip that is the problem here. The chip is secure and difficult to copy, but all the important data is out in the open on the magnetic strip. If they ditched the mag strip you wouldn't need to worry about your pin being scanned unless your card was also stolen. (For all practical purposes anyway.)

        I always have $0 in my Savings account. Whenever I go to use an ATM or Eftpos, I transfer the exact amount to my Savings account from the high interest account, which you can't make any payments/withdrawals from. So if someone wants to steal from me, they need my magnetic strip, PIN, and Internet banking password.

      You also can't use a lost card without a pin (well, couldn't before paypass) anymore. Most retail stores do not check the signatures when someone signs, hell most customers take their card immediately without giving retailers a chance to check the signature.

    When they did this in the UK, one of the biggest changes didn't affect the customers, but potentially impacted retailers.
    The card issuers shifted the responsibility of preventing fraudulent transactions onto the merchants. If they accepted a card transaction that later turned out to be fraudulent, the retailer had to suck up the loss. Kind of a "you asked for better protection, and now it's there any issues are your problem".
    I wonder if Aussie banks have done the same thing and card not-present transactions or unreadable chip payments will now be an increased risk for retailers. I'm sure a lot of them are itching to increase their "you dared to pay electronically" surcharges.

      As far as I'm aware, if a chargeback is made and a PIN has been entered, it ends up being the cardholder's loss (since the PIN is meant to be something only they know) unless there's evidence to suggest that the PIN's been obtained fraudulently (eg: from a tampered ATM or something).
      The only time a retailer takes on a chargeback is if the transaction was a MOTO (mail order/telephone order) transaction, as this has zero security checks (you only need the credit card number and expiry month+year to make the transaction). Schemes make the fees incurred on these types of transactions high to discourage their use, as well as have EFTPOS providers make the retailer aware they're about to take 100% responsibility for any chargebacks against MOTO transactions.

        A customer can still argue that the signature isn't theirs (and if they can show receipts with their signature and they are different enough), the merchant will wear the loss in this case as well. PIN transactions are the only ones a consumer wears - as long as it can't be proven they did something like write the number on their card, and they report it stolen/missing asap.
        Most banks do not make a MOTO transaction any different in most cases (fees or responsibility wise) - the consumer and the retailer still have the same responsibilities and if it is a fraudulent transaction the merchant will always lose - biggest pain in my butt as a business owner that was in an industry where this type of transaction is a necessary evil.

          Banks aren't the ones that set the fees depending on the credit card used; Mastercard, Visa, etc do, and as an acquirer of credit transactions, merchants do wear MOTO transactions when a chargeback comes in. It's why we make it clear to merchants what the risks are with MOTO every time they do one. What other acquirers do is up to them but this is what we've been informed by schemes and what we've seen happen when dealing with stolen cards/fraudulent transactions.

          Last edited 31/07/14 1:00 pm

    “The thing with an EFTPOS terminal is that it is tamper-resistant,” "It actually will shut down if somebody tries to break into it.”

    I guess the hacked McDonald's eftpos terminals saga didn't happen then.

    Last edited 30/07/14 3:30 pm

      Hacked? I think you will find they were replaced with skimming EFTPOS machines by people pretending to be repairmen.

        I think you'll find that if you pull something apart and turn it into something else it's what we term hacked, loosely used these days. I assumed from the article that "tampered with" they meant if you pulled one of these apart to compromise it it would render the terminal useless. The offenders in this case pulled them apart, placed a skimmer inside, put them back together and swapped out legit units thus hacking the terminal and compromising the customers PIN.

        Although I do see your point using the term hacked and breaking in to it could also mean if the device detects the data being tampered with it shuts down.

          Yes, there is a chip on board that contains the encryption key to decode the ROM. If an EFTPOS terminal is altered in any way, like being opened, that chip will self-erase the key, rendering the machine useless. There are tamper switches galore in an EFTPOS machine.

    "From this Friday, Australian credit card holders won’t be able to use a signature for in-store transactions; you’ll only be able to use a PIN"
    Wrong.
    If you are currently using a valid card that doesn't have a chip, then you will still be able to sign for transactions. At least, that is what AMEX are telling me. I can just imagine what they will be saying in stores......

      https://www.americanexpress.com/au/content/chip-and-pin.html?inav=au_sitefooter_chipandpin
      I'd suggest printing that page out. From the retailers I've spoken to, none of them are aware of this exception, though that may be because few people accept AMEX.

      Last edited 30/07/14 4:43 pm

        Amex have been really dragging their feet on this (which is typical of Amex in Australia) but there is a definite cut-off period where you have to enter a PIN. At least there is meant to be but things keep being changed from definitely by August 1, to from August 1, to gradually being phased in from August 1, to...

    I had a similar experience to Barb. I have no idea how/where they got my details, but card thieves withdrew over $1400 in cash from ATMs in Bankstown.

    Not only had I NEVER withdrawn cash from my credit card, I also hadn't been in Bankstown.

    Bank refused to pay part of it back since "There is no way to prove that it wasn't you withdrawing the cash - your PIN was used therefore you mustn't have taken all appropriate steps in protecting your details". Cops explained that people can alter their eftpos machines to skim both magnetic strip and pin, or they could have gone as low tech as a camera to watch people entering their pin. The ATMs used had no security cameras.

    I was left to foot the bill.

      That's why ATMs always have "Protect your PIN" notices on screen with a diagram showing you how to cover your hand while you enter your PIN. That way if there is a camera, it will see your hand, not your PIN.

      Couldn't you just prove you were somewhere else at the time so it couldn't have been you?

        Doesn't prove that you didn't take reasonable steps to ensure your security, though, since clearly the crims had the PIN.

    @kat_douglass, I would have sued them for the money back, based on the proven existence of card-skimming machines. My bank didn't even question it. I had the money back within a week or so. Most of the several withdrawals they did were done at various banks' ATMs. Perhaps one or more had a camera and they could clearly see it wasn't me. Dunno.

    I was in Coles 2 or 3 weeks back. There was a guy who asked for 5 cartons of cigarettes - the total came to a bit over $300. He asked if he could split the payment across multiple cards (I love it when I'm standing in line at the register behind somebody who does that), and the girl said that was OK.

    He then proceeded to put $99 on each card and then the remainder on the final card. I.e. he went for the exact limit of what you can do on PayWave - any higher and he would have needed to produce a signature or a PIN.

    I stood there watching this, shaking my head in disbelief that the girl on the checkout didn't even ask to look at the cards to ensure they at least had the same name on them. Surely there must be some kind of responsibility on the part of retailers to do some kind of basic id check in cases where something appears to be blatantly dodgy?
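As an added illustration (not from the article or this commenter), below is a small detection rule of the kind an acquirer or point-of-sale system could run over terminal logs to flag the split-payment pattern described above: several different cards tapped at one terminal in quick succession, each just under the no-PIN limit. The $100 limit, the two-minute window, the card-count threshold and the sample records are all constructed assumptions.

```python
# Added example: flag runs of contactless payments that each sit under the
# no-PIN limit but come from several distinct cards at one terminal within
# a short window. All thresholds and the sample log are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

CVM_LIMIT = 100.00            # assumed: amount at/above which a PIN is required
WINDOW = timedelta(minutes=2)  # assumed: how close together the taps must be
MIN_CARDS = 3                  # assumed: distinct cards needed before alerting

# Constructed sample log: (ISO timestamp, terminal id, masked PAN, amount, cvm)
# cvm is "none" for a tap with no cardholder verification, "pin" otherwise.
SAMPLE_LOG = [
    ("2014-07-30T12:01:05", "T-001", "4111****1111", 99.00, "none"),
    ("2014-07-30T12:01:20", "T-001", "5500****0004", 99.00, "none"),
    ("2014-07-30T12:01:41", "T-001", "3400****0009", 99.00, "none"),
    ("2014-07-30T12:02:02", "T-001", "6011****0004", 12.50, "none"),
    ("2014-07-30T12:05:00", "T-002", "4111****1111", 45.00, "none"),
    ("2014-07-30T12:05:30", "T-002", "5500****0004", 150.00, "pin"),
]

def parse(rows):
    """Turn the raw tuples into (datetime, terminal, pan, amount, cvm)."""
    return [(datetime.fromisoformat(ts), term, pan, amt, cvm)
            for ts, term, pan, amt, cvm in rows]

def find_split_runs(rows, limit=CVM_LIMIT, window=WINDOW, min_cards=MIN_CARDS):
    """Return alerts as (terminal, first_ts, set_of_pans, total) for any
    window in which >= min_cards distinct cards each paid below `limit`
    without a PIN and their combined total still exceeds `limit`."""
    by_term = defaultdict(list)
    for ts, term, pan, amt, cvm in sorted(parse(rows)):
        if cvm == "none" and amt < limit:      # only sub-limit, no-PIN taps
            by_term[term].append((ts, pan, amt))
    alerts = []
    for term, txns in by_term.items():
        for i, (t0, _, _) in enumerate(txns):
            run = [x for x in txns[i:] if x[0] - t0 <= window]
            cards = {pan for _, pan, _ in run}
            total = sum(amt for _, _, amt in run)
            if len(cards) >= min_cards and total > limit:
                alerts.append((term, t0, cards, round(total, 2)))
                break                           # one alert per terminal
    return alerts

if __name__ == "__main__":
    for term, t0, cards, total in find_split_runs(SAMPLE_LOG):
        print(f"{term} {t0.isoformat()}: {len(cards)} cards, ${total:.2f} total")
```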

      There is...... Though as the above case dictates, there are fucking idiots working everywhere.

      It's partly why they want to go away from signature, because merchants were shown to do a very poor job at verifying signatures (or that there even is one on the back of the CC). Unfortunately in the name of convenience, there are still things that require merchants to do some form of checking :/

      He could have had accounts with multiple providers that offer moneyback on Paywave/Paypass purchases under $100. ING offer 5% of your purchase price back for 6 months. I assume they're not the only provider doing it.

        Perhaps - or he could be using other people's cards. It just seems to me that a simple check by the cashier would at least be prudent.

    This would be less of a problem if companies followed through on cards which integrated one-time password generators like these.

    "Boddington favours additional measures such as photographs on cards" - My credit card (with no annual fee) 10 years ago had my photo on it

      Wouldn't those still be somewhat easy to forge? After all, you have forged drivers' licences

        "Of course I'm AnthonyQld, my photo is on this card I printed at home"

    When I worked in retail I always checked people's signatures, and if their card wasn't signed (or the signature had worn away) I would ask to see photo ID. People would always get really upset with me for wanting to make sure someone wasn't using their cards fraudulently.

      This is part of the problem. Consumers don't want to be inconvenienced themselves, but cry bloody murder the minute someone steals their stuff because of lax security measures.
      I applaud you DN.
