A forced PIN for all credit cards won't stop the biggest fraud

Jul 31, 2014 by Asha Rao
A typical credit card includes your signature which anyone can copy. Flickr/Beau Giles, CC BY

Put the pen away when you next take out your credit card as from tomorrow (Friday August 1) Australians will no longer be able to use their signature when completing a transaction in a store. It's PINs only from now on, although this will apply only in store and not for online transactions.

According to PINwise, an initiative of the Australian payments card industry, using a PIN for credit and debit card purchases in store is "safer and faster than signing". But is this really the case?

Both PINs and signatures are means of authentication for proving that you are who you say you are. Or in the case of credit cards, of proving to the merchant that it is your credit card and you have the right to use it.

Thus, for in-store use of the card, the signature and the PIN take the place of a password, whereas the physical card takes the place of the "login" credentials. Now, which of these is safer – and why?

A signature is not secret

The problem with signatures is that the signature itself – the "secret" information – is written on the card, allowing a person to acquire it if they get hold of the card.

Also, when authenticating with a signature, you are expecting the merchant, a human, to actually verify that the signature matches the one on the back of the card. Aside from the fact that the merchant is not a signature expert, often there is no attempt to verify the signature.

A PIN, on the other hand, is not stored on the card, or at least, is not supposed to be stored on the card. In addition, we do not need to depend on the merchant to verify the PIN – the EFTPOS machine does that automatically – taking out the human factor, which has been shown, time and again, to be the weakest link in the security chain.


In addition, the EFTPOS machine is tamper resistant and difficult to break into. Even if it is broken into, it will wipe the information stored in it.

A further fact is that when you use a PIN, you are technically using two-factor authentication – a physical card that you possess, and a PIN that you know (or rather, remember). Using a card with a signature is only one-factor authentication, since the signature is on the card.

Some people have suggested that having photos on the card would make them more secure than PINs. This is not necessarily the case, as again, we expect a human to check that it is your photo on the card – and as with checking signatures, humans are again the weakest link. After all it is your money, and not theirs!

Where the fraud occurs

We then come to the question of whether this change, from signatures to PINs, makes all transactions safer? Not really – it only makes "card present" transactions safer. When using your card to make online purchases, your PIN does not help.

Thus your bank or credit card company may require you to use another security factor such as a text message to your mobile phone before you can complete certain online transactions.

There is also the question of how much fraud would such a change, from signatures to PINs, reduce? According to figures from the Australian Payments Clearing Association, for the financial year ending 2013, fraudulent transactions on credit and debit cards issued in Australia exceeded A$281 million.

The majority of this was "card not present" (CNP) fraud, which increased from A$183 million to more than A$219 million from 2012 to 2013. CNP is usually a transaction over the phone, mail or internet.

On the other hand, counterfeit or skimming fraud remained at A$37.2 million. With the move from signatures to PINs, the banks will be hoping that the latter figure decreases. Whether this will happen remains to be seen.

Is a PIN enough?

The other worry is whether a four-digit PIN is sufficient – the extra security feature of locking the card after three wrong attempts goes some way to addressing this, but it does not prevent people using weak PINs, such as a date of birth.
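As an added illustration (not part of the original article or any bank's actual system), the following Python sketch puts numbers on the two points above: the residual chance of guessing a random PIN before a three-attempt lockout, and an issuer-side check that rejects PINs derived from the cardholder's date of birth or other obvious patterns. The pattern list and the sample birth date are assumptions chosen for the example.

```python
from datetime import date
from fractions import Fraction

# Constructed sample cardholder for the demonstration; not a real person.
CONSTRUCTED_DOB = date(1985, 7, 31)


def guess_probability(pin_length, attempts_before_lock):
    """Chance that someone holding the card guesses a uniformly random PIN
    before the card locks (the article's case: 4 digits, 3 attempts)."""
    return Fraction(attempts_before_lock, 10 ** pin_length)


def dob_patterns(dob):
    """Four-digit strings an attacker who knows the birth date would try first
    (assumed pattern list: DDMM, MMDD, YYYY, DDYY, MMYY, YYMM, YYDD)."""
    d, m, y = "%02d" % dob.day, "%02d" % dob.month, "%04d" % dob.year
    yy = y[2:]
    return {d + m, m + d, y, d + yy, m + yy, yy + m, yy + d}


def is_sequence(pin):
    """True for straight runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def weak_pin_reason(pin, dob, pin_length=4):
    """Return why a chosen PIN should be rejected, or None if it is acceptable.
    Checks run from the cheapest to the most cardholder-specific."""
    if not (pin.isdigit() and len(pin) == pin_length):
        return "must be exactly %d digits" % pin_length
    if len(set(pin)) == 1:
        return "all digits identical"
    if is_sequence(pin):
        return "ascending or descending sequence"
    if pin in dob_patterns(dob):
        return "derived from date of birth"
    return None


if __name__ == "__main__":
    print("p(guess) for 4 digits / 3 attempts:", guess_probability(4, 3))
    for candidate in ("3107", "1985", "1234", "7777", "2580"):
        print(candidate, "->", weak_pin_reason(candidate, CONSTRUCTED_DOB) or "ok")
```

The lockout figure only holds for a PIN chosen uniformly at random; a PIN on the date-of-birth list collapses that 3-in-10,000 chance to a handful of guesses for anyone who also has the cardholder's wallet.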

We need to consider the security over the new ways of tapping a credit card on the EFTPOS terminal – the PayWave, PayPass and Tap and Go facilities. These have been introduced mainly for convenience and don't always need a PIN to complete a transaction. The banks have capped the transactions – mostly to A$100 maximum – and hence must believe that the level of fraud possible is worth the risk.

So what can we do to be more secure? The best way is to keep an eye on your transactions and report any anomalies to your bank as soon as possible.

With online banking, this is easier to do than in the past when one had to wait for the statement to arrive. Taking the extra time to make sure that the transactions are yours, and not a thief's, is worth it – it is your money, after all.

User comments : 2


antialias_physorg
not rated yet Jul 31, 2014
but it does not prevent people using weak PINs, such as a date of birth.

Aren't PINs generated by the bank and sent to you? These shouldn't be weak (aside from the fact that a 4 digit PIN isn't exactly the strongest type of password)
Eikka
5 / 5 (1) Jul 31, 2014
but it does not prevent people using weak PINs, such as a date of birth.

Aren't PINs generated by the bank and sent to you? These shouldn't be weak (aside from the fact that a 4 digit PIN isn't exactly the strongest type of password)

You can change yours for an extra fee.

4 digits is enough because one always has to enter the PIN manually. It is never used in online banking, where instead a one-time-pad of four digit codes is typically used.

Even a 3 digit PIN would give you less than 1 in 333 chance of guessing the correct number with three attempts, so even if you had a criminal with loads of stolen credit cards, less than a third of a percent of the attempts to use them would actually succeed. By that time, someone surely would have noticed a man who seems to constantly forget his PIN.
