A forced PIN for all credit cards won't stop the biggest fraud

July 31, 2014 by Asha Rao, The Conversation
A typical credit card includes your signature which anyone can copy. Flickr/Beau Giles, CC BY

Put the pen away when you next take out your credit card as from tomorrow (Friday August 1) Australians will no longer be able to use their signature when completing a transaction in a store. It's PINs only from now on, although this will apply only in store and not for online transactions.

According to PINwise, an initiative of the Australian payments card industry, using a PIN (personal identification number) for credit and debit card purchases in store is "safer and faster than signing". But is this really the case?

Both PINs and signatures are means of authentication for proving that you are who you say you are. Or in the case of credit cards, of proving to the merchant that it is your credit card and you have the right to use it.

Thus, for in-store use, the signature or the PIN plays the part of the password, while the physical card plays the part of the username, the thing that identifies the account being used. Now, which of these is safer, and why?

A signature is not secret

The problem with signatures is that the signature itself – the "secret" information – is written on the card, allowing a person to acquire it if they get hold of the card.

Also, when authenticating with a signature, you are expecting the merchant, a human, to actually verify that the signature matches the one on the back of the card. Aside from the fact that the merchant is not a signature expert, often there is no attempt to verify the signature.

A PIN, on the other hand, is not stored on the card, or at least, is not supposed to be stored on the card. In addition, we do not need to depend on the merchant to verify the PIN – the EFTPOS machine does that automatically – taking out the human factor, which has been shown, time and again, to be the weakest link in the security chain.

In addition, the EFTPOS machine is tamper resistant and difficult to break into. Even if it is broken into, it is designed to wipe the information stored in it.

A further fact is that when you use a PIN, you are technically using two-factor authentication – a physical card that you possess, and a PIN that you know (or rather, remember). Using a card with a signature is only one-factor authentication, since the signature is on the card.

Some people have suggested that having photos on the card would make them more secure than PINs. This is not necessarily the case, as again, we expect a human to check that it is your photo on the card – and as with checking signatures, humans are again the weakest link. After all it is your money, and not theirs!

Where the fraud occurs

We then come to the question of whether this change, from signatures to PINs, makes all transactions safer? Not really – it only makes "card present" transactions safer. When using your card to make online purchases, your PIN does not help.

Thus your bank or credit card company may require you to use another security factor such as a text message to your mobile phone before you can complete certain online transactions.
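As an added example that is not part of the original article, here is the server side of such a step-up check in Python: a one-time code is generated for one specific transaction, sent out of band (the SMS delivery itself is outside the example), and accepted only once, only before it expires, and only while the wrong-guess budget lasts. The expiry, attempt limit, code length and server key are assumed values for illustration, not any bank's actual policy.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # assumed policy: a code is valid for five minutes
MAX_OTP_ATTEMPTS = 3       # assumed policy: three wrong codes void the challenge


class OtpStore:
    """Issues a one-time code for a specific transaction and checks it once.

    Only an HMAC of the code is retained, so a read of the store does not
    yield usable codes; the MAC also covers the transaction id, so a code
    phished for one purchase cannot authorise a different one.
    """

    def __init__(self, server_key: bytes,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = server_key
        self._clock = clock            # injectable so expiry can be tested
        # txn_id -> [code_mac, expires_at, attempts_left]
        self._pending: Dict[str, List] = {}

    def _mac(self, txn_id: str, code: str) -> bytes:
        msg = f"{txn_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str) -> str:
        """Create the code to send by SMS together with the transaction details."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = [self._mac(txn_id, code),
                                 self._clock() + OTP_TTL_SECONDS,
                                 MAX_OTP_ATTEMPTS]
        return code

    def verify(self, txn_id: str, code: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                       # never issued, already used, or voided
        mac, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[txn_id]          # stale challenge: customer must request a new one
            return False
        entry[2] = attempts_left - 1           # count the attempt before comparing
        if hmac.compare_digest(mac, self._mac(txn_id, code)):
            del self._pending[txn_id]          # single use
            return True
        if entry[2] <= 0:
            del self._pending[txn_id]          # budget exhausted: force a fresh challenge
        return False


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock instead of real time.
    now = [1_000.0]
    store = OtpStore(b"constructed-server-key", clock=lambda: now[0])
    code = store.issue("txn-42")
    print("sent by SMS:", code)
    print("first use:", store.verify("txn-42", code))     # True
    print("replay:", store.verify("txn-42", code))        # False, already consumed
```

Two details matter beyond the code itself. The code is bound to the transaction identifier, so the SMS should state the amount and merchant: a code a phisher extracts for one payment is useless for another. And only an HMAC of the code is kept, so a compromise of the pending table does not hand out live codes.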

There is also the question of how much fraud would such a change, from signatures to PINs, reduce? According to figures from the Australian Payments Clearing Association, for the financial year ending 2013, fraudulent transactions on credit and debit cards issued in Australia exceeded A$281 million.

The majority of this was "card not present" (CNP) fraud, which increased from A$183 million to more than A$219 million between 2012 and 2013. A CNP transaction is one made over the phone, by mail or on the internet, where the merchant never sees the card.

On the other hand, counterfeit or skimming fraud remained at A$37.2 million. With the move from signatures to PINs, the banks will be hoping that the latter figure decreases. Whether this will happen remains to be seen.

Is a PIN enough?

The other worry is whether a four-digit PIN is sufficient. The extra security feature of locking the card after three wrong attempts goes some way to address this, but it does not prevent people from choosing weak PINs, such as a date of birth.
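As an added example (not part of the original article), the following Python models the two controls this paragraph mentions: a policy check that rejects the weak PINs a thief would try first, including ones derived from a date of birth, and a chip-style try counter that blocks the card after three wrong entries. It also computes the odds a thief holding the card has of guessing the PIN before lockout, for any PIN length and attempt limit rather than only the four-digit, three-try case. The thresholds, the example date of birth and the list of weak patterns are assumptions for illustration, not the Australian scheme's actual rules.

```python
import hmac
from datetime import date
from typing import Optional

PIN_LENGTH = 4
MAX_ATTEMPTS = 3                 # assumed issuer policy: three wrong entries block the card
EXAMPLE_DOB = date(1990, 7, 31)  # constructed cardholder date of birth for the demo


def is_weak_pin(pin: str, birth: Optional[date] = None) -> bool:
    """Return True for PINs an attacker would try first: repeated or sequential
    digits, a repeated pair, or anything derived from the holder's date of birth."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return True
    if len(set(pin)) == 1:                              # 0000, 1111, ...
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                            # 1234, 9876
        return True
    if pin[:2] == pin[2:]:                              # 1212, 0707
        return True
    if birth is not None:
        derived = {
            birth.strftime("%d%m"), birth.strftime("%m%d"),   # day/month in either order
            birth.strftime("%Y"),                             # four-digit year
            birth.strftime("%d%y"), birth.strftime("%m%y"),   # day or month + two-digit year
        }
        if pin in derived:
            return True
    return False


def guess_probability(digits: int = PIN_LENGTH, attempts: int = MAX_ATTEMPTS,
                      excluded: int = 0) -> float:
    """Chance that a thief holding the card hits the PIN before the lockout,
    assuming the PIN is uniform over the 10**digits space minus any values
    the policy forbids (`excluded`)."""
    space = 10 ** digits - excluded
    return min(attempts, space) / space


class PinSlot:
    """Models a chip card's PIN try counter.  The counter is decremented before
    the comparison and reset only after a match, so pulling the card out
    mid-check cannot be used to obtain a free attempt."""

    def __init__(self, pin: str, tries: int = MAX_ATTEMPTS) -> None:
        self._pin = pin
        self._max_tries = tries
        self._tries_left = tries

    @property
    def blocked(self) -> bool:
        return self._tries_left == 0

    def verify(self, candidate: str) -> bool:
        if self.blocked:
            return False                   # stays blocked until the issuer unblocks it
        self._tries_left -= 1              # commit the attempt first
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._tries_left = self._max_tries
            return True
        return False


if __name__ == "__main__":
    for candidate in ("1234", "3107", "1990", "2580"):
        print(candidate, "weak" if is_weak_pin(candidate, EXAMPLE_DOB) else "ok")
    print(f"P(guess in {MAX_ATTEMPTS} tries) = {guess_probability():.4f}")
    card = PinSlot("2580")
    print([card.verify(p) for p in ("0000", "1111", "2222")], "blocked:", card.blocked)
```

The try counter is decremented before the comparison and reset only after a match; that ordering is what stops an attacker from interrupting the check to get an unlimited number of guesses. The probability figure is the practical reason a four-digit PIN survives: with the lockout, a stolen card gives a thief three guesses out of ten thousand, provided the PIN is not one of the handful that the weak-PIN check screens out.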

We also need to consider the security of the new ways of tapping a credit card on the EFTPOS terminal: the PayWave, PayPass and Tap and Go facilities. These have been introduced mainly for convenience and do not always need a PIN to complete a transaction. The banks have capped such transactions, mostly at A$100, and so must believe that the level of fraud possible is worth the risk.

So what can we do to be more secure? The best way is to keep an eye on your transactions and report any anomalies to your bank as soon as possible.

With online banking, this is easier to do than in the past when one had to wait for the statement to arrive. Taking the extra time to make sure that the transactions are yours, and not a thief's, is worth it – it is your money, after all.

Comments

not rated yet Jul 31, 2014
but it does not prevent people using weak PINs, such as a date of birth.

Aren't PINs generated by the bank and sent to you? These shouldn't be weak (aside from the fact that a 4 digit PIN isn't exactly the strongest type of password)
5 / 5 (1) Jul 31, 2014
but it does not prevent people using weak PINs, such as a date of birth.

Aren't PINs generated by the bank and sent to you? These shouldn't be weak (aside from the fact that a 4 digit PIN isn't exactly the strongest type of password)

You can change yours for an extra fee.

4 digits is enough because one always has to enter the PIN manually. It is never used in online banking, where instead a one-time-pad of four digit codes is typically used.

Even a 3 digit PIN would give you less than 1 in 333 chance of guessing the correct number with three attempts, so even if you had a criminal with loads of stolen credit cards, less than a third of a percent of the attempts to use them would actually succeed. By that time, someone surely would have noticed a man who seems to constantly forget his PIN.
