PIN's and credit cards.
Matthew Byng-Maddick
ukcrypto at lists.colondot.net
Sat, 16 Nov 2002 10:19:26 +0000
On Sat, Nov 16, 2002 at 09:03:22AM +0000, lists@notatla.demon.co.uk wrote:
> I didn't see anything in there on shifting liability to the customer - only
> to organisations not using chip cards to ensure high uptake in the next few
> years.
The problem is that it's not an explicit shift of liability, but as Bettina
mentions upthread, "your entire bag got stolen, the only way the mugger
could have known your PIN is for you to have written it down on a piece of
paper inside your handbag, therefore you must take the liability". As far
as the banks are concerned, use of the PIN becomes incontrovertible evidence
that it was you using the card.

Also, how tamper evident do these things have to be? I mean, yes, the PIN
might be encrypted once it reaches the card, but could you solder wires
across the contacts of each of the push switches for the PIN, for example,
at which point the PIN comes up on little lights underneath the counter?

I find that there's a depressing tendency of banks these days to not be
able to authenticate themselves (try ringing up one of the call-centres
and, after they've asked you to authenticate, ask them to prove that they
are the bank - they'll flounder); this kind of thing only makes that problem
worse. How do I know that I'm not typing my only secret into something that
*looks* like a real machine but isn't? Now, in general, it will be OK. But
really, I think I want these things to give some sort of feedback that they
are the real thing (knowing something about me that only the bank should
know, for example), then I might have more confidence in the technology.
MBM
--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/