Chip and PIN

Ian Johnson ukcrypto at chiark.greenend.org.uk
Fri, 25 Jan 2008 21:00:58 +0000 

On Fri, 2008-01-25 at 16:25 +0000, Ian Batten wrote:
> On 25 Jan 08, at 1604, PeteM wrote:
> > Ian Batten wrote  on 25-01-08 15:10:
> >> Unfortunately, we don't know (a) what the ratio between customer- 
> >> bad and customer-good ATM/Card fraud is and (b) how many people  
> >> who go to the ombudsman are trying it on (the latter is  
> >> unknowable, of course).

My understanding is that the police now only class as fraud when
incidents are reported by the bank, they were getting too many
and it was spoiling their stats. As a result even answering how many
cases of claimed fraud are there is hard if not impossible.

> >> ... Does the ombudsman get it  
> >> consistently wrong because of regulator capture?  It wouldn't  
> >> surprise me.   But some people here appear to believe that the  
> >> ombudsman should automatically find for the customer, because  
> >> customers are honest as the day is long and banks are all guilty.

Reading Ross & Nicholas's paper suggests the regulator effectively takes
the banks word for the level of authentication that was achieved.  In
which case the regulator is pointless regardless of whether he has been
"captured".

> But on the other hand, if he had obviously been defrauded, I presume  
> your contention is that the Financial Ombudsman is so deep in the  
> pockets of the banks that it is rejecting complaints that are  
> obviously valid, knowing them to be valid? 

Bank says we verified by chip & pin, regulator says that's ok then next
case.

> ...And if the banks exert a magnetic effect on regulators such  
> that they will risk public ridicule for rejecting obvious cases, how  
> come those self-same regulators have pummelled the banks for millions  
> over the selling of endowment mortgages, and the pressuring of  
> members of DB pension schemes to buy DC pensions?

Regulator understands financial products, doesn't understand technology
or crypto is my take.

> [[ My mother left her then union when they started allowing wide boys  
> to market DC pensions to teachers through union channels; personally  
> I think anyone with post-18 education who was taken in by that scam  
> deserves their fate, and I'm hardly more sympathetic to anyone who  
> didn't understand the risks of low cost endowments, but that's why  
> I'm not a financial regulator. ]]

Off-topic, but I see that as a marketing & paperwork issue more than a
technical one.  The rates of return that companies were allowed to quote
convinced people.

> There are plenty of people who will convincingly  
> tell You and Yours that a WiFi basestation ruined their health until  
> it was cured by homeopathy, but I trust we don't regard that as  
> conclusive...

My feeling is the regulator is one of those wrst to communication
from the banks!

> Every athlete nicked for drug use protests their innocence, their  
> willingness to take blood tests,..

A major difference is that at least the procedure is open and
verifiable.  Anyone can access the prohibited substances & the levels
that are viewed as infringing (www), the athlete can have a lab of
their choosing test a second sample.

With cash machines it appears customer says "it wasn't me", bank
says "chip & pin", regulator says result for bank.

Ian