[Gllug] natwest fantasticness

FORSTER, David david.forster at mfi.co.uk
Tue Apr 6 10:32:08 UTC 2004


> -----Original Message-----
> From: gllug-bounces at gllug.org.uk [mailto:gllug-bounces at gllug.org.uk]On
> Behalf Of Stephen Harker
> Sent: 06 April 2004 10:59
> To: Greater London Linux Users Group
> Subject: Re: [Gllug] natwest fantasticness
> 
> Given that most shop assistants rarely even look at your signature, someone
> who steals your card can buy loads of stuff and get away with it.
>
> If no-one knows your 4 digit pin except you (and why would you tell anyone?)
> then someone who nicks your card has 1 in 9999 chance of guessing your
> pin-number. A stolen card that requires a pin-number for all transactions is
> practically useless to anyone else without knowledge of that number. And
> while we're at it, why do switch cards have your sort code and bank account
> number printed on the front? How stupid is that??
>
> I know which version I'd rather have. New Zealand has had pin-number EFTPOS
> cards since the 80's. What's the problem?

Personally, I understand why "Chip and Pin" has been introduced, I
understand the benefits of it to security and everything, but it saddens me
that we're fixing the symptoms (shop assistants not checking signatures
etc.) and not the problem (people who steal credit cards/credit card
details). 

It also concerns me that even though, in theory, Chip and Pin has been well
thought out in terms of security, somebody somewhere has made a decision
that compromises it... something silly like storing the pin number on the
magnetic strip so that cards can still be charged when the phone line breaks
or if there isn't a phone line available, or maybe some website is
inadvertently storing the pin number and it gets cracked, and we'll be back
where we started from.

I have a friend from NZ and she tells me that, over there, the pin number is
used instead of a signature, not in addition to. Surely *IF* my card is
compromised in some way that then makes it dramatically easier to make a
fraudulent purchase as it's easier to remember a four digit number than to
forge a signature?

I think it's a good idea in theory, but I remain dubious as to the actual
implementation. I think that while the amount of fraud will decrease
slightly, the value of fraud will remain the same.

What I'd like to know is will this pin number replace the CVV number that's
used to prevent cardholder not present fraud?

Also, silly point, but isn't it a 1 in 10000 chance? My pin number could be
0000 couldn't it?

David.