Why I Refuse To Use Chip & Pin

For those who don't know, "Chip & Pin" is an authentication system brought in by the banking industry in the UK to (in their words) reduce fraudulent activity on their customers' accounts. Previously people authenticated themselves by signing their name; now they're expected to slip their card into the reader on the counter and enter their PIN, which (in theory) only they know. The "Chip & Pin" wiki page has a much more expansive explanation. I have three main issues with Chip & Pin.

  1. The potential for someone to see your PIN as you type it in has just multiplied many times over.
  2. The banks rewarded themselves for making fraud harder, by allowing themselves a loophole to avoid paying out because "you must have shared your PIN".
  3. The banks were offered a choice of two electronic systems which would offer Chip & Pin, a cheaper (and less secure) option, or a more expensive (and more secure) option. Guess which one they chose?

The Accidental Sharing Of The PIN

Since ATMs (Automated Teller Machines) have been with us a long time, people have gotten used to leaving a gap between the person using it and the front of the queue. People have gotten used to expecting a gap around them while using it, being aware of anyone looking over their shoulder etc. People don't (or in some cases can't) apply that same thinking to a keypad on the counter of a store where part of the queue can watch the keypad. They don't think to cover their hands as they type; they rely on everyone in the queue glancing in different directions. That's not counting staff, who in many cases have little enough space behind the counter to do anything but stand and avert their eyes. When you're curious enough to put the effort in, you can comprehend stuff upside down, so even though the keypad is facing the customer, you can visualize the buttons and the numbers just fine. That's assuming the staff and company are honest. Since these devices are in the hands of people other than the banks, you have to rely on them vetting their staff and having procedures in place to ensure that tampered keypads, which grab the card details as well as the PIN, are not being used.

Here's a fun little exercise for you to try, one which the banks would no doubt be appalled at. Make sure you carry a small post-it notepad and a little bookies or Argos pen in your pocket at all times. When you're in a queue with a badly placed and / or designed keypad that you can see from your place in the queue, watch people who put their PINs in. Take a quick note of their PIN number on your post-it note, tap them on the shoulder as they pass you and hand them their PIN number. Being handed a note from a complete stranger with information only they should know will likely stick in their minds. Think of it as your chance to be Derren Brown for a minute.

You Must Have Shared Your PIN AKA We're Not Paying

While the banks were loudly proclaiming with one voice how wonderful Chip & Pin was, how much safer it was, how fraud would be much harder to commit now, what they didn't shout about was the change in liabilities they managed to get for themselves as a "reward" for introducing a more secure system. This part they "forgot" to mention in all the proclamations of "doing the right thing for the customer". This was something they had to admit when questioned by MPs.

Previously they had to deal with forged signatures which people can contest, with handwriting analysis etc. This is open to error in both directions. How often have you had an injury to your writing hand and had to write temporarily with your non-writing hand? Even if you've been lucky and never experienced this, try it for yourself: pick up a pen and sign your name with your weak hand. Looks like you're back at primary age writing class, huh? Try signing your name with gloves on, or when you're freezing cold. All of these factors and more affect our signatures, on top of the fact that we're not robots, so every signature is slightly different.

Often the signs a teller has to go by are more in the body language, such as whether the person seems to be having to think about it. All of this provides loopholes which the bank then had to pay out on. Chip & Pin is a digital method. It's either 0 or 1, on or off, correct or incorrect. There's no ambiguity. Add to that, the banks go to great lengths when they send your card and number out to make sure they arrive on different days, in different envelopes, and give you all sorts of advice about memorizing and destroying the PIN number, not writing it down anywhere, not divulging it to anyone including bank staff.

So in theory, something that only the customer knows should be great as authentication, and it is. Therefore any transaction which is authenticated by the correct PIN number for the card "must" be genuine. There are no appeals; it's digital proof that it was genuine. If someone else used your PIN, you must have shared your PIN with them, which means it's YOUR fault, therefore YOU pay, not the banks. I wonder how many people who get handed a post-it note with their PIN number on it from a complete stranger would agree with that.

We Did It For Our Customers

While the banks are using the excuse of "we did it for our customers" what they don't mention is another thing which they had to admit while being questioned by MPs. They were offered two electronic systems which would allow the Chip & Pin service to work, one involved much heavier encryption etc but was considerably more expensive. They went for the cheap option.

This, combined with the liabilities switch from them to the customers has me convinced that the real reason behind Chip & Pin is to save money in payouts. It can't of course be sold to the public as that, so they need some reason to buy in, hence "better fraud protection" was the reason sold to us. If they'd been upfront in explaining ALL of the deal, I'd have been more accepting of it, but since two of the key parts only came out because they HAD to tell MPs, I question the Chip & Pin system. Not only that but I refuse point blank to use it.

You Can Avoid Chip & Pin

When I'm in a store which demands Chip & Pin for Switch transactions, I either pay in cash, or go elsewhere if I can't draw cash and need to pay with Switch. When I'm in my bank, the counter staff mostly recognize me and no longer hand me my card back and ask me to put it in the machine and enter my PIN. They know I refuse. They have an override command which they will tell you they can't do; but they can. They may not like it, they may be trying to phase it out but it exists in case people can't remember their PIN.

On a quick side note, I used to wonder how people could forget their PIN numbers, until my mind went blank one day at the ATM immediately after checking my wages had been paid in. When I put the card back in to draw some out, my mind went blank. After three failed attempts I had to waste my lunch hour queuing inside to get my card back.

Be polite but firm. Refuse to use Chip & Pin. They will try to insist but they can't if you stick to your guns. What they can do is ask for additional proof of ID. I have no problem with this personally, as my bank have tried that a few times to "encourage" me to comply with their new Chip & Pin goodness. It didn't work. I now go to the bank armed with my card and ID, although I never get asked in my branch now; they know me well enough. I'm living proof that it does work.

Final Thoughts

I welcome processes brought in to genuinely make our accounts more resistant to fraud. I understand that it will involve a little more hassle for customers to prove their identity; again, I'm happy with that. Chip & Pin is not the answer. If it was, the banks wouldn't have switched liability, nor would they have gone for the cheap option on the keypads. We all want fraud to be all but impossible to happen in the first place, which means NOBODY needs to pay out, the customers or the banks. With Chip & Pin, someone still pays.

Disclaimer

I do NOT condone gathering PIN numbers, nor using them for any illegal activity, i.e. on accounts that are not yours. The point of that exercise is to make people aware how vulnerable they are, to educate them.

Comments

I see that you grieve a lot over this issue. However, I fail to understand how you concluded that chip with PIN is less secure than either magstripe with no PIN (i.e. with signature only) or magstripe with PIN?

ThistleWeb's picture

The banks' PR insist that PIN ONLY is more secure, so they've done their part in preventing fraud. They insist that any fraudulent transactions authorised by PIN MUST not be fraudulent, because the only person who knows that PIN is you. That relies on a lot of people being decent enough to look away as you type your PIN in a queue or checkout, including the cashier.

I have no objection to PIN and signature. I object to PIN only, and being forced to use PIN only.

When the banks' PR is telling one story of security, while their executives tell a different story to MPs where they're legally bound to be honest, I also have issues. If the banks made the Chip & Pin changes over security, they'd have chosen the significantly more secure option of what they were offered... they chose the cheap ass technology. That's one alarm bell.

When they then insist that they've done their part, and as a reward, they change the liabilities and burden of proof to put ALL of that onto the customer. That's another alarm bell.

The PR being sold to the customer is "security" while the telltale signs they had to admit to MPs are about "increasing profits". If they can get away with denying EVERY claim en masse with the "you shouldn't have shared your PIN, your fault"......your claim of "I didn't" falls on deaf ears.
