Hampton Lintorn Catlin

Credit Card Security Through Insanity

How do we make credit card purchases secure? That is a question we have been asking ourselves since the instrument was first created. Traditionally, its been a signature panel on the back, plus a clerk maybe asking for photo identification if the purchase is large enough. Recently, things have gotten more advanced in most countries. In the UK in particular, they have gone all out with the “Chip and Pin” system.

Basically its a chip on your card that contains an encrypted version of your pin number… and you slot the card into the reader device and enter your pin. Some magical encryption things happen and BAM! Your purchase is done. 100% fool proof!

Anyone who knows anything about security knows that that isn’t true. Anytime you believe a system to be completely safe, it instantly makes it vulnerable. Any thinking person knows that actually comparing signatures is the dumbest thing in the world. My signature barely ever looks the same and with a little practice, someone could ape it pretty well. However, the clerks are responsible for figuring out if its your card. Things like looking at the name and comparing it to the person (male/female, etc), reading body language, seeing their demeanor, and of course… asking for ID if anything seems strange.

However, with chip and pin, the clerks aren’t responsible anymore. If you know the pin, then you aren’t questioned no matter how large the purchase! And get this… there are multiple ways to break into the chip and pin system. Just recently someone completely broke the system. That is, there is no security in chip and pin anymore which makes the following story even odder.

Today I had a singularly frustrating experience at the Game store (yes, that’s its name) in Cambridge’s Grand Arcade mall. Being an American, I don’t have a UK bank account yet. My business is run in the US and my income is in the US. So, I just stick with my US cards. My US cards are not “chip and pin”... and I feel pretty damn good about it (seeing as its completely insecure anyway). So, I go up to the counter to checkout and bring out my Amex. Here is the transcript:

Clerk: “Oh, sorry, we don’t take American Express”

Me: “No problem! I have a visa card too” [Hand him my US visa card]

Clerk: “This card isn’t signed”

Me: “Yeah, I know. Signing is such a bad way to do it, so I just always show ID. Here!”

[I hand him a top-security level EU identification card]

Clerk: “Doesn’t matter. If its not signed, then I can’t take it”

Me: “Ok, well then, I’ll sign it!”

Clerk: “You can’t do that”

Me: “Why not?”

Clerk: “You just can’t.”

Me: “Ok, well I have this EU id… and I have a US drivers license… so, you know… that has to be me!”

Clerk: “You could have stolen the card though”

Me: “Uhhh… right, but I have two forms of photo ID that match the card name. Are you saying I stole the card from someone with the exact same name?”

Clerk: “Yeah, but its not signed”

Me: “Right, but what does signing prove?”

Clerk: “It proves its your card”

Me: “No, the ID does that”

Clerk: “No, I need it to be signed. That’s our policy.”

Me: “Like I said, I’ll sign it”

Clerk: “No”

Me: “What if I sign it tonight and come back tomorrow?”

Clerk: “If you sign it and come back in 2 weeks, then you can use it”

Me: “Huh? So, I can steal a card, but if I’m just patient then I can use a stolen card”

Clerk: “That’s the policy. You are supposed to use Chip and Pin”

Me: “I’m a recent immigrant (obvious from my accent), and chip and pin is compromised. Its no longer secure at all, so I’m trying to give you my ID which is the best proof you could possibly have that its me.”

Clerk: “That doesn’t matter”

Me: “You know you can easily fake signatures, but not this shiny, new, official EU ID, right?”

Clerk: “But the card has to be signed”

He was polite, but it was like talking to an insane person.

The only system that works well is asking for ID and making sure that its good ID. That system works. Why are we trying to make machines do a job that humans are better at?


Aug 8, 2010
bobobo1618 said...
I agree with you on the insecurities of our silly cards. Something worse over here (Australia), that I'm not sure the rest of the world has yet is the touch system. Mastercard and visa allow you to make payments of up to $30 by touching the card to the scanner. No form of ID whatsoever. Seems wrong to me. Nice blog btw, hope you update it soon.