Put in your pin, don't sign on the line

As credit card companies introduce a mandatory 'chip and pin' system in order to minimise fraud, will the onus of responsibility…

As credit card companies introduce a mandatory 'chip and pin' system in order to minimise fraud, will the onus of responsibility shift to the cardholder, asks Paul Cullen

Everyone has a story. Or knows someone who has a story. How their credit card was used to buy luxury goods in Bangkok. How their money was withdrawn from their account in ATMs around Dublin while they were lying on a Spanish beach. Or how they ended up with a hefty bill for internet purchases they never made.

Official figures suggest that debit and credit card fraud is falling, but it doesn't appear that way.

This week it was the turn of Newstalk radio presenter Claire Byrne, who learned that her bank card had been copied by fraudsters who had access to her pin (personal identification number).

READ MORE

While her bank managed to stop the con before any money was taken from her account, Byrne's plight quickly drew a response from listeners who hadn't been so lucky, including one woman who had €1,300 taken from her account by ATM thieves who skimmed her card.

In my own office, three colleagues have similar stories to tell. One woman's bank intercepted an attempt by fraudsters to place a €200 bet with her money. A colleague had €3,500 taken from his account after his credit card was cloned, most probably when it briefly left his sight in a city centre restaurant. The third person came back from holidays in Donegal last Christmas to find that more than €3,000 had been withdrawn from his account in Dublin, including €1,200 in one day.

All three were lucky in the sense that their banks recompensed them for losses incurred through no fault of their own. But will future victims of card fraud be so fortunate, now that the roll-out of "chip-and-pin" technology is being completed today? From this weekend, most shoppers will no longer be able to sign for their purchases, but will instead be required to key in a four-digit pin.

Most of us are already doing this, of course, and the sky hasn't fallen in. But in the UK, where this technology has been universal since last year, banks have been taking a harder line on customers hit by card fraud.

The new technology not only cuts down on fraud - the chips encased in cards are much harder to read or clone than the magnetic stripe traditionally used to encode a customer's personal information - but it makes it easier for the financial institutions to pass the blame on to the card holder.

BRITAIN'S FINANCIAL OMBUDSMAN has reported a rise in complaints as the victims of card fraud find that their banks show less willingness to accept liability. If a pin has been used to extract funds, banks can argue that the cardholder acted negligently by, for example, writing the number in an overly accessible place or sharing this information with a third party. In some cases, British banks have asked customers to provide proof that they did not disclose their pin in contravention of the banks' code.

Una Dillon of the Irish Payments Services Organisation (Ipso) says chip and pin will not lead to any change in policy by Irish banks on handling fraud cases. "Nothing has changed. It's less about shifting liability around than getting rid of the fraud."

Chip and pin was first introduced in 2004 and there haven't been major problems with it in that time, she points out. If people can prove they were elsewhere when the fraud occurred, or if the shop involved has CCTV, consumers should not have a problem showing they were innocent victims. Ultimately, though, she admits it's an issue for the financial institutions that issue the cards.

Both Bank of Ireland and AIB say they will investigate each incidence of fraud before making a judgment, as before. "We'll still deal with it on a case-by-case basis," says an AIB spokesman. "However, the boundaries within which it is possible to be compromised by fraud are narrower now." The Irish Banking Federation says the new procedures make it harder for third parties to break into the system unless they have the pin.

Its spokesman comments: "I would expect that institutions which have invested so heavily in this technology would say to people, 'so where did your pin go?'." An indication of how things might go can be glimpsed from one man's experience recounted on askaboutmoney.com, a financial advice website. Last year, after he visited a late bar in Brussels, he found €8,000 had been withdrawn from his account in 19 attempted transactions.

His bank claimed he must have had a copy of his pin in his wallet and refused to refund the money, citing negligence on his part.

The example illustrates a point made by Cambridge academic Ross Anderson, an outspoken critic of chip and pin, or "chip and spin" as he refers to it. Before chip and pin, he argues, it was easy to clone cards and forge signatures. However, there was always a paper record of the signature and if this wasn't the customer's, they weren't liable.

Now, however, a pin is easily copied once known and only CCTV cameras can establish whether the person making the transaction is the cardholder. Further, because so many of us simplify our lives by using the same pin for our different cards, our potential exposure to fraud is greatly magnified.

Only time will tell what difference the new technology will make to the consumer. Meanwhile, the war on card fraud moves on to new fronts, notably mail order and internet purchases.

For further information on chip and pin, see www.chipandpin.ie