Chip and PIN - It's gonna be ugly

By now everyone has heard about the new (to the US) credit cards called "Chip and PIN". And the banks have been telling us just how much better their new card technology is going to be. But better how? And for whom?

Similar to "two factor authentication" (2FA), this security relies on two things: "something you have" (the card) and "something you know" (the PIN). Hence the name.

If someone steals your card, they probably won't know your PIN code. If someone knows your PIN code (looking over your shoulder in the checkout line) they still don't have your card.

You might be using this technique now with online web sites sending you text messages to confirm your password. You "have" the phone and you "know" your password. Even if your password gets hacked (which it will) without the device, the bad guys can't get at your stuff.

If you're not doing this for your web activity (banking, etc.) you should be. Not kidding.

So far so good.

There are plenty of places you can go to read about chip and PIN technology, like here. But there are some interesting consequences that are important.

For starters, this has been available in Europe for years. Since you insert your card into the terminal instead of swiping it, they call it "dipping". They might have called it "chip and dip", but this is America and I'm sure credit card companies didn't want to deal with the fallout when we discovered it wasn't edible. Hey, we're eating everything else.

And in Europe, it's been pretty effective.

But here they've elected to go with "chip and signature" which means... nothing has changed. For now. It'll take several years, but get ready to start using PINs with all your cards, like you would a debit card today.

And since credit card fraud has doubled in the last 7 years, credit card issuers are doing whatever they can to shift the liability somewhere else - anywhere else actually.

Retailers who don't install the chip and PIN terminals will be liable for credit card fraud going forward. That should be a holy shit moment for small merchants and accordingly they are installing the modern terminals as fast as possible.

But a few years back a European criminal ring defeated the secure chip-and-PIN credit cards. Ouch.

The tl;dr[1] explanation is that these guys soldered a toy chip onto the chip on the card to tell it that any PIN was the right one. This eliminated the second part of the two factor authentication because it appeared to the banks that the crooks had the actual PIN of the cardholder.

OK, no big deal, right? Another twisted foreign math major beat bank security. Yawn.

Until you get to the end of the article mentioned above and read the bank's response to the cardholder claims.

Because the banks believed that the technology was totally secure they asserted that the cardholder had been careless with their PIN code and denied the claims.

That's right, and that's a real problem for us cardholders. You can see what's happening here. Once the banks can say that their technology is secure, they can shift the fraud liability away completely.

So when Dmitri buys two one-way tickets from Moscow to Rio in February on your credit card, you're going to call your bank and tell them you've been ripped off and they're going to ask you why you gave Dmitri your PIN code. Or left it at 1234.

Today I use credit cards primarily to reduce my exposure to fraud (and it's saved my butt plenty of times) and I only use debit cards at the ATM. That safety factor is going away.

And do you believe for one minute that the cost savings accrued by the banks will be passed along to merchants with lower fees or cardholders with more reward miles?

Fat chance.

  1. Stands for "too long, didn't read"