I'm not sure of the exact law in Canada. I've been out of the bank for a while now and don't follow things as closely any more. I believe that there is a limit of $50 of liability on the customer or something, though that may be VISA and MC policy rather than law. In any case, banks usually don't care about a mere $50, so they probably won't even make you pay that. But they do want you to pay when the fraud is worth thousands, and they achieve this by calling it a legitimate transaction and *not* a fraudulent one. When you claim it is fraud, they make you out to be a liar.
I actually tried to address this in my previous post, but obviously not very successfully. Essentially, the bank claims that the transaction is not fraud, but the customer knows that it is. Also, it's generally accepted by the banking industry that chip and PIN is a foolproof system, even though they really know that it's not. So, who is going to hold them accountable when it's your word against theirs?
Remember, the burden of proof is on you to prove fraud under chip and PIN because the system is widely believed to be impenetrable. So, how will you prove it? The only cases I have seen where a customer has successfully proven fraud is when their one and only card is used in another part of the world at the same time it was used by them where they live.
For example, you use your card in your home state and it is used by a fraudster within the hour in Australia. Both are card present transactions. Obviously you can't travel that far in less than an hour, so the bank concedes that you have proven fraud. In every other case, you made the transaction (whether you actually did or not) because your PIN was used, so it's clearly *not* fraud (even though it is) and you are on the hook.
Unless you have a team of lawyers as big as the bank has to fight it in court (ultimately costing you far more than the likely fraud ever was anyway), you're screwed! And the feds can't help because they believe the banks when the industry tells them that chip and PIN is foolproof, so if a PIN was used, the customer 100% for sure did the transaction and must pay for it.
Did that make more sense than the first post or am I just making things more muddy? I may not be the best person to explain this stuff, but I have seen it in action a number of times. The customer never wins.
Chip and PIN is always being spun (as it is in the article) as being safer for consumers. In reality, it's only safer for the banks, and it's incredibly harmful to consumers. Having worked for several years in the banking industry in Canada, I can tell you exactly what chip and PIN means. It means that you, the consumer, will be on the hook for ALL fraudulent charges on your credit cards wherein a PIN was used, because the banks claim that only you could have used the card (since nobody else is allowed to know your PIN). Alternatively, if you gave someone your card and PIN (perhaps a spouse), you're still on the hook because you're responsible for violating the TOS of your card.
Banks claim that a chip and PIN transaction cannot successfully go through if the PIN is entered incorrectly. This is entirely false, but they will use this argument to pin the phony charges on you, the consumer! What the banks don't, and never will, tell you is that chip and PIN has been flawed from the very beginning. Smart criminals have long been able to trick card terminals into thinking that a wrong PIN is actually correct. When a trace is performed to see if a PIN was used for a transaction that you've reported as fraud, a simple Y or N answer comes back. Even if the PIN that was used was wrong, and the criminal tricked the terminal into thinking it was correct, a Y (meaning that Yes, a PIN was used, and therefore you must have done the transaction yourself) will come back in the report to "prove" that the transaction was legit. And who pays for the fraud when this happens? You! Not the bank, because their argument is that you must have made the charge. The burden of proof is 100% on you to prove otherwise.
During my time as a banker I have seen numerous fraud victims further victimized by having to pay for the fraud themselves. And many of you will argue that the banks won't make people pay because they have always absorbed fraud themselves in the USA. But what you're not considering is the fact that they will now be able to reword their credit card agreements to pass liability over to the customer while still claiming to absorb all fraudulent transactions themselves. When they change the definition of fraud, they can literally pass the actual fraud on to you, all the while claiming that the charge wasn't fraudulent at all, but a completely legitimate charge. Every Canadian bank has been doing this since the day chip and PIN first came in.
Everyone that thinks chip and PIN is a good thing for consumers is in for a very rude awakening if and when their account is fraudulently used with a cloned card and a fake PIN. My advice is to hold onto your cards with the grip of death, keep your limits relatively low (to limit your losses in the event of a fraud), and set text and e-mail alerts for absolutely everything you possibly can. It may not protect you entirely, but you've got to take every possible measure to protect yourself if chip and PIN comes in.
Where is the PIN located, on the card or in the transaction network? If it's locally authenticated on the card, yeah that's fraught with problems; however I'd made the apparently blithe assumption it was checked against the back-end card issuer?
Both ways are possible, but it seems that most often the PIN is stored right on the chip. It certainly was with the bank I worked in. We needed to insert the client's card into our terminal to change their PIN. Having the PIN in the card itself makes the transaction much quicker to authenticate, since no communication with the bank's servers is necessary for this part of the transaction. Banks have the ability to choose which way this all works on their issued cards, but banks are naturally going to choose whatever is faster. So, with all other variables being equal (i.e., rewards), if bank A's card works quickly and bank B's takes twice as long, which bank's card are most people going to use once they notice the lag? People these days don't have very much patience, so bank B won't be able to compete if they store the PIN online (remotely from the card).
It's also thought that RFID cards (the fastest ones of all) make shopping so easy that people spend more money when using them. And they're very, very fast to use. Probably even faster than swiping. In Canada, where chip and PIN cards are pretty much all you can find now, most cards are also now RFID enabled, bypassing the PIN scenario entirely and making the info on people's cards easier than ever to steal. People are under the misguided impression that since you need to be within a couple of cms to tap your card, that is also how close a criminal with a portable reader needs to be to your a** to steal the info through your wallet. In reality, the distance required to read a card is directly related to the power output of the reader. It's set to within an inch or two in stores to prevent the inadvertent reading of someone else's card during a transaction, but a thief can easily steal from you at greater distances with more power output.
I personally carry a stainless steel RFID blocking wallet (made by Stewart Stand) and use individual RFID blocking sleeves for my cards whenever I just want to carry them loose in my pocket. I also never take my cards out of these sleeves when in my own house, just in case... I'm not taking any chances with my info!
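The single Y/N "PIN used" flag described earlier in the thread, and the offline (on-card) versus online (issuer-checked) PIN distinction in the post above, both come down to whose evidence the issuer trusts. The following is an added example, not code from anyone in this thread or from any card scheme: an issuer-side check that treats the terminal's EMV CVM Results (tag 9F34, per EMV Book 4) as a claim to be cross-checked against the card's own record rather than as proof. The `card_offline_pin_done` field stands in for the card's Card Verification Results, whose real layout is issuer-specific and is simplified here as an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# EMV CVM Results (tag 9F34) byte 1, method code in the low 6 bits (EMV Book 4).
CVM_PLAINTEXT_PIN_OFFLINE = 0x01
CVM_ENCIPHERED_PIN_ONLINE = 0x02
CVM_ENCIPHERED_PIN_OFFLINE = 0x04
CVM_SIGNATURE = 0x1E
CVM_NO_CVM = 0x1F
CVM_RESULT_SUCCESS = 0x02  # byte 3 of 9F34: 0x00 unknown, 0x01 failed, 0x02 successful

@dataclass
class AuthRequest:
    cvm_results: bytes                  # terminal's 3-byte CVM Results (9F34)
    card_offline_pin_done: bool         # card's own record (simplified CVR flag, assumed layout)
    online_pin_verified: Optional[bool] # issuer HSM result for online PIN; None if no PIN block sent

def pin_evidence(req: AuthRequest) -> str:
    """Classify what the authorisation data actually proves about the PIN."""
    method = req.cvm_results[0] & 0x3F
    result = req.cvm_results[2]
    if method == CVM_ENCIPHERED_PIN_ONLINE:
        # Online PIN: the issuer verified it itself, so the terminal's flag is irrelevant.
        return "PIN_VERIFIED_BY_ISSUER" if req.online_pin_verified else "PIN_FAILED"
    if method in (CVM_PLAINTEXT_PIN_OFFLINE, CVM_ENCIPHERED_PIN_OFFLINE):
        if result == CVM_RESULT_SUCCESS and req.card_offline_pin_done:
            return "PIN_VERIFIED_BY_CARD"
        if result == CVM_RESULT_SUCCESS and not req.card_offline_pin_done:
            # The terminal says "PIN OK" but the card never ran a PIN check:
            # this is the case a bare Y/N trace would wrongly report as "PIN used".
            return "MISMATCH_TERMINAL_CLAIMS_PIN_CARD_DID_NOT"
        return "PIN_FAILED"
    return "NO_PIN"  # signature, no CVM, or anything else: no PIN evidence at all

def treat_as_cardholder_verified(req: AuthRequest) -> bool:
    """Only card- or issuer-backed verification counts; a mismatch is flagged, not accepted."""
    return pin_evidence(req) in ("PIN_VERIFIED_BY_CARD", "PIN_VERIFIED_BY_ISSUER")

# Constructed sample records (not real transaction data).
GENUINE_OFFLINE = AuthRequest(bytes([0x41, 0x03, 0x02]), True, None)
SPOOFED_OFFLINE = AuthRequest(bytes([0x41, 0x03, 0x02]), False, None)
ONLINE_OK = AuthRequest(bytes([0x42, 0x03, 0x00]), False, True)
SIGNATURE_ONLY = AuthRequest(bytes([0x1E, 0x03, 0x02]), False, None)
```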
I don't think the requirement of placing the card in the reader to change the PIN is proof positive that the PIN is stored on the card itself? The ID presented would need to be tied to the backend database in the external authorization scenario anyway and as such even in the simple case of a single customer having multiple cards, would need the specific one to be changed potentially or some other ID mechanism.
That's a seriously stupid security design, putting the PIN authorization on the card, and I would've hoped anyone implementing such a system would know that. No doubt on the desire for quicker transactions; I get a little irritated with how long it sometimes takes chip-enabled readers, and apparently I'm not alone, with the almighty Visa taking unilateral action to try to fix it.
Then again I don't have any Chip/PIN cards personally, but Chip/Signature isn't a win from my perspective. Whole thing is a mess frankly. I do appreciate your responses, interesting stuff.
No, it's not really proof—just a single piece of evidence. Everything else under the sun can be done without the card being present with the customer, but not a PIN update. I suspect this is the reason why. If it were all back end, we could surely get the PIN changed some other way.
Where the PIN is stored isn't actually something that I have first hand knowledge of. I read it in an article on chip and PIN one time. Still, all of the other stuff, such as having seen innocent customers cheated out of hundreds of dollars because of the bank's claim that PIN technology is impenetrable, is 100% first hand. I can only hope that USA banks won't end up using the myth of chip and PIN security to pass the buck to innocent Americans!
Well Google supports your assertion G, it can be stored either backend or on the chip w/local authentication in that instance.
Meh, too true about attacking the reader instead, which we've seen before and will see again. Admittedly it should cut down on the easier forms of fraud but isn't going to keep the sophisticates out.
Every time I use a chip and sign card I never get asked to sign.
I usually don't either since most of my transactions are smaller-sized. I can say that when I've had larger transactions at Kroger (+/- $200) and I use the chip, the terminal does make me sign.
I'm not sure where the cut-off is, though; my transactions are either tiny, or $200+... not much in-between... LOL.
FWIW, back when I would swipe my card at Kroger, any time I purchased $100 or greater in gift cards in one transaction I would have to give my ID to the cashier to be entered into the register. Now that I 'insert' my card the register no longer asks for this.
Funny thing is my Discover, which I use all the time, is still NOT a chip card, just the plain card they issued when I got it. It doesn't expire until 2019, so I guess I'll have it a while.