Does chip-and-PIN mean the number’s up for card fraudsters?

A lesson to be learned from the other side of the world

1st August 2014 saw huge changes in Australian personal finance as we welcomed in the end of an era for Australia’s debit and credit cards, with the last ever signature signed to confirm an over the counter transaction. Yes, Personal Identification Numbers (that’s PINs to you and me) have now taken the place of pens as swipe-and-sign is consigned to history.

Why are we changing?
Quite simply, the switch is all about combating card fraud. You don’t have to be a master forget to scribble a passable copy of a signature, and to many shop assistants, everyone’s autograph looks the same after you’ve been working a till for seven hours. Unless they’re incredibly lucky (a 1 in 10000 chance if internet statisticians are to be believed), a crook can’t simply guess your (PIN).

Not only that, but those four digits must correspond to the chip embedded in your card to create a virtually failsafe way to validate a transaction that’s just as secure as using a card to withdraw cash from a hole in wall.

That’s according to the banks and credit card companies who have been lobbying for change for some time and kept the pressure up until the retailers capitulated.

But the big question is, will the new system actually work and reduce the amount of retail card fraud?

Luckily, us canny Australians waited years to make the switch to chip-and-PIN – all in the name of research of course. That gives us a good picture of the effect the new payment regime has had on fraud amongst the early adopting countries. And the results make interesting reading indeed.

 
Has it worked in the rest of the world?
The first country to rollout chip-and-PIN was the UK, who way back in 2004 blazed a trail by scrapping swipe-and-sign. Since then, according the UK Card Association, fraud on lost and stolen cards in the country is now at its lowest level for two decades and counterfeit card fraud losses have also fallen to their lowest level since 1999. Losses at UK retailers have fallen by 67 per cent since 2004 and lost and stolen card fraud fell by 58 per cent between 2004 and 2009.

In a 2011 interview, seven years after the changeover, Melanie Johnson, Chair of The UK Cards Association, said: “Chip-and-PIN is a great success. The UK was the first country in the world to fully rollout this global version of chip-and-PIN and cards continue to be an increasingly popular way to pay – whether at home or abroad – which is no surprise given the fact that they allow us to pay for things safely, easily and conveniently.”

The PIN that can really hit you where it hurts
On the other side of the coin, it’s also been reported in the UK that the switch to chip-and-PIN provided a springboard for a massive explosion in the cloning of cards. This is where the card’s digital data and crucially, the accompanying PIN, are illegally gathered and used to create your flexible friend’s evil twin that can be used for all manner of nefarious purposes.

In a Daily Mail article published just three years after the switch, figures showed that before the change, PINs were used at some 50,000 bank cash machines which rocketed to 900,000 as tills, including high street stores and restaurants, started to be places where PIN numbers were regularly exposed. This multiplied the opportunities for criminals to steal the PINs and the information on the magnetic stripe, which are needed to create copies, then hit the ATMs and stores and enjoy a spending spree on you. Fraud linked to counterfeit or cloned cards hit £169.8million in 2008. That was up by 18 per cent on 2007 and by 75 per cent compared to 2005.

Criminals shifting their attention to other types of fraud has also been experienced in the UK, with a reduction in card-present fraud (the original card, not a clone) being offset by card-not-present (CNP) fraud. That’s where goods or services are paid for online or over the phone, and one that’s been netting European fraudsters ever-increasing profits as their methods become more sophisticated.

What cost for you?
It seems that the chip-and-PIN will initially reduce card-present fraud, but then open a Pandora’s Box of other types of card fraud as PINs become easier to steal and cards easier to clone.
So, as always, guard your magic number carefully and be ultra-cautious when entering it at a checkout or till and reduce risk of giving it away by using contactless payment for smaller amounts.

The view from the USA
As a footnote, the world’s largest economy and leaders in all things financial, are yet to adopt the new technology. Over in the US, they’re resisting the change for a number of reasons, the main ones being: Scale, with more than 10 million terminals that would require replacement; cost, that pits retailers and card providers against each other in the battle to see who picks up the bill; low a fraud rates that make it less of a necessity; and outdated phone technology that would overload the new infrastructure.