Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system. The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."

Umm.. just as Europe moves beyond chip and pin...

[tobe]

In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.

But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.

Sorry, it's horribly insecure,

[davecb]

One of Ross Anderson's 2010 highlights was a paper on why Chip and PIN is brokenfor which he got coverage on Newsnight and a best paper award. Later, the banks tried to suppress this research.

Ross is a security researcher at University of Cambridge.

In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".