It must be getting on for time for me to go back to California because I’m starting to behave like a regular whingeing pom. Or at least I’m having a cranky day. This post is all about something I have bent Kevin’s ear about on many occasions: the rapacity of British banks.
I hate using credit cards of any sort in the UK, but if I do I try to use the ones I have from US banks. Why? Because it is much safer. Sometimes the Brits are just incompetent. For example, I’ve had a storecard from Marks & Spencer for years. I don’t put much on it, and always pay it off in full. Today I got a statement informing me that I have a balance (which I knew), that they will be taking payment by direct debit at the end of the period (which I also knew) and that they expect to charge me interest for late payment. This, I expect, is a software error of some sort, but I do need to phone them just in case.
More generally, British banks believe firmly in putting all of the responsibility for combating fraud on the shoulders of the customer. If you read the small print in the credit card contracts carefully you will discover that if you so much as write your PIN number down, anywhere, then you forfeit all right to fraud protection. That’s also the case if you foolishly give your personal details to the police when reporting a card as stolen. And now they have this supposedly unbreakable Chip & PIN system which they claim is so safe that having your card stolen and misused is proof that you were complicit in the theft. This from the BBC:
We spoke to Jane Badger, who earlier this month was acquitted by a judge who saw it her way and not her bank’s.
She’d spotted cash withdrawals on her Egg credit card account she didn’t recognise, and disputed them. She was accused of lying and found herself facing charges. Her life changed – she was suspended from her police force job and spent close to a year fighting her case.
Luckily for Ms. Badger she found some security experts willing to testify that cracking the Chip & PIN system is relatively easy, but other people are probably getting bullied and are paying up. As the BBC says:
But perhaps our whole approach needs a shake-up. In America, customers are better protected.
Yes, that’s right, those Evil Capitalists in America protect bank customers against fraud much better than we do here.
Of course this is nothing compared to Australian banks, whose behavior is so outrageous I doubt that anyone from outside Australia would believe me if I told you.
I just got back from Melbourne, and was surprised to find that Australians all still expect you to sign for credit card purchases. The PIN thing, which seems to have alarmed and discombobulated the British so much, has been the norm in New Zealand for more than twenty years.
America doesn’t use PINs either. Personally I’m happier that way. Your average credit card thief is unlikely to be a competent forger, so if he signs for something using your card you have a good chance of proving he wasn’t you. But if someone gets hold of your PIN then you are sunk. And British banks, as I explained above, won’t accept any excuses. If a thief gets hold of your PIN then it is your fault and you are liable for every penny that the thief spends.
Entirely true about being sans paddle if someone gets your PIN. However, it’s so much easier for someone to see your signature than your PIN, and there’s a little-known sting in the tail with that, too: banks (certainly here, and I bet in the UK as well) can legally hold you responsible for your signature being forged if you let the card out of your sight while you’re using it. So every time you let a waiter whisk your card away in a restaurant you’re actually flirting with financial disaster. (Whether they actually enforce this policy I have no idea.) Provided you never write your PIN down (and why should you) and you guard against shoulder surfers, a PIN is a great deal more secure.
I take your point about waiters. I’ve used that line often enough with people who tell me that they’ll never use a credit card online because it is so unsafe compared to using one in a shop.
But chip and PIN secure? I’m afraid not. It takes just 10 minutes programming with a card reader and you can have all of the PINs you want. Granted your average petty thief won’t have the technical skills, but there will be crime syndicates that do, and all they then have to do is bribe a shop assistant to put the doctored machine in place.
Alternatively there is always the old camera-in-the-ceiling trick. And, as it turns out, cash machines don’t take much notice of the chips anyway.
Chip and PIN, like security screening at airports, is much more about providing a semblance of security than it is about actually being secure.
The only sensible way to make credit cards safe for users is to do what the Americans do – give you the right to challenge a payment, and place the risk in the hands of the banks and retailers. Sure they will complain about fraud, but they’ll be able to plan around it the same way they plan around losses due to shoplifting, accidents and stock not selling quickly enough. It works in America, so there is no reason why it can’t work anywhere else.
The alternative – putting the risk in the hands of the customer – doesn’t stop fraud – there’s no guarantee that the victims will be able to cover the amount charged to their forged cards. But it does ruin the lives of innocent individuals unlucky enough to have their card details stolen. That can’t be the right way to run things.
Absolutely. Whatever the system, and other than obviously egregious customer abuses such as writing a PIN on a card, it’s the company providing it that should be responsible for fraud. A word of sympathy for the poor old retailer, though: I used to accept credit cards online for my small internet business, and I found I was entirely responsible for fraud with very few ways open to me of preventing it. Placing the responsibility on the shoulders of the issuing bank seems fairer to me and might also spur them into developing more secure systems.
I’m starting to think there’s no type of system that’s even remotely safe. As you say here, the PIN system isn’t exactly fortress-like. And signatures seem little protection either: my mother recently lost her card and had her signature successfully forged despite having her photo on the card (she wasn’t considered liable). Either way, though, it should be the card company, not the customer, taking the risk.