Chip and PIN keypads 'easily fooled' with counterfeit cards

Retail Chip and PIN devices might easily be attacked using a specially prepared chip-based credit card, according to security researchers. Researchers from British IT security company MWR InfoSecurity demonstrated the attack at a session during the Black Hat Security Conference in Las Vegas on Wednesday. MWR purchased the …

COMMENTS

This topic is closed for new posts.
  1. A J Stiles
    Holmes

    Levels of card fraud are at their lowest since 2000.

    Back in the days of signatures, the onus was on the merchant to verify that the cardholder's signature matched the sample on the card. With Chip and PIN, every PIN-backed transaction is deemed non-fraudulent by definition; the onus is on the cardholder to keep the PIN secret. Disclosing the PIN to a third party, even at the point of a knife, is authorising them to perform a transaction.

    1. MrXavia
      WTF?

      Re: Levels of card fraud are at their lowest since 2000.

      Really?

      Giving a PIN at knife point you are authorising them to perform a transaction?

      No you are not authorising them, you are being mugged, and any transaction they do is still fraud, they may have your pin but they still do not have your authorisation.

      I can think of a few ways of getting pin numbers from people without their knowing...

      I would never do it, but while Chip & Pin is inherently more secure than signature (seriously how hard is it to fake a signature), it is still possible to copy a pin then steal a card...

      1. A J Stiles
        Boffin

        Re: Levels of card fraud are at their lowest since 2000.

        "they may have your pin but they still do not have your authorisation" -- that is not the way the banks see it. What better disincentive against you fraudulently claiming to have been robbed of your card somewhere out of sight of CCTV and forced to reveal your PIN, than having to pay for it yourself?

        "Chip & Pin is inherently more secure than signature (seriously how hard is it to fake a signature)"

        You have that the wrong way round. Faking a signature is not hard -- if you have time to practise, and you can take your time writing it.

        Faking a signature in a manner which convinces the person watching you sign your name that you have been doing it for years, on the other hand, is very hard indeed. Especially given the time window for learning to reproduce it convincingly (basically, just as long as it takes the cardholder to notice the card is not where it should be. Say an hour or two).

        Then there are any number of non-intrusive ways of obtaining PINs (Most people cover up their fingers over the keys with their other hand, while leaving their tendons in clear view. And how many PIN pads randomise the key layout before each keystroke?) Two people working as a team (one getting PINs and the other getting cards) could easily accrue a decent enough amount a day.

        1. Goldmember

          @A J Stiles Re: Levels of card fraud are at their lowest since 2000.

          "Faking a signature in a manner which convinces the person watching you sign your name that you have been doing it for years, on the other hand, is very hard indeed"

          Not necessarily. One of the reasons chip & PIN was brought in in the first place was because merchants simply weren't bothering to check signatures. There were tests done, people paying for things and signing "mickey mouse" and other daft names in clearly different handwriting to the signature on the card, and the majority went unchecked. I remember myself being quite taken aback one time, when a checkout girl held up my card next to the receipt I signed to check that the signatures matched. Most simply dumped it in the till and had done with it.

          1. A J Stiles

            Re: @A J Stiles Levels of card fraud are at their lowest since 2000.

            "One of the reasons chip & PIN was brought in in the first place was because merchants simply weren't bothering to check signatures. There were tests done, people paying for things and signing "mickey mouse" and other daft names in clearly different handwriting to the signature on the card, and the majority went unchecked."

            So ..... merchants who weren't doing their jobs properly, ended up paying? Oh no! The horror of it all!

            Look, you have the till rolls that tell you which checkout operator mis-processed the transaction. So if you end up having to pay some poor sod back, you know exactly whose wages to stop it out of. And if it makes the difference between them having dinner on the table or not, then they might check the signature more carefully next time.

            1. Anonymous Coward

              Re: @A J Stiles Levels of card fraud are at their lowest since 2000.

              Actually, before chip and pin, the merchants used to get away with it, the banks refunded.

              1. Raz

                @AC Posted Friday 27th July 2012 17:08 GMT

                You have no idea. If the person is filing for a chargeback, the bank will bill the merchant. The banks don't pay. Period.

                1. Anonymous Coward

                  Re: @AC Posted Friday 27th July 2012 17:08 GMT

                  Yes, for chargebacks, but what I was actually answering was about fraud carried out because of a wrong / forged signature, which used to be paid for by the banks, but since chip and pin is paid for by the merchant.

                  Chargebacks are something different, they are where the customer is in dispute with the merchant and have asked the bank to retrieve their money.

                  Maybe you'd like to read what's actually being said before steaming in with "you have no idea". Just a thought.

          2. SpaMster
            Go

            Re: @A J Stiles Levels of card fraud are at their lowest since 2000.

            I can remember going about three years without even having a signature on my card and nobody ever said a thing when I was paying for stuff

        2. Anonymous Coward

          Re: Levels of card fraud are at their lowest since 2000.

          "'they may have your pin but they still do not have your authorisation' -- that is not the way the banks see it."

          Err... actually that is. If you report a transaction as fraudulent, it's up to the bank to prove it wasn't but in the meanwhile they must reimburse you. Talk to your local consumer organisation.

          "What better disincentive against you fraudulently claiming to have been robbed of your card somewhere out of sight of CCTV and forced to reveal your PIN, than having to pay for it yourself?"

          Bank employees are not stupid. Chatting to my bank manager once he mentioned it's not uncommon for people to either make a few charges which are expensive for them but not of significant value in the grand scheme of things, or pay for "embarrassing" services (brothel) then claim their card was stolen. Often the bank will just absorb the charges even though they know full well the client is lying--it's just part of the cost of doing business to them, and much cheaper than taking legal action.

      2. Anonymous Coward

        Re: Levels of card fraud are at their lowest since 2000.

        "(seriously how hard is it to fake a signature)"

        I have personally signed numerous credit card receipts as "Captain N: The Game Master", Batman/Bruce Wayne, and so forth. Nobody cares or even looks at the signatures.

        See also http://www.zug.com/pranks/credit_card/

    2. JimmyPage Silver badge

      Re: Levels of card fraud are at their lowest since 2000.

      I was intrigued, on holiday in Spain to notice they use CHIP & PIN *and* signatures. Payments made without proof of signature will be covered by the merchant, not the bank. Hence shops are extremely motivated to check ID with cards. Of course it helps they have ID cards.

      1. Anonymous Coward

        Re: Levels of card fraud are at their lowest since 2000.

        "I was intrigued, on holiday in Spain to notice they use CHIP & PIN *and* signatures"

        It's either signature + proof of ID (ID card, passport, driving licence, ...) *or* PIN, depending on the particular card / terminal combination. The receipt printed out after a PIN transaction does not have a space for the signature.

        What could occasionally happen is that you meet the odd shop assistant who hasn't been told (or refuses to believe) that a signature is not necessary--in which case you either explain the news or sign the receipt anyway and keep them blissfully happy.

        "Payments made without proof of signature will be covered by the merchant, not the bank"

        It's a bit more complicated than that, but by "proof of signature" it should be read "proof of authorisation".

        "Hence shops are extremely motivated to check ID with cards."

        In general that is no longer the case if doing a PIN transaction, with some exceptions (some petrol stations in urban areas, for example). When using signatures, that used to be always the case unless you were personally known to the merchant, in order to ensure that the card was indeed yours, as anyone can forge a signature. In case of fraud, the merchant did not have to cover the transaction usually, but it was still a pain in the arse for everyone involved, hence the precautions.

        "Of course it helps they have ID cards."

        Any official photo document can be used.

      2. AndrueC Silver badge
        Joke

        Re: Levels of card fraud are at their lowest since 2000.

        > I was intrigued, on holiday in Spain..

        I'm intrigued to hear that anyone in Spain still has money left to spend or that the banks still care enough to want to stop fraud.

    3. mike2R

      Re: Levels of card fraud are at their lowest since 2000.

      While you are obviously not legally responsible for fraud done on your card with chip and pin, in practice it may not matter too much.

      The bank will work on the assumption that you made the transaction and are lying about it, and will probably do their best to prosecute you. Since they are responsible for covering the fraud rather than the merchant, you won't get the easy "we don't care, here is the money" attitude you get with cardholder not present fraud.

      1. Anonymous Coward

        Re: Levels of card fraud are at their lowest since 2000.

        No, it's written into law and has been for a good couple of years that the onus is on the bank to prove that the customer was the source of the fraud.

        Use of a PIN to verify is not of itself proof.

      2. Anonymous Coward

        Re: Levels of card fraud are at their lowest since 2000.

        Mike, your assumptions are incorrect.

        "The bank will work on the assumption that you made the transaction and are lying about it"

        As I've just mentioned elsewhere, yes, usually they know when someone is lying (at least banks that know their customers).

        "and will probably do their best to prosecute you"

        Actually no, they won't unless the sums are significant. My bank will just say OK, so your card was stolen, we'll refund that tank of petrol that someone paid for with your card at the garage which coincidentally is on your way to work, then we'll cancel your "stolen" card and no, sorry, we're not issuing a new one.

        Believe it or not, theory and practice do not always match.

      3. Thorne

        Re: Levels of card fraud are at their lowest since 2000.

        "The bank will work on the assumption that you made the transaction and are lying about it, and will probably do their best to prosecute you. Since they are responsible for covering the fraud rather than the merchant, you won't get the easy "we don't care, here is the money" attitude you get with cardholder not present fraud."

        Not in Australia. The banks make the merchants responsible. They take the money from the merchant's account and put it back in the card holder's. The bank doesn't care who the victim is as long as it's not them.

    4. Bah Humbug

      Re: Levels of card fraud are at their lowest since 2000.

      The more I read about Chip & Pin, the more glad I am that I have a Chip & Signature card.

      Nowadays, when the till tells them to check the signature, they actually do it quite carefully, because it's out of the norm. I suppose that's the key to this really - chip and pin has become normal, so people get complacent about it. A few years ago, signing was the norm, and people were complacent about that.

      Seems to me that there isn't a reliable answer - people will always get complacent over things they do every day.

  2. Anonymous Coward

    There will always be fraud, what we need is police and CC companies to actually track down and convict the fraudsters....

    I once had about £800 taken on my card that I never spent, the CC didn't even bother investigating...

    The key thing is to always check your statements and alert the CC company that fraud has occurred so they can refund it.

    As long as you take basic precautions, like never using a DD card online, (it may cost 2-5% more, but really for the extra protection it's worth it..), and keeping to a reputable bank, you should never be out of pocket

    1. Anonymous Coward

      Is it so hard

      to create a system whereby every transaction generates an SMS (or email) to a nominated person.

      Recently, my lad's XBOX live got hacked[1], and fraudsters managed to go through nearly £1K in 3 days. The first I knew of it was when my card was declined, because it was over limit. Now if every use of the card had triggered an email, I would have had the jump on them in the first few seconds.

      [1]Yes, I've since learned. All monies refunded by MS, as they logged it was a different console the purchases were made from.

      1. Lee Dowling Silver badge

        Re: Is it so hard

        A lot of European banks do this. My girlfriend gets a SMS from her bank every time she uses her Italian credit card, for instance.

        Simple, cheap, effective. Almost makes you wonder why the banks over here (even the SAME banks) choose not to deploy it. Obviously they are making FAR TOO MUCH money to care about it and/or their "Chip-&-Pin pushes responsibility for fraud to the retailer" policy is really too profitable for them.

        1. Ramiro
          Thumb Up

          Re: Is it so hard

          Most Brazilian banks do this also. They charge a small fee though, but it is very worth it.

    2. Anonymous Coward

      H..

      We do operate in the outrageous position where the banks are the main funders of the cheque and plastic fraud unit of the Met, I'd be mightily narked if I had to fund the "my house just got burgled" department of my local cop shop.

    3. JaitcH
      WTF?

      QUOTE: "and keeping to a reputable bank"

      Where do you find a reputable bank?

      The HSBC has been accused of fiddling the Euribor AND it is (was) the drug cartels' favourite laundry.

      1. Anonymous Coward

        Re: QUOTE: "and keeping to a reputable bank"

        The Co-op. Next question.

    4. Franklin

      "There will always be fraud, what we need is police and CC companies to actually track down and convict the fraudsters...."

      I recall reading a magazine article some while back that talked about how banks see chargebacks as a revenue stream. When a customer initiates a chargeback, the banks deduct the money from the merchant's account, and then ADDITIONALLY deduct a "chargeback fee" from the merchant. (Here in the US, chargeback fees typically run anywhere from $35 to $90 or more.)

      So the banks have a balancing act to do. On the one hand, they do not want to be so lax about fraud that customers lose faith in their cards. On the other hand, they don't want to be so aggressive about pursuing fraud that they cut into the lucrative revenue stream of chargeback fees. So they do as little as they can to keep fraud from getting to the point where people stop using their cards, but not so much as to deprive themselves of all the profit generated from chargeback fees.

  3. Anonymous Coward

    Fixing ALL the fraud only costs about $10M, so why don't they?

    It is actually not even complex to improve credit card security - the tools and technology already exist and it's easy to implement.

    If I only had £10M I'd have this up in less than a year, and I'd make *real* profit, not virtual like Facebook (at the Facebook P/E ratio I could flog this for £50b in 4 years). Sigh.

    1. Anonymous Coward

      Re: Fixing ALL the fraud only costs about $10M, so why don't they?

      If you know how to fix it, please tell us all....

      1. Lee Dowling Silver badge

        Re: Fixing ALL the fraud only costs about $10M, so why don't they?

        I'm not the AC above but:

        - Get a free automated text whenever you make a card transaction, detailing the transaction. Most European banks do this.

        - Allow longer PINs. Most European banks do this.

        - Disallow any and all forms of NFC on cards.

        - Remove all information from the magstripe of the card and disallow any transaction *ANYWHERE* not performed through a C&P terminal. This stops lots of the "let's send these numbers to Russia and take out the money there because they don't have C&P"-style fraud, which is still very common. Also, homogenise international card networks so I'm NEVER required to ONLY sign for a transaction just because I'm in a different country even though I have a C&P card.

        - Have the card terminal, when queried for a transaction, provide you with an image of the cardholder's face from the bank's central computers. Fake the card/number and there's no way to get around this - you get the picture that the BANK has stored as the cardholder's face. If it's a different person, the retailer is contractually obliged to refuse/report the transaction (e.g. even if they are in league with the customer, if the CCTV shows someone else used the card, the bank doesn't pay out).

        - Have the user be presented with an image of their own choosing when they use their card, with instructions to reject any transactions that don't show them their image (as a pseudo-effective-measure against fake "proxy" terminals - when was the last time you saw where the card-reader cables actually went or were allowed to audit the shop's security procedures to see you weren't just typing your pin on something an intern knocked up from Maplin's bits?)

        Just off the top of my head. Not saying that fraud will go down to zero, but the banks really aren't even trying and in some cases aren't even as secure in one country as they are in another!

        1. Anonymous Coward

          Re: Fixing ALL the fraud only costs about $10M, so why don't they?

          Lee - Texts, good idea, already in place in some banks, certainly some non-UK banks.

          Longer PINs are forgotten far more often, you'd be surprised, and when PINs are longer, they are much more likely to be written down.

          Magstripe will be removed eventually, but until all countries stop using it, it must stay.

          The display of an image from a back end source is impractical, particularly as it would require the terminals to have far higher quality screens, have much more bandwidth, be always connected (or at least be able to dial up) it would require a large amount of storage, inter-bank bandwidth and infrastructure. It would require all banks internationally to agree to replace all their existing PEDs. Maybe some time in the future, but I doubt it.

      2. Anonymous Coward

        Re: Fixing ALL the fraud only costs about $10M, so why don't they?

        If you know how to fix it, please tell us all....

        Of course - got £10M you want to turn into +£1B in 4 years (a P/E of about 1:18)? You have to be quick, I'll be having discussions in August about it. A proof of concept is already live..

  4. Ru
    WTF?

    "specially prepared card containing malware can be used to infect a PIN entry device"

    How on earth is this even possible? I am virtually incoherent with rage that this sort of utterly irresponsible and amateur engineering is actually permitted to participate in any sort of transaction, especially not when chip'n'pin is used as a way to place blame upon a cardholder if fraud occurs.

    There are so many different ways in which this is stupid and wrong I cannot even begin to enumerate them all.

    What the hell.

    1. philbo

      Re: "specially prepared card containing malware can be used to infect a PIN entry device"

      I felt the same sort of incredulity with this as when I found there was a JPG file filter exploit - you write something whose only function is to process data - if the data is invalid, out of range, out of spec.. then don't process it. It's not rocket science.

      1. Destroy All Monsters Silver badge
        Mushroom

        Little Bobby Tables and his sister, Little Pinny Chipcard!!

        The mind boggles, indeed.

        Some sort of injection attack? Does the terminal create SQL queries based on unsanitized strings sucked off the card's chip? Does it look for a .jar or a .dll file and thinks it would be a good idea to call up the main entry point with max privileges (considering the error messages one sometimes sees, the Windows Administrative User)??

        Is this some kind of backdoor for State Security, The Terminal Maintenance Team and/or crooked Developers?

        I suppose this must be terminals of the "bold" nature. ANYTHING might happen. You could be maimed by an exploding keyboard. What's been the status on their voting machines lately, btw?

  5. Alfred

    "...meaning they will not suffer any financial loss as a result."

    Not remotely true. I used a card once and once only on a recent trip, and signed rather than entered a number. The card's PIN never left the inside of my head. Suspicious of the actions of the clerk, I called the card company within minutes who told me that there had indeed been another (fraudulent) transaction, which I was completely on the hook for as it had been verified with Chip n' Pin. It's simply a way for the card company to wash their hands of responsibility.

    On the plus side, I shredded the card instantly (along with the replacement Bank of America sent out) and will never get a BoA card again.

    1. Anonymous Coward

      Re: "...meaning they will not suffer any financial loss as a result."

      I wasn't aware that BoA supplied Chip and PIN, let alone that it was actually used in the US.

      1. Alfred

        Re: "...meaning they will not suffer any financial loss as a result."

        I live in the UK and this happened in a foreign country that wasn't the U.S.

        Despite having the word "America" in their name, Bank of America are actually something of an international company.

        1. Destroy All Monsters Silver badge
          Devil

          Re: "...meaning they will not suffer any financial loss as a result."

          > 2012

          > Not considering that ANYTHING with America in its name is international in nature

          Bonus points if it has "Freedom" in its name.

  6. Purlieu

    re: Levels of card fraud are at their lowest since 2000.

    Chip and Pin was rolled out in the UK in 2004, so that statement is saying that fraud levels have now reached the same low level that they were at in 2000, which of course is _before_ chip and pin was introduced.

  7. Anonymous Coward

    PTS doesn't cover it

    Anon - as I'm in the industry.

    From what I know about the PTS lab testing process, this goes into some detail, side channel attacks are looked at, even heat sensitive bitflipping operations. I don't think anyone has ever tried to run malware on a smartcard for the purposes of compromising a pin pad. Credit to the guys here as this should now be incorporated in the PTS approval process for these devices. It is a bit of a worry though that embedded devices like this are blindly trusting the input from the ICC though...

    1. Fred Flintstone Gold badge

      Re: PTS doesn't cover it

      The whole credit card process was shot the moment we moved to "card not present" - the whole model was shot when telesales started, and zip has been done to address the real issues.

      PCI compliance is partly security theatre - it doesn't address the root problems.

  8. sugerbear

    Might ?

    Seems a lot of "might and maybe" in the article.

    Why no specific details on how this type of attack would work? There are lots of different terminal implementations and lots of different versions of software.

    So until they can demonstrate going into a retail shop and buying something then I am afraid that it all sounds a bit like scare mongering and the desire to make a name for yourself (or your consulting company wink wink).

    1. Trollslayer
      Thumb Up

      Re: Might ?

      Exactly - it is one thing to set up a demo where you have transaction information and copy that into the card, very different to do it live.

  9. Anonymous Coward

    Chip N Pen

    Use both

  10. I Am Spartacus
    FAIL

    Absence of evidence not equal to evidence of absence

    "Importantly, we have no evidence of this type of attack occurring, either in the UK or anywhere else in the world where chip & PIN is in use."

    FAIL: What they meant to say was:

    We have no way of determining if this type of attack is occurring ....

    See, I corrected your English for free

    1. Anonymous Coward

      Re: Absence of evidence not equal to evidence of absence

      Yet you don't question the amount of times the word "might" was used in the article.

    2. sugerbear

      Re: Absence of evidence not equal to evidence of absence

      But they do have a way.

      If this was a problem then merchants and acquirers would be seeing a significant number of chargebacks where no authorisation had taken place.

      (I am guessing that this "attack" makes the terminal believe that a transaction has authorised the transaction offline). There are also floor limits in place so that even if a chip card authorises a transaction offline the merchant must send it online for authorisation (or else take the hit for the chargeback).

      Also sounds like it's aimed at a very specific terminal or acquirer (with specific software).

      The issuer (and cardholder) of the card is covered in this instance because the merchant/acquirer won't have obtained authorisation and the chip card itself won't have issued a genuine transaction certificate.

  11. This post has been deleted by its author

  12. dervheid

    well,

    If it's the 'merchants' that are more at risk from this one than the consumers, then maybe there'll be more pressure to sort all this shitfest out.

  13. JaitcH
    FAIL

    I "love" my HSBC code key

    HSBC have been sending out code keys that generate PINs on the fly.

    A few of our technicians were messing around and now I don't need a code key in my pocket. I have the next 50 in my electronic address book!

    So much for security.

  14. Anonymous Coward
    Devil

    Chip'n'Pin is 100% Secure

    Must be true. A banker told me.

    1. Anonymous Coward

      Re: Chip'n'Pin is 100% Secure

      Except Chip and Pin was never sold as being 100% secure, it was sold as being much more secure than magstripe and at a very good cost/benefit.

      Hell, if you wanted totally secure, you wouldn't ever carry around any form of cash, ever. Let alone actually buy anything. All transactions have an element of risk and it's important to understand that.

  15. mathew42
    Black Helicopters

    I'm curious about Visa payWave and Mastercard payPass. Are these more / less secure than chip'n'pin?

    Clearly if someone nicks your wallet they can run up several small transactions, but many places now automatically approve transactions under $30 anyway. So the question becomes can a rogue terminal extract enough information to reproduce the card?

    1. Anonymous Coward

      Self-evidently, considerably less secure in every way

      Multiple attacks can be run on the card itself from a distance without special equipment or exposing the attacker to any risk.

      So eventually someone will be able to clone an arbitrary card by simply being nearby, probably enough for CNP transaction fraud and I believe there are already attacks that get enough for cloned magstripe fraud, as it turned out that they have the same info on the contactless as the magstripe.

      On top of that, a thief can clearly undertake multiple "low-value" transactions with the card without immediate detection.

      I honestly don't understand why the banks have pushed it, such that it's really hard to even get a non-contactless card anymore.

    2. Thorne

      "I'm curious about Visa payWave and Mastercard payPass. Are these more / less secure than chip'n'pin?"

      The problem with paywave is someone can walk past you and scan your paywave card (as I understand). Yes it might be small amounts but how many $30 transactions can you do before the bank notices?

  16. Alan(UK)
    FAIL

    Banks don't care about credit card fraud

    If I am in business selling baked beans, I have to buy baked beans, it is just a business expense. Banks wanting a percentage of every transaction have to pay for occasional fraud - it is just a business expense.

    Banks want to maximize profits. First, they want customers, buyers and sellers. If they get the buyers, the sellers come by default - they are forced to accept the cards or decline the sales. To get the buyers, they need to make things as easy as possible for her; if they could get away with the buyer just saying, 'Charge it to my husband's account', they would. Slightly more secure is getting her to sign for it - not a problem in some circles, it implies the customer can write and has the status to make a purchase on their signature alone. These were the days when you knew your own bank manager and the cashier recognized your signature. Extending this system to the unwashed masses brought its own problems - nobody knew anybody anymore.

    Second, the banks want someone else to pick up the bill for fraudulent transactions. Chip and PIN solved both problems at a stroke. The seller picks up the bill if he cannot complete the transaction with Chip and PIN. The bank of course has no worries about losing the seller as a customer - he is locked into the system with no way out.

    Notice how the UK Cards Association does not seem put out by the revelation that their security is crap. As long as credit card fraud does not significantly affect their profits and does not inconvenience their most important customers, the credit card holders, the banks are not concerned.

    I have a credit card. It uses Chip & PIN which would be quite good if the bank had not sent me my PIN in a super-secure, tamper-proof, envelope - TWICE! It also has a more or less redundant magnetic stripe whose only purpose is to promote fraud. It has a super-secure signature strip that renders my signature more-or-less illegible. As the PIN is only four digits - and not all combinations are allowed, someone stealing my card stands a better than the lottery chance of hitting the jackpot. The bank asks me to enter my credit card number on a telephone keypad before they will talk to me - the issue of key-loggers on company switchboards was raised decades ago! Do not even think about Internet transactions - I am sure the bank has, and then buried its head in the sand.
