MBNA (Bank of America) customers getting new credit cards might notice a new feature thrown in for free: A card that does not require the owner to insert the card anywhere, but instead communicates with the payment terminal wirelessly.
The cards come with an A5 sheet of paper explaining the new features:
You may be thinking – what about security?
The asterisk points to the following footnote:
Let us go through some of these statements:
“Even though you aren’t entering a PIN, your transaction is still completely secure as your card has the latest chip in it…”
This, on its own, is hogwash.
“…and uses the same payment technology as a Chip & PIN transaction.”
Here the bank is saying that *not* using your PIN is secure because you’re using the (presumably infallible) Chip & PIN technology. It’s like saying it’s okay not to use your seatbelt, because your car has got power brakes & seatbelts. Only with Chip&PIN it’s worse, since the security of the whole system falls apart without the PIN.
Further down we read:
“To speed up the transaction you generally won’t be given a receipt…”
Great. There are very good reasons receipts are mandatory for any kind of transaction, whether it’s buying a toothbrush or electing the next president of a nation. Let’s teach the next generation that receipts are pesky pieces of paper that slow us down.
“You will also still be covered for any fraudulent activity on your card just the same as chip & PIN transactions”
Fabulous. All these “completely secure” systems and they’re slapping this warranty on top! It’s just too good to be true.
“…providing you let us know as soon as you notice any unrecognised transactions on your statement or notice your card is missing.”
Ahh, here’s the catch. You need to check your statement every month, putting the onus on you to find the fraudulent transactions. If you don’t, it’s your fault and the bank will not refund the money stolen from your account.
Doesn’t look like such a hot deal after all.
The banks are using the term “Chip & PIN” as a magic wand – hoping that some of its “complete” security will spill over to the new contactless, PIN-less world. They are using something that is already broken to argue that a not-obviously-related product is also secure. If this is really the foundation these systems are built on, it’s not sound.
How is that not a harbinger of trouble for consumers?