Sign your name across my heart

[venta]

Today's post brought me a new debit card, which means I have finally entered the world of chip and PINnery. This evening, on my way out to rapper practice I bought some petrol, ceremonially typing my PIN in for the first time.

Chip and PIN seems to have become very widespread very quickly, and I don't doubt that soon it'll only be tiny little backwater shops which don't have the kit to do it.

Security considerations aside, I don't like it. I'm not referring to worries that someone will capture my PIN, and spend all my money. It's just that at that irrational, stomachy level where I'm allowed to behave like a three-year-old I don't like it.

The provision of a four digit code is very impersonal. It could be anyone typing in that number - even another machine. Although my PIN might be just as secure (or more so) than my signature, my signature was mine. And, within reason, I'm the only one who can provide my signature.

Tapping in a code seems transient and insubstantial. Formerly, whenever I've bought petrol there has been a little piece of paper left as evidece, a receipt with my name staring blackly back at me, giving solidity to the transaction. I was vaguely surprised to find that typing in my PIN worked tonight - although I'm aware of the technology involved, somehow I didn't seem to have done quite enough to have given away thiry quid.

I rather like my signature, which is large and flamboyant and, according to amateur graphology in something like Cosmo once, indicative of generosity and optimism. When I signed my new debit card this evening, my signature ran off the top of the little white strip as it always does. Unusually, for someone older than around twenty, my signature is legible as my name; it has not devolved into a series of stylised squiggles. It only looks the same each time by virtue of long practice, of being required to write it repeatedly on forms, of having to scribble it quickly when I pause to buy something and am running late.

Some time ago, jezzidue took me to task for this. It was not a signature, he said, just me writing my name with a flourish, and as such was easily copiable. I accepted the challenge, and ten minutes later could produce a much more convincing (to the untrained eye) version of his pile-o'-squiggles than he could of my handwritten name.

It saddens me to think that my signature will now have fewer outings than it used to. For the time being, at least, it will still be required on official forms, personal cheques and as an informal endorsement that I've agreed to something. But cheques are fast going the way of the big lizardy things, and I wonder whether some PGP-variant will soon be stepping in to ensure that everyday forms filled in online can be authenticated. Already, via internet banking, I can do things which would otherwise require a signature just by typing in my password.

I might start keeping a count, over the coming months, of just how often I'm required to put pen to paper when providing my consent to something. I fear it won't be as often as once a week. I wonder how long it'll be before there is a generation of people who don't have (or need to have) a consistent and recognisable signature.

Comments

[inskauldrak.livejournal.com]

I understand the feeling, though at the same time my new C&P card came at the point I was deciding that I *really* needed a new card due to the signature and paper line fading.

My signature doesn't really have much of a flourish, but it is nice to put down a scrawl that can be described by people who work in the NHS as 'worse handwriting than any Doctor's I've ever seen' ; )

[timeplease.livejournal.com]

Chip and PIN seems to have become very widespread very quickly

The card companies were very good at telling merchants about the liability shift that occurred on 1st January 2005; after that date, if a fraudulant transaction was made with a card that is chip and PIN capable, but the merchant's equipment wasn't chip and PIN capable or the merchant chose to accept a signature, the merchant loses the money. (Before that date, the merchant may have been able to keep the money as long as it could demonstrate that it checked the signature and performed the various other due-diligence checks in the manual.)

[venta.livejournal.com]

Ah, I'm not sure I'd known that there'd been a change in liability like that.

As someone who's presumably on the receiving end of these transactions, how've you been finding them in general ? Do people object to having to type in a number ? Do people get it wrong a lot ?

[timeplease.livejournal.com]

In general they've been fine. There were initially a few cases where people did not know their PIN, but we already knew them and were quite happy to take a signature instead. Now almost all the people who use cards in the pub have PINs; the exceptions are usually people with foreign cards.

We have occasionally refused to take a signature; for example, recently a couple of women we didn't know came into the pub, bought cheap drinks, and asked for £50 cashback on a card. It was a chip and PIN card, and they said they'd forgotten the PIN. We offered a compromise: we'd accept a signature for the cheap drinks, but we wouldn't give them cash back.

Drunk people occasionally have problems entering the PIN, but we've never had anyone get it wrong sufficiently many times (3 usually, but it depends on the card) to get it blocked.

[venta.livejournal.com]

Thanks - I had wondered to what extent people had just accepted it. I'd also wondered about typing PINs in when drunk :)

[mr-flay.livejournal.com]

My PIN number is the reverse of an old school friend's phone number (from back in the days when Kidlington phone numbers were only four digits long), and on Saturday, being faced with a keypad that was upside down compared to normal cash machines, I got it wrong twice and nearly lost my card.

I know I could change my PIN, but I'm still unhappy about the ease with which one can dump one's self back into the financial stone age purely by being drunk/mongoloid...

[taimatsu]

The first time I was presented with a PINpad (in a restaurant) I punched in my online banking PIN rather than my ATM pin - I did this twice and eventually they swiped it through with a supervisor card so that my card wouldn't get blocked. It was only afterwards I worked out what I was doing wrong.

[sushidog.livejournal.com]

I was shopping on Saturday with a friend; she made a transaction for over £50, but forgot her PIN; she got it wrong twice, and then the girl just said "It's OK, you can sign for it instead". I didn't notice (should have paid attention, actually) whether she checked the signature carefully.

[failmaster.livejournal.com]

I'm afraid I have to disagree: as someone who's spent years trying to eliminate the need to write from his life, having to scrawl my own name on bits of paper every time I want to buy something has long been one of the last unassailable bastions of graphological discontent.

Fundamentally, however impersonal Chip and PIN may be, I despise writing. Typing is fine, drawing I actively enjoy, but hand-writing is painfully slow (7wpm when I was at university had to do it regularly. Compare to my typing speed in excess of 60wpm) and painfully painful (it makes my wrist ache).

If I never have to pick up a pen again it'll be too soon.

[venta.livejournal.com]

I'm very magnanimous, I'm happy for these systems to exist for those who don't like wielding pencils and such.

I just wish they didn't have to be compulsory. I quite enjoy writing with a proper pen, even though my writing speed is way slower than my typing speed.

I've also never got the hang of "scribbling notes" on a computer. I'll happily make notes, draw pictures (preferably with lots of arrows) and scribble all over a bit of paper to enable me to plan my day/remember my shopping/design some software. Ask me to do the same on-screen, and I'm completely incapable.

[failmaster.livejournal.com]

I mostly agree, but if it requires diagrams then it's basically drawing, even if it has the odd caption or two. For scribbling notes that are primarily text, I'm a complete convert to the cause of the Wiki.

[onebyone.livejournal.com]

For scribbling notes that are primarily text, I'm a complete convert to the cause of the Wiki.

I just use a text file - do you seriously have a wiki that you find more convenient than your text editor?

The above is actually a slight lie, in that for serious todo lists like projects at work or moving house, I move up to html. But I still wouldn't use a wiki to edit them.

[undyingking.livejournal.com]

My text editor doesn't include a revision history... I wouldn't use a wiki for jotting down someone's phone number -- but for anything that's capturing ideas or is going to be progressing towards a document, I find them more useful than a plain text note.

[onebyone.livejournal.com]

If this were a technology war, I'd argue that this is what CVS is for.

[undyingking.livejournal.com]

Now that really would be techno-overkill for this purpose ;-) I don't need to be able to annotate, branch, etc the revision history of my notes -- just to access it.

[bateleur.livejournal.com]

do you seriously have a wiki that you find more convenient than your text editor

I do, even if he doesn't. Well, for some things.

The reason being that for digital notes to be like physical ones I need to be able to reach them from anywhere. That means either I plug in my USB stick and keep all my temp files on that (inconvenient and prone to me forgetting to return it to my belt) or I keep them on teh intarweb.

[onebyone.livejournal.com]

If this were a technology war, I'd argue that this is what rsync is for.

For example, I keep all my personal email on teh intarweb, but the protocol that I choose to use to access it doesn't involve a wiki.

[bateleur.livejournal.com]

Well you're right in a way - rsync also does the required job.

Still, it does it less well for my purposes. It leaves multiple copies lying around, needs to be run before I switch off the machine I was working on and isn't a standard fixture of every machine I may run across on my travels (which these days a web browser is).

(Email doesn't do the right job at all, but I assume you weren't trying to imply it did.)

[venta.livejournal.com]

Wiki ?

I'm just about familiar (I think) with how Wiki works, but unless I've misunderstood quite a lot that seems like overkill for notes. How on earth do you use it ?

[undyingking.livejournal.com]

The great thing about a wiki vs a vanilla HTML doc, for keeping / evolving notes, is that it preserves (and can readily tell you about) its revision history, and allows easy reinstatement of earlier versions.

This is good if, like me, you change your mind a lot and have a very poor memory.

I started using wikis for collaborative work (where they're invaluable) a wee while ago, but have since started using them for my own work too and found them v useful.

[onebyone.livejournal.com]

Not all wikis keep revision histories - as far as I know the defining characterstic is just "a globally writable web page". Which flavour wiki do you recommend?

[undyingking.livejournal.com]

I'm currently using PMwiki (PHP-based) for my own business stuff, although at Red Emperor (RIP) we used Kwiki (Perl-based). Both are at the lightweight end of the scale, but have all the features I need.

[davefish.livejournal.com]

I've found that if I try to type and think at the same time then writing suffers. Quite often now, if I am writing somethign difficult and technical I'll write it out first on paper, and then copy it into the computer. Especially true where there are diagrams or equations involved, since they are a lot more hassle to get into an electronic format.

[fluffymark]

Buying anything over the internet requires exactly the same info on the card but without even needing the PIN. How do you feel about buying things online? Also, many ticket machines (tube ticket machines for certain) don't need a PIN either. Just put the card in and it takes your money. Doesn't even ask to confirm the transaction. Would you use those?

[venta.livejournal.com]

Oh aye, I use those quite happily. The difference there is that they've always been like that, and there's no mechanism for a real-signature to be affixed.

As I said, I'm not claiming that there's any inherent problem with chip and PIN, merely that it feels weird because an element of the transaction which was formerly present has vanished - and been replaced with something that feels a bit mickey mouse.

[wimble.livejournal.com]

I had a certain amount of difficulty as guinea-pig for the new Brookes electronic job application system: the electronic documents to be filled in are the Word documents which are normally printed and filled in by hand. As such, there's still a space on them for "Signature".

I think, in the short term, when they come for interview, applicants are going to be given a hard copy of their application form, and asked to sign it on the spot (this may only be for the successful applicant). The sooner somebody wakes up to the need for digital signatures, and how we explain this to the applicants, the better.

[diffrentcolours]

C+P has advantages and disadvantages over signatures, from a technical and security POV. I've wibbled about them on my LJ before, but it's too late to go trawling for links.

Personally, I'm annoyed that when they went to all the hassle of introducing C+P they didn't start printing photographs on the card as well - this measure is common in Europe and is a fantastic extra defence against fraud.

However, in future you can expect to see C+P readers in more non-shop devices - imagine a TV set-top box that lets you pay for pay-per-view movies by sticking in your card, for instance.

[venta.livejournal.com]

Yes, I can certainly see advantages to it, and I've read up quite a bit on the technical/security aspects.

As I said, the problem is that I don't like it. Waaaah! Stamp! (etc)

[shrydar.livejournal.com]

Hmm - I was never comfortable while living in the UK that you didn't need to use your PIN for eftpos transactions. Hardly anyone working in retail ever checks signatures, and I'd been used to using my PIN at supermarkets from living in Australia. (they only got C+P quite recently, but required PINs from when eftpos was first introduced over ten years ago)

[triskellian]

I don't like it either, and also because I mourn the loss of my signature. I loved my old signature (spent ages designing it, back when I was fifteen or so ;-), and I could potentially be fond of my new signature, except that I haven't yet had a chance to settle into it, because I got new cards when I changed my name, and guess what? They were chip&pin cards. No new signature practice for me :-(

[undyingking.livejournal.com]

I don't like it either, for three reasons: (a) the aesthetic one you talk about -- my signature may not be a thing of great beauty, but it's mine, dammit; (b) I now have to remember a load more PINs than I used to (as I only use one card for getting cash out of machines, but I pay for things in shops etc with four different cards); and (c) it seems rather sneakily evil to me that they've taken the opportunity to shift the liability burden onto the consumer, with no real excuse for doing so.

[onebyone.livejournal.com]

shift the liability burden onto the consumer

Surely they've shifted it onto the retailer? Still evil though.

[undyingking.livejournal.com]

Surely they've shifted it onto the retailer?

Previously the card companies took the burden of liability for transactions made with fraudulent signatures, and yes, they are shifting this onto the retailer now -- the retailer is liable if they accept a signature which turns out to be fraudulent. But they can get out of that by simply refusing to accept signatures -- this is what the card companies want them to do.

The consumer is newly stuck with the bulk of the liability, as they are now liable for any fraudulent use of the card which includes the correct PIN.

So the card company used to indemnify the consumer against fraudulent signature, but they now do not do so against fraudulent use of PIN -- that's what I meant by "shifting liability onto the consumer".

[onebyone.livejournal.com]

I looked into this the other day and found a number of reports, but nothing definitive, that the card-holder is only liable for fraud if they are "negligent".

Now, I don't know exactly what "negligent" means, and probably neither does anybody else yet, but it's not the same as "any fraudulent use of the card which includes the correct PIN". Are you sure of your facts? (I'm not sure of mine, and it is important which of us is right)

For examples of the difference, if your postman intercepts both card and PIN then you are clearly not negligent. I suspect that if someone perpetrates a clever scam involving fake Chip and Pin machines in restaurants (the same people that last year were cloning our cards while they were out the back ringing them up) then you're not negligent.

The serious danger is that if someone just happens to see you typing your code, and then follows you and nicks your wallet somehow, you might be negligent if they get to a cashpoint before you get to a phone to cancel your cards. But I doubt it.

[undyingking.livejournal.com]

Are you sure of your facts? (I'm not sure of mine, and it is important which of us is right)

I'm relying on newspaper reports, in particular this one which I read at the time and which struck me deeply, which includes:

"So why are banks and retailers so very eager to shepherd in the new system? Hidden in all the song and dance about chip-and-pin systems is also a project that's "not so much about risk reduction as liability engineering", argues Ross Anderson, professor of security engineering at Cambridge University, and the leading security academic in the UK. On the surface, everything is in the customer's favour. At present, banks are liable for any losses incurred once a card has been reported stolen, though they're not overly keen on our realising this (hence the vast num bers of us who uncomplainingly pay credit-card insurance). What chip-and-pin allows them to do, according to Anderson, is claim a kind of pre-emptive carte blanche. They can start by imputing negligence - "You naughty person, you've been a bit careless with that pin, haven't you? Our new systems are secure, so it must be your fault." In the case of severe fraud, the onus may well fall on the customer to prove the fallibility of their systems, which is "an unmeetable burden of proof", says Anderson, who has even known a bank to prosecute a customer, a victim of phantom withdrawals, for attempted fraud."

Maybe though this guy's guess at the interpretation of negligence is unduly paranoid, and maybe I am being naively conspiratorial in instinctively tending to believe him.

[onebyone.livejournal.com]

What's the rational course of action if you do believe him? Is the risk of your bank robbing you of several thousand pounds acceptable, or are you thinking that you're going to somehow have to do without credit and debit cards?

[undyingking.livejournal.com]

Personally, I'm prepared to risk it, because of the inconvenience factor of doing otherwise. But that doesn't stop me being annoyed about it being forced on me. I'd have quite happily retained an old-style PINless card, remaining under the old liability structure, and just never used it in shops, if that had been offered to me.

[bateleur.livejournal.com]

I accepted the challenge, and ten minutes later could produce a much more convincing (to the untrained eye) version of his pile-o'-squiggles than he could of my handwritten name.

Further to this: Angry Dave used to work in an Argos from time to time. They paid a bounty to employees who spotted a fake signature. According to him, this amounted to a very worthwhile bonus for him (he caught quite a few) but no other employee ever spotted a single one.

Meanwhile, back on topic: I don't like chip and pin much either, but in actual fact I never use it for anything except buying food anyway. Buying petrol for my car just involves swiping the card at the pump (for which one does not require pin entry). Non-food shopping involves typing my card number in to web pages. As such, all it's achieving is to prove to Mr Tesco that I'm not stealing £10 worth of assorted bread, pasta and nappies a couple of times a week.

(Re-reading the above paragraph I've just realised it implies I eat nappies. This is not, in fact, the case.)

[(Anonymous)]

Anyone who thinks there is "no inherent problem" with C&P has never stood in the local post office on a Thursday morning and watched the pensioners fail to remember/fish out piece of paper with PIN written on/look almost tearfully back to the days of pension books.

[onebyone.livejournal.com]

Do people still go to Post Offices? I thought that all the ones that hadn't been shut were far too busy.

[undyingking.livejournal.com]

Is this meant to be an update on Yogi Berra's famous paradox, "Nobody goes to that restaurant anymore, it's too busy"?

[marjory.livejournal.com]

I do know what you mean about signatures. As an adolescent, some of us would sit in the classroom at breaktimes and practice our signatures, the wackiest being, naturally, the best to the eyes of gauche 13 year-olds. Signatures meant being grown up, having an identity of your own, being important enough to be required to sign something. I recall being especially pleased to discover that my bank offered a cashcard at 14 and then a chequebook. Not that I had any money, mind, but I liked the possibility of sending away for things which I wanted and finance being my business. It afforded me a bit more independence than the usual discussion which would ensue if I handed over my 5 quid in cash to a parent-with-chequebook who would then want to know why on earth I wanted to waste money on some crap record, tourbook, fanclub membership etc. This was back when money meant fun. The nice magic-signature Switchcard which I received as a student (also backed by no money, but what-the-heck) is also redolent of rites of passage and hopes for the future, a kind of plutographic version of the Keys to the Kingdom of the adult world.

Working in shops later, we never really had any guidance on how to detect fake signatures in the slightest and I know from some people that if there's a rush on, there isn't really time to check properly. For this reason I have to agree with the keypad option as being safer in the long-run, although it is rather depersonalised and just as easy to take for granted as thesecurity system.

If you like signing things, I could suggest that you:
a) come to Germany, where you pretty much have to carry round ID all of the time against which your signature can be checked on account of how you have to sign for everything (except for card transactions)
b) become a celebrity and have to sign autographs wherever you go