Sign your name across my heart
May. 3rd, 2005 11:38 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
ventaToday's post brought me a new debit card, which means I have finally entered the world of chip and PINnery. This evening, on my way out to rapper practice I bought some petrol, ceremonially typing my PIN in for the first time.
Chip and PIN seems to have become very widespread very quickly, and I don't doubt that soon it'll only be tiny little backwater shops which don't have the kit to do it.
Security considerations aside, I don't like it. I'm not referring to worries that someone will capture my PIN, and spend all my money. It's just that at that irrational, stomachy level where I'm allowed to behave like a three-year-old I don't like it.
The provision of a four digit code is very impersonal. It could be anyone typing in that number - even another machine. Although my PIN might be just as secure (or more so) than my signature, my signature was mine. And, within reason, I'm the only one who can provide my signature.
Tapping in a code seems transient and insubstantial. Formerly, whenever I've bought petrol there has been a little piece of paper left as evidece, a receipt with my name staring blackly back at me, giving solidity to the transaction. I was vaguely surprised to find that typing in my PIN worked tonight - although I'm aware of the technology involved, somehow I didn't seem to have done quite enough to have given away thiry quid.
I rather like my signature, which is large and flamboyant and, according to amateur graphology in something like Cosmo once, indicative of generosity and optimism. When I signed my new debit card this evening, my signature ran off the top of the little white strip as it always does. Unusually, for someone older than around twenty, my signature is legible as my name; it has not devolved into a series of stylised squiggles. It only looks the same each time by virtue of long practice, of being required to write it repeatedly on forms, of having to scribble it quickly when I pause to buy something and am running late.
Some time ago,![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
jezzidue took me to task for this. It was not a signature, he said, just me writing my name with a flourish, and as such was easily copiable. I accepted the challenge, and ten minutes later could produce a much more convincing (to the untrained eye) version of his pile-o'-squiggles than he could of my handwritten name.
It saddens me to think that my signature will now have fewer outings than it used to. For the time being, at least, it will still be required on official forms, personal cheques and as an informal endorsement that I've agreed to something. But cheques are fast going the way of the big lizardy things, and I wonder whether some PGP-variant will soon be stepping in to ensure that everyday forms filled in online can be authenticated. Already, via internet banking, I can do things which would otherwise require a signature just by typing in my password.
I might start keeping a count, over the coming months, of just how often I'm required to put pen to paper when providing my consent to something. I fear it won't be as often as once a week. I wonder how long it'll be before there is a generation of people who don't have (or need to have) a consistent and recognisable signature.
Chip and PIN seems to have become very widespread very quickly, and I don't doubt that soon it'll only be tiny little backwater shops which don't have the kit to do it.
Security considerations aside, I don't like it. I'm not referring to worries that someone will capture my PIN, and spend all my money. It's just that at that irrational, stomachy level where I'm allowed to behave like a three-year-old I don't like it.
The provision of a four digit code is very impersonal. It could be anyone typing in that number - even another machine. Although my PIN might be just as secure (or more so) than my signature, my signature was mine. And, within reason, I'm the only one who can provide my signature.
Tapping in a code seems transient and insubstantial. Formerly, whenever I've bought petrol there has been a little piece of paper left as evidece, a receipt with my name staring blackly back at me, giving solidity to the transaction. I was vaguely surprised to find that typing in my PIN worked tonight - although I'm aware of the technology involved, somehow I didn't seem to have done quite enough to have given away thiry quid.
I rather like my signature, which is large and flamboyant and, according to amateur graphology in something like Cosmo once, indicative of generosity and optimism. When I signed my new debit card this evening, my signature ran off the top of the little white strip as it always does. Unusually, for someone older than around twenty, my signature is legible as my name; it has not devolved into a series of stylised squiggles. It only looks the same each time by virtue of long practice, of being required to write it repeatedly on forms, of having to scribble it quickly when I pause to buy something and am running late.
Some time ago,
jezzidue took me to task for this. It was not a signature, he said, just me writing my name with a flourish, and as such was easily copiable. I accepted the challenge, and ten minutes later could produce a much more convincing (to the untrained eye) version of his pile-o'-squiggles than he could of my handwritten name. It saddens me to think that my signature will now have fewer outings than it used to. For the time being, at least, it will still be required on official forms, personal cheques and as an informal endorsement that I've agreed to something. But cheques are fast going the way of the big lizardy things, and I wonder whether some PGP-variant will soon be stepping in to ensure that everyday forms filled in online can be authenticated. Already, via internet banking, I can do things which would otherwise require a signature just by typing in my password.
I might start keeping a count, over the coming months, of just how often I'm required to put pen to paper when providing my consent to something. I fear it won't be as often as once a week. I wonder how long it'll be before there is a generation of people who don't have (or need to have) a consistent and recognisable signature.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2005-05-05 09:07 am (UTC)Previously the card companies took the burden of liability for transactions made with fraudulent signatures, and yes, they are shifting this onto the retailer now -- the retailer is liable if they accept a signature which turns out to be fraudulent. But they can get out of that by simply refusing to accept signatures -- this is what the card companies want them to do.
The consumer is newly stuck with the bulk of the liability, as they are now liable for any fraudulent use of the card which includes the correct PIN.
So the card company used to indemnify the consumer against fraudulent signature, but they now do not do so against fraudulent use of PIN -- that's what I meant by "shifting liability onto the consumer".
no subject
Date: 2005-05-06 10:46 pm (UTC)Now, I don't know exactly what "negligent" means, and probably neither does anybody else yet, but it's not the same as "any fraudulent use of the card which includes the correct PIN". Are you sure of your facts? (I'm not sure of mine, and it is important which of us is right)
For examples of the difference, if your postman intercepts both card and PIN then you are clearly not negligent. I suspect that if someone perpetrates a clever scam involving fake Chip and Pin machines in restaurants (the same people that last year were cloning our cards while they were out the back ringing them up) then you're not negligent.
The serious danger is that if someone just happens to see you typing your code, and then follows you and nicks your wallet somehow, you might be negligent if they get to a cashpoint before you get to a phone to cancel your cards. But I doubt it.
no subject
Date: 2005-05-07 10:31 am (UTC)I'm relying on newspaper reports, in particular this one which I read at the time and which struck me deeply, which includes:
"So why are banks and retailers so very eager to shepherd in the new system? Hidden in all the song and dance about chip-and-pin systems is also a project that's "not so much about risk reduction as liability engineering", argues Ross Anderson, professor of security engineering at Cambridge University, and the leading security academic in the UK. On the surface, everything is in the customer's favour. At present, banks are liable for any losses incurred once a card has been reported stolen, though they're not overly keen on our realising this (hence the vast num bers of us who uncomplainingly pay credit-card insurance). What chip-and-pin allows them to do, according to Anderson, is claim a kind of pre-emptive carte blanche. They can start by imputing negligence - "You naughty person, you've been a bit careless with that pin, haven't you? Our new systems are secure, so it must be your fault." In the case of severe fraud, the onus may well fall on the customer to prove the fallibility of their systems, which is "an unmeetable burden of proof", says Anderson, who has even known a bank to prosecute a customer, a victim of phantom withdrawals, for attempted fraud."
Maybe though this guy's guess at the interpretation of negligence is unduly paranoid, and maybe I am being naively conspiratorial in instinctively tending to believe him.
no subject
Date: 2005-05-07 10:37 am (UTC)no subject
Date: 2005-05-07 01:07 pm (UTC)