Newsgroups: uk.finance
Subject: Re: Chip & Pin Fraud
From: Geoff Lane
Date: 07 May 2006 12:13:15 GMT
"Alex" wrote in
news:xn0ely0ib2krfa700f@news.individual.net:
>> So:
>>
>> 1. The card is used with the fraudulently obtained PIN; or
>> 2. The card is used with a forged signature:
>>
>> In the first case, you are deemed to have unauthorisedly disclosed
>> the PIN and are held liable.
>
> Nearly 18 months after its introduction, I'm still waiting for news
> that this has actually happened; i.e. the cardholder has ultimately
> been held liable for a fraudulent transaction they were not complicit
> in.
It has happened in the case that sparked off this thread. According to
the Daily Mail, Mary Adkins lost £1,300 and the bank is still wriggling
more than a month later even though the bank knows the media is involved.
Now what about the fraudulent transactions that the bank has deemed were
not fraud? With Chip and PIN, the onus is on you to prove that fraud
occurred - and that's something you can't easily do. (Don't forget that
banks have a history for denying liability in the case of phantom ATM
withdrawals.) There is thus an implicit shift of liability.
>
>> In the second case, the bank deems that Chip and PIN
>> could have prevented the fraud and the retailer is held liable.
>
> Correct. If the retailer does not have EMV capability, or they
> bypassed that capability, then they will be held liable. Otherwise,
> they won't.
>
>> In either case, the bank is not liable
>
> Oh yes they are! In the first case they are liable if the cardholder
> was not complicit in the fraud. In the second case they (the issuing
> bank) are liable if the card is not EMV capable.
In the first case, the bank are only liable if the cardholder can prove
that fraud has occurred and that they were not complicit in that fraud.
Prior to you informing your bank that you are not in possession of your
card, you are liable for all transactions authorised by PIN. This is a
world apart from the situation before Chip and PIN where the bank had to
show the signature was valid. There is thus an implicit shift of
liability.
In the second case, as you say, the bank is liable if the card is not EMV
capable. Presumably, the bank is not if the card is EMV capable. Thus, by
your own statement, there is a shift of liability.
>
>> where under the old system there it
>> is highly probably they would have been. Thus Chip and PIN has moved
>> liability from the banks to the retailers and cardholders.
>
> If your claims above were valid, then you'd be right. Since they're
> not, you're not.
>
There is an implicit shift in liability - period. My claims only echo the
concerns expressed by Prof. Ross Anderson et al. Here are some references
that better explain:
http://www.saynotochipandpin.co.uk/
http://www.cl.cam.ac.uk/users/sjm217/papers/cl05chipandspin.pdf
--
Geoff
|