bit-tech.net

ChipPIN' Away at my patience

The counter clerk looked at me expectantly. There were a few seconds’ silence whilst we tried to communicate telepathically, but it was clear that she was probably receiving ‘three wavy lines’ and I certainly wasn’t getting whatever it was that she was intimating. Physical intervention was clearly required and I wasn’t biting first, so she motioned to the keypad in front of me.

“Could you enter your PIN please?” she said. At that point I realised that we were about to go through the whole ‘Chip and PIN’ experience that the UK has recently had inflicted upon itself. I eagerly (as it was the first time) entered my PIN number and allowed the dawn of a new shopping era to take place, and I swear my technical nipples went hard. The transaction was completed and I walked away without having to sign a thing; the future was here! Just in time for the Xmas rush too. Unfortunately, whilst braving the local shopping centre and trying the same process at several other stores, I realised that not everywhere is following the same mentality as others. Many still request you sign and swipe the card themselves, some put the card in the Chip and PIN machine and have you sign, some swipe the card then have you enter your PIN and some have you do all the hard work for them. At this stage, as C&P is being rolled out across the country, the retailers are still very disparate in how they provide the service to their customers.

"...the shops themselves yield no further information, as the majority of them have absolutely no indication that C&P is in place at their store"

Firstly, the question I’d like to put out there to everyone is how aware of the C&P system you are? I personally have seen the occasional advert and have had one (yes, a single) leaflet posted to me regarding its use. Obviously being a technophile I am aware of the concept, however Joe Public will have found it remarkably easy to miss the current state of affairs. The shops themselves offer no further information as the majority of them have absolutely no indication that C&P is in place at their store, nor do many have leaflets available to inform consumers it’s already here. Granted, the devices are usually on full display, however I am guessing most people treat them like a strange curio or some kind of Big Brother-esque sterilisation device and shy away from them in horror.

So currently, for a change to essentially the entire backbone of the EPOS system due to be widely rolled out by 2005, the general public is still blissfully unaware of it and this is not just a learning issue, but also a potentially embarrassing one. Any unease felt during the assistant/shopper experience is something no-one should have when purchasing goods. In some circumstances you’re going to be made to feel stupid if you’re not aware of how C&P works, in others you will be waiting to be asked for your PIN whilst the assistant shoves a pen under your nose and I’m sure many of us will go through the times where we wish to sign (maybe due to uncertainty as to how visible your PIN will be) and are forced into using our PIN resulting in an argument with the store. I am certain the pig-headedness of the British consumer will have us steadfastly refusing to enter our PIN numbers for quite some time however, much to the dismay of the seventeen year old trainee assistant who just wants to go to lunch.


Chris Caines


I suppose the greatest concern is that this does raise the issue of ‘shoulder surfing’ to obtain your PIN. Shoulder surfing is the art of having a supposedly innocent party ‘surf’ past you and watch you enter your number, then an accomplice steals your wallet and they meet up round the corner and withdraw all your cash. Now, with the correct PIN and your wallet, your ten thousand pound Credit Card limit is now available to them and with the proliferation of joint Debit and Cashpoint cards most of your money could be at stake here. There is obviously the argument that people have been successfully forging signatures and stealing cash for years, but with everything now neatly packaged into a single number (and believe me, enough people will set all their cards to the same PIN to make it a relevant argument), the concern changes into how quickly you can realise you’ve been duped and either cancel your cards or get your PIN changed before they go wild in Ikea. Why do I think this is such a security concern? Because I have been able to see several people’s PINs being entered without even trying hard to look and have heard stories of people saying their PINs aloud or getting them from a piece of notepaper they keep in their wallets. Aside from the actual theft, copying a signature is down to the individual talent of the criminal, however catching a number entered by someone umm-ing and ahh-ing is not going to require the forging talents of Elmyr de Hory.

"I have been able to see several people’s PINs being entered without even trying hard to look and have heard stories of people saying their PINs aloud or getting them from a piece of notepaper they keep in their wallets."

Don't get me wrong; this system will work, and I think some of the nay-saying (mine included) is definitely due to the unease of how little common sense some people can have. Lives are locked into passwords and PINs and yet some think nothing of telling the whole of Asda their secret code. So much is spent on protecting people from themselves, it makes you dizzy to wonder what the world would be like if people took their own security seriously.

Personally I think that biometrics is the safest way forward and I do find it a little irksome that the money wasn’t better spent on trying to introduce some kind of fingerprinting system, which would cure many of the ‘security problems’ in an instant (provided we forego the obvious privacy concerns), however I can’t help but feel the same people who yell out their PIN in the middle of a queue would complain about having to stick their thumb on a dirty pad. Priorities, priorities…

More information can be found at the Chip and PIN Website; I recommend everyone gives it the once over.