[17756] in cryptography@c2.net mail archive


Re: Why Blockbuster looks at your ID.

daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Sat Jul 9 23:40:50 2005

X-Original-To: cryptography@metzdowd.com
Date: Sun, 10 Jul 2005 00:12:14 +0100
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: Jerrold Leichter <jerrold.leichter@smarts.com>,
	"Perry E. Metzger" <perry@piermont.com>
Cc: Dan Kaminsky <dan@doxpara.com>,
	Edgar Danielyan <e.danielyan@gmail.com>, <cryptography@metzdowd.com>
In-Reply-To: <Pine.SOL.4.61.0507081353020.24439@frame>

Jerrold Leichter wrote:

> There have been a couple of articles in RISKS recently about the fairly recent
> use of a two-factor system for bank cards in England.  There are already
> significant hacks -

yes ...

> and the banks managed to get the law changed so that, with
> this "guaranteed to be secure" new system, the liability is pushed back onto
> the customer.

 I'm not too sure what you mean.

 In the UK the merchant is not usually liable for card-present fraud.

 There has been / is about to be a change to the liability of the merchant,
usually to the effect that if a fraud is successful because the merchant
hasn't installed PIN equipment then they will be liable. A few banks are
making merchants liable for all fraud if PIN equipment has not been
installed.

EMV said the change would begin on 1st Jan, but the banks haven't all
implemented it yet. Many did so on 1st July.

The change occurs in the contract between the acquiring banks and the
merchants, not the law; the legality of the change is questionable, but as
it is basically just a way to encourage retailers to install PIN equipment
it has not been challenged afaik.

There is no change in the merchant's liability if he has installed Chip n'
PIN equipment - the tales circulating of all merchants becoming liable for
all frauds are simply not true.





 There will also be a change in the way fraud claims are dealt with, to the
almost certain disadvantage of the cardholder, as there is no physical
signature to contest and at least in the first instance the issuers
determine the "facts".


 However I am not aware of any changes to the law.


 There was a very recent Banking Ombudsman case where the cardholder had
been grossly negligent about her PIN security, but her liability was still
limited to £50 (which is a statutory limit and applies to credit cards, but
not to debit cards - although it is in practice applied to them too).
Usually the £50 limit is not charged by the issuing bank.





 However the customer eventually pays for fraud anyway, in the form of
higher prices, so the issuer - merchant liability split is not of immediate
relevance to the customer. It should be tilted firmly against the banks IMO
though, as they are responsible for the system, not the merchants, who have
no say, as EMV + AmEx is an effective monopoly.



 BTW, one of my banks recently sent me a leaflet which said Chip n' PIN was
going to be introduced worldwide. Anyone know more about that?


--
Peter Fairbrother


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
