Visa and Mastercard are moving to phase out signatures for credit card payments in Australia. It’s not a terrible move, but it’s not one that offers iron-clad security either.
There’s a report in the Sydney Morning today that states that Visa and Mastercard have approached the ACCC seeking to have the signature option from credit cards revoked in favour of a PIN-only approach.
The claim, according to the credit card giants, is that signatures are a hotbed of fraud, especially when staff fail to check actual signature details. Small merchants aren’t entirely happy with the move, because it would require all of them to update their electronic payment processing options. No more paper signatures, slips of paper, that kind of thing.
I don’t doubt for a second that there are plenty of sales staff who never check signatures, or at best only give them a cursory glance. In many cases, I suspect they’re simply not paid enough to care, or they’re working for massive conglomerates who they figure can absorb the cost.
The issue I see, though, is that while mandating a PIN changes the security landscape a little, it’s only really moving the goalposts. Lots of people have issues with remembering complex and numerous PIN details as it is, and I’ve personally growled at people I know who keep their PIN written down in wallets and purses. That’s a straight up security hole right there, because if it’s all electronic, then functionally speaking nobody is checking details… and that’s where the other problem comes in.
The weakest link in the security system is often the human one. I’ll illustrate this with a personal anecdotal example. A couple of weeks ago, I needed to change over a micro SIM for a Nano SIM for my phone account, but I had a problem.
The problem wasn’t that my telco wouldn’t be willing; it was simply that I’d foolishly left my wallet in a relative’s car, and thus the majority of my personal documentation was some 500 kilometres away. Not exactly convenient when it comes to proving identity, so I hit an alternate plan, and grabbed my passport. It’s not the “usual” form of identity papers that people expect — that’d be a driver’s licence — but it’s valid. I headed to the telco’s store and asked politely for a SIM swap, passport at the ready.
I needn’t have bothered. The sales assistant took down the mobile number I stated and happily punched all the details into her computer system… including a checkbox stating that she’d sighted my driver’s licence. Which she very much hadn’t. She didn’t ask to look at my documentation at all; the only bit of information I actually needed was the mobile number of the account I wanted to swap.
I didn’t make a fuss at the time, because frankly it was convenient to me; I had plenty of other things to do that day rather than argue security protocols with a store assistant.
But I should have, because that’s the crux of the problem. All too often, we’ll happily trade off security for convenience, which is exactly what I did on that day, and it’s exactly what happens right now when your signature isn’t examined by store staff.
Switching to a PIN-only solution will no doubt speed up some cash register lines, but a PIN is just a passcode. What happens if your PIN is accessed by somebody else? How do you prevent PINs from being socially exploited — the classic “I’m calling from your bank, but first need you to verify your identity” scam? That’s not an added layer of security if it’s bypassed via the human element alone; it’s just another method of single-factor authentication.
Image: Beau Giles