Does the improved credit card security offered by chip and PIN-embedded credit cards mean a future of greater personal liability?
For the first time in a very long while I was pleased to receive a letter from my bank. It wasn't asking for payments or hiking up their fees -- it wanted to provide me with greater security by issuing me a new chip and PIN credit card.
I have been the target of credit card fraud twice in my life, but both were while using the conventional magnetic strip card. The first time was on a sweltering hot train in Madrid when a short, fat but otherwise unassuming 40-year-old woman pickpocketed me. I contacted my bank immediately and I ended up not being penalised for the theft.
The second time was during a brief jaunt to Tony Soprano's home state, New Jersey, when I used my credit card to buy a camera. During the purchase, I was assisted by a pimply, teenage Eminem look-alike.
Everything appeared to be fine until weeks later, when I received a call from my bank's fraud investigators who told me my card had been compromised.
I couldn't be sure, but my first guess was that I'd been given the raw prawn by Eminem's doppelganger. I told them I hadn't authorised the transactions and the bank didn't hold me responsible for the losses. It wasn't comforting to know my card was skimmed by Eminem, but I at least felt protected.
The bank didn't accuse me of anything and didn't hold me liable for the losses but that could change if Australian banking customers find themselves following their UK counterparts, who introduced chip and PIN in 2006.
Under the British Bankers' Association code -- a voluntary code of practice similar to Australia and New Zealand's banking association structure -- the onus is on the bank to prove users have acted fraudulently or without reasonable care before they become liable for the misuse of the card. If it can't, the user isn't liable.
But since the introduction of chip and PIN cards, consumers are increasingly being turned away by banks when making a compensation claim.
That's because chip and PIN technology prevents cards from being cloned through card skimming scams. But so sure are the banks of this bulletproof technology that some are assuming that if a fraudulent transaction occurs where a PIN has been used, it must have been the cardholder's fault.
Bulletproof it's not though. Researchers at Cambridge University recently showed that you don't need to clone a card to compromise it.
ZDNet.com.au recently reported a case where a keylogger had been used to steal a person's Internet banking passwords, which led to the criminals spring cleaning the victim's account. When the victim told the bank about the problem, its initial response was that he must have given out his password. He denied the claim and only after the Australian Federal Police investigated the incident did the bank decide to charge back the stolen amount.
Of course, banks shouldn't make it too easy to claim compensation, otherwise criminals would exploit that. On the other hand, it is a little scary when a bank's faith in its security technology is so great that it assumes exposure of security information means carelessness -- and therefore some liability for the fraud -- or indeed actual involvement in the crime.
What's even more scary as the holder of one of these new cards is that I could be being set up by my bank for a future of increased liability, all under the guise of increased protection. I now feel a bit dirty for being so gleeful at the arrival of chip and PIN.
And before you think this is just the ranting of a paranoid journalist, think back to the angry reaction the Australian Bankers Association gave to rumours that it would amend its Electronic Funds Transfer Code of Practice to place some liability for theft and fraud on the customer if their PC was not adequately protected with up-to-date security software.
While it vehemently denied such intentions, just months later the New Zealand Bankers Association, whose largest members are also part of the Australian Bankers Association, amended its EFT Code of Practice to do exactly what the Australian organisation had denied.
There is however a silver lining to this cloud of uncertainty hanging over online consumers, although to see it requires a small shift in perspective. One of the UK's big four banks, LloydsTSB, has spotted an opportunity amidst the kerfuffle over identity theft and fraud in banking 2.0 -- insurance 2.0.
Now I know that banks are under pressure to please their shareholders, but this new product really is a bottom-feeding mullet you really don't want to swallow: for just £6.99 per month you can "safeguard your identity" and pay for services that UK banks are legally obliged to provide. Then again, maybe this product does have a target market: if you're stupid enough to pay a few thousand dollars to a Nigerian prince after receiving an anonymous e-mail, you're stupid enough to buy this insurance.