sungate.co.uk

Ramblings about stuff

Headphones, credit card ‘chip and PIN’

My current set of headphones, that I use at work, gave up the ghost and so I went off to purchase a pair of new ones … I ended up getting a pair of Sennheiser HD497 headphones. They look like this:

Sennheiser HD497 headphones

They seem rather nice – the sound from them seemed to be rather top-heavy to start with, but that might have been because the old ones were so poor by comparison. They sound very good now.

My purchase of these headphones was also the first time I used my PIN, rather than scribbling my signature, when I paid with my credit card. Being a conscientious disciple of the Bruce Schneier School of Security Thinking, I decided to make an assessment of whether the use of PINs is a Good Thing or not …

1. What problem is the introduction of ‘chip and PIN’ trying to solve? This is not terribly well-defined, although a blanket objective of ‘to reduce credit card fraud’ is probably reasonable.

2. How well does ‘chip and PIN’ solve this problem? Hard to say – people are more likely to forget their PIN than ‘forget’ their signature, so there may be problems associated with that. Also, if someone steals your card, they have the signature too, but not the PIN. Of course, that’s only helpful if you can only authenticate the transaction using the PIN – and that won’t happen until all retailers have the new hardware (however, given that these units will be supplied by the retailers’ banks, that may not be such a long time). Signatures aren’t that hard to forge and are rarely checked carefully by retailers, especially for low value purchases.

3. What new problems does ‘chip and PIN’ introduce? The consumer probably has to trust the PIN-entry keypad devices more than they would previously have had to trust a simple credit card ‘swipe’ unit. ‘Trust’ here meaning trust that the retailer hasn’t tampered with the device to record card numbers and their corresponding PINs, for example.

4. What are the economic and social costs? There is presumably a cost to the banks issuing the new cards. And I expect they hope that the costs will be outweighed by the reduction in fraud.

5. Given the above, is ‘chip and PIN’ worth the costs? Time will tell, of course, but it’s largely a gamble by the banks, and so long as card users are educated in how to use PINs in this way, it should be a reasonable security measure.

2 Responses to Headphones, credit card ‘chip and PIN’

  1. been a whole tirade (or should that be tsunami?) about chip and pin on ukcrypto for the last week or two. Check out the archives at your peril..

  2. I wrote a blog entry about C+P when someone pointed out This site on C+P.
