Folly

Sigh. This is getting ridiculous.

I’ve complained about the stupid things credit card issuers do before, most recently in April. This week, however, they reached a new low.

I got a new card. Nothing new about that, right? What is new is that it wasn’t because the old one had expired, nor had it been compromised. According to the accompanying letter, the new card “has a new layer of protection” and “For added security, your card has a new number and includes chip technology.” It also has a new expiration date.

Excuse me? My old card also had a chip.

The letter goes on to say “This is simply a preventative measure to improve the security of your card. This is not in response to your account being compromised in any way.”

If the old number wasn’t compromised, how is the new number an improvement? The only possible interpretation I can put on this is that there’s some weasel wording going on here: my account hasn’t been compromised–literally. Nobody has broken into the issuing bank’s system and accessed my account. Good to know. But that doesn’t eliminate the possibility that some merchant I used the card at–or Visa itself–has been hacked and my card information potentially exposed.

What makes this truly annoying is that the old card–which had a new number and expiration date–was four months old. What’s the point in giving me an expiration date four years in the future if you’re going to change it every four months?

The really boggling part about this fiasco, however, is that the chipped cards are no more secure than the old unchipped cards. As I said in April:

It won’t do a damn thing for Internet sales. Give ’em the card number, expiration date, and (sometimes) the code printed on the back, and they can charge the card just as they always have. And store the information insecurely, just as they always have. And get hacked, just as they always have.

But even leaving that aside, the chip technology has been thoroughly and repeatedly hacked in Europe. The reason it’s called “chip and PIN” is that the vendors couldn’t make the chip alone sufficiently secure to protect their profit margins, so the previously-optional PIN was made mandatory to provide an additional level of protection.

Lesson learned, right? Nope. When the technology came to the US, the PIN wasn’t made mandatory. None of my chipped cards came with PINs or any documentation suggesting that I create one. Store terminals don’t require a PIN, and many don’t require a signature either.

Not that a signature is an effective security measure. It’s not checked against anything–there’s no reference signature stored at the bank for comparison. At most, the clerk might look at the signature on the back of the card, but odds are he or she isn’t a handwriting expert and has no idea which differences are normal variation and which could be signs of an attempted fraud.

If insanity is doing the same thing over and over again, expecting a different result*, then our credit card system is insane.

* A quote often attributed to Albert Einstein, Ben Franklin, and many others. As is so often the case, there doesn’t seem to be any evidence to support any attribution.

Oh, well. See you in four months when this card gets replaced.

Sigh.

2 thoughts on “Folly”

    • Good question, and one I can’t answer. None of my chip cards have PINs, but I’ve heard that some do. And it might be possible to get one added if you call the bank and argue with Customer Service. I’ll probably try that at some point.

      But even if you get a card with a PIN, I don’t know if the American chip-and-PIN implementation is inter-operable with the European. Sounds like an excellent question for your bank.
