Four-digit chip and PIN numbers have been a feature of bank debit cards in the UK for a year, with the system extending to credit cards in 2006.
C&P is a good idea, despite what the detractors say, because it is more secure than the system it replaced. Admittedly, the system it replaced had almost no security at all other than asking people for signatures - and card-not-present transactions are not yet covered - but let's give it some credit for the reduction in fraud figures.
In at least one case we have learned of, it could have a small weakness: the envelope in which the PIN is first sent to the customer.
These envelopes - used by all UK banks - are designed to be tamper-proof. For instance, it is impossible to read the digits by holding the letter up to the light. Physically tampering with the envelope is also supposed to be impossible without it being obvious to the intended recipient.
But according to one source we've been made aware of recently, the envelopes sent out to customers of NatWest can allow the PIN to be read as an indentation on the envelope's surface. It's hard to say how common a problem this is, but it is reasonable to assume it is more than an isolated occurrence. Worse still, there is no way for the customer to know that this information has not been intercepted.
The moral of all this? Not all good security is electronic, because banks still rely heavily on the mail to operate. As long as that is true, PINs will not be remotely secure. It is also worth the customer changing the PIN immediately on receipt, if that is allowed.
And, while on the subject, one word of warning as regards using credit card PINs when they become mandatory.
People tend to have several credit cards, and remembering the numbers on all of them is not going to be much fun. The temptation is to set the same number on all cards. Don't do this. The first thing any thief is going to do with a batch of stolen credit cards from the same person is to try the same stolen PIN. In the event that the same number works on all cards, it is by no means clear that credit card companies are going to be happy to reimburse the customer for losses on every card. Using the same PIN could be deemed to be abusing the principle of responsibility as set out in the T&C section of most credit card agreements.