
Holy shit, that’s horrible.

Where I am, PIN and Card arrive in different letters, and the Card letter is only sent once you confirmed via your online banking interface (which uses 2FA) that you received the PIN letter. And you need to confirm online in your banking interface to have received the card to be able to use it.



For credit cards in the US you virtually never use a PIN. Debit cards only.


Well, even then.

Require the customer to verify that he/she received the card in their online banking interface.

Mark it as invalid/stolen/whatever before that.


This may seem foreign to most people here, but there's still a TON of people who don't do online banking or have an account set up/bookmarked for all their financial institutions' online sites.


Well, in those cases you can go to the next branch.


That's changing as of this month. Most banks have already issued new chip cards, which require a PIN. If a merchant is still using the old swipe and sign system, now they'll be liable for any fraudulent transactions if the customer has a chip card.


All of the new chip cards in the US I've read about are signature only. It was decided that the US consumer would dislike the added complication of needing to use a PIN.

I'd like a chip card that requires a PIN (and that is accepted widely in the US) because such a card would make unauthorized charges less likely after the card is lost or stolen, but I was not able to find one.


I have a US chip card where I've set a PIN for transaction purposes, so it's not signature only, but it'll still accept both. That said, all of the chip card readers that I've used (few and far between still...) seem to have been configured for signature only, so I haven't been prompted for my PIN yet.


Thanks for clarifying. I agree that my "signature only" was inaccurate.


The system in the US is not chip-and-PIN, it's chip-and-signature.


Incorrect. The new cards are chip and signature. No PIN involved.


Debit cards are chip and PIN now, granted.


Which is itself horrendous on a different axis.


How so? It means you need access to the online account, to the 2FA device, and to both letters to abuse the card.

If the attacker already has access to the online banking account, then he/she can do much worse things anyway.


Different axis aka not security. The security is much better. But it's slow and inconvenient.


I opened an account at Metro Bank (in London), in a branch. They verified my ID, then printed a debit card — this took about 10 minutes — and let me set its initial PIN in the bank.

I don't know if this is now normal in the UK. The previous time I opened an account in-branch was 2004, when the chip card arrived by post a few days later, with the PIN in a separate letter.


Similar situation here in Germany – but some banks, as I mentioned, require you to verify online that you received the letters, if you enabled this security feature.

In fact, I’ll go next Friday to the bank to get a new debit card, as my existing one stopped working a few months ago.


Metro Bank are a newcomer to the market who've focused heavily on streamlining their customer enrolment because of that. I don't think other banks offer this.


How is it inconvenient? It’s not like you get a new card every day.

And it only delays the process by 2 days. At maximum.


Rare inconvenience may be more easily tolerated, but it is no less inconvenient.

The fact that you can even say "well it's only 2 days delay" seems insane to me.



