
I can't see how that can be true. Prior to chip+pin, you could still withdraw money from an ATM with a card+pin, so how exactly did the security change?

In both cases, you can dispute transactions with the banks, and in both cases, the banks are going to open their defence with "but how did the thief know your PIN?" but that does not make it clear-cut, nor does it mean the banks will always win their argument.




Before Chip+PIN was introduced, card cloning or ‘skimming’ was a very common fraud method. An ATM would be modified with a device to copy the magnetic strip and register the associated PIN with a keypad overlay or a pinhole camera. This data could then be used to create a cloned card to withdraw money with, sometimes even in another continent.

Chip+PIN (EMV) prevents this because the chip cannot be cloned, and so it completely eliminates this form of fraud. However, banks also used the introduction of Chip+PIN to move liability of any fraud to the customer, whereas before the banks would fully refund any fraud.


From http://www.theukcardsassociation.org.uk/faqs/ :

With chip and PIN, who is liable for card fraud?

Consumers remain fully protected from the cost of card fraud and are covered under The Lending Code. From 1 January 2005 there was a shift in liability for some types of card fraud from banks to retailers, but this will not affect cardholders in any way. If businesses have chip and PIN terminals in store, they are covered for the cost of card fraud whether customers enter their PIN or their signature, just so long as staff follow the on-screen prompts and carry out the routine checks to ensure cards have not already been reported lost or stolen. Banks will continue to be liable for the cost of card fraud committed on old-style non-chip and PIN cards, so by accepting them businesses are not putting themselves at risk in any way.

So in what way has fraud liability shifted on to the customer?


Certain banks did try for a while after the chip and PIN rollout to pass liability onto the consumer with statements like:

"our systems are foolproof, and as you can only withdraw money with your PIN, you must have given your PIN out, so it's your problem"

This was mostly ineffective against people that knew the law.

http://www.phantomwithdrawals.com/


Much as juries tend to believe a cop even though data suggests cops aren't very reliable even when they aren't actively lying, so they also tend to believe a smartly dressed bank official. Victims of fraud who end up on trial (either tacitly after they have to sue the bank for their money, or more rarely literally after the bank tells police they committed fraud) are disproportionately female, elderly and non-white, all factors that make them less believable to a jury, almost as if those trying this on know that...

Juries are rarely told, and bank officials would hardly volunteer that big frauds often involve a bank insider, and sometimes even an insider the bank has since caught and fired. You won't get the money back from an insider who was taking 10% but you can make a victim of the individual account holder rather than eat the loss at your multi-billion dollar bank. And all you have to do is pretend systems you know are all too fallible are instead perfect.

Ross Anderson has written about some of this on Light Blue Touchpaper.


Again, I can't see how anything changed. You have a card and you needed a PIN to use it, before and after the chip was added. Smartly dressed bank officials were around in both times. In either situation/time period, banks would claim "how could someone possibly have got cash/goods without you disclosing your PIN? Our systems are secure!" whereas we know that the systems, before and after the chip, are not 100% secure. Ross Anderson has been instrumental in demonstrating this, for sure.

As I've quoted from the website, there was no change to the consumer protection in the introduction of the chip. Your description applies equally well to court cases before and after the technology changed.


"You have a card and you needed a PIN to use it, before and after the chip was added"

Er, no?

I guess it's possible you've actually forgotten what changed here.

It's 1995, I have stolen a VISA card issued to a nice old lady who lives across the street. I walk into a PC wholesaler which allows walk-in purchases, I hand over the card in the name "C. Smith" and walk out with two months' salary worth of Pentium CPUs that can be sold easily for almost their RRP. Did I know a PIN? Nope, just squiggled something that might be "C. Smith" on both the card and the receipt.

When her bank tells her she bought all those Pentiums, she's going to freak. And when she calms back down she'll say she never received that card. Has no idea where it is. Give her back her money.

The bank will of course insist that it's her card and surely she bought all those CPUs. But Ms Smith's lawyer doesn't need a Computer Science degree to understand what happened, and neither does the jury. Smart suit or not, "Her card was simply stolen from the post" is an easy argument to understand and she'll prevail.

Not so when the bank says her PIN was used. Who else could know her PIN? Those are secret. Aren't they?

Why didn't the store want a PIN back in 1995? Because they had no way to validate it, it would be useless to them. Only the _chip_ enables offline PIN verification, and in 1995 even some _ATMs_ were still doing offline transactions.

The transactions are not routinely online. Yes, I know, you had to wait 5 minutes the other day in an antique store because their card machine used a dial-up modem. Very annoying. And also quite possibly bogus, there's a good chance that wait was a charade. But why doesn't it have to be online, surely that's unavoidable?

Time for another brief lesson, this time not about history though, this is all still true today:

Payment card transactions are really _two_ transactions, the banks make no real effort to correlate the two, and one is done entirely on the honour system.

1. Authorization: Does the card holder authorize this transaction? This is the one that has tightened up considerably due to fraud. But this doesn't move any money anywhere, and doesn't involve any real time interaction with a bank at all. Once upon a time this involved a machine that used carbon paper to take an "impression" of the 3D credit card, and collecting a signature. Today it's "Chip and PIN".

2. Settlement: Who should get paid, and how much, by whom? This moves the actual money to the merchant. It's done entirely on the honour system, banks and merchants both routinely screw up, if your country's laws make them they'll eat the cost of fixing that, otherwise they'll probably blame you and make you suck it up. Hooray.

The first one has loads of serious technology thrown at it. Anti-replay for example. If I authorize one $14.99 payment, you can't just show that again to authorize another one.

And the second, which moves the money, undoes every benefit of the first, for example you needn't replay the authorization, just do settlement again for the extra $14.99 without any authorization at all. The bank will hand it over, the customer loses the money, unless they remember to explicitly complain about having $14.99 stolen you can just keep it. If they do complain, say it was a "mistake", you lose the $14.99 but so long as you don't do it too often you'll just get a slap on the wrist and can try ripping off other customers.
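The two-step flow the comment above describes, modelled as an added example (this is not code from the commenter, and it is a toy, not real EMV): the card signs each authorization with a key that never leaves it and a counter it only increments, which is why a magstripe copy is useless and why presenting the same cryptogram twice is rejected; the issuer then settles under one of two policies, the "honour system" the comment describes, where the debit is taken on the merchant's word with no link to any authorization, and a matched policy that pays each authorization at most once and only for the authorized merchant and amount. The HMAC stands in for the EMV cryptogram, and the card number, merchant name and key are constructed sample values.

```python
"""Toy model of authorization versus settlement (constructed example, not EMV)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    pan: str            # card number (constructed sample value)
    merchant: str
    amount_cents: int
    atc: int            # application transaction counter, like an EMV chip's ATC
    cryptogram: str     # MAC over the fields above, made with the card's secret key


def _mac(key: bytes, pan: str, merchant: str, amount_cents: int, atc: int) -> str:
    msg = f"{pan}|{merchant}|{amount_cents}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """The chip: holds the key (so a magstripe copy is useless) and the counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self._atc = 0

    def authorize(self, merchant: str, amount_cents: int) -> Authorization:
        self._atc += 1  # never reused, so an old cryptogram cannot be presented again
        return Authorization(self.pan, merchant, amount_cents, self._atc,
                             _mac(self._key, self.pan, merchant, amount_cents, self._atc))


class Issuer:
    def __init__(self, link_settlement_to_authorization: bool):
        self.linked = link_settlement_to_authorization
        self._keys = {}        # pan -> card key
        self._balance = {}     # pan -> balance in cents
        self._last_atc = {}    # pan -> highest counter seen (replay check)
        self._unsettled = {}   # (pan, atc) -> approved but not yet settled authorization

    def enrol(self, card: ChipCard, key: bytes, balance_cents: int) -> None:
        self._keys[card.pan] = key
        self._balance[card.pan] = balance_cents

    def balance(self, pan: str) -> int:
        return self._balance[pan]

    # Step 1: authorization. Verifies the cryptogram and rejects any replay.
    def authorize(self, auth: Authorization) -> bool:
        expected = _mac(self._keys[auth.pan], auth.pan, auth.merchant,
                        auth.amount_cents, auth.atc)
        if not hmac.compare_digest(expected, auth.cryptogram):
            return False
        if auth.atc <= self._last_atc.get(auth.pan, 0):
            return False  # replayed or stale counter
        self._last_atc[auth.pan] = auth.atc
        self._unsettled[(auth.pan, auth.atc)] = auth
        return True

    # Step 2: settlement. This is the step that actually moves the money.
    def settle(self, pan: str, merchant: str, amount_cents: int,
               atc: Optional[int] = None) -> bool:
        if self.linked:
            # Pay each authorization exactly once, and only for what was authorized.
            auth = self._unsettled.get((pan, atc))
            if auth is None or auth.merchant != merchant or auth.amount_cents != amount_cents:
                return False
            del self._unsettled[(pan, atc)]
        # Honour system: nothing above runs and the debit is taken on the merchant's word.
        self._balance[pan] -= amount_cents
        return True


def run(linked: bool) -> dict:
    """Authorize one 14.99 purchase, replay the authorization, then settle it twice."""
    key = b"constructed-toy-card-key"
    card = ChipCard("4000000000000001", key)   # constructed sample PAN
    issuer = Issuer(link_settlement_to_authorization=linked)
    issuer.enrol(card, key, balance_cents=10_000)
    auth = card.authorize("PC wholesaler", 1499)
    first = issuer.authorize(auth)
    replay = issuer.authorize(auth)            # same cryptogram presented again
    settle_1 = issuer.settle(card.pan, "PC wholesaler", 1499, auth.atc)
    settle_2 = issuer.settle(card.pan, "PC wholesaler", 1499, auth.atc)
    return {"auth": first, "auth_replay": replay,
            "settle_1": settle_1, "settle_2": settle_2,
            "balance": issuer.balance(card.pan)}


if __name__ == "__main__":
    print("honour-system settlement:", run(linked=False))
    print("matched settlement:      ", run(linked=True))
```

Under both policies the replayed authorization is refused, which is the anti-replay the comment credits to step one. Under the honour-system policy the second settlement still goes through and the customer is debited twice; under the matched policy it is refused because the authorization has already been paid out. The defensive point is the reconciliation: a settlement with no unsettled authorization to match, or one whose merchant or amount differs from what was authorized, is the thing to flag.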


For all the words, I still don’t get your point. The banks introduced an improved system that we can all agree is more secure than the old one, and consumer protection did not change, but apparently you think this makes it worse for the consumer?

What on earth do you want banks to do? Make their systems less secure, so it’s easier for people to convince a court that their disputed transaction was fraudulent?

It’s natural and predictable that banks will argue that security improvements make it more difficult for thieves to make fraudulent transactions, but since these systems aren’t 100% secure, people will always be able to dispute these events and win their challenges.


Consumer protection effectively does change if its enforceability changes. If a system's security is improved (or at least the security theatre is improved), it's easier to disbelieve victims of fraud, and even accuse them themselves of fraud. This is especially true when existing known vulnerabilities are closed, and fraudsters begin using new vulnerabilities.

To use an analogy, it would be like if you improve the reliability of a product you make, then start saying those who RMA your product must have damaged or mishandled it for it to be broken, and deny them their warranty.


What you're missing is that once you have a PIN the deniability goes out the window, so you're now on the hook for the fraudulent purchases. So as a card user you're trading a high percentage of fraud with no liability for a low percentage of fraud with absolute liability. Things are better for the bank, not the customer.


Contrary to popular belief, merchants are responsible for fraudulent charges, big or small. They pay not only in any lost merchandise or services, but also in losing the payment.

This shifting of burden ultimately comes back to the consumer in higher costs and fees, and is just a cost of business for the merchants. The credit card company benefits because they make money regardless of fraud, and they’ll make increased money from the detachment of the feedback loop from the consumer. Merchants don’t pursue fraud because they simply increase costs to cover it.

In this scenario merchants lose, consumers lose, credit card companies win from increased usage.


See the text I cited from the card association’s website. Merchants are only responsible for fraud (in the U.K. at least) if they did not use chip + PIN properly.

Who pays for fraud, in the end? Well, the customers pay, of course, since they are ultimately the only source of funds. Regardless of whether or not the merchant or bank eats the fraud, they are going to recoup the cost through their charges to customers.
