Do you remember those early days at school where the teacher implored you to make sure that your handwriting was neat and tidy?
Most of us get sloppier as we get older, and we adopt a slightly different style — different pressure, different emphasis, a flourish with the pen here, a glide across the characters there. I have recently been selling a property that I acquired over a decade ago and it has meant accessing papers long since stored away. Had I not known that the writing was my own on some of the aged documents, I would have sworn that it was penned by someone else's hand.
So if we accept that our signatures change for many reasons — not forgetting the media used, the pen wielded and the occasion involved — then how can a stranger be expected to authenticate our identity by comparing today’s signature to an older example? And yet, that is precisely the model upon which the government, legal, medical, financial, insurance and other sectors have relied for hundreds of years.
Distinguishing signatures for payment purposes really started to become more difficult with the advent of the plastic card. Signature strips, while they improved over the years, were often glossy, making it difficult to write on them "normally." The signature would often smudge or fade over time, or the strip would become contaminated with other marks. The people expected to check signatures transitioned from trained bank professionals (looking at a cheque, for example) to cashiers untrained in how to make a proper examination, and in how to challenge a signature that didn’t seem to match.
This is one reason why lost and stolen card fraud became one of the biggest problems for bank issuers. Criminals who obtained a wallet or purse could often pass off a vague attempt at the signature on the signature strip, because most point-of-sale staff either did not check or, if they did, could not tell a forgery apart from the variation that might reasonably be tolerated in the true cardholder's own signature.
So when the UK and Europe were blighted with spiralling lost and stolen card fraud in the late 1990s, a conscious decision was taken to develop a defence which would address both challenges. This is where chip and PIN came into its own.
The chip became the highest level of card authenticity. The PIN became the highest level of card verification. When used in tandem they became a hugely powerful form of two-factor authentication. The card was something the customer had which, unlike its magnetic stripe predecessor, was nigh-on impossible to fabricate; the PIN was something the customer knew which, unlike the signature, was not manifest on the card itself.
Europe thus saw counterfeit and lost and stolen fraud migrate away from the point of sale and into environments where chip and PIN defences did not extend, such as card not present.
Almost a decade after chip and PIN maturity in the UK, the US are now one of the last bastions of magnetic stripe and signature card transactions, and have of course now decided to follow the rest of the world in migrating to chip cards, as my colleague Doug Clare has previously blogged.
But not PIN. US issuers are largely opting to stick with signatures instead.
Our past has taught us that fraud, when addressed in one area, migrates to another, weaker link. In the world of chip and PIN, the US may remain that weaker link.
In the recent Marvel Comics film X-Men: The Days of Future Past, an understanding of future events leads to a change in the present that in effect reroutes history. Will US issuers make such a change? Or are we going to be reflecting in another 10 years that the US chip migration was too little, too late?