Montreal, 2010-10-17

Bank of Montreal
PO Box 11064
Succ. Centre-Ville
Montreal, QC H3C 5A2

Case ID: [removed for Web consumption]

Madam, Sir,

This is in response to your letter of 2010-10-12, responding to my letters of 2010-08-28 and 2010-09-12. There are two major points here, corresponding to my two letters.

The first is the imposition of chip-and-PIN rather than traditional stripe-and-signature. My concern here is not related to the security you refer to, the security against use of a stolen card or the creation of a cloned card. Chip-and-PIN does indeed increase security against those threats[%]. However, the security of a system is no better than its weakest link, and there are many other links in credit-card systems. I see this move, the imposition of chip-and-PIN, while serving to increase security against one of the most obvious threats, as also serving to shift risk from MasterCard to cardholders. I fully expect that future fraudulent transactions will be met with stonewalling and "you must have just forgotten, because It's Secure" - never mind that they won't let anyone inspect their system to determine how secure it actually is, nor specify what threats it is (supposedly) secure against; we are apparently expected to take such a self-serving statement from someone with a blatantly vested interest at face value. A correspondent in the UK tells me that that is exactly what happened when a similar change happened there. This would not be a problem, except that I suspect the legal system will believe MasterCard's lies in such a scenario. As a result, I feel a need to buttress my case in case this happens to me; accordingly, I decided I will not be using my card in chip-and-PIN terminals at all. I was contemplating various ways of ensuring I couldn't "forget", ranging from frying the chip (they have negligible defenses against deliberate overvoltage) to insulating the contacts.

I did not have to make this decision and attempt any of them, because of my observation upon receiving the card that it implements PayPass. My first letter, directing MasterCard to reduce my credit limit to $3000, was in the nature of a second line of defense: a limit on the amount at risk even if the first defense failed. This leads into the second point: PayPass.

[%] When correctly implemented. I have little faith MasterCard implements it correctly, largely because they do not allow anyone to inspect their system. However, since this is not a significant part of my concern, I am willing to, to borrow a phrase from law somewhat inappropriately, plead nolo contendere on this point for purposes of this letter.

I am perfectly willing to believe that "an inch or two" is the range limit when using an official terminal. I do not believe that is the actual limit; consider, for example, the claims by the organizations backing RFID passports in the USA that their passports were not readable beyond four inches - until someone built and demonstrated a device capable of reading them from over thirty feet away. I don't know what the actual limit is; I am not an RF engineer. But I am very suspicious of anyone claiming "our system is secure" when it is in their interest for the claim to be believed if it is false; I am even more suspicious when they are unwilling to expose the details of the system to public inspection.

Encryption of information in transit is of comparatively little value. It is of no value against man-in-the-middle attacks between a rogue (presumably high-range) transceiver and a legitimate terminal with a pseudo-card placed next to it, something that is easy to arrange with the cooperation of a store clerk. The threats encryption is capable of mitigating, while important, are not the threats I am concerned about here.

The Bank's "Zero Liability" program, while sounding nice, is of comparatively little value here. Like MasterCard (I assume you have the text of my second letter available), Bank of Montreal is in business to make money for its shareholders - and most of its clients are not shareholders. The Bank has a responsibility (to its shareholders) to cast every fraudulent transaction it can in a non-fraudulent light so as to avoid the costs (to the Bank) of making good on those promises. While I might be able to prevail anyway were I to suffer such a loss, I see a need, especially in view of the legal system's tendency to believe the institution over the individual in such disputes, to strengthen my position.

Thus, I see no reason to modify my stance: I will not use my MasterCard in a chip-and-PIN terminal at all, and will not be carrying it unless I can come up with a way I am willing to implement of rendering it nonfunctional even when so used. However, coming up with such a way (and deciding which ways I am willing to implement) remains moot as long as the card is PayPass-capable, for I will then not be carrying it at all. I considered canceling my card entirely, but, as far as its value to me has decreased, it has not quite gone negative.

[name, address, and card number removed for Web consumption]
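The letter's point about encryption in transit being no defense against a rogue transceiver paired with a pseudo-card at a legitimate terminal is the classic relay attack, and it is easy to show concretely. The following simulation is an added example, not part of the letter and not MasterCard's or the Bank's protocol: the card, terminal, key, message format and latency figures are all constructed assumptions. The card answers a fresh challenge with a MAC that the relay cannot forge, so tampering with the amount is caught, yet a relay that merely forwards bytes is approved by a terminal that checks only the MAC; only a terminal that also bounds the round-trip time (distance bounding) notices the extra hops.

```python
"""Relay attack against a contactless challenge-response payment, simulated.
Added example; not the letter's text nor any issuer's real protocol.
The key, message layout and latencies below are constructed assumptions."""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Constructed shared secret. A real scheme uses per-card keys verified by
# the issuer; one symmetric key is enough to show the relay property.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumed one-way delays in microseconds (made up, but the ratio is the point).
LEGIT_AIR_US = 10      # card physically at the terminal
RELAY_HOP_US = 2000    # rogue reader -> radio/network link -> pseudo-card
CARD_PROC_US = 300     # time the card needs to compute its response


class Card:
    """Answers a terminal challenge with HMAC(key, challenge || amount)."""

    def __init__(self, key: bytes, processing_us: int = CARD_PROC_US):
        self.key = key
        self.processing_us = processing_us

    def respond(self, challenge: bytes, amount_cents: int) -> Tuple[bytes, int]:
        msg = challenge + amount_cents.to_bytes(4, "big")
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return tag, self.processing_us


Link = Callable[[bytes, int], Tuple[bytes, int]]


class Terminal:
    """Issues a random challenge, verifies the MAC and, if configured,
    rejects responses whose round trip exceeds max_rtt_us."""

    def __init__(self, key: bytes, max_rtt_us: Optional[int] = None):
        self.key = key
        self.max_rtt_us = max_rtt_us

    def charge(self, link: Link, amount_cents: int) -> str:
        challenge = os.urandom(16)
        tag, rtt_us = link(challenge, amount_cents)
        expected = hmac.new(self.key, challenge + amount_cents.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad MAC"
        if self.max_rtt_us is not None and rtt_us > self.max_rtt_us:
            return "rejected: distance bound exceeded"
        return "approved"


def direct_link(card: Card) -> Link:
    """Legitimate use: the card is held against the terminal."""
    def link(challenge: bytes, amount: int) -> Tuple[bytes, int]:
        tag, proc = card.respond(challenge, amount)
        return tag, 2 * LEGIT_AIR_US + proc
    return link


def relay_link(card: Card, tamper_amount: Optional[int] = None) -> Link:
    """Attack: pseudo-card at the terminal, rogue reader near the victim's card.
    Every byte is forwarded unchanged; the relay never learns the key, so it
    cannot forge a MAC, but it does not need to. It only adds latency."""
    def link(challenge: bytes, amount: int) -> Tuple[bytes, int]:
        asked = tamper_amount if tamper_amount is not None else amount
        tag, proc = card.respond(challenge, asked)  # victim's card signs for the attacker
        return tag, 2 * LEGIT_AIR_US + 2 * RELAY_HOP_US + proc
    return link


def run_scenarios() -> dict:
    card = Card(CARD_KEY)
    mac_only = Terminal(CARD_KEY)                                   # checks the MAC only
    bounded = Terminal(CARD_KEY, max_rtt_us=2 * LEGIT_AIR_US + CARD_PROC_US + 100)
    amount = 4_250  # $42.50, constructed
    return {
        "legit card, MAC-only terminal": mac_only.charge(direct_link(card), amount),
        "relay, MAC-only terminal": mac_only.charge(relay_link(card), amount),
        "relay altering amount, MAC-only terminal":
            mac_only.charge(relay_link(card, tamper_amount=1), amount),
        "legit card, distance-bounding terminal": bounded.charge(direct_link(card), amount),
        "relay, distance-bounding terminal": bounded.charge(relay_link(card), amount),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:42s} {outcome}")
```

The MAC stops the relay from changing what the victim's card is asked to authorize, which is the kind of threat the letter concedes encryption can mitigate; it does nothing against forwarding an honest answer, because the terminal cannot tell a relayed honest answer from a local one. The only signal the relay cannot erase is time, which is why the bounded terminal is the one that rejects it; whether any deployed terminal actually enforces such a bound is exactly the sort of detail the letter complains is not open to inspection.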