Domain: chipandpin.co.uk
Stories and comments across the archive that link to chipandpin.co.uk.
Comments · 24
-
Re:One person's loss is another's gain
I don't think they actually 'want' fraud, I think that eliminating it altogether just costs more at the moment than they are losing. Visa won't lose their profitable monopoly by eliminating fraud.
The UK for example has switched almost exclusively to "chip and pin" http://www.chipandpin.co.uk/ Visa cards. Some smaller stores and fast food outlets don't even accept old-fashioned signature-only credit cards any more.
Most banks in the US/Canada charge fees for a fixed number of transactions, your bank just noticed a revenue stream that it had left untapped.
-
Don't you guys in the new world...
Don't you guys in the new world have chip and pin yet?
It's a million miles from perfect, but it certainly speeds up small payments and means that a crook has to clone the card *and* shoulder-surf for the PIN. Not sure any system can be high security *and* not hack off customers. OK, we use it for big payments too (perhaps they should limit the amount to 10% of the PIN!)
Alternatively, instead of setting a per-transaction limit, have a system where the *user* 'loads' the card with cash and when that is exhausted they have to provide extra verification. Otherwise, crooks just go from shop to shop notching up small purchases. I've noticed some stores limiting how many packets of cigarettes they'll sell on a card, presumably for that reason.
-
Chip & Pin
You're almost describing the EMV (Europay MasterCard VISA) standard for smart cards, implemented in the UK as Chip & PIN. The chip on the smart card is used during the encryption process and cardholder presence verified by a PIN, which is encrypted on the numberpad, before it gets any further (thus providing two factor authentication).
It has drawbacks, direct and indirect observation of the PIN plus it doesn't stop card cloning, as the mag strip still exists. Indeed specially rigged readers were used this year in petrol stations to capture the mag strip and save the card information where it ended up being cloned in India.
-
Re:Skimming a huge problem in Canada...
the UK chip system is far tougher to clone than a mag stripe. plus the pin is used to unlock the card rather than access the account.
see : http://www.chipandpin.co.uk/reflib/Customer_Leaflet.pdf
-
Re:Weakest Link-You're fired!
Nah, no mag stripe. It's a smart-chip with quite a complex auth mechanism. I'm not party to the actual details (Anyone who works with it want to respond?) but from what I can tell it's a session-based encrypted system. At no point are your card details ever actually seen by the reader, only the end result of sending a key to the card. See http://www.chipandpin.co.uk/ for details.
-
Re:In the UK
Bars and restaurants mostly use wireless devices now for taking card payments. I don't know how secure the wireless actually is[...]
This is with Chip and PIN, and the important point (correct me if I'm wrong) is that your PIN number is never transmitted.
-
Re:Really? Cool
I strongly suspect that the statements put about to retailers earlier this year (along the lines of "if you haven't installed Chip and Pin kit you're liable for any fraud") were somewhat overhyped.
Actually it would depend on the small print of the Ts and Cs between the bank and merchant, as APACS http://www.chipandpin.co.uk/business/card_payments/ready/shift_liability.html admits:
"If a retailer does not have a chip and PIN acceptance device after January 1, 2005 and the use of such a device could have prevented the fraud from occurring, the retailer may bear the cost of a fraudulent transaction. This will depend upon the terms and conditions between that retailer and its acquiring bank."
Obviously, if the bank can show that the merchant was negligent, they've probably got a case - just the same as they would have in the pre chip-and-pin world.
As to any shift of liability onto the consumer, it's again (notwithstanding applicable laws) down to the agreement between you and your bank. If, in the light of having to effectively disclose your PIN every time you use your card and you're present, you think that you're at risk of getting shafted, it may be time to change your bank (or start paying by cash).
With regard to applicable laws, it's worth mentioning that (in the UK) credit cards are about the safest way to buy stuff remotely thanks to the legal requirements of the distance selling regulations: http://www.dti.gov.uk/ccp/topics1/ecomm.htm
As to whether chip-and-pin is necessarily any more secure than a "signature" I couldn't say. APACS clearly think so, but I'll still be furtively covering my hand while typing a PIN in...
-
Re:It's all about liability
The banks don't sell systems that work as you've described.
Astoundingly, they do.
-
Re:This isn't working out..
I agree that something more secure than a 16-digit number is certainly feasible and needed. But it shouldn't be something that needs to be passed through a third party. The card should be a smart card capable of signing a transaction, and only the signature should be transmitted
You mean like this?
Most retailers in the UK now have terminals where you punch in your PIN at point of sale. Has that made it across the pond yet?
Only problems I can see - I can see it resulting in an increase in ATM muggings, and I'm not sure how the elderly/disabled would handle it.
-
Re:Proves that the hackers...
You do of course mean Chip and PIN. Credit cards in the UK have always had PIN #s to allow card holders to withdraw cash from ATMs.
-
Re:THIS IS NOT RFID
> Credit Cards don't require PINs. Only Debit cards do.
Incorrect.
http://www.chipandpin.co.uk/
This is something that'll probably make its way from Europe to the US at some point in the next few years.
-
Re:Got to be better than the system here
In most smaller retailers, the terminals (including the keypads) are provided by the banks' merchant services division.
For the rest, they have to be certified equipment, from authorised suppliers, and be tested on site and approved before rollout by your merchant services provider. Acquirer Acceptance Testing is by no means a walk in the park - it's a rigorous process.
If you have unapproved equipment, then you don't escape the liability shift, and are now liable (in the UK anyway - different countries in Europe have different timetables for this) for every credit card fraud on your premises. Have a nice day.
IIRC, merchant services providers do ongoing testing/verification. I wouldn't like to be you if you're found to have tampered with equipment.
-
Smart Chip?
I know some Europeans have been using chips on cards for some time now & they're rolling it out here in the UK as well now.
http://www.chipandpin.co.uk/
Many shops I go into now don't even swipe the card, just slot it in the reader. Might there be a plan to eliminate using the mag stripe for the sensitive data (or even having one at all) in the longer term?? Obviously the ATM's...etc will need updating first
I've had a couple of dozy shop staff put my card over the antitheft magnet under the counter, there's an immediate benefit.
-
Re:Security?
Aye. What he said. (In the UK, we call it "chip and pin".)
-
Re:virus software?
In fact, wasn't it America where the Dodgy credit card signatures prank was done?
Not UK - which, as other commenters have said, has had Chip and PIN for a while now. (Although on a security front, the PIN is the same for the card transactions as it is for the ATM side - so in theory someone could stand behind a chip/pin user in a shop, then steal the card and have all relevant information already...)
-
Re:I blame lazy CC industry
Here in the UK, we've started using Chip and Pin credit cards; the entire point of these cards is that there is a three way handshake between the card reader, the chip on the card, and the bank. Provided the store complies with VISA/Mastercard regulations on the PIN reader they use, the PIN is never disclosed. Instead, the card verifies the PIN, and uses it to create a verification code that the bank can check. Result? Fraud is hard, because you need to crack the chip and create a fake chip, rather than just copy a strip.
-
Re:The problem is isn't the hackers.
One solution that would greatly reduce the amount of fraudulent credit card use, and this may be in the works at the moment, is to assign a PIN to each credit card, just like ATM cards.
This is currently being rolled-out across the UK. Magnetic strips and signatures are being replaced by smart-cards and PINs. Card readers with keypads on the customer side of the till are appearing all over the place.
There is a website as part of the campaign letting people know about the new system.
I'm not all that convinced. At least a signature can be hard to forge (they do check properly sometimes at least), but it's all too easy to watch someone type in their PIN then mug them outside for their card, then buy stuff in the few minutes before they ring and get the card cancelled.
-
Re:Meanwhile...
Not in most other places, there again you may not be as lucky as us at the current time.
I heard the reasons for not implementing EMV in the US was due to other factors, like liability and inertia (less losses?) I almost read a paper saying the majority of people in the US don't hold current accounts, which I found hard to believe, but maybe there's something in it.
-
Re:Nothing wrong with this...
isn't this what's happening in the UK now?
No, what is happening in the UK today is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.
Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your bank's would completely subvert this.
It does not address "cardholder not present" fraud.
-
Re:Added layer of security
Not sure about the US, but over here in ol' Blighty there's "chip and PIN" - a replacement to signatures: instead of signing for a credit/debit card transaction, the card is put into a terminal with a chip reader and you enter your pin number via a small keypad.
ChipAndPin
-
Re:Code
This is already happening in the UK.
-
Chip and PIN
That's why the UK is switching to Chip and PIN.
You put your own card in the chip reader, and you have to enter a PIN to authorise it instead of signing. Other countries like Holland have required a PIN to authorise cards for years.
-
Chip and PIN
Why yes. Which is why the UK is in the process of rolling out Chip and PIN (the trial was last summer). Over the next 18 months, every credit card - and probably most debit cards - in the UK will be replaced, along with upgrades to near enough every ATM and PoS device.
The major enforcement of this is the shifting of liability from the card schemes (MC, VISA and AMEX mostly) to anyone that doesn't comply. By 2006, finding anyone relying on magstripe will be less easy than currently finding someone relying on paper carbons.
IIRC, the verification takes place on the card. The ATM passes the PIN entered to the card, which simply responds pass|fail. No keys pass between reader and card, and the real PIN is held on-card with a sensible level of encryption.
It's a far cry from the Fresno Drop of 1958.
OT: Given that:
- this is a UK story
- /. has UK-members a-plenty
- every UK credit card company has written to all cardholders about it in the last few months
- it's been well covered in /.-friendly publications like ElReg
I'm fairly gobsmacked that we're re-inventing the wheel here.