New Identity Theft Technology Fails to Protect

Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

As the T-shirt says

[Emeye]

...there is no patch for human stupidity.

Re:As the T-shirt says

there is no patch for human stupidity

Yes, but did you receive several thousand dollar funding to come to that conclusion? No! That's why you'll never get an "article" on Slashdot.

Re:As the T-shirt says

Actually, yes there is a patch for human stupidity. It's called the birth control patch.

Re:As the T-shirt says

http://www.jinx.com/scripts/details.asp?affid=-1&p roductID=122

Re:Who says..

[Spy+der+Mann]

Online fraud: The return of cash payments?

I thought the space elevator was far-fetched, but THIS is ridiculous!

It was said better...

[greginnj]

and earlier, by Schneier:

"If you think technology will solve your security problems, either you don't understand the technology, or you don't understand the problems."

Re:It was said better...

[fm6]

That makes him sound like a Luddite. I think he was more to the point when he said, "Security is a process, not a product."

Credit Card prank

[saskboy]

Zug.com and slashdot has shown this gag before.

It's very funny, until you realize the implications. I no longer make my signature on credit card reciepts anything like the one on my card. Why bother?

Re:Credit Card prank

Taking your signature isn't actually a security feature per say, but rather a cost cutting procedure.

Since there is less credit card fraud associated with places that take your signature, they get lower rates to accept credit cards. As opposed to say, someone who just takes your number and your expiration date.

The more "security" policies that you state that you will require, the cheaper you can make your "dues" or "fees" or whatever the CC companies call them.

Re:Credit Card prank

[Gwyn_232]

This is slightly different from the credit card prank. In the US signatures have never been checked that thoroughly, but in the UK the majority of staff used to be quite careful about checking the card details.
 
Since chip and pin was introduced they barely look at the card (many don't even take it from you - they just ask you to put it in the card reader).

Re:Credit Card prank

[E8086]

"many don't even take it from you - they just ask you to put it in the card reader"

I remember when something similar happened over here. I was working as a cashier at the local supermarket during summer and winter breaks. Up to one summer everything with credit cards was done by us at the register, there is a keypad for entering pins directly across from us. That winter there are card readers installed, the generic for credit and debit cards ones you see everywhere now and they were further away from us, so the only time we even saw the card was when the customer ran it through the reader, no checking of the card. Apparently there was some scare/popular rumors that store employees were stealing credit cards or card numbers at the checkout counters. Yes, when someone's in a hurry and rushes out leaving their card on the counter it was "stolen" by that kid at the counter, not accidentally lost/left by a distracted customer and properly turned in to the management by that kid. As far as stolen numbers, I think it was done by people with assess to the store's database of credit transactions. I can understand the desire to have the card never leave the posession of the customer. Now someone can steal a credit card and walk into a BestBuy or other store with expensive easily resellable items and make a major purchase and not have the payment method checked, there's the assumption that the person with the card and pin is the owner. Don't you just love the tradeoff between convenience and security. Most credit card companies and banks now offer some fraud protection to cover from the time the card goes missing until it's reported lost/stolen. As for shoulder surfing, the keybad should be recessed blocking the view of anyone not using the keypad, too many card readers are too out in the open.

Re:Credit Card prank

[timeOday]

Zug.com and slashdot has shown this gag before.

It's very funny, until you realize the implications.

Signatures are a laughably stupid "security precaution" in the first place, that's why nobody looks at them, and you don't even need them to order online (including over the phone).

Does that surprise anybody? Considering the would-be theif has the signature right in front of their face? It's like a password challenge in which the prompt includes the password.

But so what? Cash never had ANY notion of "proving" who it belonged to, and it's been with us for a long, long time.

Re:Credit Card prank

[itsari]

Signature on my credit card (written in black marker):

CHECK MY ID

Sure, its a pain in my ass to have to flash my ID every time I use the card. But alomost every store clerk asks for it.

Re:Credit Card prank

[DimJim]

Technically your card is not valid unless you have signed it. During the years i was working retail, few customers came in and tried to buy with unsigned cards by showing their id. I didn't accept and they left the store looking quite angry. Mayby i should have accepted the payments(more business) but the amounts were quite small and i really didn't like their arrogant 'i do it my way' attitude either, so i went by the book.

Re:Credit Card prank

[saskboy]

" Technically your card is not valid unless you have signed it."

It is... if his name is Check Id, or Not Authorized.
Mr. Authorized always runs into that problem.

Re:Credit Card prank

[arminw]

.....fraud protection to cover from the time the card goes missing until it's reported lost/stolen.....

The obvious answer is to put the chip into the person, rather than into a card the person carries. That makes it a lot harder, although I suppose not impossible to steal. Implantable chips have been in use for animals for a while already. RFID and other readout methods exist for these chips. In combination with biological data, such a system would considerably harder to circumvent.

This sort of thing was predicted in the Bible almost 2000 years ago that some sort of numeric identifier would be implanted in every person by a coming world government run by a powerful dictator.

Revelation 13:16-17 (And he causeth all, both small and great, rich and poor, free and bond, to receive a mark IN their right hand, or IN their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name)

For centuries, before computers were even dreamed of, scholars have scratched their heads and tried to figure out how someone could be prevented from buying or selling if they did not have some kind of mark IN their body. It may still be a while before this prophecy comes true, but it certainly doesn't sound as far fetched now as it did before our modern times. Try to rent a car without a credit card. Paying cash for an Airplane ticket to a foreign country may likely attract extra attention of the suspicious security persons. Walking into an automobile dealer and paying for an expensive car in cash with a suitcase full of money will likely get the attention of the authorities to that transaction.

So, in some ways we are already approaching the kind of thing predicted so very long ago. Making completely anonymous, large amount cash transactions is getting to be quite difficult. Someday, you may not be able to buy so much as a stick of chewing gum that is not recorded.

Re:Credit Card prank

[EggyToast]

But so what? Cash never had ANY notion of "proving" who it belonged to, and it's been with us for a long, long time.

That's my thinking, too. Sure, if you keep all of your assets in cash, or are super-secure, it only takes a misplaced wallet or a break-in and you're just as screwed as anyone.

At least with a credit card, you're protected if someone steals your info and makes charges. Even if they open up new accounts using your credit rating, you can get it removed (most people who run into trouble with it are those who don't keep track of their credit information, so when they try to get a major loan, the bad info comes up and they need to rush to get it removed. If you have the time (less than 6 months, as that's the max time allowed for a company to rebuke your claim) it's relatively easy, despite the hoops and hassle).

With cash, you get none of that. If it's gone, it's gone. If your life savings of bills catches fire, you're screwed. If your credit cards burn up or are stolen... you just get a new one, with no real damage done to your actual finances.

Not to mention how difficult it is to use cash for anything but immediate, local purchases.

Re:Credit Card prank

[Rob+the+Bold]

Is the signature on the back of the credit card really for security? Could it be that the whole idea of verifying your signature with the one on the card was imagined by bored or over-zealous clerks just to fill in a vacuum of information, which nature abhors? Are retail clerks actually trained in the art of forgery detection?

I've never been caught using someone else's credit card, yet I've been "caught" on several occasions using my own, signing my own name. Each time this happens, the clerk claims to be "really good" at spotting fake signatures.

Re:Credit Card prank

[uncoveror]

Chips and pins are not the solution. What we need to do is tattoo national ID numbers on everyone's foreheads and right forearms. Where did this idea come from? George Bush.

Re:Credit Card prank

[SimilarityEngine]

That's an interesting point, but I don't think we're there yet. After all, it's not like I can't buy a new car with cash. Eyebrows may be raised, but it is still perfectly possible. And don't forget the trusty chequebook!

I don't see credit cards as being the mark, name or number of the name of the beast just yet. For me, national ID cards - such as the ones being proposed in the UK - could come a little closer.

Just out of interest, someone once told me that the number 666 was arrived at thus: that nasty man Emperor Nero (once known as Domitius) was very much hated by Christians of the time, and they pictured him being crucified with the letters "DCLXVI" above his head (just as Christ had "INRI" - Iesus Nazareus Rex Iudaeorum). I forget what the DCLXVI stood for (DC = Domitius Caesar I guess), but obviously it is 666 in Roman numerals. I think this all came from the book "The White Goddess" by Robert Graves but it was a very long time ago ...

Re:Credit Card prank

[JeremyGL]

Now someone can steal a credit card and walk into a BestBuy or other store with expensive easily resellable items and make a major purchase and not have the payment method checked, there's the assumption that the person with the card and pin is the owner

In the same way that someone buying something with a dollar bill is presumed to be the owner of that bill. Are you sure that's really their money ?
No method of payment is going to be 100% secure, chip and pin is better than card and signature, but it's not foolproof. If you're careful, it is perfectly possible to use a machine so that your pin is impossible to know and, as long as you don't write it down anywhere, there is no way a thief is going to be able to use your card even if they successfully steal it.

On the other hand you could be like the little old lady I stood behind in the queue the other day. She pulled out a wallet absolutely stuffed with cash and proceeded to hold it up as she extracted the payment. She was about 5'1" and fairly frail standing about two feet from a significantly larger person who was a complete stranger and could have been Sid the psycho for all she knew. Common sense was obviously not her strong point (or she was the bait in a sting operation :-) )

Cheers

Jeremy

Re:Credit Card prank

[rastos1]

This sort of thing was predicted in the Bible almost 2000 years ago that some sort of numeric identifier would be implanted in every person by a coming world government run by a powerful dictator.

Reminds me of tattoos on concentration camp prisoners during WWII.
No, I don't want one, thankyouverymuch.

Always a way!

[usageman]

It is possible that one day the imbedded chip under the skin would become law it may even come with a gps and auto feature that disables the user installed in it as well. But taht makes me think about the Bible in the mark of the beast and son on.With all the things you can buy unchallenged with a credit card there will always be a way around any security feature period.

Re:Always a way!

[Tycho]

Embedded chips that act like credit cards won't ever happen because too many evangelical christians would never go for something embedded chips. This would be because they feel it is one of the signs of the "End times."

Re:Always a way!

[FireFury03]

Embedded chips that act like credit cards won't ever happen because too many evangelical christians would never go for something embedded chips.

I would never go for an embedded "credit card chip" either - having your wallet stolen is one thing, but having the part of your body with the chip in it swiped is quite another (I'm being serious - there has been at least 1 case I am aware of in which a carjacker cut off the car owner's finger for the fingerprint because it had a newfangled fingerprint scanner instead of a key to turn on the ignition! I for one would rather have my car stolen rather than losing my finger.)

Re:Always a way!

Terrorism will likely lead to that. Plan or otherwise, perhaps the evolution of modern society total control. Thing are fubar'ed and for some reason I can't get past that it's the liberals who are responsible (perhaps it's the truth, perhaps it's something else)...

Anyways, those in services and understanding should concentrate soon on protecting their family, leave the more heavily populated areas because things are going to hell. They should concentrate on leaving the most heavily populated areas

The people who specialize in the preventative disciplines, what seems magical or freakishly unnatural and purely unintentional, the glue between all things, are apathetic (or ordered not to) and are willing (or trained) to see a great amount of horror.

When the liberals get office again, expect some very big things too happen. Thanks to a bias in the media their power will reign unchecked (services will reign for a short while but will soon find themselves both in opposition and obsolete). Because they are easily provoked, expect the counter targets to be in opposition of (the most basics of) American value's and freedoms (not to be used as a political term).

Enjoy, it's almost done.

Side note: The liberals are absolutely corrupt, if they weren't, they'd be picking up the cause of civil rights for men.

Keats "the center does not hold"

Re:Always a way!

[Dogtanian]

Who needs 'liberals' to do all that stuff? It looks like your present government is the most zealous fan of the "use terrorism to suppress civil liberties" technique around.

It proves that the "right wing vs. left wing" is (and always has been) over-simplistic bullshit that leads people to believe "not left wing" means "in favour of freedom".

You think your media are biased? They are. By anyone else's measure, the American press is very pro-government and biased to the right. It's pretty mind-boggling that you consider it otherwise. Although I guess if you listen to Murdoch-mouthpiece outlets that spout that old lie often enough, you come to believe it, right?

Corrupt? The present US administration seems more nakedly partisan than any I've seen so far.

Anyway, I assume you don't lump your present government in with the "liberals", which is odd, because they seem more anti-freedom and pro- their own interests than the opposition. Not that I'm claiming the Democrats are perfect, but to criticise the American "left" (it's all relative I guess, though Clinton was- and the Democrats probably still are- more Republican by most standards) for things that the current right-wing administration are doing more seems pretty strange.

BTW, your opening paragraph doesn't make any sense, some rambling with stuff about liberals thrown in; couldn't make head nor tail of it.

Re:Always a way!

"evangelical christians" - You don't have to make up names... it will happen. Funny how this was written 2k years ago.. and still people are blind..

Re:Always a way!

[netfool]

Law? No, I'm sorry. I came into this world without a chip, I plan on leaving that way to.

Re:Always a way!

[sound+vision]

Fuck the Bible, what about your rights? I don't want to be tracked and monitored every hour of the day, much less involuntarily.

Re:Always a way!

[mcheu]

Aside from the privacy issues of governments, spouses, criminals, corporations, etc tracking people, a GPS device will need to emit a fair bit of EM radiation. We've already got concerns about long term intermittant cel phone use being a potential health hazard.

You're talking about a device stuck under the skin that's going to blast out EM radiation into you 24/7, continuously, or pulsed every few minutes. I can't see that as being very healthy.

Re:Always a way!

[E8086]

" It is possible that one day the imbedded chip under the skin would become law it may even come with a gps and auto feature that disables the user installed in it as well."

yes, there should be a second level of security, I'm not for imbedded in my skin chips, perhaps a 2nd pword/pin or 2nd chip also carried on your person in a place other than where the card is carried. If it's small enough it could be attached to anything you have with you everyday, on a keychain, in a watch, in a piece of jewlery or contained in a cell phone or even in a pair of glasses, anywhere it's firmly attached so it doesn't get lost or fall off. It should be movable so thieves don't know what else to take if they steal your wallet, unless they have a portable scanner, but then all you'll have to do is report the card stolen. If thieves get enough information to print a fake card, that's another problem.

Re:Always a way!

Bzzzt. Wrong! All you have to do is mention "Homeland Security" to get rid of all those "evil" musl^h^h^h^hTerrorists and the sheeple will vote for it in a heartbeat.

Re:Always a way!

[Punkrokkr]

If 'evangelical Christians' are correct (at least those of us who are pre-tribulation), then we won't be here when the 'mark of the beast' happens. So, yeah, I don't fight it (the chip).

Re:Always a way!

[klui]

Way off topic. What if in the far future, when nanotechnology is commonplace, everyone born in "civilized" nations gets some device embedded in them that will automatically kill disease? It also has the side effect of prolonging life. This device has flashable firmware that can be constantly updated (and hackable).

I wonder if people would go for this? Mark of the Beast indeed.

Re:Always a way!

[KaiLoi]

What? you guys don't have a chip already?

I do.

http://tagged.kaos.gen.nz/kai/

And a forum at the above (minus the /kai) for others with them.

It even has onboard storage for carrying some of my info around.

Re:Always a way!

Why would a liberal seek to undermine liberty? Think about the root of the word.

Re:Always a way!

[Dogtanian]

You'll notice I put 'liberal' in quotes. That's because Americans (which I'm not) usually use it to mean "left-wing" rather than "liberal".

Or misuse it, I don't know. It's not a word I'd use with that meaning personally, unless the context made clear that I didn't actually mean liberal, but "liberal". Or something.

Dammit, I'm tired. I'm going to sleep now.

Re:Always a way!

[ScrewMaster]

Hm ... chip off the old block, eh?

Re:Always a way!

[bogd]

You also came into this world without clothes. Are you planning on living (and leaving) the same way also?

Re:Always a way!

[PurpleFloyd]

I would never trust an under-the-skin chip. Why? Nothing to do with Revelations.

Why, then? Consider what happens if someone manages to crack or clone your chip. An identity thief can simply wave his or her hand/limb/whatever across the scanner; with some basic prestidigiation, said thief wouldn't even need to have the chip implanted in his or her body. Meanwhile, I'm running like hell to the doctor's office to get my identity chip removed and cancelled - meanwhile, the identity thief is, well, stealing my identity.

This is a big problem with biometrics, too. After all, you can change a password entered into a computer or terminal as many times as you like. Unfortunately, nature has placed limits on how many times you can change your biometric password. Assuming that you're a human who hasn't suffered any permanant injuries involving the lack of body parts, you've got ten fingerprints, two retinas, one facial geometry, and that's pretty much it. If someone can get a hold of your info and fool the appropriate sensor, you've got one hell of an uphill battle getting a new body.

Sure, identification like biometrics and RFID is handy. Unfortunately, if you don't come back to entering passwords and checking ID, thus removing the quick-and-easy aspect, the security risks increase a great deal compared to current methods. Sure, as long as the authentication methods are secure, they'll work. Then again, wasn't the German Engima machine "perfectly secure" against all attack?

Credit card companies don't care

[bigtallmofo]

Why would anyone think that the credit card companies would ever care about identity theft? Sure, it does cost them some money. But by far the cost of identity theft is placed on merchants. If someone disputes a charge on the credit card bill, the credit card companies merely take the money back from the merchant.

As a glaring demonstration of how unconcerned credit card companies are about theft, on the same credit card I had someone fraudulently use it three times. Each time I asked for a new card with a new number on it. Each time the issuing bank (Citibank) said, "Let's just wait to see if it happens again". I had to insist on the third time because I was sick of dealing with it.

When they can just pass costs onto merchants and consumers, is it any wonder they're designing ineffective solutions?

Re:Credit card companies don't care

[Angostura]

Wrong. In the UK if the merchant users chip and PIN and the transaction is fraudulent, the cost is born by the card company, no the merchant.

Re:Credit card companies don't care

"Let's just wait to see if it happens again"

The words you're looking for are "Then I'd like to close my account please".

Re:Credit card companies don't care

[FireFury03]

Wrong. In the UK if the merchant users chip and PIN and the transaction is fraudulent, the cost is born by the card company, no the merchant.

I could be wrong, but I thought in this case the card owner could be liable because they obviously didn't protect their PIN well enough.

Re:Credit card companies don't care

[David+Horn]

Not so. In the UK, the merchants are now only found liable if they haven't bothered to install Chip and PIN terminals in the store.

Re:Credit card companies don't care

[kraut]

Maybe you need to have switch to a more security-conscious card company? I've had fraud on my natwest and amex cards (in both cases due to cloning at restaurants), and both immediately replaced the cards. They also do callbacks for authorisation if the transaction is unusual - e.g. when buying electronics abroad.

Re:Credit card companies don't care

[Belial6]

That's nothing! I had fraudulent charges made on my card, and when Chase decided to issue me a credit card, there were new fraudulent charges on the card before it was even sent to me. Of course charge dates stared moving around, and new charges appeared on the old card, even though when I tried to use the card, it was declined as invalid. That and Chase mysteriously decided that the one card with the fraud is the one that they would block from being visible on the Internet. They also told me that they couldn't send me an itemized list of all charges, and that I should just pay based on a line entry saying *Charges forwarded*.

Basically, what it comes down to is that sometimes the fraud happens right at the credit card company, and Chase made it quite clear that they were good with that.

embedded identity

[sedyn]

"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social enginering which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect.

For example, assuming that theives can get around biometric data. What is going to stop them from removing a "read-only" chip and installing a "read/write" chip?

Re:embedded identity

[Frodo+Crockett]

More importantly, what's to stop them from cornering you in a dark alley, holding you down, and cutting out your chip to use for their own purposes?

Re:embedded identity

[arminw]

..... holding you down, and cutting out your chip to use for their own purposes?......

If they did not kill the person, presumeably the incident would get reported and that chip become invalid and anyone who tried to use it would get the cops on the mucho pronto. If such a chip implant were a universal requirement, they would have to remove or re-program their own chip in order to assume the false identity. I suppose all that would be possible, but it would not be easy and the probability of getting caught would be very high. Such an implant for humans is certainly not acceptable yet today, whether a person is a Christian or not. But then are many things that were unthinkable only a generation ago that are commonplace today. Having to show identity to fly on an airline was once unthinkable. I remember getting on an airline's plane was once easier than it is today to get on a transit bus or train in some places.

Re:Credit Card prank -LINK included now

[saskboy]

Pardon me, I left off the link to the Zug.com prank(s).

http://www.zug.com/pranks/credit_card/

Cat & Mouse

[mysqlrocks]

It's always a game of cat & mouse. Everytime they come out with a new technology to protect people's identities then the "bad guys" will come out with a way to break that technology.

Back to basics

[macemoneta]

"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

If it does work outside of your body, it won't work inside your body. There is no absolute way to prove identity. It's a bummer, I know.

You can prove (within acceptable limits) that some biometric data (like a DNA sample) comes from you, but there is a gap between that information and identity. Identity is solely a "web of trust" issue. Trying to solve identity theft with some piece of information (like a password) or biometric data (like a fingerprint) will only raise the bar for identity theft.

Re:Back to basics

[macemoneta]

s/If it does work outside of your body/If it doesn't work outside of your body/

human-stupidity-fix.diff

[HG+Slashdot]

@ 1,16 human/brain.txt brain cell brain cell #2 -stupid cell +smart cell

Take my cards, dont' rip my arm away !!!

Considering the level of violence some criminals (drug addicts etc) are willing to use on their victims, I'd rather keep my money/cards on my wallet and don't want to have any hard-to.remove RFID chips at my arms.

Re:Take my cards, dont' rip my arm away !!!

[Nuclear+Elephant]

Most chips already in existence will automatically disable themselves if it senses the host is dead (I believe by way of body temperature).

Re:Take my cards, dont' rip my arm away !!!

Uhh, do you want your chip embedded deep inside your torso? Extremities are the first thing to cool down on a cold day.

Additionally, I wouldn't want passive electronics under my skin, but active ones even less so.

Re:Take my cards, dont' rip my arm away !!!

[MrSteveSD]

New York Times 2010
Eye gougings are up 20% this month since the introduction of the new Visa-Eye card, which owes its high security to the uniqueness of the user's iris pattern.

Re:Take my cards, dont' rip my arm away !!!

[glesga_kiss]

I'd rather keep my money/cards on my wallet and don't want to have any hard-to.remove RFID chips at my arms.

Prior art

Malaysia car thieves steal finger

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb. [continued...]

Re:Take my cards, dont' rip my arm away !!!

[EiZei]

Just put it in a random place, I doubt even those kind of people would have the stomach/patience to find the damn thing.

Re:Take my cards, dont' rip my arm away !!!

[Tim+Browse]

I'm sure that's a great comfort when someone's cut your finger off to get past a biometric system.

I mean, you'd be sitting there trying to staunch the flow of blood as they run off with your finger, chuckling to yourself, and muttering "Those fools. They don't even know it won't work. What a bunch of idiots. I'm way smarter than them."

Re:Take my cards, dont' rip my arm away !!!

[Xugumad]

Wish I had mod points, but was about to say exactly the same thing. The people that are going to do this sort of thing aren't the sort of people that are going to know it won't work. Or may just figure they can run really fast to the scanner.

Re:Take my cards, dont' rip my arm away !!!

[GoldAnt]

Hmm, the solution here (for cars at least) is to have the key be the biometric scanner in disguise! Problem is, make more than a few thousand and the secrets out.... :/ Then we'll have to worry about Everyone gettin their fingers ripped off anyways. Or what if they needed to scan your eye!! Well... Good Luck getting that one out %/

Re:Take my cards, dont' rip my arm away !!!

[b5turbo]

you would be suprised. If people will steal a man's dirty draws out of the dryer then they won't think twice about gutting you for the chip.

Re:Take my cards, dont' rip my arm away !!!

[Belial6]

Unfortunatly, you don't even have to have an account that uses your fingerprints to loose the fingers. It seems to me that once about half of the people use fingerprints to identify themselves, it becomes easier for a mugger to just cut off your fingers, and check if it works later. It's a lot safer to hit someone over the head, take their wallet and cut off their fingers than it is to hit them over their head, take their wallet, figure out if you need their fingers, THEN cut off their fingers.

Re:Take my cards, dont' rip my arm away !!!

[fafalone]

(drug addicts etc)

Ok I'm just sick of stereotypes like this. Alcohol causes far more violent crime than drugs, even when comparing per capita to account for the discrepency in use. And,
"Twenty-one percent of violent felons in state prisons committed their crimes while under the influence of alcohol alone. Only 3% were high on crack or powder cocaine alone and only 1% were using heroin alone." Califano, Joseph, Behind Bars: Substance Abuse and America's Prison Population, Forward by Joseph Califano, NCASA at Columbia University (1998).
And since 49% of inmates were violent offenders, that amounts to about 950,000 such offenders (BJS, 2001), and since only 4% of those were addicted to "hard" drugs (see above, no reason to doubt approximate validity over time given incarceration trends), that amounts to only 38,000 violent drug offenders in a population of the ~6 million current drug users of "hard" drugs (stimulants/narcotics) (NHSDA, 2003), it can be roughly estimated that only 0.6% of drug addicts commit violent crimes, which is likely a high estimate. Furthermore, with 950,000/295000000, the violent crime rate in the general population is 0.32%, drug addicts are only twice as likely to be violent criminals than the general population, and I say only because of things like African Americans, who respresent about 50% of all violent criminals (BJS), but only 12.8% of the population, so therefore are nearly 4 times more likely to be violent criminals.
12.9 million of the general population are current heavy drinkers (NHSDA, 2001), and alcohol related violent crime being at 21% (200000), that's 1.55% of heavy drinkers being violent criminals, or 258x more likely to be violent offenders than current users of hard drugs. Bottom line is, get a better grip on reality and stop perpetuating the myth that most drug addicts are violent psychopaths. They make up a tiny minority of violent criminals. The vast majority of the (tiny percentage) of crimes committed by drug users are non-violent property crimes.

BJS = Bureau Of Justice Statistics-Prisons, http://www.ojp.usdoj.gov/bjs/prisons.htm
NHSDA = National Household Survey on Drug Abuse, http://oas.samhsa.gov/nhsda/

Re:Take my cards, dont' rip my arm away !!!

[Afecks]

If you're willing to cut off fingers you can make a lot more money being a hired thug for a local criminal organization.

Credit Cards

[flajann]

Security is an illusion; Credit Card security doubly so.

There is no substitute for hard Commonsense. Signatures are meaningless. Retailers are interested in making the sale and not annoying the customers with suspicion.

In my case, my signature cannot fit on that tiny space provided on the credit card, and so resembles nothing like it. Most clerks will make a perfunctory "check" of signatures, if they even bother.

Regard your credit card like you would cash, since there is little more security involved. Though, most institutions that issue Credit Cards and increasingly Debit Cards will give you a chance to dispute charges and have them removed.

Re:Credit Cards

[zippthorne]

In the US, your liability in the event of loss/theft if your credit card is limited by law to $50 (provided you inform the bank as soon as you realize what happened). Debit cards have no such protection beyond whatever contract you and the bank agree to. Therefore, If you insist on using a debit card where you would previously have used a credit card, it behooves you to not only read the contract thoroughly, but also consult a lawyer as to the enforceability of the contract.

Re:Credit Cards

You are only partially correct on debit cards. While there is no law limiting liability, the Visanet agreement your bank signs to let them issue (Visa) credit and debit cards requires the same liability protections on debit cards as well as credit cards. I don't know if Mastercard requires the same liability limits on debit cards as credit cards but at one time they did not.

Re:Credit Cards

[macemoneta]

While the limit is the same, the impact isn't. If a credit card is used improperly, your credit limit is temporarily reduced by the pilfered amount, until the state of the card can be restored. If a debit card is used improperly, your assets are temporarily reduced until the bank restores the funds.

The result of the first is that you may have to limit purchases for a while. The result of the second is that transactions in progress (bills, taxes, and other debts paid) may fail. You will likely be held accountable by those independent institutions for the failure. Even if the result is that they accept the delay, you will likely spend considerable time correcting the situation.

If you are going to use a debit card, create a separate account exclusively for the purpose. Limit the funding in the account to the amount you feel comfortable being without for an arbitrary period of time.

Remember, a debit card is advantageous to the bank, not to you. All things being equal (payment made when requested, so no interest charged), credit cards allow you to utilize the month of float (a short term interest-free loan). A debit card allows your bank to do the same - with your money, and without paying you for the privilege.

Re:Credit Cards

[theCoder]

If you are going to use a debit card, create a separate account exclusively for the purpose. Limit the funding in the account to the amount you feel comfortable being without for an arbitrary period of time.

Actually, that's not a good idea. My roommate in college used his debit card to purchase something online. The merchant accidentally charged more than should have been charged (I think it was because of a coupon or something). In any case, my roommate's account was overdrawn for several days, acuring overdraft charges as well. IIRC, the merchant paid all the bank charges, but your bank won't reject a charge just because your debit account has no money in it. In fact, because of the fees, they love it when people do it.

Otherwise I agree -- use credit cards whenever possible and pay off the balance every month. Credit cards provide a nice buffer between merchants (especially the unscrupulous kind) and my money. I'd never carry my bank's debit card if it wasn't also my ATM card.

Re:Credit Cards

[macemoneta]

In any case, my roommate's account was overdrawn for several days, acuring overdraft charges as well.

Overdraft is an option; don't enable it for any debit card linked account.

I'd never carry my bank's debit card if it wasn't also my ATM card.

Many banks use the same card as a debit card and ATM card. All the banks I deal with allow the debit card functionality to be disabled, while leaving the ATM functionality intact. By default they combine the functions to make the use of a debit card easy and convenient. I've just had to fill in a form at the branch to have the debit card disabled. If your bank won't allow this, change banks (and tell them why).

Re:Credit Cards

[slashname3]

The signature part of a credit card is ineffective at best. Why would anyone think that a clerk that could not add up your purchase if the cash registered failed is suddenly able to perform the function of analysing signatures? I have to keep from laughing out loud everytime they flip the card over and look at the back and then at what I signed on the slip.

As others have said the credit card company does not care. It does not cost them anything if a card is used fraudulently.

Re:Credit Cards

[arminw]

.......but your bank won't reject a charge just because your debit account has no money in it......

My bank has, and I believe most banks have an overdraft limit, beyond which the WILL reject the debit/check amount. Some banks don't have overdraft protection at all and just reject the debit/check as NSF. Best thing to do is to carefully protect your card, PIN and frequently check your balance online.

Re:Credit Cards

[winwar]

"Overdraft is an option; don't enable it for any debit card linked account."

Well, if it is an option, it seems to one of those virtually impossible to decline. I never asked for that option nor was I given a choice for any bank or credit union account. But I guess I will check.

Now, IIRC, my ATM cards were different, as is using my debit card as an ATM card.

"All the banks I deal with allow the debit card functionality to be disabled, while leaving the ATM functionality intact."

Well, then it is no longer a debit card, is it? If I could be certain I could use such a card everywhere I use a debit card, I certainly would do that. Guess I'll ask...

Re:Credit Cards

[winwar]

"My bank has, and I believe most banks have an overdraft limit, beyond which the WILL reject the debit/check amount. Some banks don't have overdraft protection at all and just reject the debit/check as NSF."

True. But they may still charge a fee for the honor, especially if it wasn't declined :)

"Identity management"

[JackDW]

Dr Finch is particularly concerned about identity cards, as well she might be. If you live in the UK you may be interested in some closely related reading at http://www.no2id.net/ .

human-stupidity-fix.diff (fixed formatting)

[HG+Slashdot]

@ 1,16 human/brain.txt
brain cell
brain cell #2
-stupid cell
+smart cell

Re:human-stupidity-fix.diff (fixed formatting)

See? Even the stupid patch needs fixing.

Re:human-stupidity-fix.diff (fixed formatting)

[Master+of+Transhuman]

Unfortunately the Microsoft patch crashed the system.

But nobody could tell.

"New technology"?

[hotspotbloc]

So the article talks about how technology fails and social engineering takes over but how is it new? Kevin worked this trick like a pro twenty years ago.

Dr Finch says criminals have told her how they now look over people's shoulders to see a person's pin being entered on a keypad and then attempt to steal the card at a later date.

It's called shoulder surfing, hardly new.

Re:"New technology"?

[BeerCat]

It's called shoulder surfing, hardly new.

Very true. The difference is that Chip and PIN now actively encourages shoulder surfing, as the retailer will not worry as long as the PIN is correct. Someone taking the card early on a Saturday will pretty much have all the rest of the day to make valid transactions (at other stores) before the owner notices the loss and gets the card blocked.

One Time and for All

[Doc+Ruby]

Why are credit card companies taking so long to make each transaction covered by its own one-time password? Why do I give the same CC# to a recipient, without security? The card is almost always processed by a machine now, even with a (usually minimum-wage) human handling the transaction. Why should the recipient be trusted not to rerun the charge, or increase it, or share the access info with someone else?

I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.

One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just to low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?

Re:One Time and for All

[kevstar31]

i think passwords should change more often like with RSA SecurIDs.

Re:One Time and for All

[tritonic]

You mean like the cahoot webcard? It's an annoying flash page I'm afraid, but basically it generates a new number for each transaction you make, making fraud virtually impossible. (It's a UK bank, BTW)

Re:One Time and for All

[Doc+Ruby]

That's the basic idea. I don't know that its online protocol is secure, or the other reality issues with their implementation, but I wish I had something like that for my bank: a unique new CC# for each transaction.

Re:One Time and for All

[IceFoot]

OK, I'm in a restaurant, or Best Buy, or somewhere, and I want to pay with a one-time password or one-time credit card number.

Ummmm... how does this work?

Re:One Time and for All

[Doc+Ruby]

That's exactly what I asked. I want to see it working - however they make it work - if they actually make it work, not fail somehow.

My idea is that chipcards generate a new transaction password for every transaction. Cardholders can use a $10 reader of their own to generate a transaction if they need to do it over the phone or email, without a direct machine interface. The card authenticates the device it's connected to, and keeps an auditable record of the transaction. Which can be used by the bank to validate transactions later. So, at the restaurant, you might use your own reader to generate the CC# for the waitress, if they don't have their own chipcard reader attached to their CC terminal. BestBuy, no doubt, will have a slot into which you can put your chipcard. Maybe the chipcard can even have its own dinky little "OK", "Cancel", "Exception" lights and buttons, powered by the reader. The tech is well within our ability. But the banks will have to act to make this happen.

Do you like that? Would you like to open an account at my bank?

All the more reason to go cash

[Allnighterking]

No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID. Do transactions indoors at the teller window. (Most banks will not ensure that any deposit made at the ATM will make it into your account.) Get to know your tellers. Facial recognition helps a lot. Saved my Grandfather (according to him) years ago when someone tried to cash a stolen payroll check. The tellers knew him. The cops where called.

Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.

Re:All the more reason to go cash

[Overzeetop]

It's like anything else...the more safe you make it, the more complacent we will become. I'm convinced that each person has a risk tolerance band, rather than a limit. They will do foolish things to stay above the "minimum risk" line while still staying below the "maximum risk" line. They will also endeavor to raise the lower limit, proving a perceived reduction in risk. This creates a sort of risk-instability, in which the drive to maximize your "return" (aka, stay above your minimum risk)puts you perilously close to your maximum risk line and results in catastrophic failures rather than minor, progresive ones.

I probably shouldn't have used "return" above, as you might think I'm referring to financial investing. I'm not. A return would be to reduce your commute time by 2-5 minutes, allowing you to sleep a bit later. The risk you add is driving faster and closer to the car in front of you than conditions would otherwise permit because you have ABS and air bags. Or reducing the effort required to mow the lawn by getting a self-propelled lawnmower, and then using a velcro strap to lock it in the "on" position so you can mow one-handed, closer to that steep hillside, increasing the chance that you and the (locked-on mower) will careen down the bank, cutting out chunks of your [insert appendage here] and destroying your neighbor's [insert anything valuable here].

Re:All the more reason to go cash

[kraut]

> No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID.

If you were on your way to buy a high spec laptop, for example, I'd be just as happy with the cash, thank you.

I'd also like you to do things like checking into a decent hotel, booking a flight, renting a car without using your credit card.....

Re:All the more reason to go cash

[arminw]

.... if I use cash....

Another good reason to have some cash handy is if there is an emergency where the power is off, cash can still get you stuff you need, whereas ATMs are dead. However, cash is not welcome any longer in many transactions.

Re:All the more reason to go cash

[Allnighterking]

My company rents the car, books the flight, books the hotel. But then it does come down to risk management. With the theft of 1800 in cash (btw I'd never buy that laptop myself it's another company thing.) I lose 1800. With the theft of my ID I can lose my home. ...... personally ....... I'd rather lose the 1800.

In the case of the mugging (which is what it takes to lose the 1800) The police have more to go on, and are better prepared to handle the crime. The time of discovery of the crime is immediate. With the a crime like identity theft there is a tremendous lag in time between the commonission of the crime and the discovery. By the time the crime is discovered the perp is probably long gone and the trail is cold.

Cash is eaiser to trace, ala Where's George Most money counters are capable of both reading the serial number of a bill and counting it almost instantly. Cash is easy to trace. One of the reasons your local congressperson doesn't like it.

Re:All the more reason to go cash

[John+Harrison]

Your protections do you no good. You didn't understand the point of the article. Here it is, spelled out real simple. The smart cards are effective in stopping card duping and card theft. They have no effect on identity theft. Someone will apply as you at a bank that you have never dealt with and receive a card in your name. You cash does not protect you. Verified enrollment would, but the article didn't discuss that. It also didn't mention that as EMV has caused certain types of fraud rates to fall where it is implemented that fraud his migrated to places where EMV is not in place, mainly the USA.

new?

[0olong]

thieves are quickly adapting to new technologies such as chip-and-pin credit cards
Everyone here in the Netherlands has been using PIN cards since about 1970(?). These cards also include "Chip" chips since 1996.

These cards are much less a liability than credit cards of the American type. It's about time you get with the program people (;

Re:new?

[flokemon]

Not as simple as you may think! Chip and pin has finally been introduced in the UK last year, and on a recent trip at the supermarket, as I was about to pay with my debit card (yeah, no credit card for me either!), the cashier asked me: "Do you know your PIN number?". If I'd said no, I could just have signed whatever.

More secure? Not until people start behaving responsibly.

Re:new?

[0olong]

the cashier asked me: "Do you know your PIN number?". If I'd said no, I could just have signed whatever.
Really? Well, there's no way you'd get away with that on this side of the North Sea! Maybe the cashiers in the UK haven't been properly trained yet?

Re:new?

[Incadenza]

These cards are much less a liability than credit cards of the American type.

Did you ever use your card in France? Your seemingly well protected PIN card does not need a PIN there - cashiers will just swipe it, and that's it. A very nice option for card thieves: Paris is just 6 hours by train. Yes, the thieves are with the program, they have been for a long time 8)

And by the way, PIN cards for payment in shops have been around since the early nineties - in 1970 people were still fuzzing about with 'spaarbankboekjes', a paper booklet with your account information that the bank's cashier could modify.

Re:new?

[owlstead]

France? Why go to France? AFAIK, this works as well in Belgium (a country which you can reach in just about 3 hours from anywhere in the Netherlands). Anyway, (again AFAIK) the PIN is encrypted on the magnetic stripe. Not so smart. So it is better than a Credit Card, but not *much* better.

It's all about liability

[slim]

When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.

Sometimes I would try and explain the catch.

Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.

That is -- is someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.

However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.

In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?

Re:It's all about liability

It suprises me sometimes that people still don't -really- understand how a bank works.

Banks are corporations. They need to break even to survive, but they -want- to make a profit. In their most basic form, the bank provides a secure means of storing your money. Now, if they just stored your money and gave it back to you whenever you wanted it, without any questions or additional charges, they wouldn't exactly be making much. That's why they use money that people invest for their own investment purposes, to bring in a profit. They also whittle away what you -do- put in there with service charges and other fees, so that more of your money is available for them to spend -- often in the form of loans and mortgages that, once again, tend to cost the customer more money than they initially invested in the first place.

Now take these new cards. As you said, currently the banks assume liability if someone steals your card and uses it for purchases without your knowledge. In other words, every time this happens, they lose money...and that is entirely contrary to what the banks -want- (your money). With these new cards, they can now safely shift liability to the consumer, which means that not only do they get your money, but they don't have to replace it if it's stolen.

Re:It's all about liability

[jrumney]

"Chip & PIN" in the UK doesn't even seem to be implemented securely. Last weekend I used it at Tesco. As I attempted to put my card in the reader on the pinpad, the checkout assistant grabbed it off me and mumbled something about it needing to go through the cash register. He then swiped the card on the old system they used when you had to sign, and asked me to enter my PIN on the pinpad.

When I used to work for a company making magstripe & PIN systems in New Zealand 8 years ago, there was a regulation that the card reader and pinpad had to be in a sealed unit, with epoxy all over the ciruit board making it extremely hard to get an electrical connection to mount a man in the middle attack. All communications out are encrypted. I guess with chip & PIN, some of that encryption is done on the card itself, but I'd still be happier with a sealed pinpad and reader unit with public key encryption to the bank.

Re:It's all about liability

The banks don't sell systems that work as you've described.

Keep in mind that one of many reasons for introducing Chip and PIN is that too many of the young, low paid staff in supermarkets are criminals.

Would you have handed him your wallet so that he could implement a new "store policy" of taking all the high value notes and stuffing them into his pocket?

Re:It's all about liability

[valdean]

When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.

What? They asked you that?? And they said they were looking forward to the extra security??? Wow! The only thing cashiers in the States ever ask me is if I want a receipt, and that's the smart ones. I'm shopping at all the wrong places.

Re:It's all about liability

[jrumney]

The banks don't sell systems that work as you've described.

Astoundingly, they do.

Re:It's all about liability

[deathy_epl+ccs]

isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?

No, we're paying them because they're already rich and they want to be richer.. I mean, duuuuuh! ;-)

Re:It's all about liability

[JimBobJoe]

When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.

I disagree, I don't believe we will see chip and pin in the US.

It's much more profitable for Visa/MC when debit card transactions are debited via Visa/MC systems. In the United States, this is done by selecting "credit" on the hypercom and signing a receipt.

Choosing "Debit" on the hypercom and entering in a PIN has the transaction run through the EFT, skipping the Visa/MC system and all its profitability (though merchants prefer it on many transactions because it's cheaper for them.)

In order for Visa/MC to keep people using their system, they have to encourage people choose credit and sign their receipts...and discourage "Debit" usage with the PIN (and I've seen Visa commercials with this message.) A chip and pin system would resemble the "debit" transaction sequence too much. (In any case, most credit card fraud is online, and there is a PIN available for credit card transactions done online.)

Re:It's all about liability

[fmobus]

One Brazilian bank (namely "banco do brasil") has an incredible password typing system for its ATMs.

When the card is issued to the user, he receives a 3-letter password. Each time you use the card (for any ATM-like transaction) you're presented a screen containing 8 boxes with 3 distinct letters each. Each letter is shown only once on the screen. You then press the button equivalent to the first letter of your password. The screen then redraws/re-sorts again and you press the button equivalent to the second letter. The screen then redraws/re-sorts again and you press the button equivalent to the third letter.
  Brillant! It almost completely kills shoulder-surfing!

Re:It's all about liability

However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.

I hardly think that that would stand up in court.

Re:It's all about liability

[dan+the+person]

However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.

I'd find that very surprising, where do you get your information from?

New Zealand has used pins for point of sale transactions for 20 years (and the transactions are instant! They don't take 3 days like in the UK) and shoulder surfing has never been much of a problem and i've never heard of the customer being held responsible

Re:It's all about liability

[dan+the+person]

In fact some fella says the opposite, the banks are now not accepting responsibility for fraud using the old magnetic strip terminals:

"The increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005) for any fraud that results from non-EMV transactions on their systems."

Re:It's all about liability

[trmcdougle]

I can confirm this, my source... The modified terms and conditions when they issued the chipped card.

I would also like to point out that with a signature you can get an expert witness to determine that you are not the one who signed, but the only possible PIN recourse is if you can prove you were elsewhere AND had your card with you. (Otherwise they can claim it was used with your permission!)

Re:It's all about liability

[slim]

Thank you for making me check my facts -- what I said was "conventional wisdom", but as a result of your challenge I Googled for more evidence, and found this:

THE MYTH: After 1 January, the liability for card fraud losses switches from the banks to the cardholder.

THE TRUTH:
This is absolutely not the case. With the introduction of chip and PIN there is no change in liability for the cardholder. You will remain fully protected from the cost of card fraud and are covered under the Banking Code. From 1 January 2005 there is a shift in liability for some types of card fraud from banks to retailers, but this will not affect cardholders in any way.

Re:It's all about liability

[noims]

I work in the chip&pin indistry, and the US have stated that they will not be moving to C&P at all.

You're right with the rest of your post though. C&P does make transactions safer... for the banks. The liability has merely shifted away from them, and to either the retailer (for non-C&P transactions) or the customer (where the pin was entered).

The banks have several argument about why C&P is safer. For example, the card now never needs to leave the cardholder's presence, and so the retailer cannot put extra transactions through. While this is true to a degree, and the banks require that the C&P device displays the amount before authorisation, the merchant copy of the receipt must contain enough information to reproduce the transaction offline. By definition, this means the merchant gets all required card data.

In any case, a huge percentage of card fraud, over 80% I believe, is card not present (mail order or e-com). C&P does nothing to reduce this.

Personally, my bank hasn't yet released chip cards, and I'm glad of it. I know this won't last for long, another year tops I'd guess, but by then I hope to have a more secure (for me) way of carrying credit easily.

Cheers,
Noims

Re:It's all about liability

[Torne]

They do, actually - the 'swipe' section of the cashier's terminal has been augmented with a smartcard reader at the bottom. So, the cashier swipes the card, it reads the magstripe, and when it gets to the bottom of its travel it clicks into place in the smartcard reader. The chip and pin keypad then acts as just a display/keypad, leaving the reading to be done by the cashier's terminal. The cashiers are not supposed to let the customer put the card into the customer-facing terminal (some even have the card slot on that terminal covered). I have absolutely no idea why.

It doesn't really make it much easier to mount a man-in-the-middle attack - if you are determined enough to install something inline in the cable connection, you are probably determined enough to install something inside the customer-facing terminal anyway (as the terminals are not made to be secure against physical intrusion). It still seems stupid, but it's not the end of the world.

Far more pressing problems with chip and pin would be modifying terminals such that they, say, display a different amount on the screen to the amount they are authorising, or that power cycle the card and replay the user's pin to authorise a second transaction.. these attacks are not really made easier by the separation.

Really? Cool

[Lifewish]

Any chance you could provide a reference for that? If true, you've just made me a hell of a lot happier about chip and PIN - I'd assumed that the aim was to shift responsibility off the CCs' shoulders and onto someone else's.

Re:Really? Cool

[VJ42]

>I'd assumed that the aim was to shift responsibility off the CCs' shoulders and onto someone else's.

No, the aim of chip and pin was to increase security. Because signatures can be forged, pin numbers can't. IMO this reasearh is flawed because actually getting hold of somone's pin is much harder than copying their signature. When I used to sign for my card, my signatire hardly ever looked like that on the back of my card, but with chip and pin my signature (my pin) is always identical, and noone can see it to try and forge.

Re:Really? Cool

The bank is liable for fraudulent transactions iff the retailer used chip-and-pin (otherwise the retailer is liable). A simple Google search confirms this. However, the key word in that sentence is "fraudulent". That is, we are talking about transactions that the bank agrees are fraudulent, rather than the ones where, despite anything the customer may claim, they must have been careless with their PIN, since the technology is secure so how else could they have been defrauded? A Google search for "phantom withdrawals" gives examples of customers' experiences with the latter.

Re:Really? Cool

[TsukiKage]

The bank must show that the customer acted fraudulently or without reasonable care, otherwise the customer is not liable. This text describes some of the potential problems with this.

Re:Really? Cool

[jimicus]

Solution:

"Dear Sir,

Seeing as your card and your PIN were used for this transaction, you must have written your PIN down or something. Your problem.

Kind regards,

Your bank."

Now you have to take the bank to court. Should put off anyone claiming less than a few hundred pounds.

Re:Really? Cool

[Jane_Dozey]

Exactly. If somebody else manages to get your PIN the banks are likely to tell you that you have been negligent and must deal with it.

The other problem with chip and pin cards is that the theif no longer has to go off and practice your sig anymore (giving you more time to notice your cards gone). They can just enter a number and be done with it.

Re:Really? Cool

[v1]

The reason merchants take your signature so casually is because they have no financial responsibility. That's part of the visa and mastercard merchant agreement. If the card is approved on the swiper, the merchant is guaranteed his 97% of the take, or whatever it is for that particular card. (visa, mc, and discover are all different %)

The only responsibility the merchant has is that if he does too many fraudulent transactions percentage-wise, the card handling service he goes through may drop him, and he'll have to find another. I don't know if the card service eats the fraud or if the bank does in those cases. Either way, the merchant is always paid. It's this guarantee that makes a merchant willing to only get like 97% of the purchase price without the right to charge extra for credit purchases. (extra charges for credit purchases are against the credit card processing rules)

Another somewhat unknown fact is that if someone steals your card or through any other circumstances charges to your cc #, you can be held partly liable. The banks can make you pay up to $50 of the balance of "disputed charges". From the three or four people I've seen get their cards stolen though, the bank usually eats the $50 they could otherwise push on the consumer. I find this very odd for a bank to be generous to the tune of $50, but for some reason they do it. They probably make well over $50 in interest for most card holders during any 2 year period, so for them it's probably better to roll on the $50 and keep them using their plastic.

The first thing you need to do if your card is missing is report it lost. The $50 limit applies only to unauthorized charges made before the card is reported lost. Anything after that is entirely the responsibility of the bank.

Re:Really? Cool

[jez9999]

Because signatures can be forged, pin numbers can't.

I have to take issue here. I think PIN numbers can be forged perfectly, and signatures can be forged less perfectly.

What you REALLY mean is that PIN numbers aren't written on the card, signatures are. If they implemented a system of scanning everyone's signature, putting them on a database and having the signature show up on the cashier's register after they scanned the card, instead of having the signature written on the card itself, security also would have been increased.

Signature forgery is drawing something that looks like the source material.
PIN forgery is entering a 4 digit number that equals the source material.

Which is easier to do, given that both source materials are available?

Re:Really? Cool

[CastrTroy]

I really want a 20 digit pin. I realize that not everybody can remember 20 digits, but I can do it pretty easily. I also want something that completely covers my hand, so that shoulder surfers can't see what i'm typing. I can type without looking, I can surely type a 20 digit number. It would make it a lot easier if you offered higher security for those who wanted it.

Re:Really? Cool

[Curmudgeonlyoldbloke]

I strongly suspect that the statements put about to retailers earlier this year (along the lines of "if you haven't installed Chip and Pin kit you're liable for any fraud") were somewhat overhyped.

Actually it would depend on the small print of the Ts and Cs between the bank and merchant, as APACS http://www.chipandpin.co.uk/business/card_payments /ready/shift_liability.html admits:

"If a retailer does not have a chip and PIN acceptance device after January 1, 2005 and the use of such a device could have prevented the fraud from occurring, the retailer may bear the cost of a fraudulent transaction. This will depend upon the terms and conditions between that retailer and its acquiring bank."

Obviously, if the bank can show that the merchant was negligent, they've probably got a case - just the same as they would have in the pre chip-and-pin world.

As to any shift of liability onto the consumer, it's again (notwithstanding applicable laws) down to the agreement between you and your bank. If, in the light of having to effectively disclose your PIN every time you use your card and you're present, you think that you're at risk of getting shafted, it may be time to change your bank (or start paying by cash).

With regard to applicable laws, it's worth mentioning that (in the UK) credit cards are about the safest way to buy stuff remotely thanks to the legal requirements of the distance selling regulations: http://www.dti.gov.uk/ccp/topics1/ecomm.htm

As to whether chip-and-pin is necessarily any more secure than a "signature" I couldn't say. APACS clearly think so, but I'll still be furtively covering my hand while typing a PIN in...

Re:Really? Cool

[patio11]

Its the industry standard in the US to waive the $50 of liability. Its a dirt-cheap bullet point you can put on your credit card solicitations ("You have NO FRAUD LIABILITY!"), and enough of the banks decided to do it that the others basically have no choice but to comply. (There is also a legal angle -- if your cardholder agreement says that you'll always be responsible for every cent of the fraud then, if fraud happens, the customer has no cause of action against you even if some portion of the fraud was theoretically your fault, say for negligence in disclosing customer information or what have you.)

Re:Really? Cool

[1/137]

I hate the credit card industry. I try to pay cash always. But it drives me crazy that I have to pay the same price as people who pay with credit cards.

This essentially means that I am subsidizing their free trip to Hawai (1%) and credit industry profits (99%).

I love how people think they are getting free trips out of these cards. That $300 free ticket cost you about $3000 smarty pants. My only gripe is that we all have to pay for it.

Re:Really? Cool

I got screwed by this in Europe.

I had a 7 digit PIN, and the ATM wouldn't accept more than 4 or 6 digits.

That was a major pain in the ass.

Re:Really? Cool

[VJ42]

>Which is easier to do, given that both source materials are available?

How is somone's pin "available"? I always protect my pin from view eiter at an ATM or when paying by chip and pin; I also always check for skimmers etc. at ATMs. If people were just sensible, a 4 digit pin would be fool proof, but as the sying goes, a fool and his money are eaisly parted.

Re:Really? Cool

[jez9999]

As I said, to protect signatures in the same way as they're protecting PINs right now, they'd take it OFF the card and put it ON to a centralised database. Neither would be available by looking at the card, so you'd have to find a letter with their sig on it or something. Harder, I'd say, than collecting their PIN.

So, I'm saying that assumin the criminal manages to obtain the PIN, or signature of the person, which is easier to forge? A PIN can be effortlessly forged with 100% accuracy, a sig can't. Whatsmore, I'd say it's harder to get hold of someone's sig.

I think the reason they went with PIN is because they know cashier plebs are lazy assholes, most of whom would even take a glance at the sig the customer gave and the sig in the database, whereas they dont HAVE to with PIN as the computer system can reliably check for them.

Re:Really? Cool

[VJ42]

>I think the reason they went with PIN is because they know cashier plebs are lazy assholes, most of whom would even >take a glance at the sig the customer gave and the sig in the database, whereas they dont HAVE to with PIN as the >computer system can reliably check for them.

Actually they went with chip and pin because it's been tested widley on the Europian mainland, and now being rolled out across the rest of the continent.

Also most petty criminals can't get hold of your pin just by stealing you wallet and looking at the card. However they coud get hold of your signature, I still believe that it is more secure than the old system

Re:Really? Cool

[mdwh2]

It's an interesting idea, but I still believe a PIN is better:
  - If someone finds out my PIN or signature, I can easily change my PIN, but not my signature.
  - Given that I use my signature for all sorts of occasions, where people will see my signature, I'd say it's a lot more insecure than a PIN which I don't have to show anyone, and I can have a different one for every card.

I mean, how many people would trust PIN if you have to tell the cashier your number in order for him to check? Your system would be more secure if it was possible for a machine to compare signatures, but even then, I need to show my signature for all sorts of other things.

Re:Really? Cool

[bluGill]

True, but I would spend that $3000 anyway, cash or credit. Dosen't matter how I pay, each month I spend $150 on food, and $150 on gas (numbers made up for example's sake), by paying with my credit card I get $36 (not $360) every year that I wouldn't have before. Now add in all the other little things I buy anyway (internet, computers, little fuzzy dice, ...), and there is a nice chunk of change I'm getting for doing things I'd do anyway.

Note that I'm not one of those idiots who carry a balance on my credit card. I don't buy anything I couldn't pay for in cash, so I always have the money to pay off the bill when it comes. If you can't force yourself to do the same, than a credit card is a bad deal.

Chips in the skin?

Sure, it probably will. And that'll only lead to muggers blowing your brains out and hacking off whatever limb the chip is hidden in, or forcing you to authenticate yourself at an ATM by gunpoint.

Nothing is 100% secure.

chips won't work either. Nothing will

[pair-a-noyd]

You need to see Gattaca and here

They were taking DNA samples in real time from people for access control.

The guy went to extreme measures to defeat the real time DNA sampler.

No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.

Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.

Reminds me of "Demolition Man"

[Not_Wiggins]

Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?

John Spartan on Simon Phoenix being unable to buy anything because you need an implanted chip:
It would be a waste of time to mug somebody . . . unless he rips off someone's hand, and let's hope he doesn't figure that one out.

reminds me of...

[amcdiarmid]

The problem of this type of security is that it attempts to replace thought on the part of all involved. (see zug.com about credit card fun)

When I and my wife got a joint account, the bank swapped our pictures on our atm cards. We look nothing alike, each being easly taken for our respective genders. I used mine (with her picture) for six months without anyone even glancing at the picture. Eventually, when I got passport photos at a local picture processing shop: the clerk looked at the card and refused to process it.

Literally after hundreds of transactions including a good number in the $250/300 range. Unfortionatly "Security" (tm) is everyones job, but no one wants to do it.

Re:reminds me of...

[FireFury03]

The problem of this type of security is that it attempts to replace thought on the part of all involved.

People are stupid, and security measures must take this into account:
1. The original signature system didn't take this into account because the shop cashiers are stupid and don't check the signature.
2. The new chip & pin system doesn't take this into account because the card holders are stupid and don't protect their pin.

Admittedly (2) can be reduced by having well designed keypads that reduce the viewing angle to see the keys - most of the chip & pin pads I've seen are useless in this respect.

Anyone care to explain why they opted for using pin numbers instead of electronic signature recognition - I was under the impression that signature recognition is quite reliable (it's certainly been around for a while). Signatures are much harder for someone to reproduce than a PIN and this method would remove the need for the cachier to check the signature (which they don't do anyway).

Re:reminds me of...

[karlm]

Anyone care to explain why they opted for using pin numbers instead of electronic signature recognition - I was under the impression that signature recognition is quite reliable (it's certainly been around for a while). Signatures are much harder for someone to reproduce than a PIN and this method would remove the need for the cachier to check the signature (which they don't do anyway).

PIN technology was probably the easiest, cheapest, fastest solution. It's merchants that get hurt the most with fraud. It's my understanding that the credit card company still keeps its transaction fee on fraudulent transactions, the merchant pays back the fraudulent charge to the CC company, and the provider of the merchant account charges a "chargeback fee" to the merchant. The CC company makes the same amount of profit (minus a few minutes of wages for their phone staff), the merchant account provider makes more profit, and the merchant absorbs almost all of the costs.

For fraud prevention, the optimum cost/benefit point for the CC companies is much lower than that for the merchants. Unfortunately, it's the CC companies and merchant account providers that deploy the systems.

Also, people have a small tolerance for false negatives.

People are probably less likely blame a keypad for a false nagative as compared to a signature reader. People will probably get more angry at having to sign three times for a single transaction to succeed than having to input a PIN five times for a single transaction to succeed.

Biometrics cellphones

[jsveiga]

A friend just came back from Japan, where his cousin was paying groceries et all with his cellphone, which had a "sweep-type" fingerprint scanner (and videophone, and fast internet, etc).

I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.

It is interesting to see phone companies grabbing part of the credit card market.

Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!

Instead of money, you'll be paid in talktime credits...

Re:Biometrics cellphones

[The+Cydonian]

Possible here in Singapore. You can get coke cans in some of the vending machines by SMS-ing the number mentioned on the machine. Not quite popular, though, coz only one provider supports /monopolized it.

Re:Biometrics cellphones

[MochaMan]

I actually have it -- the F900iC. You can use it for Edy prepaid debit transactions at lots of convenience stores, supermarkets, airports, etc. Not too bad. The scanner is better than I'd thought, occasionally I get a false negative if I twist my finger a bit, but in general it works beautifully. All transactions are encrypted etc.

Re:Biometrics cellphones

[ElNeo]

Telenor has a system called "Mobilhandel" (Mobile Trade) here in Norway (Scandinavia). If you want to buy a snack, you can send an SMS with some codewords that you find on the machine, and your Mars bar will pop out. This system has been around some time and you can pay car-parking, cinema tickets or even airplane tickets with it. I have never used it since I use another cell-phone operator. The system is not very popular by many reasons (limited number of user-places, hassel to set up - you need a new SIM-card, and limited to one operator).

There is another way of using your phone to pay. Some banks offer access to your bank account via SMS and WAP. I have uses it some times, and it works great, you only have to remember to bring your note with one-time-codes to use it. I prefere to use a computer to pay bills and stuff, but if I am sitting on the train on my way home from work and my brother needs to borrow some money, it's an ok alternative.

In Scandinavia you can use your debit card almost everywere, and that is the most common way to pay; almost all shops, buses, parking-meters, petrol-pumps etc. Transaction speed is very quick (normally 1-2 seconds), and most banks does not charge pr transaction, only a small annual charge. I have not used cash on a weekly basis for years.

Hmm... Inserts

[GreyOrange]

If we insert chips under our skin, that brings us one step closer to getting our [insert body part here] chopped off, as many people are willing to point out.

Security

It was said that security is process and not a product.

One possible solution

[slobber]

Ok, so you make a credit card transaction and before it is approved, you get a call on your cell phone, enter a PIN and only then the transaction is approved. Yes, you need to have a signal for this to work, but I think this gets around many problems inherent to other verification methods.

Considering that

[kilodelta]

Most retailers now use a self-swipe card reader. They don't even look at the card.

Every once in a great while a clerk will ask to see my card at my local supermarket. But those occasions are few and far between.

They don't even cross match the store ID card with the card you swipe. I understand that there are flaws such as a spouse having a store card with the same number on it. But there has to be a better way of checking to be sure the credit/debit card holder is who they say they are.

This is why I'd be much more comforable with a card + thumb print + pin scenario.

Re:Considering that

[Stevyn]

I think these self swipe readers are a huge security hole. Anyone can spend a few hundred dollars for a magnetic card writer and change the information on the card. Getting a credit card number isn't that difficult either. It seems crazy to me that retailers AND credit card companies don't seem to care much about this. Is it really cheaper to let people scam the system than to make the system more secure?

Re:Considering that

[kilodelta]

Having once built POS systems using software and hardware I'm fully aware that a reader/writer is pretty short money.

And most banks haven't yet made the transition from mag-stripe to smart-chip. The entire infrastructure would have to be changed.

As to why there isn't any serious effort to combat fraudulent credit/debit usage that's simple. The people who suffer are the merchants and the card holders. The banks, card issuers, and card processors are competely off the hook when it comes to fraud.

A merchant pays a premium based on his credit rating, rate of charge backs, etc that can range from 2% to 10% of the transaction price. So lets say you swipe for $10.00 - and the merchant is paying that 10%. Then you charge it back and the merchant is out the whole amount but the processor and card issuer got their cut.

It's kind of like foreign ATM fees. I see BofA is now $2.00 per pop, or a full 10% of a $20 withdrawal. You can't tell me that their actual cost even approaches ten cents for the transaction. So it must be profit taking. Nice isn't it.

Re:Considering that

[FireFury03]

This is why I'd be much more comforable with a card + thumb print + pin scenario.

I'm not happy with the idea of using my thumb print / iris scan / etc as part of the transaction - seems to me it would invite the criminals to chip off my thumb or scoop out my eye at the same time as swiping my wallet. I'd be much happier with something like electronic signature recognition - much harder to forge a signature than punch in a pin number and you're nolonger relying on someone to bother to check the signature manually.

Re:Considering that

[kilodelta]

Ah but without the pin it'd be useless. And encrypt the minutae of the thumbprint with the pin. Use challenge-response authentication on the pin.

But most importantly make sure the thumb, iris, etc. is attached to a living, breathing being. Most of the theft of credit/debit cards is non-violent anyhow. Most of it exploits technology or processes .

But signatures are worthless. The signature on my card and on my drivers license is far different from the way I actually sign things. It's why I always make it a point to ask how long a clerk has studied handwriting analysis when they make the effort to check my card signature against what I just signed.

Re:Considering that

[MoneyT]

The problem with sig recognition is that your signature not only changes over time, but changes with the document you're signing the the materials you're signing with. Try it some time. Sign an electronic pad (and try different ones noting how they aren't always good writing surfaces. Then try signing a regular sheet of paper with a ball point pen, and then try a gel ink pen. From there, try signing a form on which you need to press hard to make duplicates. Last but not least, compare the signature on your last reciept to the one on the last legal document you signed.

Re:Considering that

[FireFury03]

Ah but without the pin it'd be useless.

Ok, so after someone has looked over my shoulder and seen my pin, instead of just mugging me for my card they'll take the trouble to cut my finger off too - great.

But signatures are worthless. The signature on my card and on my drivers license is far different from the way I actually sign things.

Signatures are not worthless - signature analyser systems look at the _style_ and order of your pen strokes, not the exact shape of the finished signature. So it doesn't matter that your signature is different every time, you're still drawing it in the same way (just as handwriting analysis can match handwriting to a particular person even though the 2 samples of writing aren't exactly identical).

Re:Considering that

[FireFury03]

The problem with sig recognition is that your signature not only changes over time, but changes with the document you're signing the the materials you're signing with.

Signature analyser systems look at the _style_ and order of your pen strokes, not the exact shape of the finished signature. So it doesn't matter that your signature is different every time, you're still drawing it in the same way (just as handwriting analysis can match handwriting to a particular person even though the 2 samples of writing aren't exactly identical).

Admittedly signatures do change over time, but this isn't usually a sudden change (unless you had a medical condition that prevents you writing correctly, such as a stroke, etc). So each time your signature is verified, the system could be updated so the recorded signature pattern evolves in step with the actual signature.

Re:Considering that

[kilodelta]

So sorry but I've had the chance to play with signature recognition equipment. I can confound it with ease.

Re:Considering that

[arminw]

.....invite the criminals to chip off my thumb or scoop out my eye at the same time....

That and the added complexity and cost of biometric systems means that these will only be employed in specialized, high security applications. An embedded, temperature sensitve chip is much cheaper, as are the readers and the data bases needed for a system to be used for the masses. If such a chip is removed from the body and therefore cools down, it stops working. Also, if such chip removal is not done skillfully, the chip will likely be damaged and no longer work. It is not neccessary to make a system IMPOSSIBLE to break, but only difficult enough to make it unlikely to be broken. Make the cost and effort high enough to break a system, and the problem disappears for all practical purposes.

Re:Considering that

[MoneyT]

But wouldn't such a system rely on a specific set of predetermined factors? I know that the style and overall look is not just minorly different but can be completely different depending on where and how the signature pad is positioned (i.e. the vertical ones at Sams Club).

Re:Considering that

[FireFury03]

I think it would have to be implanted quite deep if you're relying on body temperature - I should think that the few mm under the skin can fall well below core temperature in many "normal" conditions (think skiing, etc. where you're out in sub-zero temperatures).

Re:Considering that

[arminw]

....implanted quite deep if you're relying on body temperature.....

The of all the possible body locations possible for such a chip, the ones mentioned in the prohecy, the forehead and the right hand are both quite accessible for scanning, but also usually protected from extreme cold by a hat/parka and gloves. Temperature may not be the only protective mechanism to make chip fraud difficult. We do not yet know the details of what future technology may be employed, but the possibility of this coming true never existed before the coming of the microchip and all the technologies made possible thereby.

scary!

[TheSHAD0W]

Not only is the idea of having RFIDs embedded into people's skin scary to me, but it also promises to add a new, terrifying meaning to the term "hacking"...

Re:scary!

[Incadenza]

Not only is the idea of having RFIDs embedded into people's skin scary to me, but it also promises to add a new, terrifying meaning to the term "hacking"...

Well, the "hackers" are supposed to be the curious test-the-system type of guys. It is it the "crackers" with their "cracking tools" that you should really be worried about...

Re:scary!

[TheSHAD0W]

Incandenza, I consider myself to be a "hacker" by the old sense of the word, but it's an impossibility to get rid of the new popular definition. Besides, "hacking" when referring to people's limbs and skin produces a much more vivid visualization, and therefore is more likely to be adopted...

Re:scary!

[Halfbaked+Plan]

My cat is a 'hacker' in the old sense of the word.

My dog, on the other hand, just likes scarfing down the hairballs she hacks up.

Re:scary!

[Incadenza]

Besides, "hacking" when referring to people's limbs and skin produces a much more vivid visualization, and therefore is more likely to be adopted...

Must be my perverted imagination, but I get an awful vivid visualization with "cracking", as in "skull". Limbs are redundant and removal of one will merely halve my typing speed, but my skull is a single point of failure.

Re:scary!

[TheSHAD0W]

Yeah, but that's probably not where they're going to implant the RFIDs.

Write "SEE ID" on your credit cards

I don't sign my credit cards. I write "See ID". Then I make it a point of thanking the cashier for asking for my license.

Re:Write "SEE ID" on your credit cards

[sp00nz]

I do that too. However if they don't look I don't talk to them I talk to their manager.

Re:Write "SEE ID" on your credit cards

[rabbar]

Merchants who accept your Visa card which is unsigned (or is signed SEE ID) are in violation of Visa policies. Visa has specificially stated that cards signed with SEE ID must not be accepted for a transaction.

From a letter I received from Visa:

"Please be assured that merchants may not refuse to honor a Visa card simply because the cardholder refuses a request for supplementary information. The only exception is when a Visa card is unsigned when presented. In this situation a merchant must obtain authorization, review additional identification, and require the cardholder to sign the card before completing the transaction."

Re:Write "SEE ID" on your credit cards

Obviously, that would only work for cards that use signatures. It's quite pointless to check the back of the card with chip and pin.

Re:Write "SEE ID" on your credit cards

[e4tmyl33t]

That letter is BS. Any merchant has the right to refuse a card because someone cannot present sufficient ID or whatnot to properly ascertain the identity of the card user. VISA can't force a merchant to take a card because they felt that the card was stolen or being used illegally. That letter basically says "If this card is signed, the merchant MUST take the card, regardless of who is using it. If the merchant wants more info, and the person holding this card says no, they have to take it anyway. If the card is unsigned, they have to get ID before taking it."
I think VISA or someone is yanking you or they have crappy policies...if they say that a store HAS to take your card even if you refuse to show ID, then they need to re-think that. I work at a Best Buy, and we regularly ring transactions that number anywhere from between 1 and 30 thousand dollars at a time. If I ask for ID for your card and you say no, I'll tell you to piss off and come back with ID. I may piss some people off, but I make DAMN sure that who I'm selling to is the person I should be selling it to. Same goes for people who have their spouse's/parent's credit cards. Won't take em. End of story.

Re:Write "SEE ID" on your credit cards

[Ph33r+th3+g(O)at]

So a cashier from Best Buy knows all about Visa policy? Just because Best Buy routinely violates the policy through ignorant employees doesn't mean the policy doesn't exist.

Re:Write "SEE ID" on your credit cards

I work at a Best Buy, and we regularly ring transactions that number anywhere from between 1 and 30 thousand dollars at a time.

Yeah, because I know every time I'm in Best Buy, there's always one guy running up mid 5 digit purchases of consumer electronics.

Re:Write "SEE ID" on your credit cards

[jwl3v]

Yikes, Rabbar!

I've had "Please ask for ID" on my cards for yrs. Only rarely (1 in ~50 times?) am I asked for my ID, and I've never had an experience that looks like sales personnel know about Visa's policy you've documented. (When a clerk does ask, I thank her or him.) So, I checked the Visa Web site and confirmed you correspondence:

Some customers write "See ID" or "Ask for ID" in the signature panel, thinking that this is a deterrent against fraud or forgery; that is, if their signature is not on the card, a fraudster will not be able to forge it. In reality, criminals don't take the time to practice signatures: they use cards as quickly as possible after a theft and prior to the accounts being blocked. They are actually counting on you not to look at the back of the card and compare signatures--they may even have access to counterfeit identification with a signature in their own handwriting. "See ID" or "Ask for ID" is not a valid substitute for a signature. The customer must sign the card in your presence, as stated above.--[Visa PDF for merchants]

So, there appear to be two problems:

1. Clerks don't look at the sig space on cards, and
2. Clerks don't implement card companies' policies.

I feel so much less secure now. My $$ is safe, no? Mayhaps I should sign with the PW for my PayPal account? Nahhh, that changes more frequently than the cards are replaced.

Re:Write "SEE ID" on your credit cards

[Ritchie70]

I find it fascinating that you ask to speak to a manager when a clerk follows the policies of your card issuer, which must, therefore, also be the policies of the merchant.

The point of the signature on the card is to endorse a legal agreement between you and the card issuer. It has little to nothing to do with your identification.

As later posts explain, Visa requires that unsigned cards be signed.

As far as I am concerned, any writing in the signature box should be assumed to be your signature, and, if your signature does not match that, then the manager should be called.

If you don't sign your sales slip "SEE ID" then the manager should be consulted.

Re:Write "SEE ID" on your credit cards

[e4tmyl33t]

Sorry, not a cashier. Computer Sales, actually. To me it seems like Visa's policy is just inviting fraudulent uses of their cards. Why the hell would I have a policy on my card that says "as long as this card is signed, you don't need to see any other ID if the cardholder doesn't feel like giving you any"? That just seems like plain old stupidity on Visa's part. I know about the whole "match the signature" stuff, which works sometimes, but given that we use electronic signature pads, and 75% of the time, the signature on the pad actually ends up nothing like the signature on the card, I always ask ID. I've had people personally thank me for checking their IDs because they know this fact.
Besides, who's going to stop someone from either signing a blank card or practicing enough to forge a signature?

Re:Write "SEE ID" on your credit cards

[LunaticTippy]

The sole merchant I've seen enforce this policy is the US Postal Service.

They must have been audited or something because for several months they had large posters explaining the policy.

They state that "SEE ID" is not acceptable. A helpful clerk told me to rub "SEE ID" off my card and sign it. I showed him my ID and he accepted the transaction. When I asked about this he told me it was Visa/MC policy not USPS policy.

Re:Write "SEE ID" on your credit cards

[Ph33r+th3+g(O)at]

There are numerous and known security problems with the credit card processing system as it exists today. The card companies have decided that it's cheaper to live with those problems than to fix them, leaving merchants and consumers to bear the cost.

In any case, whether the policy on Visa's part is ridiculous or not, it does exist. (MasterCard has the same policy. American Express does not--they allow merchants to check ID at their discretion. Don't know about Discover.)

With respect to Best Buy, it's pretty much a moot point for me because I go out of my way to avoid merchants who have their customers arrested for comparision shopping, using two dollar bills, or daring to demand an item for its advertised price, all of which Best Buy has done. Violating their merchant agreement is the least of their offenses. I hope the store you work for has more ethical management than the ones that have made the press.

Re:Write "SEE ID" on your credit cards

[e4tmyl33t]

We actually do, we have a Circui City not one shopping plaza down from us, a Walmart and a Target not more than a 5 minute drive away, and a large mall across the way. We actually encourage comparison shopping. Same goes for advert prices. If you see something advertised, you'll get it for that price so long as you meet all the requirements.
You'd be surprised how many people come in with an ad that clearly states that a computer is "649.99 after $320 in mail in rebates" and think that they're paying 650 up front. Then again, I live in the middle of an amazingly large concentration of rednecks and old people in Pennsylvania, so...
The two-dollar-bill thing I'm not sure on, but I know I'd accept it because it is legal tender after all...

Easy identity theft

[tsa]

My professor recently had his identity stolen. Apparently the thieves stole some of his mail from his mailbox, and opened a new bank account in his name by his bank. Then they applied for internet banking on his `real' bank account. When they had that, they could easily steal his money. I find it amazing that it is so easy to steal someones identity with this bank.

Re:Easy identity theft

[symbolic]

I'd say it's easy to steal someone's identity, PERIOD. Why? Because thanks to various government and commercial interests, our personal information is ALL OVER THE DAMN PLACE. I cringe every time I hear someone who wants a copy of sensitive information like a driver's license, a social security card, or a passport - it's just one more access point available to thieves. They just don't seem to get it - their methods might actually contributing to a potential breach of the very security they're trying to enforce.

I still prefer signatures.

[caluml]

I would much prefer to be able to carry on using my signature. Someone standing behind me wouldn't be able to knock me over the head, and go to a cashpoint to withdraw cash after seeing me sign my name. Sure you can forge them, but it's a bit harder than punching in 4 numbers.

Re:I still prefer signatures.

[yupa]

Yes but bank often don't check signature...

Re:I still prefer signatures.

I also prefer the signature route, and let's face it, even if you're not looking directly at the pad you can get a damn fair idea of the keys they've pressed.

I think we need some sort of portable finger scanner(PFS) or something. You know you carry it around with your keys or something, you walk in to the shop, you get whatever you want and when you go to pay for it you put in a pin code, your PFS bleeps, you swipe your finger and it confirms your identity. Granted people might feel this as a big brother scenario, but we already live like this anyway with store cards and what not, and to be honest I'd rather have that than be worrying whether or not someone has seen my pin etc.

note: the PFS would only work if you remember to take it with you, but then that's like forgetting your wallet or car keys (or house keys heh).

Re:I still prefer signatures.

[cowbutt]

I don't care. It's not my problem. I can refute a bogus signature, but it's potentially impossible to refute a correct PIN entered by a thief.

Re:chips won't work either. Nothing will

I just hope there will be some islands left then. Maybe these "islands" will be some central europe countries, would be nice, but I doubt it. :(

Oh lets just be controversial...

[kentrel]

...but maybe stupid people deserve to have their identities stolen. Better to have a smarter version of yourself out there if you're too fucking stupid to look after your money.

Re:Oh lets just be controversial...

[mam_bach]

Stupid people - or ill-educated. Or IT-illiterate. Or too broke to live elsewhere than in a part of town where the denizens would quite cheerfully hack off a body part to get enough money for the next fix, and definitely have no qualms about hitting you until you tell them your PIN ... (I don't live that way, but a couple of my students do)

As usual, its the little guy who gets it in the shorts. Like, the ATM in our local bank swallowed everyone's cashcards for a week, on the premise that 'you should by now have recieved your new chip n pin card'. The bank got round to sending them out two weeks later.

So several people were left unable to get at their nice (newly all-electronic) dole cheques.
Technology like this is great until you let it loose on real people and real bureaucracy

Re:Oh lets just be controversial...

Assume you have a chip in you.... I invade your home, point a gun at you or a family member and say give me some money. Are you going to let me kill you or a family member or are you going to give me my money.

It's not very hard to thwart, especially when it all depends on nothing more then a sequence of numbers.

How stupid

[AdamInParadise]

The whole point of the Chip&PIN scheme is that you're authenticated with your PIN, so you must keep this PIN secret. You can't keep your signature secret.

This is like saying "Login & Passwords schemes are insecure! If I give my login and password to my coworker, he can impersonate me! The sky is falling!"

Actually, the Chip&PIN scheme is better than Login/Password schemes since you need a physical device (the smart card) to perform the transaction.

If this new scheme forces thiefs to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.

I love this quote:

She claims this chip and pin technology, as it is called, has not reduced the problem of fraud.

The amount of "card-present" fraud in France (where this scheme is in use for about 20 years) is severals orders of magnitude lower than in other countries with similar caracteristics. Ok, the "Problem of fraud" has not been reduced, but the "Amount of fraud" has, and that's what matters.

Re:How stupid

[macemoneta]

If this new scheme forces thiefs to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.

Be careful what you wish for; social engineering comes in many forms.

[Points gun at head]: Give me your card.
What is the PIN? [Pulls trigger]

You've just been socially engineered out of your funds, and life. Raising the bar on security doesn't always mean it's harder for a criminal, or safer for you.

Re:How stupid

[Buran]

If anyone asks for your PIN, you can always give them a fake one, and they know this.

Re:How stupid

[macemoneta]

If anyone asks for your PIN, you can always give them a fake one, and they know this.

Not if you're standing at the ATM machine or in front of a WiFi connected laptop, and a bad PIN means your kneecap gets the first shot. The expectation that people behave in a certain way in respect to socially accepted norms, makes someone that doesn't abide by those norms very difficult for folks to deal with.

Someone in an earlier post mentioned the article in which a carjacker tried to steal a car protected by a fingerprint reader. The thief simply ripped the owners finger off and drove away.

Re:How stupid

[Buran]

And chances are they'll shoot you anyway, so I don't see an incentive to be honest with someone who isn't being honest to me.

Rip off my finger and I press charges against you for assault and worse.

Re:How stupid

[SuiteSisterMary]

I've said it before, and I'll say it again: Duress code. A PIN number that grants perfectly normal access to the account, but also flags the transaction, trips an alarm, and sets off all of the cameras and what not in the ATM booth.

Re:How stupid

[macemoneta]

I've said it before, and I'll say it again: Duress code. A PIN number that grants perfectly normal access to the account, but also flags the transaction, trips an alarm, and sets off all of the cameras and what not in the ATM booth.

That would be ideal. However, it means your bank would actually have to care about you in addition to your money and implement a duress code. I don't know of any that have. Not to mention that the police would have to care about protecting you; as they've publicly stated many times, it's not their job.

I don't think there's a perfect solution. Until technology can can read our minds to determine intent (and that brings its own problems), this is something that we have to live with.

Next security tech . . .

[SpeedyGonz]

Breath analyzers like in Aliens 4, and it'll get cracked, hacked, etc too like in minutes or something

Re:OFF TOPIC - Wood elves

If you mean the elves living in Lothlorien, then I/6.-8. are your numbers, elves living in Mirkwood are mentioned occasionaly but don't intervene directly (except of Mr. Bloom of curse [no it's not a typo]). Supplement B holds some info on the war on the edges of Mirkwood.
Fine... Took me 10 min.... Lemme check... Some taxes.. Yes.
It's 30$, tax included.Billing information follows.

Where there's a will there's a way...

[kentrel]

and there always will be

Re:OFF TOPIC - Wood elves

[Turn-X+Alphonse]

Thanks.

I'm working on some wood elf model display peices and doing as much research as I can and since I have the book here I figure may as well research it.

Re:chips won't work either. Nothing will

[FireFury03]

They were taking DNA samples in real time from people for access control.

I suggest taking a 2 - 3 litre blood sample per transaction for DNA testing :)

Care to back that up with sources?

[reality-bytes]

The absolute majority of RFID tags that could be embedded under your skin are passive devices with no power source. ie: they only respond when interogated by an external device and they really don't care whether they are alive, dead or even still attached to your body.

Active tags which have a power cell are around the size of a 10 penny piece are wholely unsuitable for placing under the skin and, of course, would require a minor operation every time the battery needed changing. (Oh, and just *pray* the cell never leaks).

Re:Care to back that up with sources?

Which is why pacemakers use a radiothermic power source. (Or whatever it's called.) Basically, you put a small amount of a radioactive substance (preferrably one emitting some relatively harmless radioation rather than gamma rays), and use the heat that gives off to power the pacemaker.

Re:Care to back that up with sources?

[arminw]

.......and they really don't care whether they are alive, dead or even still attached to your body......

Actually, a thermistor, a temperature sensitive resistor about the size of the period at the end of this sentence can send the chip temperature to the reader. No power source is needed in the implant.

Credit cards in the Philippines ...

[minairia]

I recently returned from a trip to the Philippines. One of the most annoying things about the shopping there is that they actually verify credit card signatures, and, if your signature is the least bit different on the receipt than on the card, a manager has to be called over.

Even the most brain 2 dollar a day cashier chicks carefully verify credit card transaction, and, if there's a question, they'll gather another two or three cashier chicks to cluck at the card before summoning a manager, who will then have to summon another manager sometimes.

One thing about the Philippines ... it is hot and Americans sweat like pigs there. On one really bad day, my sweat washed away most of my signature and I couldn't use my credit card until I got back to the States and no-one cared anymore ...

A friend of mine...

[sterno]

There was one friend of mine who simply put an X through everything instead of his name. Honestly it was probably far more secure because it at least gave the cashiers a WTF moment.

But this all does bring me to a question I've had: what's the point of that number on the back of the card? I mean it's just one more piece of information, sure, but it's not any harder to obtain than the card number and expiration date.

So what practical benefit does it really offer?

Re:A friend of mine...

[balloonpup]

Mostly, it's to prevent someone with a credit card recipt (or some such, as they don't include the CVV) from going online and buying stuff...at sites that check the CVV, anyway. Like checking the signature, it's only to get the accepting companies cheaper rates, and to provide a sort of security...at least, a little tiny more than you'd have otherwise. In practice, it's probably not worth much.

Re:A friend of mine...

As it's not physically embossed on the card, means an old-fashioned card receipt swiper won't copy it.

What relevance that has today, of course...

Re:A friend of mine...

[saskboy]

It is only on the opposite side of the card from the other info, so if you only have the image of the front side, you can't use the card in some places.

Re:A friend of mine...

[cowbutt]

Also, the CVC isn't supposed to be stored in databases. Of course, that hasn't stopped some vendors from doing so... shortly before their database was stolen!

Re:A friend of mine...

[ddent]

The point of the number on the back of the card is that it is not on the magstripe, and thus does not get automatically captured as easily.

Incidentally, I believe it is in fact merely some kind of transform of the card number and perhaps also the expiration date.

Re:A friend of mine...

[Carnildo]

It's to prove you have physical possession of the card:
1) It's on the back, so you can't get it by photographing the card
2) It's not in the magstripe, so you can't get it from a reader
3) It's not in raised numbers, so you can't get it by making a carbon impression of the card

New Tech mostly usless

[Efialtis]

The reason that newer technologies fail is the ability of the criminal to adapt to all the security flaws inherant in every new technology...
The only way to be secure is to use more than one security technology...
For instance, you have cards that are read by proximity detectors...all I have to do, as a bad guy, is get a reader and scan people as they walt past me...store the data, and copy it into new cards...bingo!
What we need is more security, not more technology...
For instance, a smart card credit card that has a thumb print scanner pad built in. When you process a transaction, it powers the card, scans your thumb, asks for a PIN, and you complete the transaction. The odds of someone else being able to crack the thumb scan AND the pin go down...
All of these systems can also use handwriting analysis, face recognition, etc...
RIFD is waiting for the right moment to be "scamed", because it is a "reader" technology...get a reader, get an identity...

WHAT'S THAT SUPPOSED TO MEAN??

[ben0207]

...No, I mean what does "exacerbate" mean?

no big threat from 'hackers'

[FruFox]

If the "mark of the Beast" implanted chip is RFID, then it could be put pretty much anywhere on the body, so a potential mugger would have no idea where to find the chip to 'hack it out'.

In the future, a sign of intimacy and trust could be to tell someone where your chip is. And the idea is to reduce fraud. Way fewer people would be willing to murder and dismember someone than are willing to just threaten someone with a weapon and take their money.

Me, I'm too poor to pay to use my money, so I just carry cash and rely on being a big hairy freak to keep me safe! :)

Re:no big threat from 'hackers'

[meringuoid]

If the "mark of the Beast" implanted chip is RFID, then it could be put pretty much anywhere on the body, so a potential mugger would have no idea where to find the chip to 'hack it out'.

Nope. Revelations says it has to be in the forehead or the right hand. Technical considerations are all very well, but if you were to put the chip in the buttocks then not only would you make the whole enterprise a bad joke but you'd make the Bible into a colossal LIE! HERETIC! UNBELIEVER! You will burn in the pits of HELL for your abominable blasphemies! The unforgivable sin against the very Holy Spirit! Loathsome bastard child of Beelzebub, infernal worker of the Adversary's indescribable horrors!

... um... sorry. The doctor says my computer time is up now, and it's time for my pills.

Who needs eyes?

[divisivemind]

While biometrics and/or embedded chips would ensure additional security for the average transaction, I'm not looking forward to purchasing additional dismemberment insurance for when some thug decides he wants to mug me. Biometrics might just make using my credit card harder to do without riping out my eyes or dismembering my fingers/hands/arms. No need to encourage that behavior. Its probably best to keep cash/cards easily accessible so you at least have a chance of surviving the encounter. After all, how safe is your identity if you're dead?

Re:Who needs eyes?

[Detritus]

I've read about a number of local cases where the thug kidnaps his victim and takes him to a cash machine, forcing the victim to make a withdrawal or be shot. These are the same dead-enders who switched to carjacking when it became too difficult for them to steal unattended cars.

Re:Who needs eyes?

[hlh_nospam]

No need to encourage that behavior.

No need to encourage that behaviour, indeed. I live in a state that allows me to carry a concealed handgun, and I am certified to teach the state concealed handgun course. The most effective deterrent is the occasional would-be thief that is shot by his intended victim. This encourages thieves to move to areas that require potential victims to be unarmed.

From the article...

[ttsalo]

"Instead of using stolen cards, criminals are now taking over people's identities and applying for cards in their name. If you think about a credit card application, it doesn't actually require much information about an individual that can't be found out with a little bit of research."

Oh please! Because the authentication of people's credit card applications is completely broken, the problem of cloned and stolen cards shouldn't be fixed? I'm the first to admit that technology alone isn't enough, but this absolute stupidity of authenticating people by "personal" "secret" information has got to stop. (And no, trying to fix that by safeguarding the info better will never work.)

Re:Who says..

[marco13185]

Cash Payments: The return of at the door paying.

At the door paying: The return of lost money in shipping.

Lost Money in Shipping: The return of online credit card payments.

BTW, the point of credit cards is not to have to lug around tons of cash, and not having to have your account full. If you know how to manage your money, you can say goodbye to paying interest on a credit card bill.

Note: Credit Cards not reccommended for those who spend more than they make.

Re:w00h000, my university makes slashdot :- )

[Toby_Tyke]

combined IQ of a single McDonalds worker

If you're so smart, explain how you combine a single item with itself?

Emedding chips will not stop ID theft

[erroneus]

It will only make ID theft more gruesome.

And as another poster has put it so clearly, why do we even NEED credit cards? At present our debit system works well enough. I have stopped using credit cards long ago. I still buy stuff (albeit less stuff I don't need since I have to think more about what I buy) and my bills are paid reliably.

In my view, only two things require credit -- houses and cars. For some people, cars don't require credit either... lucky them. But for anything else, there's cash.

Re:Emedding chips will not stop ID theft

A two reasonable reasons:
*Credit cards have more lenient "insurance" policies in the case of theft and mugging vs. debit.
*Online transactions can only be practically done with credit cards. (And w/ less fraud loss if you have one time amount credit card #s)
And the main (bad) reason:
*It's more convienient, responsibility wise and usage wise.

But debit cards can become like that. They're not although.

Re:Emedding chips will not stop ID theft

[initialE]

Well at least it does reduce the number of people capable of stealing your ID to the people you come in contact with. I mean, it's not like they can do it all the way from nigeria...

Re:Emedding chips will not stop ID theft

[fuzzybunny]

And as another poster has put it so clearly, why do we even NEED credit cards?

You want the lag time; a lot of credit cards give you a security mechanism insofar as it's the merchant's responsibility to verify the identity of the purchaser. You can dispute a fraudulent transaction; the CC company subsequently nails the merchant for it. I doubt that this would be as easy with a direct debit transaction, where the money is already in the hands of the merchant.

CCs are also a very good mechanism for security deposits without having to resort to giving actual money to, say, a car rental company in Mexico; if they decided to screw you and not give back the $500 they've blocked off your card as a deposit (after your holidays ended and you've gone home) you'd probably have a more difficult time getting your bank to retract the payment than just calling Visa and saying "yo, fuhgedaboudit".

Furthermore, a lot of people enjoy having an amalgamated monthly overview of their transactions _before_ actually paying their bills (I do), while CC companies love the exorbitant interest charged for non-payment.

So no, nobody "needs" credit cards, but they sure make life mighty convenient.

cashiers asking for ID

The cashier didn't ask for the coworker's ID probably because he looked like a non-threatening white person.

My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.

I don't mean to turn this into a race issue, but it cannot be ignored.

Re:Who says..

[macmattman]

Note: Credit Cards not reccommended for those who spend more than they make.

Truer words were never spoken.

Re:w00h000, my university makes slashdot :- )

[trickyrickb]

I work in a bookies in Norwich and i can tell you the idiocy of the shop worker is nothing compared to the idiocy of the customer. I have a number of regular punters who have gotten sick of continually entering their pin to pay for their bets so now they have me enter it in for them, they also leave their cards with me. It makes using MY chip and pin very difficult as i can never remember which pin is mine!

Re:chips won't work either. Nothing will

[32771]

Especially from the guy with talking hump syndrome - THS.

Nothing to see here...move on

This article is nothing new. THat chip and pin does not increase security was shown by Ross Anderson (author of "Security Engineering") et al http://www.finextra.com/Finextra-downloads//featur edocs/spin.pdf. That people do not correctly verify credit card signatures was shown by zug.copm http://www.zug.com/pranks/credit_card/

Sig is that you agree to cc contract terms

[amcdiarmid]

not to enforce/validate who you are. I beleive that the seller is supposed to validate your identity with other documents. (not that it is done.)

embedded chips under the skin?

[ElDuderino44137]

I'd be happy if they'd develop a single customer loyalty card. My key ring / wallet can't take much more of this.

Re:Who says..

[rooster9]

True. When I was 14, I also didn't need a credit card. Then I grew up and either had to begin carrying aroud hundreds of dollars cash in my wallet to pay for things such as hotels, rental cars, Blockbuster memberships, etc.

Re:w00h000, my university makes slashdot :- )

Uhm, I'd be a bit careful about that, there's always a small chance it could be a scam where the customer arranges for some "false charges" on his card and tries to set you up for the blame.

Wait one minute, your not Doc Ruby

[infonography]

I know Doc Ruby, you stole his identity!!!

Moderator! Moderator! Moderator!

Take this imposter away!!!!

Re:Wait one minute, your not Doc Ruby

[Doc+Ruby]

OK, Doc Ruby, enough of the jokes. You can stay logged into that web terminal left unattended by infonography, but let's keep our little ruse to ourselves.

Re:Wait one minute, your not Doc Ruby

[infonography]

heh heh

Re:Wait one minute, your not Doc Ruby

I thought you were Duck Rubby.

Re:w00h000, my university makes slashdot :- )

[fallscrape]

gah trollified and made a fool of in one post.

I'll finish this evening by writing 100 lines...

I must only lurk on slashdot
I must only lurk on slashdot
I must only lurk on slashdot

Confindence

The use of a credit card is the same as having "cash", it is the confidence in the idea that is important. If someone flooded the market with millions in couterfeit notes, noone will accept them, hence the notes themselves become worthless. The same applies for credit cards. The point is that the vast majority of transactions are not fraudulent, so we (and the whole system) is happy with the status quo.

Work in progress

[Cash202]

...there is no patch for human stupidity.

They're working on it. It's called Smack-Me-Smart.

They take people who are stupid, like really stupid, can't get any dumber stupid.

Then they hit them, until the stupid comes right out.

This process is often implemented in 3rd World Countries and states like Texas and Florida, onto children and wives.

The process is not yet perfected, but it is a work in progress.

Experts talking complete bollocks as usual

[astonishedelf]

No one ever said that Chip and Pin would totally eliminate fraud. Of course, career criminals would find a way around the system. Perfect systems would be too costly in other ways, such as time taken to verify ID, and so on. What it will do is reduce the amount of casual fraud. Having spent fifteen years practicising criminal law in the UK, my experience is that a lot of credit card fraud is opportunistic. People steal your wallet or purse and then use your credit card. The record in my experience is the card being used within five minutes of being taken. This is now impossible. A large amount of credit card fraud of low value has been committed by drug addicts engaged in casual theft to fund their drug habits. Chip and Pin will reduce this kind of theft. It is not a cure-all and no one ever pretended it was.

Re:Experts talking complete bollocks as usual

[hesiod]

> card being used within five minutes of being taken. This is now impossible

If that's impossible, how is ANY CC fraud possible? How can you not be able to use a card in five minutes, but can later?

Or did I completely misinterpret those two sentences?

Re:Experts talking complete bollocks as usual

[astonishedelf]

Sorry, should have been more specific. I was referring to physical theft of a card and the forging of signatures. The looking over of shoulders for PIN numbers is an overstated possibility. Once people get wise to this, the number of such incidents will drop. The timescale refers to how quickly a simple card fraud can be executed. Of course, you can also take more time. The problem of course is the longer you leave it, the more likely it will be to be reported stolen.

Re:Who says..

It's called a DEBIT card. Takes money right from your bank account.

HTH. HAND.

Who benefits?

Who benefits from the one-time passwords? The banks. Wait, what about the $50 fraud you brought up? That gets eaten by the banks, not the customer. Name one major MC or Visa issuer that does not waive the first $50. While I'm sure you could find a single one, most all issuers do waive that fee. So, the customers don't care. Personally, one-time passwords seem to be a hassle. Why carry around a fat keychain instead of a simple credit card? Why shop around for merchants who have equipment that can support one-time passwords? Pff, I'll just use my card and report any fraud I catch. Not my problem.

Re:Who benefits?

[Doc+Ruby]

The $50 cutoff is the "deductible" that the cardholder is responsible for, and is often not waived. Especially in online fraud. And, because many people know they're supposed to be responsible for those "small" thefts, they often don't try to recover that amount, because they agreed not to hold the banks responsible. Then there's the bigger threat I mentioned, where ID thefts are the setup for a later, bigger theft, often not traceable directly to the CC ID breach.

What makes a pluggable chipcard a "fat keychain"? If a Flash/ROM keychain or card can hold multiple OTP authenticators, or even a single personal one that registers its sequence seed with multiple counterparties, that wallet gets thinner, not fatter - and keeps more of its money. And becomes easier to use than insecure cards which require handling by untrustable, unaccountable intermediaries.

Re:Who benefits?

You're a lying sack of poo, or you're completely ignorant. I've had dozens of those !@#$ credit card applications flood my mailbox in the past month, all that waive the $50 deductable. The only ones that I've seen that don't waive it are the fake credit cards that require a deposit, or the ones marketed for people with really bad credit. By the very act of waiving the fee, the banks are saying that customers are _not_ responsible for the fraud. Duh. Lastly, do you know what the reporting requirements are for fraud? I'll tell you. You must notify the bank anywhere from 24-48 hours _after_ the fraudulent charge comes to your attention. That is one slack reporting requirement. Customers are not responsible for fraud.

Once the infrastructe is in place for OTPs, wake me up. Until then, have fun driving your methane care between the two fuel stations.

Re:Who benefits?

[Doc+Ruby]

You're a fucking asshole, and ignorant, too. When you try to get out of a $45 ripoff, you get hassled at every turn. Some companies offer to waive their liability limit, some don't. Some of the ones who "waive" it make it difficult to do so. Some have reasonable terms for turnaround time, some don't. All are bound by a law which sets their liability only above $50, and some compete by extending that down to $0. But by no means all. And, as I've said in every message in this thread, the bigger threat than the goddamn $50 is the later theft of something really big, after enough time has passed that you're not paying attention to where the original ID theft occurred.

On top of everything else, the bankruptcy bill passed by Congress this year removes liability for ID fraud debts from banks, and leaves it on the consumer - even when the bank is responsible for the ID theft and consequent fraud.

Now, I don't know what the hell you're talking about with your bizarre brainfart about a "methane car". But I'm perfectly happy to leave you nodding off in whatever fumes you're emitting, while the rest of us with sense look for better security in our financial transactions.

Chips under skin, I'd rather not

[azbot]

I prefer the current good old theft of identity. It seems physically less painless. I rather not have to lose a limb/digit/section of skin when a "career criminal" wants my credit.

Simple reason

[infonography]

If the credit companies wanted a signifigant change in the way things were done it would have been changed long ago. So called losses to fraud aside the net gain is on claiming losses against tax and dividends have enriched them beyond all measure. It's all funny accounting you will never read about in the WSJ.

Businesses use the cost of business to determine their profits. Losses from the year are deducted from the companies net profit and they would prefer that the net was as low as possible. In their yearly taxes they 'write off losses' and claim them as part of the cost of doing business.

Weither it's bad debts or some form of thieft. Their net gain is in THIS YEAR's writeoff. Should they collect a bad debt a year or 30 years from now is simply gravy. It won't be counted as part of that years income as it was a past debt and nobody will research it deep enough or even notice. NOBODY CARES ABOUT DELAYED INCOME. Income delayed will be added to the income of the year it was created not the current year. The bean counters will go back and adjust that years books to show a profit then. An audit won't pick it up because the books are in house and the IRS only has what they were given and all the info from that year will jive with the stated amounts. Receipts from different years will be ignored even though they are in context with the debt as a unit.

That's why the debts you may get calls about are marked as written off in your credit reports, but they still want the money.

Re:Simple reason

[Doc+Ruby]

The banks have higher priorities worth more money that take the time of their "business reengineers". Like getting the bankruptcy and estate tax laws rewritten to fleece most Americans to protect the already obscenely rich - including most bankers.

Thanks for the link

[Lifewish]

After clicking through into a few related sites and forums, I am having some trouble getting to sleep...

The bigger mystery

[Beryllium+Sphere(tm)]

is why companies have started to roll out one-time-only credit card numbers but haven't pursued the projects.

American Express Private Payments, Discover's DeskShop, SecureClick from Cyota, MBNA ShopSafe are all hanging fire or dead. The Virtual Mastercard Program has almost vanished from Googlespace.

Here's the problem

[CastrTroy]

The problem is, Credit cards with high limits, and no real security. Why do we really need credit cards with such high limits on them in first place. Maybe it would be nice if they had to go through a couple hoops to pay $5000 for something. Something like the bank cards with a daily spending limit, so that you don't get screwed out of too much if something does go wrong. Also passwords would be nice to protect credit cards. Let me use a 20 digit password too. The human mind is capable of remembering 20 digit numbers. Why can't I use one? People remember thousands of digits of Pi, I think most people could memorize, a 20 digit number, especially with the frequency at which some people use credit cards. The real problem in the end is the amount of credit available to people, without enough real checks as to who you really are. Getting a $10,000 credit card/loan, or a mortgage should require about the same level of security as getting a passport. Most people don't spend that much money that fast. It wouldn't inconvenience too many people.

Re:Here's the problem

A lot of people apply for credit cards almost as a personal loan.

I got a Platinum Amex (now one might argue that with sufficient income to be eligible, I should have been able to save of my own accord, but anyway) to finance an overseas trip.

Card arrived in mail that morning. 15 minutes later I'd rung Amex and activated it. 10 minutes later I was surfing travel.com.au and 10 minutes after that I was typing my new credit card number in, purchasing $5000 in airfares.

Adapting Strategies to Biometric Data

[Takumi2501]

From TFA:

Dr Finch's research leads her to doubt that any scheme for national ID cards will work, even if it is backed up by biometric data such as eye scans - because the criminals will simply adapt their strategies to try to get around the hurdle.

I wonder how that would be accomplished. Steal your eyeball? I think that might look a bit suspicious.

Mark Of The Beast.. NOT!!

[Halvy]

For those who 'claim' to be concerned about not taking the mark of the beast by means of a chip or tatoo, let me remind you of what the Bible says about prophecy.

And that is, NOONE knows about whether a prophet or prophecy is true, until it either comes to pass (or not).

Now this may seem simplistic, but by listening to the majority (of hypocrites) who claim they are 'affraid' to have chips for any reason, I say that God's instruction in the book of Revelation on this matter is vague for a reason. Which is, to make people like the Anti-Christian Church (aka as the 'Christian' churches of today) look like the liers that they are in such matters.

Anyone (as low as 3rd graders) can read the Bible for themselves and see that the people during the time of this 'Mark Of The Beast' will be 'deceived', which is not only NOT a sin, but clearly shows that anyone who claims to know exactly what the Mark acually is, is a deciever and false prophet themself.

As far as the chip implant being hoisted on everyone in the future by the owd (one world government types), there must be other motives lurking here since everyone knows that the cat & mouse game that the cops and so called 'bad guy' play is not going to be any different once the chips are perfected (and or implemented in mass).

To claim or think the chips will be a panacea to protect 'corporations' or consumers from fraud, or parents to protect their children by being able to have them 'tracked' continuelly 24/7, is a fraud in itself which needs to be prosecuted immediately under any applicable conspiracy laws as well.

These chips will still be subject to alteration by the people who 'get them', by the simple means of having new ones implemented and/or re-programming the firmware.

The government is trying to pull the wool over our eyes-- just like they did (and still do) concerning 'irrefutable' DNA evidence.

Most people STILL to this day believe that DNA evidence is a 100% accurate-- sure-fire-way to prove someones innocence or guilt.

Well anyone with enough fortitude to stop and think about how dna is collected will know that this is simply NOT the truth.

For instance, in the 'old daze' cops needed to find a strand of hair, blood or other items to try and 'connect' someone to a crime.

This was hard since these items are 'usually' not left at the scene.

It would be almost imposible for a 'bad' cop or anyone else for that matter to 'set-one-up' this 'old' way of using evidence, because it was so hard to find this things (blood, hair, etc) just laying around.

However with dna.. if a bad-cop wanted to 'frame' you...all he needed to do, is follow you around.. and wait for you to throw a cup away that you drank from, or a tissue you wiped your nose with, or even dirt from your nails (and i think finger print oil).

Sooo what we have INSTEAD of a 'fool proof' way to catch criminals-- we have just the oppposite-- a way for the cops (government) to set up 'malcontents' or any other citizen who a 'over zeolouse' cop may want to 'frame'.

Likewise these chips will therefore be used by governments to 'mess up' malcontents credit at will.

These chips will be used by this same evil government (as we have today) to monitor our children all-right.. but for the same reasons they currently monitor citizens en mass who have not nor will not commit any crimes.

Sadly we will ALL be guilty-- if we let these liers, homosexuals and vicioius killers who currently run our government, to so easily 'keep track' of our children by this so called 'legal' stalking.

yea, excuse me Mr. (anti) 'Christian'..

[Halvy]

Explain your refusal to 'fight' the chip.

Just because you 'believe' that you won't be here to suffer with everyone else (like Jesus did), then why would you be a conspirator to this evil chip system by way of walking away from any responsability in 'fighting' it with all-of-your-might.

I already know the answers.. I am just doing to this to shine the light on people 'like you'-- for those that my actaully consider what you say to be the truth.

Re:yea, excuse me Mr. (anti) 'Christian'..

[Punkrokkr]

I did not say I was a 'conspirator,' just that I don't see much of a point in fighting what (from Biblical prophecy) is bound to happen.

Perhaps my wording made it seem that I was too apathetic about this 'chip.' However, my viewpoint is that God said it's going to happen. I believe that it will happen in His timing. Therefore anything I may do to 'fight' it in coming would be fruitless anyway.

Another reason I don't really see the point to fight the 'chip' is that it needs to happen. Our society is being pushed closer and closer to needing something of this sort (identity theft is rising, etc.). My take on Revelation is not that the 'chip' in itself is bad, but that to take the chip one must worship the beast, which is bad. From a technological standpoint, having an embedded chip seems to be a good idea.

Finch is flat wrong

[swillden]

Not in saying that criminals won't adapt, and I won't comment on whether or not better identity cards will reduce identity theft, but the article says she claims that:

this chip and pin technology, as it is called, has not reduced the problem of fraud.

That is absolutely false. The criminals she talks to may describe ways they try to work around the technology, and there's no doubt that they're frequently successful, but the card issuers and acquirers do keep track of how much fraud they have to deal with, and the statistics show that it has dropped like a rock. Card-present fraud perpetrated by individuals other than the cardholder has dropped by over 95%. Fraud by cardholders (which includes identity theft fraud), both card-present and card-absent, has also declined significantly, which is really significant, since a certain amount of fraud that used to be attributed to non-cardholders is now classified as cardholder fraud.

The chip and PIN program in the UK has been an absolutely fantastic success from a fraud standpoint.

Harrumph

[ScrewMaster]

Social engineering will continue be effective until we can engineer some anti-social people.

C&P is a good development

[ecloud]

I think C&P represents pretty much exactly how much security we need for ordinary transactions. The next obvious step beyond, for extra security, would be biometrics, or implanted chips, and I see 2 big problems with that - 1.) a would-be thief has to escalate from mere theft to assault in order to be successful. That is, if your hand is being used for biometrics, then the probability that some day it's going to get cut off by a mugger goes up quite a bit. The same goes for any other body part. 2.) Obviously biometrics or implants will ring alarm bells in a lot of people's heads (mark of the beast, 1984, whatever). So there just isn't any point in trying that anytime soon. But durable, reliable, multi-purpose smart cards are exactly what we need.

I would like to see multiple cards get replaced with multi-purpose smart cards though. Mixing government, commercial and medical uses would be bad, but at least have a single smart card that can handle all the commercial uses - various credit and cash accounts, public transportation, loyalty tracking etc. There's no reason it couldn't be secure; there simply needs to be strict testing & enforcement of relevant standards to make sure that the information on the card stays partitioned by owner, and that partitioning is physically impossible to violate. E.g. Safeway can't get your Fry's loyalty ID nor your financial stuff nor personal info of any kind without your consent, and without revealing exactly which items they are reading. Every partition must be protected by a different private key, which is only ever stored on the card and never read out. But I think the smartcard standards for this behavior are already in place. Certainly with iButtons it's possible. And iButtons would be another very good alternative to smart cards, but in the end there should be just one good standard.

Another possible step forward from there would be the wireless smart cards, but people have privacy issues with those. But that scenario shown in that commercial where the guy pushes a shopping cart right out the front door and automatically gets charged for everything, is only possible if RFID is used both for tagging the goods and in the debit card.

I'm just sick and tired of carrying so many cards, and having them rub together and destroy each other's magnetic strips. About damn time they start using smart cards.

Of course we'll all have to start using smartcard readers at home, in order to buy anything on the net. I'm surprised it hasn't happened sooner, outside of a couple of trials.

And a good consequence of computers generally having smartcard readers, is that they can be used to log in as well. No more usernames and passwords to remember, potentially! (Except for paranoid sysadmins who inevitably will worry about the cards getting stolen, and continue to require as much extra authentication baggage as they can get away with.) That's the other huge authentication pain-in-the-ass that needs to be eliminated once and for all. I can deal with one card and one PIN for everything, and even with being required to change the PIN every few months, but any more than this is just wrong.

Re:C&P is a good development

[megrims]

I hope that's not a 4 digit PIN you're referring to...

This dipshit has never had a merchant account

[mrmike37]

Wrong dipshit. You've never had a merchant account. The merchant take the loss always. It's easier to file criminal charges then to win in a card holder dispute (true story). The banks act as intermediaries, that's it. Either the card member or merchant is taking the loss, unless you sue the issuer for negligence (which I've done).

Confirmed.

[foxxygirltamara]

I have had zero issues using my boyfriend's debit card, occasionally as credit if debit is not supported. I guess if they always require photo id it's not so much of a possibility but all people really do is compare the name and not the pic. This theory has been tested on multiple occasions and only once did I get challenged (which I simply talked my way out of). It's terrifying.

Look at the facts, UK and Europe

There is absolutely no doubt that chip and pin lowers credit card fraud. Look at the difference in rates, UK and Europe. Up to a few months ago, UK did not have chip and pin, but the Continent did. The Continent had had it for years. The UK press for the most part behaves as if it was a great innovation, and they publish stories about its pros and cons as if it was being implemented for the first time anywhere. You notice that the BBC story makes no reference to the Continental experience. Of course, any security can be bypassed, but that isn't the issue. The point is that if British credit card fraud falls to European levels, everyone will be far better off. Not least, because terrorists will find it harder to fund their habits.

Reading the British press you do sometimes feel the British must be living on an island somewhere in the middle of the Atlantic....

CORRECTION by parent

[slim]

I'm in the slightly embarassing position of having been moderated up a number of times for what turns out to be misinformation.

See here for my correction

This is hardly a new problem. . .

[werfele]

"Would you like me to fill it up, Mrs. Nussbaum?"