Slashdot Mirror
New Identity Theft Technology Fails to Protect
Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
Wrong. In the UK if the merchant users chip and PIN and the transaction is fraudulent, the cost is born by the card company, no the merchant.
Dr Finch says criminals have told her how they now look over people's shoulders to see a person's pin being entered on a keypad and then attempt to steal the card at a later date.
It's called shoulder surfing, hardly new.
"I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
In the US, your liability in the event of loss/theft if your credit card is limited by law to $50 (provided you inform the bank as soon as you realize what happened). Debit cards have no such protection beyond whatever contract you and the bank agree to. Therefore, If you insist on using a debit card where you would previously have used a credit card, it behooves you to not only read the contract thoroughly, but also consult a lawyer as to the enforceability of the contract.
Can you be Even More Awesome?!
This is slightly different from the credit card prank. In the US signatures have never been checked that thoroughly, but in the UK the majority of staff used to be quite careful about checking the card details.
Since chip and pin was introduced they barely look at the card (many don't even take it from you - they just ask you to put it in the card reader).
That makes him sound like a Luddite. I think he was more to the point when he said, "Security is a process, not a product."
You are only partially correct on debit cards. While there is no law limiting liability, the Visanet agreement your bank signs to let them issue (Visa) credit and debit cards requires the same liability protections on debit cards as well as credit cards. I don't know if Mastercard requires the same liability limits on debit cards as credit cards but at one time they did not.
Prior art
"many don't even take it from you - they just ask you to put it in the card reader"
I remember when something similar happened over here. I was working as a cashier at the local supermarket during summer and winter breaks. Up to one summer everything with credit cards was done by us at the register, there is a keypad for entering pins directly across from us. That winter there are card readers installed, the generic for credit and debit cards ones you see everywhere now and they were further away from us, so the only time we even saw the card was when the customer ran it through the reader, no checking of the card. Apparently there was some scare/popular rumors that store employees were stealing credit cards or card numbers at the checkout counters. Yes, when someone's in a hurry and rushes out leaving their card on the counter it was "stolen" by that kid at the counter, not accidentally lost/left by a distracted customer and properly turned in to the management by that kid. As far as stolen numbers, I think it was done by people with assess to the store's database of credit transactions. I can understand the desire to have the card never leave the posession of the customer. Now someone can steal a credit card and walk into a BestBuy or other store with expensive easily resellable items and make a major purchase and not have the payment method checked, there's the assumption that the person with the card and pin is the owner. Don't you just love the tradeoff between convenience and security. Most credit card companies and banks now offer some fraud protection to cover from the time the card goes missing until it's reported lost/stolen. As for shoulder surfing, the keybad should be recessed blocking the view of anyone not using the keypad, too many card readers are too out in the open.
F7 doesn't work, ignore spelling and grammar
Merchants who accept your Visa card which is unsigned (or is signed SEE ID) are in violation of Visa policies. Visa has specificially stated that cards signed with SEE ID must not be accepted for a transaction.
From a letter I received from Visa:
"Please be assured that merchants may not refuse to honor a Visa card simply because the cardholder refuses a request for supplementary information. The only exception is when a Visa card is unsigned when presented. In this situation a merchant must obtain authorization, review additional identification, and require the cardholder to sign the card before completing the transaction."
No need to encourage that behavior.
No need to encourage that behaviour, indeed. I live in a state that allows me to carry a concealed handgun, and I am certified to teach the state concealed handgun course. The most effective deterrent is the occasional would-be thief that is shot by his intended victim. This encourages thieves to move to areas that require potential victims to be unarmed.
Concealed Handgun License Courses in Plano, Texas
I would also like to point out that with a signature you can get an expert witness to determine that you are not the one who signed, but the only possible PIN recourse is if you can prove you were elsewhere AND had your card with you. (Otherwise they can claim it was used with your permission!)