New Identity Theft Technology Fails to Protect

Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

As the T-shirt says

[Emeye]

...there is no patch for human stupidity.

It was said better...

[greginnj]

and earlier, by Schneier:

"If you think technology will solve your security problems, either you don't understand the technology, or you don't understand the problems."

Credit card companies don't care

[bigtallmofo]

Why would anyone think that the credit card companies would ever care about identity theft? Sure, it does cost them some money. But by far the cost of identity theft is placed on merchants. If someone disputes a charge on the credit card bill, the credit card companies merely take the money back from the merchant.

As a glaring demonstration of how unconcerned credit card companies are about theft, on the same credit card I had someone fraudulently use it three times. Each time I asked for a new card with a new number on it. Each time the issuing bank (Citibank) said, "Let's just wait to see if it happens again". I had to insist on the third time because I was sick of dealing with it.

When they can just pass costs onto merchants and consumers, is it any wonder they're designing ineffective solutions?

Cat & Mouse

[mysqlrocks]

It's always a game of cat & mouse. Everytime they come out with a new technology to protect people's identities then the "bad guys" will come out with a way to break that technology.

Take my cards, dont' rip my arm away !!!

Considering the level of violence some criminals (drug addicts etc) are willing to use on their victims, I'd rather keep my money/cards on my wallet and don't want to have any hard-to.remove RFID chips at my arms.

Credit Cards

[flajann]

Security is an illusion; Credit Card security doubly so.

There is no substitute for hard Commonsense. Signatures are meaningless. Retailers are interested in making the sale and not annoying the customers with suspicion.

In my case, my signature cannot fit on that tiny space provided on the credit card, and so resembles nothing like it. Most clerks will make a perfunctory "check" of signatures, if they even bother.

Regard your credit card like you would cash, since there is little more security involved. Though, most institutions that issue Credit Cards and increasingly Debit Cards will give you a chance to dispute charges and have them removed.

Re:Credit Cards

[macemoneta]

While the limit is the same, the impact isn't. If a credit card is used improperly, your credit limit is temporarily reduced by the pilfered amount, until the state of the card can be restored. If a debit card is used improperly, your assets are temporarily reduced until the bank restores the funds.

The result of the first is that you may have to limit purchases for a while. The result of the second is that transactions in progress (bills, taxes, and other debts paid) may fail. You will likely be held accountable by those independent institutions for the failure. Even if the result is that they accept the delay, you will likely spend considerable time correcting the situation.

If you are going to use a debit card, create a separate account exclusively for the purpose. Limit the funding in the account to the amount you feel comfortable being without for an arbitrary period of time.

Remember, a debit card is advantageous to the bank, not to you. All things being equal (payment made when requested, so no interest charged), credit cards allow you to utilize the month of float (a short term interest-free loan). A debit card allows your bank to do the same - with your money, and without paying you for the privilege.

Re:Credit Card prank

Taking your signature isn't actually a security feature per say, but rather a cost cutting procedure.

Since there is less credit card fraud associated with places that take your signature, they get lower rates to accept credit cards. As opposed to say, someone who just takes your number and your expiration date.

The more "security" policies that you state that you will require, the cheaper you can make your "dues" or "fees" or whatever the CC companies call them.

How stupid

[AdamInParadise]

The whole point of the Chip&PIN scheme is that you're authenticated with your PIN, so you must keep this PIN secret. You can't keep your signature secret.

This is like saying "Login & Passwords schemes are insecure! If I give my login and password to my coworker, he can impersonate me! The sky is falling!"

Actually, the Chip&PIN scheme is better than Login/Password schemes since you need a physical device (the smart card) to perform the transaction.

If this new scheme forces thiefs to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.

I love this quote:

She claims this chip and pin technology, as it is called, has not reduced the problem of fraud.

The amount of "card-present" fraud in France (where this scheme is in use for about 20 years) is severals orders of magnitude lower than in other countries with similar caracteristics. Ok, the "Problem of fraud" has not been reduced, but the "Amount of fraud" has, and that's what matters.

Re:How stupid

[macemoneta]

If this new scheme forces thiefs to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.

Be careful what you wish for; social engineering comes in many forms.

[Points gun at head]: Give me your card.
What is the PIN? [Pulls trigger]

You've just been socially engineered out of your funds, and life. Raising the bar on security doesn't always mean it's harder for a criminal, or safer for you.

New Tech mostly usless

[Efialtis]

The reason that newer technologies fail is the ability of the criminal to adapt to all the security flaws inherant in every new technology...
The only way to be secure is to use more than one security technology...
For instance, you have cards that are read by proximity detectors...all I have to do, as a bad guy, is get a reader and scan people as they walt past me...store the data, and copy it into new cards...bingo!
What we need is more security, not more technology...
For instance, a smart card credit card that has a thumb print scanner pad built in. When you process a transaction, it powers the card, scans your thumb, asks for a PIN, and you complete the transaction. The odds of someone else being able to crack the thumb scan AND the pin go down...
All of these systems can also use handwriting analysis, face recognition, etc...
RIFD is waiting for the right moment to be "scamed", because it is a "reader" technology...get a reader, get an identity...

Who needs eyes?

[divisivemind]

While biometrics and/or embedded chips would ensure additional security for the average transaction, I'm not looking forward to purchasing additional dismemberment insurance for when some thug decides he wants to mug me. Biometrics might just make using my credit card harder to do without riping out my eyes or dismembering my fingers/hands/arms. No need to encourage that behavior. Its probably best to keep cash/cards easily accessible so you at least have a chance of surviving the encounter. After all, how safe is your identity if you're dead?

From the article...

[ttsalo]

"Instead of using stolen cards, criminals are now taking over people's identities and applying for cards in their name. If you think about a credit card application, it doesn't actually require much information about an individual that can't be found out with a little bit of research."

Oh please! Because the authentication of people's credit card applications is completely broken, the problem of cloned and stolen cards shouldn't be fixed? I'm the first to admit that technology alone isn't enough, but this absolute stupidity of authenticating people by "personal" "secret" information has got to stop. (And no, trying to fix that by safeguarding the info better will never work.)

Re:Really? Cool

[v1]

The reason merchants take your signature so casually is because they have no financial responsibility. That's part of the visa and mastercard merchant agreement. If the card is approved on the swiper, the merchant is guaranteed his 97% of the take, or whatever it is for that particular card. (visa, mc, and discover are all different %)

The only responsibility the merchant has is that if he does too many fraudulent transactions percentage-wise, the card handling service he goes through may drop him, and he'll have to find another. I don't know if the card service eats the fraud or if the bank does in those cases. Either way, the merchant is always paid. It's this guarantee that makes a merchant willing to only get like 97% of the purchase price without the right to charge extra for credit purchases. (extra charges for credit purchases are against the credit card processing rules)

Another somewhat unknown fact is that if someone steals your card or through any other circumstances charges to your cc #, you can be held partly liable. The banks can make you pay up to $50 of the balance of "disputed charges". From the three or four people I've seen get their cards stolen though, the bank usually eats the $50 they could otherwise push on the consumer. I find this very odd for a bank to be generous to the tune of $50, but for some reason they do it. They probably make well over $50 in interest for most card holders during any 2 year period, so for them it's probably better to roll on the $50 and keep them using their plastic.

The first thing you need to do if your card is missing is report it lost. The $50 limit applies only to unauthorized charges made before the card is reported lost. Anything after that is entirely the responsibility of the bank.

Confindence

The use of a credit card is the same as having "cash", it is the confidence in the idea that is important. If someone flooded the market with millions in couterfeit notes, noone will accept them, hence the notes themselves become worthless. The same applies for credit cards. The point is that the vast majority of transactions are not fraudulent, so we (and the whole system) is happy with the status quo.

Experts talking complete bollocks as usual

[astonishedelf]

No one ever said that Chip and Pin would totally eliminate fraud. Of course, career criminals would find a way around the system. Perfect systems would be too costly in other ways, such as time taken to verify ID, and so on. What it will do is reduce the amount of casual fraud. Having spent fifteen years practicising criminal law in the UK, my experience is that a lot of credit card fraud is opportunistic. People steal your wallet or purse and then use your credit card. The record in my experience is the card being used within five minutes of being taken. This is now impossible. A large amount of credit card fraud of low value has been committed by drug addicts engaged in casual theft to fund their drug habits. Chip and Pin will reduce this kind of theft. It is not a cure-all and no one ever pretended it was.

Re:Credit Card prank

[arminw]

.....fraud protection to cover from the time the card goes missing until it's reported lost/stolen.....

The obvious answer is to put the chip into the person, rather than into a card the person carries. That makes it a lot harder, although I suppose not impossible to steal. Implantable chips have been in use for animals for a while already. RFID and other readout methods exist for these chips. In combination with biological data, such a system would considerably harder to circumvent.

This sort of thing was predicted in the Bible almost 2000 years ago that some sort of numeric identifier would be implanted in every person by a coming world government run by a powerful dictator.

Revelation 13:16-17 (And he causeth all, both small and great, rich and poor, free and bond, to receive a mark IN their right hand, or IN their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name)

For centuries, before computers were even dreamed of, scholars have scratched their heads and tried to figure out how someone could be prevented from buying or selling if they did not have some kind of mark IN their body. It may still be a while before this prophecy comes true, but it certainly doesn't sound as far fetched now as it did before our modern times. Try to rent a car without a credit card. Paying cash for an Airplane ticket to a foreign country may likely attract extra attention of the suspicious security persons. Walking into an automobile dealer and paying for an expensive car in cash with a suitcase full of money will likely get the attention of the authorities to that transaction.

So, in some ways we are already approaching the kind of thing predicted so very long ago. Making completely anonymous, large amount cash transactions is getting to be quite difficult. Someday, you may not be able to buy so much as a stick of chewing gum that is not recorded.

yea, excuse me Mr. (anti) 'Christian'..

[Halvy]

Explain your refusal to 'fight' the chip.

Just because you 'believe' that you won't be here to suffer with everyone else (like Jesus did), then why would you be a conspirator to this evil chip system by way of walking away from any responsability in 'fighting' it with all-of-your-might.

I already know the answers.. I am just doing to this to shine the light on people 'like you'-- for those that my actaully consider what you say to be the truth.