Slashdot Mirror
New Identity Theft Technology Fails to Protect
Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
Zug.com and slashdot has shown this gag before.
It's very funny, until you realize the implications. I no longer make my signature on credit card reciepts anything like the one on my card. Why bother?
Saskboy's blog is good. 9 out of 10 dentists agree.
It is possible that one day the imbedded chip under the skin would become law it may even come with a gps and auto feature that disables the user installed in it as well. But taht makes me think about the Bible in the mark of the beast and son on.With all the things you can buy unchallenged with a credit card there will always be a way around any security feature period.
"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social enginering which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect.
For example, assuming that theives can get around biometric data. What is going to stop them from removing a "read-only" chip and installing a "read/write" chip?
Am I open minded towards open source, or closed minded towards closed source?
If it does work outside of your body, it won't work inside your body. There is no absolute way to prove identity. It's a bummer, I know.
You can prove (within acceptable limits) that some biometric data (like a DNA sample) comes from you, but there is a gap between that information and identity. Identity is solely a "web of trust" issue. Trying to solve identity theft with some piece of information (like a password) or biometric data (like a fingerprint) will only raise the bar for identity theft.
Can You Say Linux? I Knew That You Could.
Why are credit card companies taking so long to make each transaction covered by its own one-time password? Why do I give the same CC# to a recipient, without security? The card is almost always processed by a machine now, even with a (usually minimum-wage) human handling the transaction. Why should the recipient be trusted not to rerun the charge, or increase it, or share the access info with someone else?
I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.
One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just to low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?
--
make install -not war
No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID. Do transactions indoors at the teller window. (Most banks will not ensure that any deposit made at the ATM will make it into your account.) Get to know your tellers. Facial recognition helps a lot. Saved my Grandfather (according to him) years ago when someone tried to cash a stolen payroll check. The tellers knew him. The cops where called.
Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.
Sometimes I would try and explain the catch.
Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.
That is -- is someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.
However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.
In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?
You need to see Gattaca and here
They were taking DNA samples in real time from people for access control.
The guy went to extreme measures to defeat the real time DNA sampler.
No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.
Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.
Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?
John Spartan on Simon Phoenix being unable to buy anything because you need an implanted chip:
It would be a waste of time to mug somebody . . . unless he rips off someone's hand, and let's hope he doesn't figure that one out.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
The problem of this type of security is that it attempts to replace thought on the part of all involved. (see zug.com about credit card fun)
When I and my wife got a joint account, the bank swapped our pictures on our atm cards. We look nothing alike, each being easly taken for our respective genders. I used mine (with her picture) for six months without anyone even glancing at the picture. Eventually, when I got passport photos at a local picture processing shop: the clerk looked at the card and refused to process it.
Literally after hundreds of transactions including a good number in the $250/300 range. Unfortionatly "Security" (tm) is everyones job, but no one wants to do it.
A friend just came back from Japan, where his cousin was paying groceries et all with his cellphone, which had a "sweep-type" fingerprint scanner (and videophone, and fast internet, etc).
I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.
It is interesting to see phone companies grabbing part of the credit card market.
Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!
Instead of money, you'll be paid in talktime credits...
Ok, so you make a credit card transaction and before it is approved, you get a call on your cell phone, enter a PIN and only then the transaction is approved. Yes, you need to have a signal for this to work, but I think this gets around many problems inherent to other verification methods.
"You mortals are so obtuse." -Q
Most chips already in existence will automatically disable themselves if it senses the host is dead (I believe by way of body temperature).
My professor recently had his identity stolen. Apparently the thieves stole some of his mail from his mailbox, and opened a new bank account in his name by his bank. Then they applied for internet banking on his `real' bank account. When they had that, they could easily steal his money. I find it amazing that it is so easy to steal someones identity with this bank.
-- Cheers!
Cash Payments: The return of at the door paying.
At the door paying: The return of lost money in shipping.
Lost Money in Shipping: The return of online credit card payments.
BTW, the point of credit cards is not to have to lug around tons of cash, and not having to have your account full. If you know how to manage your money, you can say goodbye to paying interest on a credit card bill.
Note: Credit Cards not reccommended for those who spend more than they make.
Solution:
"Dear Sir,
Seeing as your card and your PIN were used for this transaction, you must have written your PIN down or something. Your problem.
Kind regards,
Your bank."
Now you have to take the bank to court. Should put off anyone claiming less than a few hundred pounds.
The cashier didn't ask for the coworker's ID probably because he looked like a non-threatening white person.
My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.
I don't mean to turn this into a race issue, but it cannot be ignored.
I'd be happy if they'd develop a single customer loyalty card. My key ring / wallet can't take much more of this.
Did you ever use your card in France? Your seemingly well protected PIN card does not need a PIN there - cashiers will just swipe it, and that's it. A very nice option for card thieves: Paris is just 6 hours by train. Yes, the thieves are with the program, they have been for a long time 8)
And by the way, PIN cards for payment in shops have been around since the early nineties - in 1970 people were still fuzzing about with 'spaarbankboekjes', a paper booklet with your account information that the bank's cashier could modify.
I've read about a number of local cases where the thug kidnaps his victim and takes him to a cash machine, forcing the victim to make a withdrawal or be shot. These are the same dead-enders who switched to carjacking when it became too difficult for them to steal unattended cars.
Mea navis aericumbens anguillis abundat