New Identity Theft Technology Fails to Protect
Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
...there is no patch for human stupidity.
and earlier, by Schneier:
"If you think technology will solve your security problems, either you don't understand the technology, or you don't understand the problems."
Read the best of all of Slash: seenonslash.com
Zug.com and Slashdot have shown this gag before.
It's very funny, until you realize the implications. I no longer make my signature on credit card receipts anything like the one on my card. Why bother?
Saskboy's blog is good. 9 out of 10 dentists agree.
It is possible that one day the embedded chip under the skin would become law; it may even come with a GPS and auto feature that disables the user installed in it as well. But that makes me think about the Bible in the mark of the beast and so on. With all the things you can buy unchallenged with a credit card there will always be a way around any security feature, period.
Why would anyone think that the credit card companies would ever care about identity theft? Sure, it does cost them some money. But by far the cost of identity theft is placed on merchants. If someone disputes a charge on the credit card bill, the credit card companies merely take the money back from the merchant.
As a glaring demonstration of how unconcerned credit card companies are about theft, on the same credit card I had someone fraudulently use it three times. Each time I asked for a new card with a new number on it. Each time the issuing bank (Citibank) said, "Let's just wait to see if it happens again". I had to insist on the third time because I was sick of dealing with it.
When they can just pass costs onto merchants and consumers, is it any wonder they're designing ineffective solutions?
I'm a big tall mofo.
"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social engineering, which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect?
For example, assuming that thieves can get around biometric data, what is going to stop them from removing a "read-only" chip and installing a "read/write" chip?
Am I open minded towards open source, or closed minded towards closed source?
Pardon me, I left off the link to the Zug.com prank(s).
http://www.zug.com/pranks/credit_card/
Saskboy's blog is good. 9 out of 10 dentists agree.
If it does work outside of your body, it won't work inside your body. There is no absolute way to prove identity. It's a bummer, I know.
You can prove (within acceptable limits) that some biometric data (like a DNA sample) comes from you, but there is a gap between that information and identity. Identity is solely a "web of trust" issue. Trying to solve identity theft with some piece of information (like a password) or biometric data (like a fingerprint) will only raise the bar for identity theft.
Can You Say Linux? I Knew That You Could.
@ 1,16 human/brain.txt brain cell brain cell #2 -stupid cell +smart cell
j0b.org - A famous domain name for sale
Considering the level of violence some criminals (drug addicts etc) are willing to use on their victims, I'd rather keep my money/cards in my wallet and don't want to have any hard-to-remove RFID chips in my arms.
There is no substitute for hard common sense. Signatures are meaningless. Retailers are interested in making the sale and not annoying the customers with suspicion.
In my case, my signature cannot fit on that tiny space provided on the credit card, and so resembles nothing like it. Most clerks will make a perfunctory "check" of signatures, if they even bother.
Regard your credit card like you would cash, since there is little more security involved. Though, most institutions that issue Credit Cards and increasingly Debit Cards will give you a chance to dispute charges and have them removed.
Ruby Neural Evolution of Augmenting Topologies
Dr Finch says criminals have told her how they now look over people's shoulders to see a person's pin being entered on a keypad and then attempt to steal the card at a later date.
It's called shoulder surfing, hardly new.
"I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
Why are credit card companies taking so long to make each transaction covered by its own one-time password? Why do I give the same CC# to a recipient, without security? The card is almost always processed by a machine now, even with a (usually minimum-wage) human handling the transaction. Why should the recipient be trusted not to rerun the charge, or increase it, or share the access info with someone else?
I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.
One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just too low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?
--
make install -not war
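The per-transaction one-time password asked for in the comment above, as an added example (not code from the thread or from any card scheme): the card derives a code from a shared seed, a counter, the merchant and the amount, so the recipient cannot rerun the charge or increase it. The class names, message layout, merchant IDs and 8-digit code length are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def transaction_code(seed: bytes, counter: int, merchant: str, amount_cents: int) -> str:
    """Derive an 8-digit code bound to one counter value, one merchant and one amount."""
    merchant_bytes = merchant.encode("utf-8")
    # Length-prefix the merchant so the field boundaries are unambiguous.
    msg = (struct.pack(">QH", counter, len(merchant_bytes))
           + merchant_bytes
           + struct.pack(">Q", amount_cents))
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226), applied to SHA-256 here.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


@dataclass
class Card:
    """Hypothetical chip card: holds the seed and a counter that only moves forward."""
    seed: bytes
    counter: int = 0

    def authorize(self, merchant: str, amount_cents: int) -> dict:
        self.counter += 1
        return {
            "counter": self.counter,
            "merchant": merchant,
            "amount_cents": amount_cents,
            "code": transaction_code(self.seed, self.counter, merchant, amount_cents),
        }


@dataclass
class Issuer:
    """Hypothetical issuer: knows each card's seed and the highest counter it has settled."""
    seeds: dict
    last_counter: dict = field(default_factory=dict)

    def settle(self, card_id: str, claim: dict) -> str:
        seed = self.seeds.get(card_id)
        if seed is None:
            return "rejected: unknown card"
        expected = transaction_code(seed, claim["counter"], claim["merchant"],
                                    claim["amount_cents"])
        # Constant-time compare; a real issuer would also rate-limit failed
        # attempts, since an 8-digit code can be guessed online.
        if not hmac.compare_digest(expected, claim["code"]):
            return "rejected: code does not match merchant/amount"
        # Strictly increasing counter: each code settles at most once.
        if claim["counter"] <= self.last_counter.get(card_id, 0):
            return "rejected: counter already used (replay)"
        self.last_counter[card_id] = claim["counter"]
        return "approved"


def demo() -> dict:
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample seed
    card = Card(seed)
    issuer = Issuer({"card-1": seed})
    results = {}

    claim = card.authorize("BOOKSHOP-042", 1999)
    results["first"] = issuer.settle("card-1", claim)
    results["rerun"] = issuer.settle("card-1", claim)  # merchant reruns the charge

    claim2 = card.authorize("BOOKSHOP-042", 500)
    # Merchant raises the amount, or hands the code to another merchant.
    results["inflated"] = issuer.settle("card-1", dict(claim2, amount_cents=9999))
    results["other_merchant"] = issuer.settle("card-1", dict(claim2, merchant="OTHER-SHOP"))
    # The untampered claim still settles after the failed attempts.
    results["honest_after"] = issuer.settle("card-1", claim2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The code protects a single charge only; it does nothing against a stolen seed or an account opened in someone else's name.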
No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID. Do transactions indoors at the teller window. (Most banks will not ensure that any deposit made at the ATM will make it into your account.) Get to know your tellers. Facial recognition helps a lot. Saved my Grandfather (according to him) years ago when someone tried to cash a stolen payroll check. The tellers knew him. The cops were called.
Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
thieves are quickly adapting to new technologies such as chip-and-pin credit cards
Everyone here in the Netherlands has been using PIN cards since about 1970(?). These cards also include "Chip" chips since 1996.
These cards are much less a liability than credit cards of the American type. It's about time you get with the program people (;
When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.
Sometimes I would try and explain the catch.
Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.
That is -- if someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.
However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.
In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?
Any chance you could provide a reference for that? If true, you've just made me a hell of a lot happier about chip and PIN - I'd assumed that the aim was to shift responsibility off the CCs' shoulders and onto someone else's.
For the love of God, please learn to spell "ridiculous"!!!
You need to see Gattaca and here
They were taking DNA samples in real time from people for access control.
The guy went to extreme measures to defeat the real time DNA sampler.
No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.
Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.
Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?
John Spartan on Simon Phoenix being unable to buy anything because you need an implanted chip:
It would be a waste of time to mug somebody . . . unless he rips off someone's hand, and let's hope he doesn't figure that one out.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
The problem of this type of security is that it attempts to replace thought on the part of all involved. (see zug.com about credit card fun)
When I and my wife got a joint account, the bank swapped our pictures on our ATM cards. We look nothing alike, each being easily taken for our respective genders. I used mine (with her picture) for six months without anyone even glancing at the picture. Eventually, when I got passport photos at a local picture processing shop, the clerk looked at the card and refused to process it.
Literally after hundreds of transactions including a good number in the $250/300 range. Unfortunately "Security" (tm) is everyone's job, but no one wants to do it.
A friend just came back from Japan, where his cousin was paying groceries et al with his cellphone, which had a "sweep-type" fingerprint scanner (and videophone, and fast internet, etc).
I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.
It is interesting to see phone companies grabbing part of the credit card market.
Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!
Instead of money, you'll be paid in talktime credits...
Ok, so you make a credit card transaction and before it is approved, you get a call on your cell phone, enter a PIN and only then the transaction is approved. Yes, you need to have a signal for this to work, but I think this gets around many problems inherent to other verification methods.
"You mortals are so obtuse." -Q
Most retailers now use a self-swipe card reader. They don't even look at the card.
Every once in a great while a clerk will ask to see my card at my local supermarket. But those occasions are few and far between.
They don't even cross match the store ID card with the card you swipe. I understand that there are flaws such as a spouse having a store card with the same number on it. But there has to be a better way of checking to be sure the credit/debit card holder is who they say they are.
This is why I'd be much more comfortable with a card + thumb print + pin scenario.
Not only is the idea of having RFIDs embedded into people's skin scary to me, but it also promises to add a new, terrifying meaning to the term "hacking"...
My professor recently had his identity stolen. Apparently the thieves stole some of his mail from his mailbox, and opened a new bank account in his name by his bank. Then they applied for internet banking on his `real' bank account. When they had that, they could easily steal his money. I find it amazing that it is so easy to steal someone's identity with this bank.
-- Cheers!
I would much prefer to be able to carry on using my signature. Someone standing behind me wouldn't be able to knock me over the head, and go to a cashpoint to withdraw cash after seeing me sign my name. Sure you can forge them, but it's a bit harder than punching in 4 numbers.
Get your own free personal location tracker
...but maybe stupid people deserve to have their identities stolen. Better to have a smarter version of yourself out there if you're too fucking stupid to look after your money.
This is like saying "Login & Passwords schemes are insecure! If I give my login and password to my coworker, he can impersonate me! The sky is falling!"
Actually, the Chip&PIN scheme is better than Login/Password schemes since you need a physical device (the smart card) to perform the transaction.
If this new scheme forces thieves to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.
I love this quote:
The amount of "card-present" fraud in France (where this scheme has been in use for about 20 years) is several orders of magnitude lower than in other countries with similar characteristics. Ok, the "Problem of fraud" has not been reduced, but the "Amount of fraud" has, and that's what matters.
Nobox: Only simple products.
Breath analyzers like in Aliens 4, and it'll get cracked, hacked, etc too like in minutes or something
and there always will be
They were taking DNA samples in real time from people for access control.
:)
I suggest taking a 2 - 3 litre blood sample per transaction for DNA testing
http://blog.nexusuk.org
The absolute majority of RFID tags that could be embedded under your skin are passive devices with no power source, i.e. they only respond when interrogated by an external device and they really don't care whether they are alive, dead or even still attached to your body.
Active tags which have a power cell are around the size of a 10 penny piece and are wholly unsuitable for placing under the skin and, of course, would require a minor operation every time the battery needed changing. (Oh, and just *pray* the cell never leaks).
Ripping a new rectum in the fabric of spacetime.
Even the most brain 2 dollar a day cashier chicks carefully verify credit card transactions, and, if there's a question, they'll gather another two or three cashier chicks to cluck at the card before summoning a manager, who will then have to summon another manager sometimes.
One thing about the Philippines ... it is hot and Americans sweat like pigs there. On one really bad day, my sweat washed away most of my signature and I couldn't use my credit card until I got back to the States and no-one cared anymore ...
There was one friend of mine who simply put an X through everything instead of his name. Honestly it was probably far more secure because it at least gave the cashiers a WTF moment.
But this all does bring me to a question I've had: what's the point of that number on the back of the card? I mean it's just one more piece of information, sure, but it's not any harder to obtain than the card number and expiration date.
So what practical benefit does it really offer?
This sig has been temporarily disconnected or is no longer in service
The reason that newer technologies fail is the ability of the criminal to adapt to all the security flaws inherent in every new technology...
The only way to be secure is to use more than one security technology...
For instance, you have cards that are read by proximity detectors...all I have to do, as a bad guy, is get a reader and scan people as they walk past me...store the data, and copy it into new cards...bingo!
What we need is more security, not more technology...
For instance, a smart card credit card that has a thumb print scanner pad built in. When you process a transaction, it powers the card, scans your thumb, asks for a PIN, and you complete the transaction. The odds of someone else being able to crack the thumb scan AND the pin go down...
All of these systems can also use handwriting analysis, face recognition, etc...
RFID is waiting for the right moment to be "scammed", because it is a "reader" technology...get a reader, get an identity...
--E--
In the future, a sign of intimacy and trust could be to tell someone where your chip is. And the idea is to reduce fraud. Way fewer people would be willing to murder and dismember someone than are willing to just threaten someone with a weapon and take their money.
Me, I'm too poor to pay to use my money, so I just carry cash and rely on being a big hairy freak to keep me safe! :)
Michael J. Bertrand, AKA Fruvous or FruFox My
While biometrics and/or embedded chips would ensure additional security for the average transaction, I'm not looking forward to purchasing additional dismemberment insurance for when some thug decides he wants to mug me. Biometrics might just make using my credit card harder to do without ripping out my eyes or dismembering my fingers/hands/arms. No need to encourage that behavior. It's probably best to keep cash/cards easily accessible so you at least have a chance of surviving the encounter. After all, how safe is your identity if you're dead?
Blog: http://richardrandomrants.blogspot.com/
Oh please! Because the authentication of people's credit card applications is completely broken, the problem of cloned and stolen cards shouldn't be fixed? I'm the first to admit that technology alone isn't enough, but this absolute stupidity of authenticating people by "personal" "secret" information has got to stop. (And no, trying to fix that by safeguarding the info better will never work.)
If the road to hell is paved with good intentions, where does the road paved with evil intentions lead to?
Cash Payments: The return of at the door paying.
At the door paying: The return of lost money in shipping.
Lost Money in Shipping: The return of online credit card payments.
BTW, the point of credit cards is not to have to lug around tons of cash, and not having to have your account full. If you know how to manage your money, you can say goodbye to paying interest on a credit card bill.
Note: Credit Cards not recommended for those who spend more than they make.
combined IQ of a single McDonalds worker
If you're so smart, explain how you combine a single item with itself?
"I realise this is not a very popular opinion but it's the truth, and therefore needs to be said" -Bill Hicks
It will only make ID theft more gruesome.
And as another poster has put it so clearly, why do we even NEED credit cards? At present our debit system works well enough. I have stopped using credit cards long ago. I still buy stuff (albeit less stuff I don't need since I have to think more about what I buy) and my bills are paid reliably.
In my view, only two things require credit -- houses and cars. For some people, cars don't require credit either... lucky them. But for anything else, there's cash.
The cashier didn't ask for the coworker's ID probably because he looked like a non-threatening white person.
My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.
I don't mean to turn this into a race issue, but it cannot be ignored.
Note: Credit Cards not recommended for those who spend more than they make.
Truer words were never spoken.
Mattman
Bohemian Free Corps
I work in a bookies in Norwich and I can tell you the idiocy of the shop worker is nothing compared to the idiocy of the customer. I have a number of regular punters who have gotten sick of continually entering their pin to pay for their bets so now they have me enter it in for them; they also leave their cards with me. It makes using MY chip and pin very difficult as I can never remember which pin is mine!
I do that too. However if they don't look I don't talk to them I talk to their manager.
Especially from the guy with talking hump syndrome - THS.
Je me souviens.
not to enforce/validate who you are. I believe that the seller is supposed to validate your identity with other documents. (not that it is done.)
I'd be happy if they'd develop a single customer loyalty card. My key ring / wallet can't take much more of this.
Merchants who accept your Visa card which is unsigned (or is signed SEE ID) are in violation of Visa policies. Visa has specifically stated that cards signed with SEE ID must not be accepted for a transaction.
From a letter I received from Visa:
"Please be assured that merchants may not refuse to honor a Visa card simply because the cardholder refuses a request for supplementary information. The only exception is when a Visa card is unsigned when presented. In this situation a merchant must obtain authorization, review additional identification, and require the cardholder to sign the card before completing the transaction."
I know Doc Ruby, you stole his identity!!!
Moderator! Moderator! Moderator!
Take this imposter away!!!!
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
The use of a credit card is the same as having "cash", it is the confidence in the idea that is important. If someone flooded the market with millions in counterfeit notes, no one will accept them, hence the notes themselves become worthless. The same applies for credit cards. The point is that the vast majority of transactions are not fraudulent, so we (and the whole system) are happy with the status quo.
They're working on it. It's called Smack-Me-Smart.
They take people who are stupid, like really stupid, can't get any dumber stupid.
Then they hit them, until the stupid comes right out.
This process is often implemented in 3rd World Countries and states like Texas and Florida, onto children and wives.
The process is not yet perfected, but it is a work in progress.
That letter is BS. Any merchant has the right to refuse a card because someone cannot present sufficient ID or whatnot to properly ascertain the identity of the card user. VISA can't force a merchant to take a card because they felt that the card was stolen or being used illegally. That letter basically says "If this card is signed, the merchant MUST take the card, regardless of who is using it. If the merchant wants more info, and the person holding this card says no, they have to take it anyway. If the card is unsigned, they have to get ID before taking it."
I think VISA or someone is yanking you or they have crappy policies...if they say that a store HAS to take your card even if you refuse to show ID, then they need to re-think that. I work at a Best Buy, and we regularly ring transactions that number anywhere from between 1 and 30 thousand dollars at a time. If I ask for ID for your card and you say no, I'll tell you to piss off and come back with ID. I may piss some people off, but I make DAMN sure that who I'm selling to is the person I should be selling it to. Same goes for people who have their spouse's/parent's credit cards. Won't take em. End of story.
--"Hm. It seems the waffle couldn't handle it."
No one ever said that Chip and Pin would totally eliminate fraud. Of course, career criminals would find a way around the system. Perfect systems would be too costly in other ways, such as time taken to verify ID, and so on. What it will do is reduce the amount of casual fraud. Having spent fifteen years practising criminal law in the UK, my experience is that a lot of credit card fraud is opportunistic. People steal your wallet or purse and then use your credit card. The record in my experience is the card being used within five minutes of being taken. This is now impossible. A large amount of credit card fraud of low value has been committed by drug addicts engaged in casual theft to fund their drug habits. Chip and Pin will reduce this kind of theft. It is not a cure-all and no one ever pretended it was.
Unfortunately the Microsoft patch crashed the system.
But nobody could tell.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I prefer the current good old theft of identity. It seems physically less painless. I'd rather not have to lose a limb/digit/section of skin when a "career criminal" wants my credit.
If the credit companies wanted a significant change in the way things were done it would have been changed long ago. So called losses to fraud aside the net gain is on claiming losses against tax and dividends have enriched them beyond all measure. It's all funny accounting you will never read about in the WSJ.
Businesses use the cost of business to determine their profits. Losses from the year are deducted from the company's net profit and they would prefer that the net was as low as possible. In their yearly taxes they 'write off losses' and claim them as part of the cost of doing business.
Whether it's bad debts or some form of theft. Their net gain is in THIS YEAR's writeoff. Should they collect a bad debt a year or 30 years from now is simply gravy. It won't be counted as part of that year's income as it was a past debt and nobody will research it deep enough or even notice. NOBODY CARES ABOUT DELAYED INCOME. Income delayed will be added to the income of the year it was created, not the current year. The bean counters will go back and adjust that year's books to show a profit then. An audit won't pick it up because the books are in house and the IRS only has what they were given and all the info from that year will jive with the stated amounts. Receipts from different years will be ignored even though they are in context with the debt as a unit.
That's why the debts you may get calls about are marked as written off in your credit reports, but they still want the money.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
The $50 cutoff is the "deductible" that the cardholder is responsible for, and is often not waived. Especially in online fraud. And, because many people know they're supposed to be responsible for those "small" thefts, they often don't try to recover that amount, because they agreed not to hold the banks responsible. Then there's the bigger threat I mentioned, where ID thefts are the setup for a later, bigger theft, often not traceable directly to the CC ID breach.
What makes a pluggable chipcard a "fat keychain"? If a Flash/ROM keychain or card can hold multiple OTP authenticators, or even a single personal one that registers its sequence seed with multiple counterparties, that wallet gets thinner, not fatter - and keeps more of its money. And becomes easier to use than insecure cards which require handling by untrustable, unaccountable intermediaries.
--
make install -not war
So a cashier from Best Buy knows all about Visa policy? Just because Best Buy routinely violates the policy through ignorant employees doesn't mean the policy doesn't exist.
I too have felt the cold finger of injustice.
After clicking through into a few related sites and forums, I am having some trouble getting to sleep...
For the love of God, please learn to spell "ridiculous"!!!
is why companies have started to roll out one-time-only credit card numbers but haven't pursued the projects.
American Express Private Payments, Discover's DeskShop, SecureClick from Cyota, MBNA ShopSafe are all hanging fire or dead. The Virtual Mastercard Program has almost vanished from Googlespace.
The problem is, credit cards with high limits, and no real security. Why do we really need credit cards with such high limits on them in the first place? Maybe it would be nice if they had to go through a couple hoops to pay $5000 for something. Something like the bank cards with a daily spending limit, so that you don't get screwed out of too much if something does go wrong. Also passwords would be nice to protect credit cards. Let me use a 20 digit password too. The human mind is capable of remembering 20 digit numbers. Why can't I use one? People remember thousands of digits of Pi, I think most people could memorize a 20 digit number, especially with the frequency at which some people use credit cards. The real problem in the end is the amount of credit available to people, without enough real checks as to who you really are. Getting a $10,000 credit card/loan, or a mortgage should require about the same level of security as getting a passport. Most people don't spend that much money that fast. It wouldn't inconvenience too many people.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
From TFA:
Dr Finch's research leads her to doubt that any scheme for national ID cards will work, even if it is backed up by biometric data such as eye scans - because the criminals will simply adapt their strategies to try to get around the hurdle.
I wonder how that would be accomplished. Steal your eyeball? I think that might look a bit suspicious.
Sent from my computer.
Now GET OFF MY LAWN!
You're a fucking asshole, and ignorant, too. When you try to get out of a $45 ripoff, you get hassled at every turn. Some companies offer to waive their liability limit, some don't. Some of the ones who "waive" it make it difficult to do so. Some have reasonable terms for turnaround time, some don't. All are bound by a law which sets their liability only above $50, and some compete by extending that down to $0. But by no means all. And, as I've said in every message in this thread, the bigger threat than the goddamn $50 is the later theft of something really big, after enough time has passed that you're not paying attention to where the original ID theft occurred.
On top of everything else, the bankruptcy bill passed by Congress this year removes liability for ID fraud debts from banks, and leaves it on the consumer - even when the bank is responsible for the ID theft and consequent fraud.
Now, I don't know what the hell you're talking about with your bizarre brainfart about a "methane car". But I'm perfectly happy to leave you nodding off in whatever fumes you're emitting, while the rest of us with sense look for better security in our financial transactions.
--
make install -not war
Explain your refusal to 'fight' the chip.
Just because you 'believe' that you won't be here to suffer with everyone else (like Jesus did), then why would you be a conspirator to this evil chip system by way of walking away from any responsibility in 'fighting' it with all-of-your-might.
I already know the answers.. I am just doing this to shine the light on people 'like you'-- for those that may actually consider what you say to be the truth.
I will gladly lose all of life's battles.. in order to win the war..
Not in saying that criminals won't adapt, and I won't comment on whether or not better identity cards will reduce identity theft, but the article says she claims that:
That is absolutely false. The criminals she talks to may describe ways they try to work around the technology, and there's no doubt that they're frequently successful, but the card issuers and acquirers do keep track of how much fraud they have to deal with, and the statistics show that it has dropped like a rock. Card-present fraud perpetrated by individuals other than the cardholder has dropped by over 95%. Fraud by cardholders (which includes identity theft fraud), both card-present and card-absent, has also declined significantly, which is really significant, since a certain amount of fraud that used to be attributed to non-cardholders is now classified as cardholder fraud.
The chip and PIN program in the UK has been an absolutely fantastic success from a fraud standpoint.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Social engineering will continue to be effective until we can engineer some anti-social people.
The higher the technology, the sharper that two-edged sword.
I think C&P represents pretty much exactly how much security we need for ordinary transactions. The next obvious step beyond, for extra security, would be biometrics, or implanted chips, and I see 2 big problems with that - 1.) a would-be thief has to escalate from mere theft to assault in order to be successful. That is, if your hand is being used for biometrics, then the probability that some day it's going to get cut off by a mugger goes up quite a bit. The same goes for any other body part. 2.) Obviously biometrics or implants will ring alarm bells in a lot of people's heads (mark of the beast, 1984, whatever). So there just isn't any point in trying that anytime soon. But durable, reliable, multi-purpose smart cards are exactly what we need.
I would like to see multiple cards get replaced with multi-purpose smart cards though. Mixing government, commercial and medical uses would be bad, but at least have a single smart card that can handle all the commercial uses - various credit and cash accounts, public transportation, loyalty tracking etc. There's no reason it couldn't be secure; there simply needs to be strict testing & enforcement of relevant standards to make sure that the information on the card stays partitioned by owner, and that partitioning is physically impossible to violate. E.g. Safeway can't get your Fry's loyalty ID nor your financial stuff nor personal info of any kind without your consent, and without revealing exactly which items they are reading. Every partition must be protected by a different private key, which is only ever stored on the card and never read out. But I think the smartcard standards for this behavior are already in place. Certainly with iButtons it's possible. And iButtons would be another very good alternative to smart cards, but in the end there should be just one good standard.
Another possible step forward from there would be the wireless smart cards, but people have privacy issues with those. But that scenario shown in that commercial where the guy pushes a shopping cart right out the front door and automatically gets charged for everything, is only possible if RFID is used both for tagging the goods and in the debit card.
I'm just sick and tired of carrying so many cards, and having them rub together and destroy each other's magnetic strips. About damn time they start using smart cards.
Of course we'll all have to start using smartcard readers at home, in order to buy anything on the net. I'm surprised it hasn't happened sooner, outside of a couple of trials.
And a good consequence of computers generally having smartcard readers, is that they can be used to log in as well. No more usernames and passwords to remember, potentially! (Except for paranoid sysadmins who inevitably will worry about the cards getting stolen, and continue to require as much extra authentication baggage as they can get away with.) That's the other huge authentication pain-in-the-ass that needs to be eliminated once and for all. I can deal with one card and one PIN for everything, and even with being required to change the PIN every few months, but any more than this is just wrong.
Wrong dipshit. You've never had a merchant account. The merchant takes the loss always. It's easier to file criminal charges than to win in a card holder dispute (true story). The banks act as intermediaries, that's it. Either the card member or merchant is taking the loss, unless you sue the issuer for negligence (which I've done).
Really, I'm not trying to be clever with my signature.
I have had zero issues using my boyfriend's debit card, occasionally as credit if debit is not supported. I guess if they always require photo id it's not so much of a possibility but all people really do is compare the name and not the pic. This theory has been tested on multiple occasions and only once did I get challenged (which I simply talked my way out of). It's terrifying.
I'm in the slightly embarrassing position of having been moderated up a number of times for what turns out to be misinformation.
See here for my correction
Yikes, Rabbar!
I've had "Please ask for ID" on my cards for yrs. Only rarely (1 in ~50 times?) am I asked for my ID, and I've never had an experience that looks like sales personnel know about Visa's policy you've documented. (When a clerk does ask, I thank her or him.) So, I checked the Visa Web site and confirmed your correspondence:
So, there appear to be two problems:
I feel so much less secure now. My $$ is safe, no? Mayhaps I should sign with the PW for my PayPal account? Nahhh, that changes more frequently than the cards are replaced.
"Would you like me to fill it up, Mrs. Nussbaum?"
I find it fascinating that you ask to speak to a manager when a clerk follows the policies of your card issuer, which must, therefore, also be the policies of the merchant.
The point of the signature on the card is to endorse a legal agreement between you and the card issuer. It has little to nothing to do with your identification.
As later posts explain, Visa requires that unsigned cards be signed.
As far as I am concerned, any writing in the signature box should be assumed to be your signature, and, if your signature does not match that, then the manager should be called.
If you don't sign your sales slip "SEE ID" then the manager should be consulted.
The preferred solution is to not have a problem.
Sorry, not a cashier. Computer Sales, actually. To me it seems like Visa's policy is just inviting fraudulent uses of their cards. Why the hell would I have a policy on my card that says "as long as this card is signed, you don't need to see any other ID if the cardholder doesn't feel like giving you any"? That just seems like plain old stupidity on Visa's part. I know about the whole "match the signature" stuff, which works sometimes, but given that we use electronic signature pads, and 75% of the time, the signature on the pad actually ends up nothing like the signature on the card, I always ask for ID. I've had people personally thank me for checking their IDs because they know this fact.
Besides, who's going to stop someone from either signing a blank card or practicing enough to forge a signature?
--"Hm. It seems the waffle couldn't handle it."
They must have been audited or something because for several months they had large posters explaining the policy.
They state that "SEE ID" is not acceptable. A helpful clerk told me to rub "SEE ID" off my card and sign it. I showed him my ID and he accepted the transaction. When I asked about this he told me it was Visa/MC policy not USPS policy.
Man, you really need that seminar!
In any case, whether the policy on Visa's part is ridiculous or not, it does exist. (MasterCard has the same policy. American Express does not--they allow merchants to check ID at their discretion. Don't know about Discover.)
With respect to Best Buy, it's pretty much a moot point for me because I go out of my way to avoid merchants who have their customers arrested for comparison shopping, using two dollar bills, or daring to demand an item for its advertised price, all of which Best Buy has done. Violating their merchant agreement is the least of their offenses. I hope the store you work for has more ethical management than the ones that have made the press.
I too have felt the cold finger of injustice.
We actually do, we have a Circuit City not one shopping plaza down from us, a Walmart and a Target not more than a 5 minute drive away, and a large mall across the way. We actually encourage comparison shopping. Same goes for advert prices. If you see something advertised, you'll get it for that price so long as you meet all the requirements.
You'd be surprised how many people come in with an ad that clearly states that a computer is "649.99 after $320 in mail in rebates" and think that they're paying 650 up front. Then again, I live in the middle of an amazingly large concentration of rednecks and old people in Pennsylvania, so...
The two-dollar-bill thing I'm not sure on, but I know I'd accept it because it is legal tender after all...
--"Hm. It seems the waffle couldn't handle it."