New Identity Theft Technology Fails to Protect

Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

As the T-shirt says

[Emeye]

...there is no patch for human stupidity.

Re:As the T-shirt says

Actually, yes there is a patch for human stupidity. It's called the birth control patch.

It was said better...

[greginnj]

and earlier, by Schneier:

"If you think technology will solve your security problems, either you don't understand the technology, or you don't understand the problems."

Re:It was said better...

[fm6]

That makes him sound like a Luddite. I think he was more to the point when he said, "Security is a process, not a product."

Credit Card prank

[saskboy]

Zug.com and slashdot has shown this gag before.

It's very funny, until you realize the implications. I no longer make my signature on credit card reciepts anything like the one on my card. Why bother?

Re:Credit Card prank

[Gwyn_232]

This is slightly different from the credit card prank. In the US signatures have never been checked that thoroughly, but in the UK the majority of staff used to be quite careful about checking the card details.
 
Since chip and pin was introduced they barely look at the card (many don't even take it from you - they just ask you to put it in the card reader).

Re:Credit Card prank

[E8086]

"many don't even take it from you - they just ask you to put it in the card reader"

I remember when something similar happened over here. I was working as a cashier at the local supermarket during summer and winter breaks. Up to one summer everything with credit cards was done by us at the register, there is a keypad for entering pins directly across from us. That winter there are card readers installed, the generic for credit and debit cards ones you see everywhere now and they were further away from us, so the only time we even saw the card was when the customer ran it through the reader, no checking of the card. Apparently there was some scare/popular rumors that store employees were stealing credit cards or card numbers at the checkout counters. Yes, when someone's in a hurry and rushes out leaving their card on the counter it was "stolen" by that kid at the counter, not accidentally lost/left by a distracted customer and properly turned in to the management by that kid. As far as stolen numbers, I think it was done by people with assess to the store's database of credit transactions. I can understand the desire to have the card never leave the posession of the customer. Now someone can steal a credit card and walk into a BestBuy or other store with expensive easily resellable items and make a major purchase and not have the payment method checked, there's the assumption that the person with the card and pin is the owner. Don't you just love the tradeoff between convenience and security. Most credit card companies and banks now offer some fraud protection to cover from the time the card goes missing until it's reported lost/stolen. As for shoulder surfing, the keybad should be recessed blocking the view of anyone not using the keypad, too many card readers are too out in the open.

Re:Credit Card prank

[arminw]

.....fraud protection to cover from the time the card goes missing until it's reported lost/stolen.....

The obvious answer is to put the chip into the person, rather than into a card the person carries. That makes it a lot harder, although I suppose not impossible to steal. Implantable chips have been in use for animals for a while already. RFID and other readout methods exist for these chips. In combination with biological data, such a system would considerably harder to circumvent.

This sort of thing was predicted in the Bible almost 2000 years ago that some sort of numeric identifier would be implanted in every person by a coming world government run by a powerful dictator.

Revelation 13:16-17 (And he causeth all, both small and great, rich and poor, free and bond, to receive a mark IN their right hand, or IN their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name)

For centuries, before computers were even dreamed of, scholars have scratched their heads and tried to figure out how someone could be prevented from buying or selling if they did not have some kind of mark IN their body. It may still be a while before this prophecy comes true, but it certainly doesn't sound as far fetched now as it did before our modern times. Try to rent a car without a credit card. Paying cash for an Airplane ticket to a foreign country may likely attract extra attention of the suspicious security persons. Walking into an automobile dealer and paying for an expensive car in cash with a suitcase full of money will likely get the attention of the authorities to that transaction.

So, in some ways we are already approaching the kind of thing predicted so very long ago. Making completely anonymous, large amount cash transactions is getting to be quite difficult. Someday, you may not be able to buy so much as a stick of chewing gum that is not recorded.

Always a way!

[usageman]

It is possible that one day the imbedded chip under the skin would become law it may even come with a gps and auto feature that disables the user installed in it as well. But taht makes me think about the Bible in the mark of the beast and son on.With all the things you can buy unchallenged with a credit card there will always be a way around any security feature period.

Re:Always a way!

[FireFury03]

Embedded chips that act like credit cards won't ever happen because too many evangelical christians would never go for something embedded chips.

I would never go for an embedded "credit card chip" either - having your wallet stolen is one thing, but having the part of your body with the chip in it swiped is quite another (I'm being serious - there has been at least 1 case I am aware of in which a carjacker cut off the car owner's finger for the fingerprint because it had a newfangled fingerprint scanner instead of a key to turn on the ignition! I for one would rather have my car stolen rather than losing my finger.)

Re:Always a way!

[mcheu]

Aside from the privacy issues of governments, spouses, criminals, corporations, etc tracking people, a GPS device will need to emit a fair bit of EM radiation. We've already got concerns about long term intermittant cel phone use being a potential health hazard.

You're talking about a device stuck under the skin that's going to blast out EM radiation into you 24/7, continuously, or pulsed every few minutes. I can't see that as being very healthy.

Re:Always a way!

[E8086]

" It is possible that one day the imbedded chip under the skin would become law it may even come with a gps and auto feature that disables the user installed in it as well."

yes, there should be a second level of security, I'm not for imbedded in my skin chips, perhaps a 2nd pword/pin or 2nd chip also carried on your person in a place other than where the card is carried. If it's small enough it could be attached to anything you have with you everyday, on a keychain, in a watch, in a piece of jewlery or contained in a cell phone or even in a pair of glasses, anywhere it's firmly attached so it doesn't get lost or fall off. It should be movable so thieves don't know what else to take if they steal your wallet, unless they have a portable scanner, but then all you'll have to do is report the card stolen. If thieves get enough information to print a fake card, that's another problem.

Credit card companies don't care

[bigtallmofo]

Why would anyone think that the credit card companies would ever care about identity theft? Sure, it does cost them some money. But by far the cost of identity theft is placed on merchants. If someone disputes a charge on the credit card bill, the credit card companies merely take the money back from the merchant.

As a glaring demonstration of how unconcerned credit card companies are about theft, on the same credit card I had someone fraudulently use it three times. Each time I asked for a new card with a new number on it. Each time the issuing bank (Citibank) said, "Let's just wait to see if it happens again". I had to insist on the third time because I was sick of dealing with it.

When they can just pass costs onto merchants and consumers, is it any wonder they're designing ineffective solutions?

Re:Credit card companies don't care

[Angostura]

Wrong. In the UK if the merchant users chip and PIN and the transaction is fraudulent, the cost is born by the card company, no the merchant.

embedded identity

[sedyn]

"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social enginering which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect.

For example, assuming that theives can get around biometric data. What is going to stop them from removing a "read-only" chip and installing a "read/write" chip?

Re:Credit Card prank -LINK included now

[saskboy]

Pardon me, I left off the link to the Zug.com prank(s).

http://www.zug.com/pranks/credit_card/

Back to basics

[macemoneta]

"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

If it does work outside of your body, it won't work inside your body. There is no absolute way to prove identity. It's a bummer, I know.

You can prove (within acceptable limits) that some biometric data (like a DNA sample) comes from you, but there is a gap between that information and identity. Identity is solely a "web of trust" issue. Trying to solve identity theft with some piece of information (like a password) or biometric data (like a fingerprint) will only raise the bar for identity theft.

Re:Back to basics

[macemoneta]

s/If it does work outside of your body/If it doesn't work outside of your body/

Take my cards, dont' rip my arm away !!!

Considering the level of violence some criminals (drug addicts etc) are willing to use on their victims, I'd rather keep my money/cards on my wallet and don't want to have any hard-to.remove RFID chips at my arms.

Re:Take my cards, dont' rip my arm away !!!

[Nuclear+Elephant]

Most chips already in existence will automatically disable themselves if it senses the host is dead (I believe by way of body temperature).

Re:Take my cards, dont' rip my arm away !!!

[MrSteveSD]

New York Times 2010
Eye gougings are up 20% this month since the introduction of the new Visa-Eye card, which owes its high security to the uniqueness of the user's iris pattern.

Re:Take my cards, dont' rip my arm away !!!

[glesga_kiss]

I'd rather keep my money/cards on my wallet and don't want to have any hard-to.remove RFID chips at my arms.

Prior art

Malaysia car thieves steal finger

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb. [continued...]

Re:Take my cards, dont' rip my arm away !!!

[Tim+Browse]

I'm sure that's a great comfort when someone's cut your finger off to get past a biometric system.

I mean, you'd be sitting there trying to staunch the flow of blood as they run off with your finger, chuckling to yourself, and muttering "Those fools. They don't even know it won't work. What a bunch of idiots. I'm way smarter than them."

Credit Cards

[flajann]

Security is an illusion; Credit Card security doubly so.

There is no substitute for hard Commonsense. Signatures are meaningless. Retailers are interested in making the sale and not annoying the customers with suspicion.

In my case, my signature cannot fit on that tiny space provided on the credit card, and so resembles nothing like it. Most clerks will make a perfunctory "check" of signatures, if they even bother.

Regard your credit card like you would cash, since there is little more security involved. Though, most institutions that issue Credit Cards and increasingly Debit Cards will give you a chance to dispute charges and have them removed.

Re:Credit Cards

[zippthorne]

In the US, your liability in the event of loss/theft if your credit card is limited by law to $50 (provided you inform the bank as soon as you realize what happened). Debit cards have no such protection beyond whatever contract you and the bank agree to. Therefore, If you insist on using a debit card where you would previously have used a credit card, it behooves you to not only read the contract thoroughly, but also consult a lawyer as to the enforceability of the contract.

Re:Credit Cards

[macemoneta]

While the limit is the same, the impact isn't. If a credit card is used improperly, your credit limit is temporarily reduced by the pilfered amount, until the state of the card can be restored. If a debit card is used improperly, your assets are temporarily reduced until the bank restores the funds.

The result of the first is that you may have to limit purchases for a while. The result of the second is that transactions in progress (bills, taxes, and other debts paid) may fail. You will likely be held accountable by those independent institutions for the failure. Even if the result is that they accept the delay, you will likely spend considerable time correcting the situation.

If you are going to use a debit card, create a separate account exclusively for the purpose. Limit the funding in the account to the amount you feel comfortable being without for an arbitrary period of time.

Remember, a debit card is advantageous to the bank, not to you. All things being equal (payment made when requested, so no interest charged), credit cards allow you to utilize the month of float (a short term interest-free loan). A debit card allows your bank to do the same - with your money, and without paying you for the privilege.

"New technology"?

[hotspotbloc]

So the article talks about how technology fails and social engineering takes over but how is it new? Kevin worked this trick like a pro twenty years ago.

Dr Finch says criminals have told her how they now look over people's shoulders to see a person's pin being entered on a keypad and then attempt to steal the card at a later date.

It's called shoulder surfing, hardly new.

One Time and for All

[Doc+Ruby]

Why are credit card companies taking so long to make each transaction covered by its own one-time password? Why do I give the same CC# to a recipient, without security? The card is almost always processed by a machine now, even with a (usually minimum-wage) human handling the transaction. Why should the recipient be trusted not to rerun the charge, or increase it, or share the access info with someone else?

I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.

One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just to low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?

All the more reason to go cash

[Allnighterking]

No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID. Do transactions indoors at the teller window. (Most banks will not ensure that any deposit made at the ATM will make it into your account.) Get to know your tellers. Facial recognition helps a lot. Saved my Grandfather (according to him) years ago when someone tried to cash a stolen payroll check. The tellers knew him. The cops where called.

Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.

Re:All the more reason to go cash

[Overzeetop]

It's like anything else...the more safe you make it, the more complacent we will become. I'm convinced that each person has a risk tolerance band, rather than a limit. They will do foolish things to stay above the "minimum risk" line while still staying below the "maximum risk" line. They will also endeavor to raise the lower limit, proving a perceived reduction in risk. This creates a sort of risk-instability, in which the drive to maximize your "return" (aka, stay above your minimum risk)puts you perilously close to your maximum risk line and results in catastrophic failures rather than minor, progresive ones.

I probably shouldn't have used "return" above, as you might think I'm referring to financial investing. I'm not. A return would be to reduce your commute time by 2-5 minutes, allowing you to sleep a bit later. The risk you add is driving faster and closer to the car in front of you than conditions would otherwise permit because you have ABS and air bags. Or reducing the effort required to mow the lawn by getting a self-propelled lawnmower, and then using a velcro strap to lock it in the "on" position so you can mow one-handed, closer to that steep hillside, increasing the chance that you and the (locked-on mower) will careen down the bank, cutting out chunks of your [insert appendage here] and destroying your neighbor's [insert anything valuable here].

It's all about liability

[slim]

When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.

Sometimes I would try and explain the catch.

Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.

That is -- is someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.

However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.

In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?

Re:It's all about liability

[valdean]

When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.

What? They asked you that?? And they said they were looking forward to the extra security??? Wow! The only thing cashiers in the States ever ask me is if I want a receipt, and that's the smart ones. I'm shopping at all the wrong places.

Re:It's all about liability

[trmcdougle]

I can confirm this, my source... The modified terms and conditions when they issued the chipped card.

I would also like to point out that with a signature you can get an expert witness to determine that you are not the one who signed, but the only possible PIN recourse is if you can prove you were elsewhere AND had your card with you. (Otherwise they can claim it was used with your permission!)

Re:It's all about liability

[slim]

Thank you for making me check my facts -- what I said was "conventional wisdom", but as a result of your challenge I Googled for more evidence, and found this:

THE MYTH: After 1 January, the liability for card fraud losses switches from the banks to the cardholder.

THE TRUTH:
This is absolutely not the case. With the introduction of chip and PIN there is no change in liability for the cardholder. You will remain fully protected from the cost of card fraud and are covered under the Banking Code. From 1 January 2005 there is a shift in liability for some types of card fraud from banks to retailers, but this will not affect cardholders in any way.

chips won't work either. Nothing will

[pair-a-noyd]

You need to see Gattaca and here

They were taking DNA samples in real time from people for access control.

The guy went to extreme measures to defeat the real time DNA sampler.

No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.

Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.

Reminds me of "Demolition Man"

[Not_Wiggins]

Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?

John Spartan on Simon Phoenix being unable to buy anything because you need an implanted chip:
It would be a waste of time to mug somebody . . . unless he rips off someone's hand, and let's hope he doesn't figure that one out.

reminds me of...

[amcdiarmid]

The problem of this type of security is that it attempts to replace thought on the part of all involved. (see zug.com about credit card fun)

When I and my wife got a joint account, the bank swapped our pictures on our atm cards. We look nothing alike, each being easly taken for our respective genders. I used mine (with her picture) for six months without anyone even glancing at the picture. Eventually, when I got passport photos at a local picture processing shop: the clerk looked at the card and refused to process it.

Literally after hundreds of transactions including a good number in the $250/300 range. Unfortionatly "Security" (tm) is everyones job, but no one wants to do it.

Biometrics cellphones

[jsveiga]

A friend just came back from Japan, where his cousin was paying groceries et all with his cellphone, which had a "sweep-type" fingerprint scanner (and videophone, and fast internet, etc).

I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.

It is interesting to see phone companies grabbing part of the credit card market.

Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!

Instead of money, you'll be paid in talktime credits...

One possible solution

[slobber]

Ok, so you make a credit card transaction and before it is approved, you get a call on your cell phone, enter a PIN and only then the transaction is approved. Yes, you need to have a signal for this to work, but I think this gets around many problems inherent to other verification methods.

Easy identity theft

[tsa]

My professor recently had his identity stolen. Apparently the thieves stole some of his mail from his mailbox, and opened a new bank account in his name by his bank. Then they applied for internet banking on his `real' bank account. When they had that, they could easily steal his money. I find it amazing that it is so easy to steal someones identity with this bank.

How stupid

[AdamInParadise]

The whole point of the Chip&PIN scheme is that you're authenticated with your PIN, so you must keep this PIN secret. You can't keep your signature secret.

This is like saying "Login & Passwords schemes are insecure! If I give my login and password to my coworker, he can impersonate me! The sky is falling!"

Actually, the Chip&PIN scheme is better than Login/Password schemes since you need a physical device (the smart card) to perform the transaction.

If this new scheme forces thiefs to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.

I love this quote:

She claims this chip and pin technology, as it is called, has not reduced the problem of fraud.

The amount of "card-present" fraud in France (where this scheme is in use for about 20 years) is severals orders of magnitude lower than in other countries with similar caracteristics. Ok, the "Problem of fraud" has not been reduced, but the "Amount of fraud" has, and that's what matters.

Re:How stupid

[macemoneta]

If this new scheme forces thiefs to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.

Be careful what you wish for; social engineering comes in many forms.

[Points gun at head]: Give me your card.
What is the PIN? [Pulls trigger]

You've just been socially engineered out of your funds, and life. Raising the bar on security doesn't always mean it's harder for a criminal, or safer for you.

New Tech mostly usless

[Efialtis]

The reason that newer technologies fail is the ability of the criminal to adapt to all the security flaws inherant in every new technology...
The only way to be secure is to use more than one security technology...
For instance, you have cards that are read by proximity detectors...all I have to do, as a bad guy, is get a reader and scan people as they walt past me...store the data, and copy it into new cards...bingo!
What we need is more security, not more technology...
For instance, a smart card credit card that has a thumb print scanner pad built in. When you process a transaction, it powers the card, scans your thumb, asks for a PIN, and you complete the transaction. The odds of someone else being able to crack the thumb scan AND the pin go down...
All of these systems can also use handwriting analysis, face recognition, etc...
RIFD is waiting for the right moment to be "scamed", because it is a "reader" technology...get a reader, get an identity...

Who needs eyes?

[divisivemind]

While biometrics and/or embedded chips would ensure additional security for the average transaction, I'm not looking forward to purchasing additional dismemberment insurance for when some thug decides he wants to mug me. Biometrics might just make using my credit card harder to do without riping out my eyes or dismembering my fingers/hands/arms. No need to encourage that behavior. Its probably best to keep cash/cards easily accessible so you at least have a chance of surviving the encounter. After all, how safe is your identity if you're dead?

Re:Who needs eyes?

[Detritus]

I've read about a number of local cases where the thug kidnaps his victim and takes him to a cash machine, forcing the victim to make a withdrawal or be shot. These are the same dead-enders who switched to carjacking when it became too difficult for them to steal unattended cars.

Re:Who needs eyes?

[hlh_nospam]

No need to encourage that behavior.

No need to encourage that behaviour, indeed. I live in a state that allows me to carry a concealed handgun, and I am certified to teach the state concealed handgun course. The most effective deterrent is the occasional would-be thief that is shot by his intended victim. This encourages thieves to move to areas that require potential victims to be unarmed.

From the article...

[ttsalo]

"Instead of using stolen cards, criminals are now taking over people's identities and applying for cards in their name. If you think about a credit card application, it doesn't actually require much information about an individual that can't be found out with a little bit of research."

Oh please! Because the authentication of people's credit card applications is completely broken, the problem of cloned and stolen cards shouldn't be fixed? I'm the first to admit that technology alone isn't enough, but this absolute stupidity of authenticating people by "personal" "secret" information has got to stop. (And no, trying to fix that by safeguarding the info better will never work.)

Re:Who says..

[marco13185]

Cash Payments: The return of at the door paying.

At the door paying: The return of lost money in shipping.

Lost Money in Shipping: The return of online credit card payments.

BTW, the point of credit cards is not to have to lug around tons of cash, and not having to have your account full. If you know how to manage your money, you can say goodbye to paying interest on a credit card bill.

Note: Credit Cards not reccommended for those who spend more than they make.

Re:Really? Cool

[jimicus]

Solution:

"Dear Sir,

Seeing as your card and your PIN were used for this transaction, you must have written your PIN down or something. Your problem.

Kind regards,

Your bank."

Now you have to take the bank to court. Should put off anyone claiming less than a few hundred pounds.

cashiers asking for ID

The cashier didn't ask for the coworker's ID probably because he looked like a non-threatening white person.

My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.

I don't mean to turn this into a race issue, but it cannot be ignored.

embedded chips under the skin?

[ElDuderino44137]

I'd be happy if they'd develop a single customer loyalty card. My key ring / wallet can't take much more of this.

Re:Write "SEE ID" on your credit cards

[rabbar]

Merchants who accept your Visa card which is unsigned (or is signed SEE ID) are in violation of Visa policies. Visa has specificially stated that cards signed with SEE ID must not be accepted for a transaction.

From a letter I received from Visa:

"Please be assured that merchants may not refuse to honor a Visa card simply because the cardholder refuses a request for supplementary information. The only exception is when a Visa card is unsigned when presented. In this situation a merchant must obtain authorization, review additional identification, and require the cardholder to sign the card before completing the transaction."

Wait one minute, your not Doc Ruby

[infonography]

I know Doc Ruby, you stole his identity!!!

Moderator! Moderator! Moderator!

Take this imposter away!!!!

Re:Really? Cool

[v1]

The reason merchants take your signature so casually is because they have no financial responsibility. That's part of the visa and mastercard merchant agreement. If the card is approved on the swiper, the merchant is guaranteed his 97% of the take, or whatever it is for that particular card. (visa, mc, and discover are all different %)

The only responsibility the merchant has is that if he does too many fraudulent transactions percentage-wise, the card handling service he goes through may drop him, and he'll have to find another. I don't know if the card service eats the fraud or if the bank does in those cases. Either way, the merchant is always paid. It's this guarantee that makes a merchant willing to only get like 97% of the purchase price without the right to charge extra for credit purchases. (extra charges for credit purchases are against the credit card processing rules)

Another somewhat unknown fact is that if someone steals your card or through any other circumstances charges to your cc #, you can be held partly liable. The banks can make you pay up to $50 of the balance of "disputed charges". From the three or four people I've seen get their cards stolen though, the bank usually eats the $50 they could otherwise push on the consumer. I find this very odd for a bank to be generous to the tune of $50, but for some reason they do it. They probably make well over $50 in interest for most card holders during any 2 year period, so for them it's probably better to roll on the $50 and keep them using their plastic.

The first thing you need to do if your card is missing is report it lost. The $50 limit applies only to unauthorized charges made before the card is reported lost. Anything after that is entirely the responsibility of the bank.

Work in progress

[Cash202]

...there is no patch for human stupidity.

They're working on it. It's called Smack-Me-Smart.

They take people who are stupid, like really stupid, can't get any dumber stupid.

Then they hit them, until the stupid comes right out.

This process is often implemented in 3rd World Countries and states like Texas and Florida, onto children and wives.

The process is not yet perfected, but it is a work in progress.

Re:new?

[Incadenza]

These cards are much less a liability than credit cards of the American type.

Did you ever use your card in France? Your seemingly well protected PIN card does not need a PIN there - cashiers will just swipe it, and that's it. A very nice option for card thieves: Paris is just 6 hours by train. Yes, the thieves are with the program, they have been for a long time 8)

And by the way, PIN cards for payment in shops have been around since the early nineties - in 1970 people were still fuzzing about with 'spaarbankboekjes', a paper booklet with your account information that the bank's cashier could modify.