Slashdot Mirror
New Identity Theft Technology Fails to Protect
Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
...there is no patch for human stupidity.
and earlier, by Schneier:
"If you think technology will solve your security problems, either you don't understand the technology, or you don't understand the problems."
Read the best of all of Slash: seenonslash.com
It is possible that one day the imbedded chip under the skin would become law it may even come with a gps and auto feature that disables the user installed in it as well. But taht makes me think about the Bible in the mark of the beast and son on.With all the things you can buy unchallenged with a credit card there will always be a way around any security feature period.
Why would anyone think that the credit card companies would ever care about identity theft? Sure, it does cost them some money. But by far the cost of identity theft is placed on merchants. If someone disputes a charge on the credit card bill, the credit card companies merely take the money back from the merchant.
As a glaring demonstration of how unconcerned credit card companies are about theft, on the same credit card I had someone fraudulently use it three times. Each time I asked for a new card with a new number on it. Each time the issuing bank (Citibank) said, "Let's just wait to see if it happens again". I had to insist on the third time because I was sick of dealing with it.
When they can just pass costs onto merchants and consumers, is it any wonder they're designing ineffective solutions?
I'm a big tall mofo.
"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social enginering which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect.
For example, assuming that theives can get around biometric data. What is going to stop them from removing a "read-only" chip and installing a "read/write" chip?
Am I open minded towards open source, or closed minded towards closed source?
Pardon me, I left off the link to the Zug.com prank(s).
http://www.zug.com/pranks/credit_card/
Saskboy's blog is good. 9 out of 10 dentists agree.
If it does work outside of your body, it won't work inside your body. There is no absolute way to prove identity. It's a bummer, I know.
You can prove (within acceptable limits) that some biometric data (like a DNA sample) comes from you, but there is a gap between that information and identity. Identity is solely a "web of trust" issue. Trying to solve identity theft with some piece of information (like a password) or biometric data (like a fingerprint) will only raise the bar for identity theft.
Can You Say Linux? I Knew That You Could.
Considering the level of violence some criminals (drug addicts etc) are willing to use on their victims, I'd rather keep my money/cards on my wallet and don't want to have any hard-to.remove RFID chips at my arms.
There is no substitute for hard Commonsense. Signatures are meaningless. Retailers are interested in making the sale and not annoying the customers with suspicion.
In my case, my signature cannot fit on that tiny space provided on the credit card, and so resembles nothing like it. Most clerks will make a perfunctory "check" of signatures, if they even bother.
Regard your credit card like you would cash, since there is little more security involved. Though, most institutions that issue Credit Cards and increasingly Debit Cards will give you a chance to dispute charges and have them removed.
Ruby Neural Evolution of Augmenting Topologies
Why are credit card companies taking so long to make each transaction covered by its own one-time password? Why do I give the same CC# to a recipient, without security? The card is almost always processed by a machine now, even with a (usually minimum-wage) human handling the transaction. Why should the recipient be trusted not to rerun the charge, or increase it, or share the access info with someone else?
I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.
One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just to low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?
--
make install -not war
No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID. Do transactions indoors at the teller window. (Most banks will not ensure that any deposit made at the ATM will make it into your account.) Get to know your tellers. Facial recognition helps a lot. Saved my Grandfather (according to him) years ago when someone tried to cash a stolen payroll check. The tellers knew him. The cops where called.
Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.
Sometimes I would try and explain the catch.
Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.
That is -- is someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.
However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.
In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?
You need to see Gattaca and here
They were taking DNA samples in real time from people for access control.
The guy went to extreme measures to defeat the real time DNA sampler.
No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.
Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.
The problem of this type of security is that it attempts to replace thought on the part of all involved. (see zug.com about credit card fun)
When I and my wife got a joint account, the bank swapped our pictures on our atm cards. We look nothing alike, each being easly taken for our respective genders. I used mine (with her picture) for six months without anyone even glancing at the picture. Eventually, when I got passport photos at a local picture processing shop: the clerk looked at the card and refused to process it.
Literally after hundreds of transactions including a good number in the $250/300 range. Unfortionatly "Security" (tm) is everyones job, but no one wants to do it.
A friend just came back from Japan, where his cousin was paying groceries et all with his cellphone, which had a "sweep-type" fingerprint scanner (and videophone, and fast internet, etc).
I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.
It is interesting to see phone companies grabbing part of the credit card market.
Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!
Instead of money, you'll be paid in talktime credits...
This is like saying "Login & Passwords schemes are insecure! If I give my login and password to my coworker, he can impersonate me! The sky is falling!"
Actually, the Chip&PIN scheme is better than Login/Password schemes since you need a physical device (the smart card) to perform the transaction.
If this new scheme forces thiefs to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.
I love this quote:
The amount of "card-present" fraud in France (where this scheme is in use for about 20 years) is severals orders of magnitude lower than in other countries with similar caracteristics. Ok, the "Problem of fraud" has not been reduced, but the "Amount of fraud" has, and that's what matters.
Nobox: Only simple products.
Oh please! Because the authentication of people's credit card applications is completely broken, the problem of cloned and stolen cards shouldn't be fixed? I'm the first to admit that technology alone isn't enough, but this absolute stupidity of authenticating people by "personal" "secret" information has got to stop. (And no, trying to fix that by safeguarding the info better will never work.)
If the road to hell is paved with good intentions, where does the road paved with evil intentions lead to?
The cashier didn't ask for the coworker's ID probably because he looked like a non-threatening white person.
My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.
I don't mean to turn this into a race issue, but it cannot be ignored.
The reason merchants take your signature so casually is because they have no financial responsibility. That's part of the visa and mastercard merchant agreement. If the card is approved on the swiper, the merchant is guaranteed his 97% of the take, or whatever it is for that particular card. (visa, mc, and discover are all different %)
The only responsibility the merchant has is that if he does too many fraudulent transactions percentage-wise, the card handling service he goes through may drop him, and he'll have to find another. I don't know if the card service eats the fraud or if the bank does in those cases. Either way, the merchant is always paid. It's this guarantee that makes a merchant willing to only get like 97% of the purchase price without the right to charge extra for credit purchases. (extra charges for credit purchases are against the credit card processing rules)
Another somewhat unknown fact is that if someone steals your card or through any other circumstances charges to your cc #, you can be held partly liable. The banks can make you pay up to $50 of the balance of "disputed charges". From the three or four people I've seen get their cards stolen though, the bank usually eats the $50 they could otherwise push on the consumer. I find this very odd for a bank to be generous to the tune of $50, but for some reason they do it. They probably make well over $50 in interest for most card holders during any 2 year period, so for them it's probably better to roll on the $50 and keep them using their plastic.
The first thing you need to do if your card is missing is report it lost. The $50 limit applies only to unauthorized charges made before the card is reported lost. Anything after that is entirely the responsibility of the bank.
I work for the Department of Redundancy Department.
I've read about a number of local cases where the thug kidnaps his victim and takes him to a cash machine, forcing the victim to make a withdrawal or be shot. These are the same dead-enders who switched to carjacking when it became too difficult for them to steal unattended cars.
Mea navis aericumbens anguillis abundat