Slashdot Mirror
New Identity Theft Technology Fails to Protect
Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
...there is no patch for human stupidity.
and earlier, by Schneier:
"If you think technology will solve your security problems, either you don't understand the technology, or you don't understand the problems."
Read the best of all of Slash: seenonslash.com
Why would anyone think that the credit card companies would ever care about identity theft? Sure, it does cost them some money. But by far the cost of identity theft is placed on merchants. If someone disputes a charge on the credit card bill, the credit card companies merely take the money back from the merchant.
As a glaring demonstration of how unconcerned credit card companies are about theft, on the same credit card I had someone fraudulently use it three times. Each time I asked for a new card with a new number on it. Each time the issuing bank (Citibank) said, "Let's just wait to see if it happens again". I had to insist on the third time because I was sick of dealing with it.
When they can just pass costs onto merchants and consumers, is it any wonder they're designing ineffective solutions?
I'm a big tall mofo.
"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social enginering which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect.
For example, assuming that theives can get around biometric data. What is going to stop them from removing a "read-only" chip and installing a "read/write" chip?
Am I open minded towards open source, or closed minded towards closed source?
Considering the level of violence some criminals (drug addicts etc) are willing to use on their victims, I'd rather keep my money/cards on my wallet and don't want to have any hard-to.remove RFID chips at my arms.
There is no substitute for hard Commonsense. Signatures are meaningless. Retailers are interested in making the sale and not annoying the customers with suspicion.
In my case, my signature cannot fit on that tiny space provided on the credit card, and so resembles nothing like it. Most clerks will make a perfunctory "check" of signatures, if they even bother.
Regard your credit card like you would cash, since there is little more security involved. Though, most institutions that issue Credit Cards and increasingly Debit Cards will give you a chance to dispute charges and have them removed.
Ruby Neural Evolution of Augmenting Topologies
Why are credit card companies taking so long to make each transaction covered by its own one-time password? Why do I give the same CC# to a recipient, without security? The card is almost always processed by a machine now, even with a (usually minimum-wage) human handling the transaction. Why should the recipient be trusted not to rerun the charge, or increase it, or share the access info with someone else?
I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.
One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just to low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?
--
make install -not war
No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID. Do transactions indoors at the teller window. (Most banks will not ensure that any deposit made at the ATM will make it into your account.) Get to know your tellers. Facial recognition helps a lot. Saved my Grandfather (according to him) years ago when someone tried to cash a stolen payroll check. The tellers knew him. The cops where called.
Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.
Sometimes I would try and explain the catch.
Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.
That is -- is someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.
However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.
In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?
You need to see Gattaca and here
They were taking DNA samples in real time from people for access control.
The guy went to extreme measures to defeat the real time DNA sampler.
No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.
Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.
A friend just came back from Japan, where his cousin was paying groceries et all with his cellphone, which had a "sweep-type" fingerprint scanner (and videophone, and fast internet, etc).
I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.
It is interesting to see phone companies grabbing part of the credit card market.
Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!
Instead of money, you'll be paid in talktime credits...
The cashier didn't ask for the coworker's ID probably because he looked like a non-threatening white person.
My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.
I don't mean to turn this into a race issue, but it cannot be ignored.