Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards
schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system.
The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."
Finally the US banking system is catching up to the rest of the world.
Why the hell has it taken y'all so long?
Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.
The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.
Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.
Why the hell would they switch to a pin system, rather than adding it as a second factor? The signature is useful for forensic analysis of the fraud after the fact. It is hard to believe this is about security, and easy to believe it is about them saving money by not having to deal with signatures and the overhead, etc.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Your credit cards don't even have the microprocessors yet? So you can not use them at cash machines in large parts of the world anymore?
Well the target problem happened because someone managed to install skimming software on all of the computers. If the security of your checkout system is compromised then can't you just skim the pin number instead of trying to forge the signature? Actually it is pretty hard to really forge a signature. But then again they can't have a signature expert look at every signature so if it kind of looks like your name then it probably passes the system. Just like I imagine it will be easy to steal your pin card (for most people it will probably be their birthday.) I guess in the end we just all end up spending more on interest or annual fees (unless you get a card with no interest and pay off your bill every month -- in the industry people like that are called "deadbeats") to pay for all of the credit card fraud. It is not like the credit card companies are going to tap into their profits to pay for this.
And it also happens because US lawmakers refuse to pass any legislation to protect consumers and their privacy which has any teeth, and companies just say "oops, sorry" instead of getting fined.
Because in America, if you do anything which doesn't give businesses license to be incompetent and seek maximum profit, you stop getting paid by corporate lobbyists.
Oh, and you suck because you keep doing farm subsidies and then telling everyone else they can't because you're protectionist douchebags.
In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.
But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.
We use RFID in Canada but the maximum purchase amount is fairly limited and the card needs to pretty much touch the machine. Our credit cards were converted to "Chip and Pin" some time ago and I don't think there are any more of the "swipe and sign" type left.
But it's better than nothing. I've been waiting for a long time for it.
And I think it's a bit incorrect to say that the US is the last major market to not use it. For one thing, some banks do issue chip&pin cards, even if almost no merchants have the equipment to use them. And two, I haven't seen chip&pin in South Africa or India although a google search indicates they're starting to roll out there. Maybe those aren't major markets according to some. I didn't notice when I was in Japan either, but nobody batted an eye when I used my chipless cards – unlike some shops in Europe where the cashier looked twice at my chipless card.
yeah you try getting people to both sign and enter a pin and wait in line as others do so.
the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen (and captured at maybe 300x80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.
chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).
Good god, it's been so long since I signed for a credit card transaction I can barely even remember it. Next you'll be telling me that the USA prefers to write on bits of paper to send money, taking ages for it to finally be transacted. I wonder. Are there people who are responsible for driving around a nuclear-powered, one-ton robotic laboratory on another planet, who swing by the supermarket before going home and pay for their goods after signing a little bit of paper?
Mind you, chip-and-PIN is hardly secure. The attitudes and policies of merchants are incredible, if you ever have an insider's view.
Why the hell would they switch to a pin system, rather than adding it as a second factor? The signature is useful for forensic analysis of the fraud after the fact.
Is it? Really?
I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.
Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.
@Whee
With the machine that is given out by the credit card companies you need to pretty much touch it, but security researchers have shown that you can use higher powered equipment to read it from up to 15-20 feet away.
Chip and pin is not proximity based. You put your card in a handset and enter your pin to authorise the transaction like at a cashpoint. The handset never gets access to the PIN in the card, only the one you enter on the pad. It's genuinely surprising that there is still somewhere where this is not the standard. I can't remember the last time I had to sign for a card transaction.
Fingerprint is a terrible security mechanism. Not only does it give someone a reason to steal your *finger*, you also leave your fingerprint on everything you touch. Credentials shouldn't be revealed unless you are actually in the process of using them.
I always preferred fish and cushion myself: http://www.youtube.com/watch?v=B80SyRmtbdI
Chip & pin has never been about security. It's about the ability for CC issuers to eliminate the repudiation of fraudulent transactions by claiming that their authorization system is fraud proof and therefore every transaction is a priori an authorized transaction: http://www.thisismoney.co.uk/m...
Nobody really uses RFID but if it's activated in your chip then it's enough for a thief to steal a small amount from you just by sitting next to you in the bus.
I worked for a major retailer in Canada and thieves can be very resourceful. I've seen card scanners and pin pad overlays that slot perfectly into place. The only hint was a very subtle color difference in the paint they used and the one used on the machine it was installed on. Most customers couldn't tell the difference. Then, you also have complete unit swaps, mostly at smaller stores where there are no dedicated resources for security.
Most times I don't even sign my cards. Yes, I know I'm supposed to, but I've gone for years without signing it. It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card. Maybe once did someone even look for the signature and even then it was more of a "Oh, you didn't sign it" than a "We can't accept that card unsigned."
Great. Now instead of having to steal a card and fake a signature, a criminal can just carry around one "super-card" that has a bunch of people's info on it and let it randomly select which one it uses for the purchase.
Ross is a security researcher at University of Cambridge.
In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".
davecb@spamcop.net
Actually, modern cards not only have the contact chip but also a "Contactless" mode that can be used for small payments.
So you can pay for your Starbucks or bus fare instantly just by tapping your Visa card, no need to swipe or insert the card and enter a PIN number. This is all still more secure than Swipe & Sign, because the cards can't be easily cloned and there's a relatively low transaction limit.
Yes, I said we already have RFID (you call it contactless) even without chip and PIN so it is completely unrelated.
That's why when you buy online you have the digits on the back of your card.
It's called CVC or CVV depending on the association (Visa or MC).
Most of all, chip and pin transaction is not only upgrading the system for transactional purposes, it allows the issuer to ensure non-repudiation of transactions, making the holder more liable for his purchase.
The only fraud detected in the rest of the world is based on mag stripe activity
Both are widely used in Canada.
The only card that is swipe and sign is my Costco Amex.
The signature is useful for forensic analysis of the fraud after the fact.
Can you cite a single case of anyone ever being convicted of fraud because of "forensic analysis" of their signature on a credit card receipt? You watch way too much CSI.
Europeans are much more shifty people who steal. This is why you are disarmed, have to register your address with the police, carry an internal passport, go through extensive background checks to be allowed to open bank accounts, register your TV sets, submit to home searches by tax collectors, etc. etc. The data breach motivating this change in the USA was perpetrated by a European lowlife. It's unfortunate that the upstanding people of America couldn't insulate themselves from this foreign pollution.
It allows the Bank to make a good argument for not paying you back, as you must have lost your pin. Previously they had to collect from the merchants, who are much bigger customers of the Bank, and so are listened to more than individuals. This was a problem for years in the UK, until the courts wised up.
Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.
It's only SUPPOSED to work with direct electrical contact. I'm wearing a badge this minute in a (mostly) optically transparent sleeve. It has a 12-point chip (there's also a magnetic stripe on the back, but the sleeves are only required for the "new" ones - We go to a lot of areas run by other entities that still require a swipe/handprint to get through the door.) We have readers attached to every computer that make electrical contact with this chip and allow us to enter our password to log in. But, even WE have equipment that can read them from 1-2" away outside the sleeve - That's not because there's embedded RFID somewhere in the plastic laminate; it's because, at least with the system we use, you can sufficiently excite them without direct contact. I assure you that the system is not second rate (at least the "powers that be" don't think so) - Our overlords are just as motivated as the big banks to keep things locked down.
I realize that you can claim that if they can be excited remotely that it implies RFID, but at least in this case it's a side effect rather than a design feature.
You're so right for merchants.
This is one weakest link and that's what the PCI standard is for.
However, online shopping at mom-and-pop shops does not prevent your card numbers from being hacked, PCI being too complex to set up; a complete program should be set up by the EMV companies.
Back to the former question, are we speaking of the security of the protocol here (chip and pin) or the end to end process, including archive..... :)
Do the math: it IS two factor authentication.
1) something physical you have (card with chip)
2) something you know (PIN)
So, you might think, "aha, it will be THREE factors, woohoo!". However, chip, PIN, and signature, can't really be considered three factor authentication, unless the signature is checked in real (or near real) time.
I usually just write "Please check ID" in the signature box on my cards, for the same reason you say is odd. Why give a thief your signature to practice and get "close enough", when I have a signature next to a picture of me on my driver's license?
Not that it really matters these days, since every store has a terminal for you to swipe your own card. I've been drawing smiley faces for the past few years when those ask me to sign, and so far, nobody has said anything - not the bank, not the stores, nobody.
It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card.
Yea, it's much better to leave the card blank so the their can sign it themselves so the sig will match.
I browse on +1 so AC's need not respond, I won't see it.
their --> theif
Europeans are much more shifty people who steal .... It's unfortunate that the upstanding people of America couldn't insulate themselves from this foreign pollution.
Spoken like a true Native American. Unfortunately you are centuries too late.
As my cousin found out one night in Calgary, AB. When a couple of women got him drunk, took him outside where their boyfriends beat him down and forced his PIN number out of him... The bank used the fact that he gave them his pin as enough reason not to reimburse the losses.
Personally I think that's why they are doing it, likewise if a keylogger gets your PW/PIN and gets into your banking you might be left footing the bill.
Most all resellers have a markup of ~3% just to accommodate credit card company fees. Those who pay with cash, are essentially ripped off. Those who use credit cards at least supposedly get the security/extra warranty/insurance/other services they provide.
One must keep a good eye on everything the financial institutions are doing, as every change is in their self-interest.
And if someone hacks your card, they blame you (because you must have given away your PIN) and you have no way to prove it.
Gamingmuseum.com: Give your 3D accelerator a rest.
Chip and pin would be much safer if you entered the pin into the card, instead of into the merchant's equipment.
The only common thing in my signatures are that they are all equally unrecognizable. Give me a keyboard.
You just proved why the world doesn't get America. You are what you make of yourself, not what's in your DNA.
Ah yes, "Verified by Visa", because 2-factor authentication is mathematically identical to 1*2-factor authentication
I've never signed my cards either... once, and only once, did a cashier ever notice. And they gave me a pen and said I should just sign the card right then anyway. For security, you know.
Except it just doesn't happen, because the chip and pin system has not been broken yet (not in a meaningful, practical, usable way anyway). And if the card gets hacked from a database leak of some company that had your number stored, it's not chip and pin so you are fully covered. I really have trouble understanding all this opposition to chip and pin from Americans (not that I care a lot).
If the point-of-sale system is compromised, as has been the case in all of the latest high-profile leaks, then the PIN is just as vulnerable as the rest of the transaction data. I'm all for improving the situation, and PIN authentication is long overdue for CC transactions, but this is nothing more than a feel-better move in combating what is entirely a failure to appreciate corporate/institutional security.
I'd like to think that somewhere there's a big pile of your receipts with cows on them, and my receipts with cowboys on them, sitting in a central office and being heavily scrutinized.
Anonymous for obvious reasons, I worked for the security and fraud department of a large European bank.
PIN was introduced mainly as an easy way to move liability of stolen cards from the bank to the consumer. This was a huge cost savings exercise; whole departments responsible for trying to prove a signature was valid closed.
Chip was introduced later for two purposes, to make skimming (adding an attachment to the ATM that reads the pin and magnetic stripe) more difficult and to make offline payments with electronic wallet possible. Offline payments were a lucrative alternative for the bank, parking meters do not need phone/wireless connection and the bank earns interest on the credit in the electronic wallet.
The added benefit of chip is that banks once again could claim that their security is perfect, and that the customer is completely liable if their card gets stolen and full account gets emptied. By connecting the pin and chip with internet banking the customer is fully exposed and the bank has no liability.
If a criminal gets hold of the physical card and PIN there is no limit what he can do. Small cameras mounted by the ATM and brutal home robberies are occurring more and more.
So what happens at a restaurant. The waiter gets the check. You go with him to wherever the credit card machine is set up to punch your PIN?
The annoying thing is that Target installed new chip and pin readers before the breach occurred, but the port is sealed and there is no way to use them (and the card companies are not helping, etc., etc.)
Are you? A troll?
And if someone hacks your card, they blame you (because you must have given away your PIN) and you have no way to prove it.
Incorrect. There are a variety of ways that your PIN can be compromised, and banks are well aware of that. Anything from shoulder surfing to keystroke logging will work.
My credit card (with chip and PIN) was skimmed last year (based on the timing I believe from a restaurant in Winnipeg) and my bank removed all of the charges with minimal intervention on my part.
The NSA has a name for this: TEMPEST.
TEMPEST is a National Security Agency codename referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations.
You seem to watch too much CSI. The term forensic analysis in no way implies that David Caruso will arrive on the scene. The signature can be as useful in a forensic sense as this: "Cop brings in check clearly signed by the perpetrator and says: Look kid! We've got you dead to rights! ... (kid who was thinking of trying to weasel out confesses)" Note that in this case, no actual forensic analysis is needed. The perception that it has occurred is enough.
...don't give two shits about us or the company they work for for credit card security.
Signature vs PIN: The thing you know.
Try signing with a line or an X sometime. Try writing expletives into the signature pad. Try writing "SEE ID" in the signature area of your card with a sharpie. The cashier that will notice and/or comment on this is few and far between. What difference does it make to them if you're committing fraud? None. They still get paid. They (probably) won't be fired. The pin is marginally more secure, if only because it has a computer actually enforcing it, rather than a minimum wage cashier who can't be bothered to check.
MagStripe vs Chip: The thing you have.
The important part of the "Chip and Pin" system is more the "Chip" part than the "Pin" part. It's meant to make the cards far more difficult to duplicate. Right now, it's trivial to duplicate a magstripe. A few hundred bucks worth of equipment and a strategically placed skimmer and you can have your own private criminal enterprise. As I understand the weakness that's been described, it's a replay attack that only works once. (This may be incorrect. It's just what I remember.) That's a damn sight better than the mag stripe.
Is this some excuse for the banks to push more responsibility onto their consumers for their own data security? Yeah, it is. But I'll take the higher security.
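The two comments above (the one explaining that the handset never sees the PIN stored in the card, and this one on why a chip is harder to clone than a magstripe) can be made concrete with a small simulation. This is an added example, not code from any commenter or from the EMV specification: it is a hypothetical toy model in which the card holds a key and PIN that never leave it, the terminal contributes a random "unpredictable number", and the issuer checks a MAC plus a transaction counter. Real EMV uses 3DES/AES session keys and a much richer data set, but the replay-resistance argument is the same. All PANs, keys and track data are constructed test values.

```python
import hashlib
import hmac
import os

# Magnetic stripe: the credential is static data. Whatever a skimmer copies is
# indistinguishable from the genuine card, so a clone always "works".
def magstripe_authorize(issuer_db, track2):
    """Issuer-side check of a constructed track-2 string 'PAN=extra'."""
    pan, _, rest = track2.partition("=")
    return issuer_db.get(pan) == rest


def _mac(key, pan, amount_cents, atc, un):
    """Toy application cryptogram: HMAC over the transaction data (hypothetical)."""
    msg = f"{pan}|{amount_cents}|{atc}|{un.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Card side: key and PIN never leave the card; ATC rises every transaction."""
    PIN_TRY_LIMIT = 3

    def __init__(self, pan, key, pin):
        self.pan = pan
        self._key = key
        self._pin = pin
        self.atc = 0                      # application transaction counter
        self.pin_tries_left = self.PIN_TRY_LIMIT

    def verify_pin(self, entered):
        # Offline PIN check inside the card: the terminal only learns yes/no,
        # and the card locks after PIN_TRY_LIMIT consecutive failures.
        if self.pin_tries_left == 0:
            return False
        if hmac.compare_digest(entered.encode(), self._pin.encode()):
            self.pin_tries_left = self.PIN_TRY_LIMIT
            return True
        self.pin_tries_left -= 1
        return False

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number,
                "mac": _mac(self._key, self.pan, amount_cents, self.atc,
                            unpredictable_number)}


class Issuer:
    def __init__(self):
        self.keys = {}        # PAN -> card key (shared at personalisation in this toy)
        self.last_atc = {}    # PAN -> highest ATC accepted so far

    def enrol(self, card):
        self.keys[card.pan] = card._key
        self.last_atc[card.pan] = 0

    def authorize(self, c, terminal_un):
        key = self.keys.get(c["pan"])
        if key is None or c["un"] != terminal_un:
            return False                    # not an answer to this terminal's challenge
        if c["atc"] <= self.last_atc[c["pan"]]:
            return False                    # counter did not advance: replay
        expected = _mac(key, c["pan"], c["amount"], c["atc"], c["un"])
        if not hmac.compare_digest(expected, c["mac"]):
            return False
        self.last_atc[c["pan"]] = c["atc"]
        return True


def terminal_transaction(card, issuer, amount_cents, typed_pin):
    """One chip-and-PIN purchase as seen from the terminal."""
    un = os.urandom(4)                      # fresh challenge per transaction
    if not card.verify_pin(typed_pin):
        return False, None
    cryptogram = card.generate_cryptogram(amount_cents, un)
    return issuer.authorize(cryptogram, un), cryptogram


def demo():
    results = {}
    issuer_db = {"4111111111111111": "2512101"}       # constructed test data
    track2 = "4111111111111111=2512101"
    results["magstripe_genuine"] = magstripe_authorize(issuer_db, track2)
    results["magstripe_skimmed"] = magstripe_authorize(issuer_db, track2[:])  # clone

    card = ChipCard("4111111111111111", os.urandom(16), "4921")
    issuer = Issuer()
    issuer.enrol(card)
    ok, captured = terminal_transaction(card, issuer, 4250, "4921")
    results["chip_genuine"] = ok
    # A compromised POS captured the whole cryptogram; replaying it fails at the
    # same terminal (ATC already used) and at any other one (UN mismatch).
    results["chip_replay_same_terminal"] = issuer.authorize(captured, captured["un"])
    results["chip_replay_new_terminal"] = issuer.authorize(captured, os.urandom(4))
    # Three wrong PINs lock the card; the correct PIN no longer helps.
    for _ in range(ChipCard.PIN_TRY_LIMIT):
        terminal_transaction(card, issuer, 100, "0000")
    results["chip_after_pin_lockout"] = terminal_transaction(card, issuer, 100, "4921")[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {'AUTHORIZED' if value else 'DECLINED'}")
```

Running it shows the contrast the comment draws: the skimmed track is accepted exactly like the original, while the captured chip cryptogram is declined on replay because the counter has already been consumed and the challenge belongs to a different terminal. What the model does not protect against is the point made elsewhere in the thread: a compromised PIN pad still sees the typed PIN, and a stolen card plus PIN is as good as the real thing until the issuer blocks it.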
I admit that I only read the summary, which said switching to pins not switching to pins and a physical token. All that changes in this case is that you still want the signature, but for the reason stated earlier: "It is useful for prosecution purposes".
Thief, you mean?
Not to mention that, in the event your fingerprint does get compromised, how exactly do you change it? Sure, you've got 10 of them to cycle through, but if one of them is compromised, it's highly likely several others will have been compromised as well. So realistically, you might get 2 or 3 shots at it, but then what?
And what about people with birth defects, or amputees?
The recent Cartoon channel show, 'Chippy', conceived and sponsored by a joint effort between the Department of Homeland Security and the Internal Revenue Service, has reached a critical mass in terms of viewership according to a recent media rating survey. The show, which advocates the use of the Personal ID Chip and shows DHS agents busting unregistered gun owners, smugglers, drug dealers, black market medical personnel, Constitutionalist terrorists, and non-'Chippers' has become a significant PR success and increased the demand for chip implementation in the core demographic of 8-12 and, surprisingly, adults as old as 70. The show's tagline 'Chippy is your friend!' has spawned t-shirts, window stickers, screen savers, and a host of DRM-free online episodes as well as a counter-culture of subversive anti-Chippie paraphernalia. From the Pacific White House in Hawaii, the President declared the show a clear success and commented that the revised chip requirement under his 14-year old Affordable Care Act was 'a keystone in the future of healthcare, commerce, and continued security in the United States'. The President went onto remind the audience that the 2015 State of Emergency remains in effect and that anyone not adopting the chip would be subject to increasing tax penalties and potential arrest without compliance by the end of 2030. The President, suffering from emphysema, has not yet named his successor but it is believed that one of his daughters may assume the post during the ongoing interregnum.
You mean they're going to replace your hand-written signature with a PIN that can be stored on systems as secure as Target's systems, free for swiping by all? And that is more secure, why?
I live in a decently sized city and I still have to fight with the taxi drivers to get them to accept my credit card. Even though they have swipers and signs that say they accept cards they pretend the machine is broken, make up some minimum charge, or just flat out refuse to accept your credit card. Now we're going to tell them they have to upgrade the machines they resisted getting in the first place?
Of course almost no merchant follows this part of their agreement.
Visiting the US from Canada is like travelling back in time. Debit cards? What are those? I was stunned that I had to pay for gas at the pump with a credit card - there is NO widespread use of debit cards. Credit card carbon paper and swipers? What year is this? Pay phones that only take one kind of card payment, and no others, because of exclusivity deals between the phone company and a card company. Unheard of. What a crazy messed up system you guys have there. Come to Canada. Come to the future, now.
My (Canadian debit) card has been scanned twice, and both times the bank called me up, notified me of the fraudulent charges on my account, and the money was back in my account in under two weeks.
"Old man yells at systemd"
Now with any luck, you can switch to the SI system of measurement and join the 18th century as well!
It allows the Bank to make a good argument for not paying you back, as you must have lost your pin. Previously they had to collect from the merchants, who are much bigger customers of the Bank, and so are listened to more than individuals. This was a problem for years in the UK, until the courts wised up.
So, those of us in the US are screwed when this goes into effect.
I think you just tried to write a scene for an episode of CSI.
Cash.
PINs have nothing to do with microprocessor enabled credit cards. Debit cards in the US have had them for years. What the microprocessor enabled card does is make it more difficult for thieves to steal the card by having a bogus card reader that records the swipe.
If the network hardware was compromised, what would've stopped the hackers from collecting the PINs as well?
With this increase in security encourage hackers to go after debit cards more - which would be worse for consumers (fewer fraud protections there)?
Will there even really be a difference between credit and debit cards anymore?
How will this affect online transactions (especially for web developers)?
This sounds like a bigger change than some people realize.
"Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases" They are already liable. It is called a charge-back. Customers complain that the charge was fraudulent and the credit card company suspends payment to the processor until the merchant can prove that the transaction was not fraudulent. He gets 5-6 of these charge back requests a week, mostly from people who got tipsy and spent far more than they wanted. The processor will find against the merchant if the signature differs even by a little from the one on file. Sometimes the bartenders have to ask a customer to re-sign 2-3 times before they get one that exactly matches the signature on the card.
That's because the outdated infrastructure had been economically viable to use, so there had been no reason to update it, until now, that is.
Many ways of the US rely on an honor system. There used to be unattended shops where you take the goods and put money in a box. The box didn't use to require a lock. This might be possible in a small town where everyone trusted each other, but in a city where crime is rampant, this business model is simply not economically viable. Public transportation used to allow monthly or weekly pass holders to board from the rear doors without verifying their passes, but they don't allow that anymore because nowadays enough non-paying passengers take advantage of that such that the honor system is no longer economically viable.
The honor system is always able to absorb a small percentage of fraud cases and remain economically viable. It's only when the fraud rate rises past a certain threshold when the system breaks down.
When a merchant displays a credit card logo, you trust the merchant. When the merchant hands you a receipt and you sign it, the merchant trusts you to pay. Again, this is an honor system. The rest of the world also started off with a complete "out of date" manual-imprint or swipe-card honor system. They were forced to upgrade the infrastructure because they suffered enough fraud such that the old system was no longer economically viable. The new smart card system is designed to enforce contractual agreement so that you don't need to rely on the honor system anymore, making credit payments economically viable again.
The US simply held off this long because the honor system had worked until now. Economic viability is the reason. The bad news is that the US has morally declined to the level of the rest of the world. The good news is that the US upheld its morals longer, being the last to abandon the honor system.
I once had a signature.
God dammit I'm going back to bed now.
I have to admit, this sort of ignorant racist/nationalist bullshit is usually posted AC, but you put your name on it. Kudos.
US has traditionally had a much lower fraud rate than the UK so there was no motivation.
The UK fraud rate was much higher but chip and pin has helped bring it down to match US levels (in 2010 US cc fraud rate=.085, UK=.070, first time UK was lower)
You never order online or over the phone?
Chip and PIN sounds a lot like security theater, given how easy it is to circumvent.
Another commentator said the US is going to chip-and-signature cards, skipping pins entirely.
Biometrics don't deal well with disabled / atypical people. How are you going to validate a wheelchair bound person who can't reach the POS terminal or the veteran who had his hands blown off by an IED or the burn victim with no fingerprints?.
IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe.
The signature has little to do with security and is ridiculously easy to forge. The signature is your acceptance of the cardholder agreement and your agreement to pay. While the clerk can compare signatures, they're hardly a forensic expert.
Frankly, given how inconsistently I sign my signature (not intentionally), I'm pretty sure no handwriting recognition program could have any confidence it was me.
First, chip & PIN is how Europe does it, not the "rest of the world". In my travel around Asia I haven't seen chip & PIN cards or machines anywhere (anecdotal evidence it may be, but it definitely isn't universal). I got a (rare) US chip & PIN card just in case for my travels a few years ago, and so far have not had a single chance to use it - not even on a recent trip to Germany. In places that could "go either way" that card still fell back to signature mode (though, perhaps, that's more of an issue of how VISA presents it).
Secondly, chip & PIN has one interesting issue in the US market - tipping at restaurants and such places. The (imho vile) practice of inflating one's bill by 20-25% post-consumption is not particularly common in the chip & PIN world. Since a chip & PIN transaction has to be fully concluded at PIN entry, we would have to tip at restaurants through hand-held machines brought to our table, while the waiter is standing there looking on anxiously. I am guessing tip rates can then go to 50%?
Don't confuse debit cards (that do have a PIN in the US, as anywhere) and credit. The difference is crucial and in principle. With direct debit cards the account holder is liable for any losses due to fraud (though banks claim they will help, by law it's the responsibility of the account holder). With credit cards the card issuer is liable by law for any fraudulent charges. I'll take the second option, thank you.
Why the hell has it taken y'all so long?
You're asking that question to the only large country that has yet to adopt the metric system? We prefer to do things the old fashioned way and then pretend it is better that way.
Tiny Electromagnetic Particles Emitting Secret Things
Chip and pin is not proximity based.
One implementation is not. That doesn't mean that a given new system wouldn't be. However, direct electrical contact is certainly more secure.
I thought American debit cards already used personal identification numbers? You slide the American Express card and then push in the PIN using a keypad? I'm confused.
Why the hell would they switch to a pin system, rather than adding it as a second factor?
Because that is a pain in the ass. Entering a pin and giving a signature adds a lot of annoyance without improving security much. The cost outweighs the benefits. If the clerk is concerned they can always ask for a picture ID.
The signature is useful for forensic analysis of the fraud after the fact.
No it really is not. I have yet to sign on a digital pad that results in a signature that even vaguely resembles my actual signature. Furthermore the signature is mostly about you agreeing to the cardholder agreement. It's value for security is frankly minimal. Much less useful than asking for picture ID.
In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.
But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.
That is because it is cheaper to insure against fraud than prevent it. Same thing at the banks. They only verify signatures above a certain threshold on checks (usually either $5,000 or $10,000 depending on the bank). With credit cards, if a fraudulent charge is made the credit card company isn't out the money, the retailer is. Since the chance of a fraudulent card being used at their local establishment is small, security is lax.
Most times I don't even sign my cards. Yes, I know I'm supposed to, but I've gone for years without signing it. It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card. Maybe once did someone even look for the signature and even then it was more of a "Oh, you didn't sign it" than a "We can't accept that card unsigned."
A friend who didn't sign his card had that challenged by a clerk who insisted he sign it - then compared the (fresh) signature with the receipt signature!
The signature is useful for forensic analysis of the fraud after the fact.
Is it really? Most of the card issuers want you to demonstrate your signature right on the back of the card. And then pair that with a low resolution signature pad, and there's really no benefit at all.
In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was.
That's because the signature isn't about security. It is about agreeing to the cardholder agreement. It is a legal acknowledgement of a contract. It's more or less useless as a security measure.
Yes. Only reason it hasn't been deployed is because of the sunk costs and people's resistance to change. I don't think pin & chip will make it here. The former two are too heavy to move. Unless you get someone like Walmart to do it (and they won't, fraud is too small of a write off) it won't fly. Honestly, I don't understand how Target has the capital to make this investment. It would cost them far less to put in the preventative & detective controls in their current systems. Not to mention their shopping base will drop.
Chip and pin is still deeply flawed. You still are required to hand over all the data a 3rd party would need to commit fraud. With today's technology, there is no excuse for this.
A system like this one would allow transactions without ever exposing credentials to a third party.
Will we be limited to the weak 4-digit PINs which the ATMs use, or will they finally break down that barrier?
Even my voicemail p/w allows for more than four digits.
Also, this is relevant:
https://web.archive.org/web/20...
It's a shame that the original web site for this is gone.
Portable terminals cost more than 'pretty much nothing.' They add considerable expense and are, for the most part, completely wasteful. A consumer should be able to complete a card transaction on their own cell phone without ever exposing their credentials to somebody else's terminal.
For this to be a new system you need to travel back to 1992 when France adopted it.
Anyway, it can't ever be purely proximity based (like the contactless payment systems that you are presumably worried about) because it requires your PIN to authorise the transaction. Since it's challenge/response there is presumably little benefit to eavesdropping on one transaction - you're not going to capture anything that will allow you to perform additional transactions in future.
Disclaimer: I once built security technology and attempted (and failed) to sell it to the banking industry.
The incentives are truly twisted. If a merchant accepts a fraudulent card, the bank will not pay anything. They told the merchant that card number was good, but never signed off on that transaction. So, they get their money back from the merchant. Then, they charge the merchant a fee for wasting their time.
Long story short, banks love chargebacks.
That's why online payment processors (Paypal, Amazon Payments) can justify taking a bigger chunk of the credit card processing fees. They assume that risk (as long as you live up to certain rules), and they charge you for it.
Your ad here. Ask me how!
Given how few merchants have even looked at the signature area of my card, the thief signing the card wouldn't impact whether or not the merchant accepted the thief's signature as being valid.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The approximate way that chip and PIN works in cards is that unique transaction information is sent to the chip. The chip then signs the response with the entered PIN and that's sent for authorization. Even if a particular transaction is sent to the chip from 20 feet away, and the PIN is also sent, the most you'll be able to do is to fraudulently authorize a single transaction. IIRC (may be remembering an obsolete spec, it's been a few years) part of the auth is even time-based, so even that's not much use for thieves.
Bottom line though, this isn't new technology. It's used everywhere else on the planet. Americans looking at it as if someone's moved our cheese and saying, "This'll never work," just end up looking like Flatlanders in a 3D world - because it totally does work, and has elsewhere for decades. For real.
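The two comments above (the challenge/response remark and the "unique transaction information is sent to the chip" description) both describe a card that produces a one-use cryptogram over data the terminal supplies. The following is an added toy model written for this thread, not code from any card vendor and not the EMV cryptogram algorithm: the card holds a key shared only with the issuer, refuses to produce anything without the right PIN, and MACs the terminal's challenge together with its own transaction counter. The issuer then rejects replays (counter not advanced), stale challenges (timestamp too old) and altered amounts (MAC mismatch). All names, keys, amounts and the 120-second freshness window are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Card:
    """Toy chip card (constructed for illustration; not the EMV spec)."""
    card_id: str
    key: bytes          # secret shared only with the issuer at personalisation
    pin: str
    atc: int = 0        # application transaction counter, one step per use
    pin_failures: int = 0

    def authorize(self, entered_pin, challenge):
        """Return a cryptogram over the challenge, or None if the PIN is wrong."""
        # The PIN is checked inside the card; the terminal never learns the key,
        # and a wrong PIN means no cryptogram is produced at all.
        if self.pin_failures >= 3:
            return None
        if not hmac.compare_digest(entered_pin.encode(), self.pin.encode()):
            self.pin_failures += 1
            return None
        self.atc += 1
        return {"atc": self.atc, "cryptogram": _mac(self.key, challenge, self.atc)}


def _mac(key, challenge, atc):
    """HMAC over the canonical challenge plus the counter (stand-in for the real cryptogram)."""
    msg = json.dumps(challenge, sort_keys=True).encode() + atc.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer host: knows each card's key and the last counter it accepted."""

    MAX_AGE = 120  # seconds a challenge stays valid (assumed value)

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enrol(self, card):
        self.keys[card.card_id] = card.key
        self.last_atc[card.card_id] = 0

    def verify(self, card_id, challenge, response, now):
        key = self.keys.get(card_id)
        if key is None or response is None:
            return False
        if abs(now - challenge["timestamp"]) > self.MAX_AGE:
            return False                                  # stale challenge
        if response["atc"] <= self.last_atc[card_id]:
            return False                                  # replayed cryptogram
        expected = _mac(key, challenge, response["atc"])
        if not hmac.compare_digest(expected, response["cryptogram"]):
            return False                                  # tampered or foreign data
        self.last_atc[card_id] = response["atc"]
        return True


def make_challenge(merchant, amount_cents, timestamp, nonce):
    """Unique transaction data the terminal sends to the chip."""
    return {"merchant": merchant, "amount_cents": amount_cents,
            "timestamp": timestamp, "nonce": nonce}


def demo():
    """Run the scenarios discussed in the thread; report which ones the issuer accepts."""
    issuer = Issuer()
    card = Card(card_id="card-demo-0001", key=b"constructed-demo-key", pin="1234")
    issuer.enrol(card)
    t0 = 1_700_000_000
    results = {}

    # 1. Genuine purchase: right PIN, fresh challenge, counter advances.
    ch1 = make_challenge("shop-1", 2599, t0, "nonce-1")
    r1 = card.authorize("1234", ch1)
    results["legit"] = issuer.verify(card.card_id, ch1, r1, now=t0)

    # 2. Eavesdropper replays the captured cryptogram: counter has not advanced.
    results["replay"] = issuer.verify(card.card_id, ch1, r1, now=t0)

    # 3. Wrong PIN: the card emits nothing, so there is nothing to verify.
    ch2 = make_challenge("shop-1", 999, t0, "nonce-2")
    results["wrong_pin"] = issuer.verify(card.card_id, ch2, card.authorize("0000", ch2), now=t0)

    # 4. Stale challenge presented long after it was signed.
    ch3 = make_challenge("shop-2", 4500, t0, "nonce-3")
    r3 = card.authorize("1234", ch3)
    results["stale"] = issuer.verify(card.card_id, ch3, r3, now=t0 + 1000)

    # 5. Terminal alters the amount after the chip signed it.
    ch4 = make_challenge("shop-3", 1200, t0, "nonce-4")
    r4 = card.authorize("1234", ch4)
    results["tampered"] = issuer.verify(card.card_id, dict(ch4, amount_cents=120000), r4, now=t0)
    # The untouched challenge from scenario 5 is still good, exactly once.
    results["legit_again"] = issuer.verify(card.card_id, ch4, r4, now=t0)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:12s} accepted={accepted}")
```

The point the model makes is the one the comment makes: capturing one exchange, PIN included, buys an attacker at most the transaction the cardholder already approved, because the cryptogram is bound to that challenge and that counter value. Without the card's key nothing new can be authorised.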
You're special forces then? That's great! I just love your olympics!
Fingerprint readers also look for a pulse. Chopping off a finger won't work.
I want a list of atrocities done in your name - Recoil
I hope their goal isn't only chip and PIN; if it is, why bother? In Canada we have Paywave tech now for credit with debit coming in a few months, and soon the banks will be introducing single card systems where your debit card, Visa, MasterCard, etc. are all the same piece of plastic. I guess it's easier in Canada to move forward due to regulation that requires that the banks cooperate when it comes to inter-connectivity. And it certainly isn't hampering profits, with most Canadian banks making record profits year after year. Sometimes progress has to be forced on people. Canadians were hesitant about the $1 coin, but now we wouldn't have it any other way.
It's a new system for the US. It can be implemented however the major issuers decide to - whether they already have a presence in other countries or not.
It could certainly be proximity + PIN. Challenge/response does not require anything that NFC chips can't do. You're right that eavesdropping doesn't get you anything special, but it's still somewhat less secure to have the transaction sniffed.
Why haven't any of these articles discussed online CC transactions? How do you use a chip and pin online?
All of this is just theater - I had a CC and charges started appearing on it - no one could ever tell me what happened. I had done nothing different in many years. Same online merchants, same gas station. The CC company just shrugged and issued a new card.
I can change my credit card number with a few phone calls, I can change my PIN after a few clicks at my bank's website, I can change my signature any time I please, but I can't change my fingerprint. It's trivial to spoof fingerprints for most fingerprint scanners once the print itself is captured, and once it's out there, it's out there. Good luck dealing with it after that point.
Ideally, we'd have something that can be altered by the customer, readily recognized by a computer, and dependent only on the customer being able to reproduce it. PIN and signature both accomplish that to varying degrees (signature recognition is essentially non-existent on POS systems), but perhaps something gestural could work. Many Android users already rely on gesture-based locks for their phones, and I could see something similar working in the future, since it'd be a lot harder to transfer electronically than a four-digit PIN, a lot easier to replace than a fingerprint or retinal pattern, and a lot simpler to recognize for a computer than a signature.
> This is why you are disarmed,
Nope.. talk to the Swiss.
> have to register your address with the police
Nope.. unless you're a sex offender maybe.
> carry an internal passport
Nope.. especially not in the UK.
> go through extensive background checks to be allowed to open bank accounts
Not particularly.
> register your TV sets,
Nope... although you require a TV licence in the UK. From which we fund the BBC. You're welcome..
> submit to home searches by tax collectors, etc. etc.
Nope. Search warrants and the usual process of law excepted.
Sigh,
The point is that yes you can get the pin. But without the physical card it is useless because you need both to complete a transaction.
If your card was skimmed the more likely explanation was that the magnetic strip was skimmed and then used at a place that did not use chip and pin verification. Until we can remove the mag strip this will happen.
Places like the States resisting going to chip+PIN means that the rest of us are paying.
Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies
Fingerprint is a terrible security mechanism. Not only does it give someone a reason to steal your *finger*, you also leave your fingerprint on everything you touch. Credentials shouldn't be revealed unless you are actually in the process of using them.
And once your fingerprint is stolen, it's stolen forever with no possibility of replacing it!
using cash is great. more people should give it a try
But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe
Probably because we can't get the Chinese to manufacture them cheaply enough for us.
You don't enter a PIN using tap to pay here in Canada, since it slows down the process and the point of tapping is to speed up the payment process. Your card usually has a very small tap transaction limit. My credit card has a $50 max charge per tap transaction, though I would like to get it bumped up to $100 or maybe even $200. I think the banks here are starting with low limits to see how things work out since it's still a fairly new technology.
The thing is the signature on the back of the card isn't for verification by a merchant. The stated purpose of the signature block is that you agree to the terms that come with the credit card. By the rules of Visa and MasterCard a merchant should not accept a card that is blank or has something like see ID.
Of course almost no merchant follows this part of their agreement.
It's amazing to me how many people don't realize this, and think it is somehow safer to leave the card unsigned.
Back when I worked as a cashier (at Target, of all places), I actually had people get offended when I would ask to see their ID because their credit card was unsigned. But I know many/most of my co-workers didn't check...
Also in the category of things the store should check but rarely does -- The merchant is supposed to call the credit card's issuing bank before letting someone else use the card -- this also angered people when I would tell them I had to call the bank to let them use their spouse's card.
But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe
Probably because we can't get the Chinese to manufacture them cheaply enough for us.
I'm sure they could do it cheaply. They are probably so busy making all our other shit that they don't have the time.
Anyone else a little concerned that two companies can snap their fingers and compel the entire country (every bank, every business and everyone with a credit card) to radically overhaul their entire financial infrastructure?
That's two companies with a '2' and nothing after it.
This sudden shift in technology is going to hit merchants hard. Not the large retailers that are having the massive data breaches, but the mom and pop store down the street. Why? Ever seen what card processing companies charge for machines? It's outrageous. Many of these merchants are still using machines from around the turn of the century, or older, because new ones cost far more than they can afford to spend on a device that really has no ROI. Chip and PIN wasn't even being seriously discussed in the US until recently, but suddenly everybody is going to have to come up to this new standard by next year? Who's going to pay for this? Are the little guys going to receive subsidies? I do agree we're far behind the rest of the world regarding our processing methods, but the changes being discussed seem a little too sudden not to be a huge burden on the people who can't afford another hit in this economy.
I sign my card (as required by the card issuer) then print "Ask for Photo ID". When the vendor looks at the back they always ask for photo ID. Do they always look at the back/signature area? Not always.
I guess it's because the patent on the smartcard expired
(smartcards are notably safer but the US refused to use them because the rights were not owned by US companies)
http://en.wikipedia.org/wiki/Roland_Moreno
The Target thieves ALSO took PINs. So much for PINs solving problems. Silly /.
And today, the PayPal CEO's credit card got stolen and used for a ton of fraudulent purchases -- in Europe. Where they're allegedly so much more advanced.
The pressure on retailers is just to force them to buy new equipment and prop up everyone's sales numbers. That's all.
Chip and PIN is an attempt by financial system to shift responsibility for fraud to the consumer. It did not happen in the US yet since we have stronger consumer protection in general. This is documented: with chip and PIN it is much harder to prove fraud. Banks in UK use chip and PIN as a way to deny consumer claims. Of course it is not any more secure than signature, anyone can steal PIN and it's stolen all over the place.
Just say no to chip and PIN. Let poorer countries have it.
The most sophisticated fingerprint scanners can be defeated with gummy candy. Mythbusters got past one - a brand new design, which included checks for pulse, etc., with a Xerox of the correct fingerprint. The "is it a live finger" feature they defeated by licking the Xerox.
And if you steal someone's card, the odds are, their fingerprints are all over it. The average person can build a fingerprint kit for about $10, if they have access to Google.
I usually just write "Please check ID" in the signature box on my cards,
I've always found that an amusing form of stupidity. Your contract with the card issuer requires you sign it. Period. Any cashier who is aware enough of the rules to know to check the signature will likely know it has to be signed. I've seen credit cards refused because someone wrote "check ID" on the back instead of signing it - and rightly so, as they are required to do so.
The signature (on the card, and on the transaction, both) has nothing to do with security. It is a signature on a legally binding contract.
Here in Singapore my friend's bank sends an SMS/text/msg to her phone/tablet anytime she makes a purchase online. She has to type that number into the web page form (or whatever) for the transaction to be approved. I think I wish I had this option. Though as I'm traveling right now I can imagine a few times when I might need the number and not have a signal.
Similarly, why not switch to an (optional?) system like that for non-online purchases. Msg me the number. That way there's no PIN for anyone to steal. That number is only good for that transaction.
I used to think the same thing in Canada, but at the same time most merchants were pushed to use chip-and-pin, those awful fricking "paypass" cards (RFID, just pass over the reader with no PIN) came out. A lady at my financial institution was recently mentioning how they just got them in Debit card form rather than just the usual Mastercard... so now a thief can handily steal/fake your RFID and foist money straight out of your bank account. How convenient!
One step forward, two steps back.
My bank has been issuing chip credit cards, but they are NOT full "chip and PIN", but instead "chip and signature". Payment processors have not implemented the full standard here in the US. I don't see how reading the chip is any more secure than the mag stripe without the PIN verification, besides making it harder to clone credit cards.
On the back of all my cards, in the "signature" line I always write, "Please check ID".
I always thank the 1 in 100 clerks that actually ask for my ID, though half of those seem to do it as company policy, not because I had it on my card.
"Unheard of means only it's undreamed of yet,
Impossible means not yet done." ~~ Julia Ecklar
So when a virus is loaded up on the client devices that are scanning the cards, this improves things how?
This may be stupid and naive on my part but...
With a signature style, while anyone can try to sign for it, at least if you contest a fraudulent purchase, you can compare the signature on the stores receipt to your own and say, "that wasn't me that signed it", and then the bank is on the hook rather than the card holder.
With a PIN style system, how the heck is the card holder supposed to prove (to themselves or the bank) that they weren't the one who entered in the PIN number? Thus, the burden of proof of fraud will be harder for the card holder, won't it? I can see trying to convince the bank that you didn't enter that PIN number, and the bank telling you that it matches your PIN so it MUST have been you, get lost, you're on the hook for it.
The chip and pin system is called EMV, for Europay, MasterCard and Visa. The heart of EMV is chip cards, which allow for the card reading pad to encrypt the transaction before it leaves the pad, using keys from both the card (the chip part) and the merchant service. The cards have to be set up by the merchant service with their key; the merchant at no point has access to that key.
The EMV standard also includes NFC - Near Field Communications. It is similar to RFID, but not the same thing. The main difference is that RFID has a range of a meter or two, while NFC has a range of a centimeter or two.
They are separate standards. One is part of the other. I don't think there is a requirement that merchants deal with NFC, but I haven't seen any EMV equipment that doesn't include it.
I always write See ID on my card in place of a signature. Sometimes they even look at it and ask for my ID! When they do I always make sure to thank them for asking. I realize this doesn't help if my credit card number is stolen, but at least it might help somewhat if someone were to steal my wallet. The signature system is a joke.
It's not RFID, it's NFC. RFID is NFC's dumb cousin and has no business being anywhere near a financial transaction.
You just proved why the world doesn't get America. You are what you make of yourself, not what's in your DNA.
Yet 99% of all US comedy is based on racial or gender stereotypes...
So in the near-future, you won't be pickpocketed in the big city, but held at gunpoint until you give over your card and your PIN.
When I read about millions of credit card numbers getting stolen, are they somehow being used in face to face transactions? I don't think so. And PIN numbers are already used in debit card transactions. And what good is a chip in an online transaction?
The way I see it, people are going to have to give up some measure of privacy to obtain better security. That isn't something I embrace.
But why would the US move to chip and pin when it could leapfrog ahead to biometrics.
Because biometrics actually kind of suck. All of the ways of identifying via biometrics change over time: voice, retina, fingerprint, etc. Plus, there's no guarantee of uniqueness. In addition, every finger print reader I've had to deal with usually takes 2-3 attempts before it accepts me. Something that I would not stand for at a checkout.
What does a chargeback have to do with mass credit card fraud? Chip/PIN would actually prevent this sort of behavior...chargebacks have almost nothing to do with liability, just some people are assholes and will try and get away with anything they can. If you are sober enough to enter a 4-6 digit code, end of story.
How do you order cash over the phone? I know you can transfer cash-like transactions, but someone has to physically show up at the other end... there's PayPal et al. but they would have complete control until it leaves their system and they require a few layers of verification before it gets anywhere near cash.
But you could skim a bunch of mag stripes or trash a database of card info and clone a bunch of burner cards then mob a city of ATMs; with Chip/PIN this is not feasible...
So how is it being circumvented?
Next time there's a Slashdot story where the consensus among the wise, assembled community (who always have mysterious insight above and beyond the people behind the technology in question) is It'll-Never-Work, just remember this article.
We're talking about a technology that is 20 years old, deployed globally and (based on the complete absence of negative comments from current users) a universally accepted improvement upon the system it replaced.
And the running theme from the (let's face it : primarily American) contingent in the comments is It-Can-Never-Work, It's-Hopelessly-Flawed and What-Idiot-Invented-This.
Slashdot is a special place.
This puts the risk entirely on the consumer side.
Whether that is true or not depends entirely on the laws of the particular country and the cardholder agreement.
Your debit card is somehow compromised, someone makes a purchase with it that takes your account to well below the balance you expect to be there, your rent is due and has been set to be paid and the balance in your account is hundreds less than you expect it to be.
Easy solution. Don't use a debit card. Debit cards are a Bad Idea and are completely unnecessary. Use a credit card or use cash. Plenty of banks will give you an ATM card with no debit card features if you ask.
Carry cash and a gun! Cash to pay for your purchases and a gun to protect you from robbers. I don't pay interest rates on CASH!
The Truth is a Virus!!!
The USA had credit cards first. Any time you are first you build up a system and it's hard to change.
Bogus argument. There has been plenty of time to transition to more secure infrastructure. It's not like the US had some massive lead on the rest of the world in credit card infrastructure. This could have easily been done years ago and the longer we wait the more expensive the change will become.
While I'll accept your counter, it should also be noted that most EU countries are much smaller than the US, which does make it a bit easier to change that infrastructure.
The size of the EU is about the same as the size of the US overall. If anything it is more complicated to change things in the EU because of the national boundaries and the need for cross border cooperation. Hell, the EU managed to get all these countries to change currency which is a MUCH tougher thing to do.
You need to read this. You are not covered and they don't need your PIN. Possibly from a DB hack you may be safe. All I have to say is it's not as secure as you make it sound.
DRM? No thanks, I'll just get it somewhere else...
My (Canadian debit) card has been scanned twice, and both times the bank called me up, notified me of the fraudulent charges on my account, and the money was back in my account in under two weeks.
With a credit card the money wouldn't have left your account at all. What you have described is exactly why debit cards are a bad idea. Even if things work out well, like they did for you, you still are out the money for some period of time.
Has anyone in the US used the NFC features of a new Android phone with Google Wallet? Looking at the setup it looks like it works like these cards, except you have to punch the password into the phone itself, so there is no way for the merchant to know what it is. This seems like it would be more secure. However I did notice the app would let you remember the password, which pretty much wipes out any possibility of security.
There are no merchants near me that support this, or perhaps it hasn't rolled out yet.
I did buy a handful of stand-alone NFC badges to test the phone itself out with. On the Nexus 5 you need to have a 1cm spot on the phone in direct contact with the badge for a few seconds in order for it to read. Way shorter range than RFID badges, which kind of limits the badge's usefulness, but there is no possibility of doing a "pocket read". More like "Right On Top of Field Communication" instead of "Near Field..." And even then, I would need to punch my password in on the app for payment to happen.
Perhaps the range thing is because I am using passive badges, and the active one at a retailer would work from a few inches away. I stuck a badge on my car's docking cradle, and it doesn't read because the badge is touching the edge of the phone instead of that 1cm spot on the back.
I'm a good cook. I'm a fantastic eater. - Steven Brust
It's the vein pattern rather than the fingerprint. You don't leave traces of it over everything you touch, and I have this feeling (that needs confirmation) that if your finger is no longer living (because you're dead or because somebody "helped" you "misplace" it) that vein pattern goes away.
Hmm, found confirmation, but the citation is dead: "The finger vein ID system is much harder to fool because it can only authenticate the finger of a living person."
The reason why they're doing this is to shift the burden of proof of a fraudulent transaction back onto the consumer (or ding the merchant with higher per-transaction fees until they become compliant). Up until this point the consumer bore no responsibility and the merchant took the risk (using Zipcode entry or signature entry would help lower rates because they did reduce fraud activity) to have the credit access. The issuing bank was never out the money because their ability to chargeback was built into their agreements.
Now if the merchant and the processor get secure, then it's ultimately between you and your bank if your account gets compromised. The issuing bank is going to have a harder time getting processors to accept chargebacks; they're going to try to negotiate their rates down on the basis of less fraud. Which will be true! But the issuing banks are now not going to risk angering a network member by issuing too many chargebacks, whereas before they'd bend over backwards to keep a customer. And none of these savings will be passed on to consumers.
OnlyCoin - was a weird idea anyway, throw away batteries piss me off!
Also, Canada has been using chips for a few years, with both debit and credit being separate (to answer some comments about the "rest of the world").
Wireless Credit/Debit machines, invented 5-10 years ago...
Anyone know of places in the US issuing EMV cards without huge yearly fees, etc?
In the signature line on the back write "See photo ID"
Worst case, a thief now needs to cobble up a phony photo ID for in-person use, perhaps that will delay things enough for you to cancel the card before used if it has been lost/stolen. Offshore USA, pick-pocketed cards are often quickly (within minutes) used to purchase prepaid phone cards before the card can be canceled, the phone cards are then sold on the street for local cash.
The signature is not an authentication mechanism and it is irrational to expect it to be one. Do you really expect a minimum wage store clerk to be a handwriting analysis expert?
I'm not sure you are understanding this at all. Presenting a pre-signed card proves the cardholder once signed the card. Signing at purchase time allows them to compare that signature to the one on the card. Your argument is for, rather than against, the usefulness of signatures. It is true that a cashier can't stop all forgeries, but they can sure in the hell stop the obvious ones.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
So don't pair it with a low res signature card.
You're the one that said signatures as we have them now were useful. I had to assume you were referring to current practices.
It is true that a cashier can't stop all forgeries, but they can sure in the hell stop the obvious ones.
It stops the obvious ones, but enables all the rest. I do not sign my cards. They ask to see my ID, then look up at my face to see if it's a match to the photo. That signature could be used anywhere if my wallet were ever stolen. Not just for credit card purchasers.
In the Netherlands, in the early 2000s, they had an online commerce system that works as follows:
You have a credit card. It has a number.
You want to buy something online. Your vendor, after your cart is totalled, gives you an amount and a vendor code.
You go to your bank's website in your browser. You access your credit card account. You create a payment by entering the vendor code and total. A one-time code is generated that you copy and paste into the vendor's payment form.
This means:
a) The vendor NEVER has your CC number (so can't lose it)
b) The vendor can only charge ONCE against that number
c) The vendor gets paid, your data stays secure
WHERE IS THIS SYSTEM IN NORTH AMERICA?
WHY DO WE KEEP HAVING TO GIVE CC NUMBERS TO VENDORS?
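The bank-issued one-time code flow described above, modelled as an added example (not the poster's or any bank's real system): the bank binds each code to one vendor code and one amount with a MAC, reserves the funds up front, and lets the vendor settle the code exactly once, so the vendor never holds the card number and a leaked or replayed code is worthless. Class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Toy issuer: hands out single-use payment codes bound to one vendor
    and one amount, so the vendor never learns the card number and can
    settle each code at most once. (Constructed example, not a real API.)"""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # MAC key, never leaves the bank
        self._balances = {}                   # card id -> available cents
        self._codes = {}                      # code -> {vendor, amount, card, used}

    def open_account(self, card_id, balance_cents):
        self._balances[card_id] = balance_cents

    def _mac(self, nonce, vendor_code, amount_cents):
        # Binds the random nonce to exactly this vendor and this amount.
        msg = f"{nonce}|{vendor_code}|{amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def create_payment(self, card_id, vendor_code, amount_cents):
        """Cardholder step: reserve funds and get a code to paste to the vendor."""
        if amount_cents <= 0 or self._balances.get(card_id, 0) < amount_cents:
            raise ValueError("insufficient funds or bad amount")
        self._balances[card_id] -= amount_cents        # reserve immediately
        nonce = secrets.token_hex(8)
        code = f"{nonce}-{self._mac(nonce, vendor_code, amount_cents)}"
        self._codes[code] = {"vendor": vendor_code, "amount": amount_cents,
                             "card": card_id, "used": False}
        return code

    def settle(self, code, vendor_code, amount_cents):
        """Vendor step: present the code plus the vendor's own id and total.
        Returns True exactly once per valid code; the vendor never sees the card."""
        try:
            nonce, tag = code.split("-")
        except ValueError:
            return False                               # malformed code
        expected = self._mac(nonce, vendor_code, amount_cents)
        if not hmac.compare_digest(tag, expected):     # wrong vendor, amount or forgery
            return False
        entry = self._codes.get(code)
        if entry is None or entry["used"]:             # unknown or already charged
            return False
        entry["used"] = True                           # the "can only charge ONCE" rule
        return True
```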
Our banks aren't catching up because they couldn't catch a clue to save their lives.
I once had a friend have fraudulent charges on his CC. He went through the process do get them acknowledged with his CC company and written off. He asked when he'd get a new card with a new CC number. They weren't planning on sending him one. Yes, you heard me....
He asked them to kindly assign him a new number and send him another. They countered with the fact that he could just sign off any other bogus charges and they'd make them go away.
And you wonder where 18% interest rates come from?
Our banks are absolutely hopeless when it comes to innovating or even catching up with what the rest of the world has been doing forever.
The chip and pin is slightly better (in prevention, but not in dealing with a breach) than the signature. Harder to argue later with your CC company though, because you can't argue 'well, that is clearly NOT my signature you have on file!'.... they'll just say 'they had your pin and chip, so too bad, so sad, you are liable....'.
One time numbers are the way to go for online transactions. I'm not sure what cure there is for CC used at brick and mortar outlets other than DON'T DO IT.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Damn...I've been avoiding cards with chips in them all these years.
I don't want a smart card.
And what good does this do you when you buy online?
The floppy drive will STILL accept the card, chip or not. It's almost like you've never shopped online before...
Nope. In the USA you are by law only liable for up to $50 in fraudulent charges on a credit card as long as you notify the bank within some reasonable period of time.
Anyone who is aware of this law (which does not exist for Debit cards) would be a fool to use Debit cards.
the European owned Rothschild banking system
I'm more interested in their plans for the next Target scale data leak than face to face transactions. If they want to do it right they should force auto resets on compromised cards regardless of encryption. Look at Target and the ones before: a lot of people will fuck off until it's too late and they're already starting to surface on underground forums. Even if they crack 1% that is 400,000 credit cards, and you can be sure they'll crack a minimum of 85%, but I can see them cracking 97-98% most likely. Force resets means even if 100% cracked it's worthless; 100% of 0 is way better than 1% of 400k, unless you're Chuck Norris of course.
...if the transaction was wholly handled by the bank's infrastructure. When I visited the US, I was mortified when I watched the cashier scan my credit card through their POS terminal. A piece of equipment that might not have received a software update since it was installed, and records who-knows-what for who-knows-how-long. In Australia, since we went away from the old carbon paper imprint machines, your credit/debit transaction was always processed through a separate EFT machine furnished by the company's bank. The credit card number is never taken or stored by the business' equipment, the only interaction is that the POS terminal might send the dollar amount to the EFT machine by serial for convenience. While this doesn't mean your card couldn't be skimmed, it does mean that if the business' computers get compromised, your card number isn't there to be found.
In the rest of the world the credit card machine comes to you.
At The Moment my credit card doesn't have a PIN
I was in the same situation up here in Canada when we switched over 6+ years ago. All the bank did was tell me that the new credit card with the chip used the same pin as my existing ATM card. It might be an issue if your credit card is from a different bank than the one with your account but if not it was a pretty painless process.
The bit I don't like is the new "contactless" payment system. I want any payment system to require purposeful contact on my part and not just require that my card was somewhere nearby, since standing in a checkout queue I may well be near someone else making a payment. This has apparently already happened in the UK where the system has been rolled out for longer. It may be a rare occurrence but the amount of time spent getting one incorrect charge fixed will outweigh the time saved per transaction by many orders of magnitude.
Because biometrics is a terrible idea.
How do you change your password? You can't. That's why.
Ultimately you have to have something that is only in the brain of the user.
expandfairuse.org
Actually, modern cards not only have the contact chip but also a "Contactless" mode that can be used for small payments.
So you can pay for your Starbucks or bus fare instantly just by tapping your Visa card, no need to swipe or insert the card and enter a PIN number. This is all still more secure than Swipe & Sign, because the cards can't be easily cloned and there's a relatively low transaction limit.
Wrong.
Contactless is far less secure than magstripe.
"Contactless" is far less secure because it will wirelessly give out all the information on the front of the card (CC number, name, expiry date) to any system that asks for it. I have an application for it on my Galaxy Nexus (and the source code that doesn't censor the CC number is available on GitHub). Now you have the number, exp date and name on the card you can make online transactions with it, and the best way to avoid detection by the bank is to make small transactions because they are less likely to be flagged or noticed by the user, and the bank will write it off rather than doing any kind of in-depth investigation (so as long as it's not directed to a real address, you're safe).
So you don't need to replicate the card to use it for fraudulent purposes. But if you would like to, just follow the specifications that are publicly available from Visa's website (same for MasterCard, haven't checked Amex/Discover, but no-one uses those cards outside the US).
Fortunately chip and pin technology is not dependent on contactless technology (actually it's the other way around).
Calling someone a "hater" only means you can not rationally rebut their argument.
Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future.
Ignoring the fact these companies have allowed fraud to go on for years, due to their own arrogance. The problem is the credit card industry is the next "housing bubble".
I don't have a problem [nor should anyone] with this chip-n-PIN system. But these companies have gotten away with far worse than someone stealing my credit card information. So I'm not going to sit here and give them any praise for this.
What this paper says is only valid if "chip and signature" is an accepted method of payment, which is completely stupid and only caused by the widespread opposition in America to chip and pin. It's really like the story of the snake biting itself.
"The U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash". You really should not insist that the method used in much of the rest of the world, where fraud is 50% lower, is less secure. Because it really isn't.
Though I'm sure if you ever manage to switch, you will make sure to render your implementation completely flawed and useless, starting with idiotic "chip and signature" payments.
I'd rather not screw over local businesses with credit card fees - and some give discounts because Interac charges them less than a cent per transaction - and I don't want to deal with a pocketful of change.
I admire your altruism but I think it will not be reciprocated very often. All you are accomplishing is to subsidize others who aren't so generous by taking risk on yourself by using a debit card. The price of those interchange fees (2-4%) is built in to the price. So you are giving a 1-2% tip to a business that already is charging you what (probably) is a profitable amount while taking on significant risk in the process. I like doing business with local merchants too but I'm not about to risk someone emptying my bank account (even briefly) to support them.
Oh, and the price of processing a debit card is not "less than a cent per transaction". It is considerably higher than that. The cap is presently set at $0.21 per swipe plus 0.05% of the value of the transaction.
"The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here"
Incorrect. The primary weakness is the replicable magnetic stripe. Chip and signature cards are no less secure than chip and PIN cards provided you don't get the card stolen. And in any case card present fraud is much less prevalent than card not present fraud, where the card technology is irrelevant.
Have been common here in Europe for ... what ? The last 30 years ?
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
I have never signed the back of any of my cards. I really don't understand why I should.
Let's say someone manages to get a hold of one of my cards. Do I really want them to have a template to forge my signature from? Wouldn't it be considerably easier for me to dispute charges if signatures that look nothing like my own are found on receipts?
Chuuch. Preach. Tabernacle.
Compared to the United States where many people feel so insecure in the Home of the Free that they have to carry concealed weapons even in their own homes, have a medical care system that can result in people having to go into massive amounts of debt should they have the misfortune to get sick or old, and a disturbing level of xenophobia brought on by extreme ignorance of the world beyond their borders.
What's next? The metric system??
Japan is still using this system and as far as I know isn't switching yet.
And if anyone asks for the number on the back of your credit card, with Amex it's the number printed on the front.
What is holding you Americans back? With the new card you will still be able to do online purchases.
That's not the point. The point is everyone uses the same 4-digit pin for the bank card, CC, or practically anything else that requires a 4-digit number. Passwords are much the same way.
you jest... but, currently, that's the way people act when their favorite political candidate fails to win the primary in the US. "That candidate doesn't agree with me 100%!!! I'm going to let the other guy who I disagree with completely win!"
That's why I have three "hot" bank accounts.
One for ATM transactions/meatspace debit card purchases, one for bill payment, and one for cyberspace debit card purchases.
If your bank doesn't make this easy to manage, switch banks.
Your plan is flawed. Sure, you have three accounts but your comment "If your bank doesn't make this easy to manage, switch banks" implies they are all at the same bank. Which subjects you to many other risks you're likely ignoring:
1. Person with stolen card may be able to social-engineer access to other accounts or online credentials and thus access the other accounts.
2. Your bank may choose to do a "courtesy overdraft transfer" from you other account, to cover thief's new laptop and vacation.
3. An "unusual transaction" on the one account, if unusual enough, may trigger the bank's fraud-bots to put a freeze on all your accounts, at least temporarily. Some stupid institutions do "freeze everything, no messages" as an attention-getting attempt at reaching you, and no, they don't disclose up front that they do that, so you can't "switch banks" based on looking out for that stupidity.
4. Some dispute with a big-enough jerk person, company, or organization may lead to a lawsuit or garnishment against you, and nowadays many banks have an immediate "fire the customer" response to that action. Again, not something they disclose up front. Condo Board (HOA) from Hell got me fired as a customer from a "good local bank". Luckily it wasn't my only bank/bank-alternative.
A much better idea, if you want segregation of accounts between physical world use, online use, and billpay use, is to use three different institutions entirely, picking carefully both for minimal Banksterism and for free external transfer services.
For example, I have (US-centric because that's the topic):
1. A Credit Union membership, in an institution that pays 4% interest (yes, four percent, I didn't drop zeros or decimals) on the first $500 in checking and separately on the first $500 in savings. Has totally free 2-3 day ACH "push" to transfer money to any other bank or bank-like-thing (such as a prepaid debit card with a "bank account number" and "routing number") or to "pull" from any other bank-like account. Only if I initiate it. Overnight for a $2 fee. Both checking and savings there to maximize interest, have their Debit MasterCard, have their Bill-Pay but have no current payees set up, deliberately do not have any actual paper checks and never have on this account.
2. A "checking alternative" account with no minimum deposit, no minimum balance requirement, from an online discount brokerage firm (I don't have an investment account with them, just this cash management account.) Has a Visa debit card no added fees for foreign transactions over the Visa conversion fee, full rebate of any ATM-owner surcharge anywhere in the world, deposited back next banking day, no ATM-use fees of their own. Has free printed checks and free check refills. Has free BillPay, free external transfers by ACH. Pushes to my other bank-like institutions typically arrive next banking day despite their saying it is 2 days. Pulls from other accounts usually 2 days.
3. A high-interest (as US interest rates go) online-only savings account with no checking, no bill-pay, no nothing but can be the ACH target for direct deposit from Elance, PayPal, etc. for freelance work, is a transfer source and target for accounts 1) and 2) at those other institutions, has its own ACH external transfer capabilities (typically 2-3 days on pushes out, a couple more days for funds availability on pulls into it - so I usually push from the other accounts, which makes it instantly available when it gets there). Also tied to an online purchases rebates cashback program (Upromise.com - oriented towards savings for students but anybody can use it and get the cashback rebates, no matter what form of payment used, into their Upromise account and then transferred into this bank account.)
There are three parts to security validation, identification, authentication and authorization. Biometrics are identification but have been mistaken for authentication.