Slashdot Mirror

← Back to Stories (view on slashdot.org)

Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

Posted by timothy on from the upgrade-your-skimmers dept.

schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system. The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."

35 of 731 comments (clear)

  1. It's about time. by Bill_the_Engineer · · Score: 5, Insightful

    Finally the US banking system is catching up to the rest of the world.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    1. Re:It's about time. by SerpentMage · · Score: 3, Insightful

      I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make very fast pig"
    2. Re:It's about time. by jellomizer · · Score: 5, Insightful

      I don't get why they are trying to catch up, banks are dropping the ball here, and they should focus on exceeding the rest of the world.

      Why is the US behind everyone, well because we were first to come up with the initial infrastructure, by the time something new came along, we had a large complete infrastructure. So now the infrastructure is out of date, this happens. But when it does we need to try to invest into the next step, not the current, otherwise we will always be catching up.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:It's about time. by jareth-0205 · · Score: 3, Funny

      Damn...I've been avoiding cards with chips in them all these years.

      I don't want a smart card.

      You should also avoid cards with magnetic strips on them. Damn dirty electromagnetic field technology!

      And what good does this do you when you buy online?

      Nothing. Of course, any improvement in security that doesn't improve security in every possible case should be discounted completely!

    4. Re:It's about time. by MBGMorden · · Score: 3, Interesting

      And what good does this do you when you buy online?

      Buying online - at least when its physical goods - requires a shipping address. That's a big risk for a thief to take as even if they're using an address they don't live at, if the fraud is discovered while the item is in transit the address may be being monitored by authorities.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    5. Re:It's about time. by N0Man74 · · Score: 4, Insightful

      I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...

      Yeah, why hasn't the US got on board yet with implementing technology that allows banks and issuers to absolve themselves of responsibility and push the blame onto the consumers?

      If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.

      As a bonus, the consumers get to be forced to memorize a new PIN!

      It's Win WIn.

    6. Re:It's about time. by Andrewkov · · Score: 4, Informative

      You don't give them your PIN, you give them the 3 numbers on the back of the card. You only need to have your chip read and PIN entered when using the card at a physical store.

    7. Re:It's about time. by fredrik70 · · Score: 3, Informative

      You can use the chip and pin cards for old-style transactions as well. If I go to the states with my card I just swipe and sign as everyone else.

      --
      if (!signature) { throw std::runtime_error("No sig!"); }
    8. Re:It's about time. by rossdee · · Score: 4, Informative

      "There is no new PIN, it's the same one used for the ATM"

        At The Moment my credit card doesn't have a PIN

      And I don't use it for getting cash, since that transaction costs, and they charge interest straight away.

    9. Re:It's about time. by dr.Flake · · Score: 3, Insightful

      Welcome to the 21st century.

      Now if you guys could do something about the insationable hunger for credit. You guys already live from the credit of the rest of the world. Sure it stimulates the economy, but in the real world you can only spend a dollar once.

      --
      Why are other peoples sig's always more witty ???
    10. Re:It's about time. by SirSlud · · Score: 5, Funny

      "the consumers get to be forced to memorize a new PIN!"

      Sometimes it's funny to hear Americans complain about how difficult life is. Change is so scary!

      --
      "Old man yells at systemd"
    11. Re:It's about time. by Zmobie · · Score: 4, Informative

      Most people don't use their strict credit cards at an ATM (check cards are obviously different...) because of the ridiculous rates they charge for cash advances and therefore have not set up or are even aware of that feature. I have multiple credit lines that I have never done that with because I have no desire to use my card for that purpose.

    12. Re:It's about time. by bberens · · Score: 5, Funny

      In the states we don't use petrol. We use gas.

      /ducks

      --
      Check out my lame java blog at www.javachopshop.com
    13. Re:It's about time. by beelsebob · · Score: 5, Informative

      ... RFID is orders of magnitude less secure than a regular magnetic strip.

      Lucky that chip-and-pin cards don't have RFID on them then ;). They must be inserted into the reader for the chip to be used, and even then, the chip is not (and can not be) read, instead, it's used to encrypt, and sign your PIN, so that the bank can verify that it's really you (or someone who knows your PIN, and has your card – whee, two fold security, something you know, and something you have) there.

    14. Re:It's about time. by Anonymous Coward · · Score: 5, Funny

      no you don't. you use petrol, you just call it gas. even thought it's a liquid. /ducks

    15. Re:It's about time. by orlanz · · Score: 5, Informative

      That is a VERY foolish thing to do on the part of the consumers. You are consolidating and increasing risk. Funny part is that the risk balance shifts to the consumer away from the bank/lender. The overall risk is higher, the lender's is lower, and the consumer's is higher. What a great world.

      The rest of the world isn't ahead of the US in this regard. They are behind. Because the credit risk in the world is higher, lenders want to offload more of their risk to the users. This is why the rest of the world has credit/debit + pin consolidation.

    16. Re:It's about time. by rjstanford · · Score: 4, Informative

      The nice thing is that we don't have to guess.

      You see, this is already in use damn near everywhere else on the planet that uses credit cards.

      They used to use the same cards as the US. They switched. Fraud went down. Vendors and banks did, indeed, opt-in. Nobody's brain melted from having to remember their PIN.

      Just relax. It'll be fine.

      --
      You're special forces then? That's great! I just love your olympics!
    17. Re:It's about time. by suutar · · Score: 5, Informative

      It used to be that way, til November 2009, but now the banks have to actually prove that it was the customer's error (Wikipedia's article on chip and pin mentions this in the "Bank's Liability" and "Criticism" sections).

    18. Re:It's about time. by jaymz666 · · Score: 4, Insightful

      This puts the risk entirely on the consumer side. They have to monitor their account daily now.

      Your debit card is somehow compromised, someone makes a purchase with it that takes your account to well below the balance you expect to be there, your rent is due and has been set to be paid and the balance in your account is hundreds less than you expect it to be.
      Rent bounces, you're charged a fee. Or better yet, your bank approves the rent to go through and you are negative, all your other charges go through for lunch, for groceries, whatever. You get hit with fees for all these transactions. Then you have to fight with the bank.

      Yeah, no risk at all.

      This may sound hypothetical but I assure you, it's not.

  2. Better late.... by rmdingler · · Score: 3, Interesting
    The anti-counterfeiting technology implementation for currency was delayed, in part, by lobbying companies involved in vending.

    Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.

    The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Better late.... by SJHillman · · Score: 5, Funny

      "The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire."

      But with a name like that, surely they were asking for it...

  3. Re:Tin foil hats! by cryptizard · · Score: 5, Informative

    Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.

  4. Umm.. just as Europe moves beyond chip and pin... by tobe · · Score: 4, Interesting

    In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.

    But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.

  5. Re:Skim software by cryptizard · · Score: 4, Informative

    Chip and PIN cards use a challenge-response protocol so even if you skim all the information you can only make one charge before it becomes invalid. There is actually a microprocessor on the card that does crypto so the credentials transferred only allow a single authorized transaction. So if the charge goes through for the thing you were supposed to be buying, then you know you aren't getting scammed. Technically they could block the charge and do another one that gives the money to them, but that is a lot harder and more likely to be noticed.

  6. Re:I guess they have never heard of two factor aut by gl4ss · · Score: 5, Informative

    yeah you try getting people to both sign and enter a pin and wait in line as others do so.

    the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen(and captured at maybe 300px80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.

    chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).

    --
    world was created 5 seconds before this post as it is.
  7. Re:One question by alen · · Score: 4, Insightful

    the USA had credit cards first
    any time you are first you build up a system and its hard to change. if you adopt a tech later in its lifecycle you go with the latest tech at the time

  8. Misleading liability claim by KitFox · · Score: 5, Informative

    I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.

    Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.

    --

    @Whee

  9. Re:Tin foil hats! by cryptizard · · Score: 3, Informative

    With the machine that is given out by the credit card companies you need to pretty much touch it, but security researchers have shown that you can use higher powered equipment to read it from up to 15-20 feet away.

  10. Re:One question by Alioth · · Score: 3, Insightful

    That isn't a good explanation in this case. The UK (and pretty much every European Union country) for instance had a swipe and sign credit card infrastructure just like the United States decades before the introduction of chip and PIN, yet the UK changed to chip and pin 10 years ago despite having the same infrastructure issue as the US.

    --
    Oolite: Elite-like game. For Mac, Linux and Windows
  11. Re:Umm.. just as Europe moves beyond chip and pin. by jareth-0205 · · Score: 3, Insightful

    Fingerprint is a terrible security mechanism. Not only does it give someone a reason to steal you *finger*, you also leave your fingerprint on everything you touch. Credentials shouldn't be revealed unless you are actually in the process of using them.

  12. Sorry, it's horribly insecure, by davecb · · Score: 5, Interesting
    One of Ross Anderson's 2010 highlights was a paper on why Chip and PIN is brokenfor which he got coverage on Newsnight and a best paper award. Later, the banks tried to suppress this research.

    Ross is a security researcher at University of Cambridge.

    In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

    --
    davecb@spamcop.net
    1. Re:Sorry, it's horribly insecure, by boristdog · · Score: 5, Informative

      In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

      IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.

    2. Re:Sorry, it's horribly insecure, by west · · Score: 4, Informative

      The fact that EMV (chip & pin) is not perfectly secure is *massively* less of a problem than credit/debit card skimming.

      ATM fraud has been squeezed out of pretty much the rest of the world and is migrating to the USA in droves. When Canada switched, ATM fraud basically killed organized rings. These rings are reluctantly moving to the US (a draconian justice system does have *some* upside) and along with an small army of engineers working on whisper thin skimmers and business ideas like ATM fraud franchises, things look pretty scary if the US doesn't switch.

      The downside is, unlike Canada, there's no single inter-branch network like Canada that can kick members off who don't upgrade. Instead there's thousands of banks who may not want the expense of switching to EMV. And as long as there are any mag-stripe only ATMs on the network you belong to, you're vulnerable to having your cards skimmed. So, the US will have it much tougher. (POS fraud is not nearly as big a problem. It's pretty hard to get $100K out of one POS terminal using 2,000 cards without the operator getting suspicious. And then you take a massive loss fencing the goods. ATM is what organized crime goes after.)

      On the upside, the US is on the forefront of real-time risk assessment of transactions. They're getting better and better at assessing suspicious transactions. Still, there'll be more and more false positives as fraud goes up, so remember to carry multiple cards...

  13. Re:Tin foil hats! by __Reason__ · · Score: 3, Insightful

    Actually, modern cards not only have the contact chip but also a "Contactless" mode that can be used for small payments.

    So you can pay for your Starbucks or bus fare instantly just by tapping your Visa card, no need to swipe or insert the card and enter a PIN number. This is all still more secure than Swipe & Sign, because the cards can't be easily cloned and theres a relatively low transaction limit.

  14. Economic viability is the reason by pikine · · Score: 3, Interesting

    That's because the outdated infrastructure had been economically viable to use, so there had been no reason to update it, until now, that is.

    Many ways of the US rely on an honor system. There used to be unattended shops where you take the goods and put money in a box. The box didn't use to require a lock. This might be possible in a small town where everyone trusted each other, but in a city where crime is rampant, this business model is simply not economically viable. Public transportation used to allow monthly or weekly pass holders to board from the rear doors without verifying their passes, but they don't allow that anymore because nowadays enough non-paying passengers take advantage of that such that the honor system is no longer economically viable.

    The honor system is always able to absorb a small percentage of fraud cases and remain economically viable. It's only when the fraud rate rises past a certain threshold when the system breaks down.

    When a merchant displays a credit card logo, you trust the merchant. When the merchant hands you a receipt and you sign it, the merchant trusts you to pay. Again, this is an honor system. The rest of the world also started off with a complete "out of date" manual-imprint or swipe-card honor system. They were forced to upgrade the infrastructure because they suffered enough fraud such that the old system was no longer economically viable. The new smart card system is designed to enforce contractual agreement so that you don't need to rely on the honor system anymore, making credit payments economically viable again.

    The US simply held off this long because the honor system had worked until now. Economic viability is the reason. The bad news is that the US has morally declined to the level of the rest of the world. The good news is that the US upheld its morals longer, being the last to abandon the honor system.

    --
    I once had a signature.