Slashdot Mirror


Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system. The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."

24 of 731 comments

  1. It's about time. by Bill_the_Engineer · · Score: 5, Insightful

    Finally the US banking system is catching up to the rest of the world.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    1. Re:It's about time. by jellomizer · · Score: 5, Insightful

      I don't get why they are trying to catch up, banks are dropping the ball here, and they should focus on exceeding the rest of the world.

      Why is the US behind everyone, well because we were first to come up with the initial infrastructure, by the time something new came along, we had a large complete infrastructure. So now the infrastructure is out of date, this happens. But when it does we need to try to invest into the next step, not the current, otherwise we will always be catching up.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:It's about time. by N0Man74 · · Score: 4, Insightful

      I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...

      Yeah, why hasn't the US got on board yet with implementing technology that allows banks and issuers to absolve themselves of responsibility and push the blame onto the consumers?

      If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.

      As a bonus, the consumers get to be forced to memorize a new PIN!

      It's Win Win.

    3. Re:It's about time. by Andrewkov · · Score: 4, Informative

      You don't give them your PIN, you give them the 3 numbers on the back of the card. You only need to have your chip read and PIN entered when using the card at a physical store.

    4. Re:It's about time. by rossdee · · Score: 4, Informative

      "There is no new PIN, it's the same one used for the ATM"

      At The Moment my credit card doesn't have a PIN

      And I don't use it for getting cash, since that transaction costs, and they charge interest straight away.

    5. Re:It's about time. by SirSlud · · Score: 5, Funny

      "the consumers get to be forced to memorize a new PIN!"

      Sometimes it's funny to hear Americans complain about how difficult life is. Change is so scary!

      --
      "Old man yells at systemd"
    6. Re:It's about time. by Zmobie · · Score: 4, Informative

      Most people don't use their strict credit cards at an ATM (check cards are obviously different...) because of the ridiculous rates they charge for cash advances and therefore have not set up or are even aware of that feature. I have multiple credit lines that I have never done that with because I have no desire to use my card for that purpose.

    7. Re:It's about time. by bberens · · Score: 5, Funny

      In the states we don't use petrol. We use gas.

      /ducks

      --
      Check out my lame java blog at www.javachopshop.com
    8. Re:It's about time. by beelsebob · · Score: 5, Informative

      ... RFID is orders of magnitude less secure than a regular magnetic strip.

      Lucky that chip-and-pin cards don't have RFID on them then ;). They must be inserted into the reader for the chip to be used, and even then, the chip is not (and can not be) read, instead, it's used to encrypt, and sign your PIN, so that the bank can verify that it's really you (or someone who knows your PIN, and has your card – whee, two fold security, something you know, and something you have) there.

    9. Re:It's about time. by Anonymous Coward · · Score: 5, Funny

      no you don't. you use petrol, you just call it gas. even though it's a liquid. /ducks

    10. Re:It's about time. by orlanz · · Score: 5, Informative

      That is a VERY foolish thing to do on the part of the consumers. You are consolidating and increasing risk. Funny part is that the risk balance shifts to the consumer away from the bank/lender. The overall risk is higher, the lender's is lower, and the consumer's is higher. What a great world.

      The rest of the world isn't ahead of the US in this regard. They are behind. Because the credit risk in the world is higher, lenders want to offload more of their risk to the users. This is why the rest of the world has credit/debit + pin consolidation.

    11. Re:It's about time. by rjstanford · · Score: 4, Informative

      The nice thing is that we don't have to guess.

      You see, this is already in use damn near everywhere else on the planet that uses credit cards.

      They used to use the same cards as the US. They switched. Fraud went down. Vendors and banks did, indeed, opt-in. Nobody's brain melted from having to remember their PIN.

      Just relax. It'll be fine.

      --
      You're special forces then? That's great! I just love your olympics!
    12. Re:It's about time. by suutar · · Score: 5, Informative

      It used to be that way, til November 2009, but now the banks have to actually prove that it was the customer's error (Wikipedia's article on chip and pin mentions this in the "Bank's Liability" and "Criticism" sections).

    13. Re:It's about time. by jaymz666 · · Score: 4, Insightful

      This puts the risk entirely on the consumer side. They have to monitor their account daily now.

      Your debit card is somehow compromised, someone makes a purchase with it that takes your account to well below the balance you expect to be there, your rent is due and has been set to be paid and the balance in your account is hundreds less than you expect it to be.
      Rent bounces, you're charged a fee. Or better yet, your bank approves the rent to go through and you are negative, all your other charges go through for lunch, for groceries, whatever. You get hit with fees for all these transactions. Then you have to fight with the bank.

      Yeah, no risk at all.

      This may sound hypothetical but I assure you, it's not.

  2. Re:Tin foil hats! by cryptizard · · Score: 5, Informative

    Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.

  3. Umm.. just as Europe moves beyond chip and pin... by tobe · · Score: 4, Interesting

    In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.

    But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.

  4. Re:Skim software by cryptizard · · Score: 4, Informative

    Chip and PIN cards use a challenge-response protocol so even if you skim all the information you can only make one charge before it becomes invalid. There is actually a microprocessor on the card that does crypto so the credentials transferred only allow a single authorized transaction. So if the charge goes through for the thing you were supposed to be buying, then you know you aren't getting scammed. Technically they could block the charge and do another one that gives the money to them, but that is a lot harder and more likely to be noticed.
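
A simplified model of the challenge-response idea described in the comments above, added here as an illustration; it is not any commenter's code and not the EMV specification. The HMAC construction, the message layout, the constructed card number and the names `Card`, `Issuer` and `demo` are all assumptions. It shows why a captured response cannot be reused or altered, which is the property static magnetic-stripe data lacks.

```python
import hashlib
import hmac
import secrets

def _encode(pan, amount_cents, counter, challenge) -> bytes:
    return f"{pan}|{amount_cents}|{counter}|{challenge.hex()}".encode()

class Card:
    """Toy chip: holds a secret key that is never exported, plus a counter."""
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.counter = 0  # incremented for every transaction the chip signs

    def sign(self, amount_cents: int, challenge: bytes) -> dict:
        """Answer the terminal's challenge with a MAC bound to this purchase."""
        self.counter += 1
        msg = _encode(self.pan, amount_cents, self.counter, challenge)
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "counter": self.counter,
                "challenge": challenge, "mac": mac}

class Issuer:
    """Toy bank: shares each card's key and remembers the last counter seen."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def issue(self, pan: str) -> Card:
        self._keys[pan], self._last[pan] = secrets.token_bytes(32), 0
        return Card(pan, self._keys[pan])

    def authorize(self, tx: dict) -> str:
        msg = _encode(tx["pan"], tx["amount"], tx["counter"], tx["challenge"])
        want = hmac.new(self._keys[tx["pan"]], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, tx["mac"]):
            return "declined: bad cryptogram"
        if tx["counter"] <= self._last[tx["pan"]]:
            return "declined: counter already used"
        self._last[tx["pan"]] = tx["counter"]
        return "approved"

def demo() -> list:
    issuer = Issuer()
    card = issuer.issue("4000000000000002")        # constructed test PAN
    tx = card.sign(1999, secrets.token_bytes(4))   # terminal's fresh challenge
    altered = dict(tx, amount=99999, counter=tx["counter"] + 1)
    return [issuer.authorize(tx),        # genuine purchase
            issuer.authorize(tx),        # captured copy replayed
            issuer.authorize(altered)]   # captured copy with a new amount
```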

  5. Re:I guess they have never heard of two factor aut by gl4ss · · Score: 5, Informative

    yeah you try getting people to both sign and enter a pin and wait in line as others do so.

    the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen(and captured at maybe 300px80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.

    chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).

    --
    world was created 5 seconds before this post as it is.
  6. Re:One question by alen · · Score: 4, Insightful

    the USA had credit cards first
    any time you are first you build up a system and it's hard to change. if you adopt a tech later in its lifecycle you go with the latest tech at the time

  7. Misleading liability claim by KitFox · · Score: 5, Informative

    I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.

    Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.

    --

    @Whee

  8. Sorry, it's horribly insecure, by davecb · · Score: 5, Interesting

    One of Ross Anderson's 2010 highlights was a paper on why Chip and PIN is broken, for which he got coverage on Newsnight and a best paper award. Later, the banks tried to suppress this research.

    Ross is a security researcher at University of Cambridge.

    In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

    --
    davecb@spamcop.net
    1. Re:Sorry, it's horribly insecure, by boristdog · · Score: 5, Informative

      In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

      IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.

    2. Re:Sorry, it's horribly insecure, by west · · Score: 4, Informative

      The fact that EMV (chip & pin) is not perfectly secure is *massively* less of a problem than credit/debit card skimming.

      ATM fraud has been squeezed out of pretty much the rest of the world and is migrating to the USA in droves. When Canada switched, ATM fraud basically killed organized rings. These rings are reluctantly moving to the US (a draconian justice system does have *some* upside) and along with a small army of engineers working on whisper thin skimmers and business ideas like ATM fraud franchises, things look pretty scary if the US doesn't switch.

      The downside is, unlike Canada, there's no single inter-branch network like Canada that can kick members off who don't upgrade. Instead there's thousands of banks who may not want the expense of switching to EMV. And as long as there are any mag-stripe only ATMs on the network you belong to, you're vulnerable to having your cards skimmed. So, the US will have it much tougher. (POS fraud is not nearly as big a problem. It's pretty hard to get $100K out of one POS terminal using 2,000 cards without the operator getting suspicious. And then you take a massive loss fencing the goods. ATM is what organized crime goes after.)

      On the upside, the US is on the forefront of real-time risk assessment of transactions. They're getting better and better at assessing suspicious transactions. Still, there'll be more and more false positives as fraud goes up, so remember to carry multiple cards...

  9. Re:Better late.... by SJHillman · · Score: 5, Funny

    "The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire."

    But with a name like that, surely they were asking for it...