Slashdot Mirror

← Back to Stories (view on slashdot.org)

Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

Posted by timothy on from the upgrade-your-skimmers dept.

schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system. The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."

14 of 731 comments (clear)

  1. It's about time. by Bill_the_Engineer · · Score: 5, Insightful

    Finally the US banking system is catching up to the rest of the world.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    1. Re:It's about time. by jellomizer · · Score: 5, Insightful

      I don't get why they are trying to catch up, banks are dropping the ball here, and they should focus on exceeding the rest of the world.

      Why is the US behind everyone, well because we were first to come up with the initial infrastructure, by the time something new came along, we had a large complete infrastructure. So now the infrastructure is out of date, this happens. But when it does we need to try to invest into the next step, not the current, otherwise we will always be catching up.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:It's about time. by SirSlud · · Score: 5, Funny

      "the consumers get to be forced to memorize a new PIN!"

      Sometimes it's funny to hear Americans complain about how difficult life is. Change is so scary!

      --
      "Old man yells at systemd"
    3. Re:It's about time. by bberens · · Score: 5, Funny

      In the states we don't use petrol. We use gas.

      /ducks

      --
      Check out my lame java blog at www.javachopshop.com
    4. Re:It's about time. by beelsebob · · Score: 5, Informative

      ... RFID is orders of magnitude less secure than a regular magnetic strip.

      Lucky that chip-and-pin cards don't have RFID on them then ;). They must be inserted into the reader for the chip to be used, and even then, the chip is not (and can not be) read, instead, it's used to encrypt, and sign your PIN, so that the bank can verify that it's really you (or someone who knows your PIN, and has your card – whee, two fold security, something you know, and something you have) there.

    5. Re:It's about time. by Anonymous Coward · · Score: 5, Funny

      no you don't. you use petrol, you just call it gas. even thought it's a liquid. /ducks

    6. Re:It's about time. by orlanz · · Score: 5, Informative

      That is a VERY foolish thing to do on the part of the consumers. You are consolidating and increasing risk. Funny part is that the risk balance shifts to the consumer away from the bank/lender. The overall risk is higher, the lender's is lower, and the consumer's is higher. What a great world.

      The rest of the world isn't ahead of the US in this regard. They are behind. Because the credit risk in the world is higher, lenders want to offload more of their risk to the users. This is why the rest of the world has credit/debit + pin consolidation.

    7. Re:It's about time. by suutar · · Score: 5, Informative

      It used to be that way, til November 2009, but now the banks have to actually prove that it was the customer's error (Wikipedia's article on chip and pin mentions this in the "Bank's Liability" and "Criticism" sections).

  2. Re:Tin foil hats! by cryptizard · · Score: 5, Informative

    Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.

  3. Re:I guess they have never heard of two factor aut by gl4ss · · Score: 5, Informative

    yeah you try getting people to both sign and enter a pin and wait in line as others do so.

    the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen(and captured at maybe 300px80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.

    chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).

    --
    world was created 5 seconds before this post as it is.
  4. Misleading liability claim by KitFox · · Score: 5, Informative

    I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.

    Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.

    --

    @Whee

  5. Sorry, it's horribly insecure, by davecb · · Score: 5, Interesting
    One of Ross Anderson's 2010 highlights was a paper on why Chip and PIN is brokenfor which he got coverage on Newsnight and a best paper award. Later, the banks tried to suppress this research.

    Ross is a security researcher at University of Cambridge.

    In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

    --
    davecb@spamcop.net
    1. Re:Sorry, it's horribly insecure, by boristdog · · Score: 5, Informative

      In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

      IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.

  6. Re:Better late.... by SJHillman · · Score: 5, Funny

    "The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire."

    But with a name like that, surely they were asking for it...