Target Moves To Chip and Pin Cards To Boost Security
jfruh (300774) writes "U.S. retailers must accept chip-and-pin charge cards by the end of 2015 or become liable for fraudulent purchases made with chip cards. Target, still smarting from its recent embarrassing security breach, is moving to get ahead of that trend. The company will be installing chip-and-pin terminals in all its stores, and will also be issuing chip-and-pin versions of its own branded cards, which account for about 20 percent of Target sales. Will this move by a huge retailer push the U.S. into parity with the rest of the world?"
A bit off topic, but how will this changeover affect companies like square that depend on swipe and sign for most transactions?
Other than that, it's about fucking time!
Sick of finding out every other month that some retailer that I frequent has been hacked.
I'm tired of constantly changing my credit info to avoid being ripped off...
"Helping to keep you two steps ahead of the Thought Police!"
Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...
They might as well announce they're getting Yeti insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.
That has nothing to do with chip and pin.
And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could some how pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.
TLDR... I don't think chip and pin is going to accomplish anything and in so far as I understand the issue it wouldn't have stopped the breach at target in the first place. So i don't know why they're talking about it like its a solution to anything.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.
Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.
Please read my Canon EOS tech blog at http://www.everyothershot.com
The U.S. is finally catching up with Bulgaria on this one.
It boosts their profits and nothing else as Chip & Pin helps to shift the liability to the customer.
We've had Chip & Pin for a while in the UK and there has been a lot of serious security problems.
Walmart started doing this about a month ago in my area. Unfortunately for me the chip doesn't work on my card, so every time I go to Walmart they have to manually key in my credit card number.
Didn't Target already have Chip and Pin back in 2005 or 2004? What happened to all of those?
I remember I got a Chip and Pin card from Fleet around that time (just on the edge of them being acquired by B of A); Fleet even sent me a free card reader, which I've never actually used.
but how will this changeover affect companies like square that depend on swipe and sign for most transactions?
Your card will likely continue to have a magnetic stripe for non chip and pin terminals. Canada's deadline for "liability shift" was March 31 2011 for credit.
Chip and Pin in the USA will go the same way Concorde did
Back and forth to Europe twice a day?
We will not gain parity simply because Target said "make it so". Sadly the cheap and easy CC system the US uses is the easy thing to stay with. Expect an extension of the current system just before it expires in 2015. Nobody wants to spend money to be more secure - "that won't happen to us" mentality rules here in the States...
Was recently in Italy and had to beg a kindly local woman to buy me a train ticket with her card as the ticket machine would not accept either cash (in the wrong denominations) or my magnetic stripe card. They're probably used to us visiting 3rd-worlders.
Chip-and-PIN terminals are found across the EU, whose overall population and amount of businesses is perfectly comparable to the US.
Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.
Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.
Well, it really depends. Without chip and pin, the vendor assumes all responsibility for chargebacks. It will be a decision for each Square user as to whether it is more profitable to assume liability or pay for the more expensive reader upgrade.
My wife has a retail store and a credit card reader.
If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good and ready to, which at the current rate of progress is 'never'.
Target has more leverage, but small retailers have to take what the bank makes available.
For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the US can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
On the user side, all cards are backwards compatible with not only magnetic stripe but mechanical impression on carbon paper.
On the processor side, presumably Square will have a new unit next year that can read the chip unless they want to absorb the costs of chargebacks themselves.
I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)
I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers (wouldn't bother me, but buying things via smartphone or tablet will need some revamping.)
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
If the chip doesn't work, just get a new card issued?
...
Why is it always reactionary in US business? It's frustrating.
FTFY.
'cause other countries took care of this years ago.
Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
Don't you just need a simple ISO7816 card reader? I remember paying $10 for those 8 years ago back in my directv hacking days. The communication method is simple serial/RS232, of which there is a Bluetooth standard for (and it works rather well with Android phones too, I've used it for OBD2 serial communication to avoid needing a wire connected under the dash.)
PayPal Here could likewise do ISO7816 via a bluetooth dongle and ask for the pin on the device itself. I don't imagine the whole thing would cost the same if not less than the present dongle they have. (My bluetooth OBD2 dongle cost me $20, and apparently the manufacturer makes a profit on it.)
It isn't the merchants dragging their feet. Chip and Pin has not been available to merchants in the US. The thing most people don't realize is that credit card fraud is a profit center for Visa/Mastercard/etc. Do you think Visa is eating the cost of a fraudulent transaction to cover the "$0 Fraud Liability" they offer to their customers? Of course not. It goes right back on the merchant. Now the merchant is out their merchandise, out the money they would have received from the sale, and they are hit with a fee (that goes to Visa) for the chargeback. Have a massive breach like Target? Now there are big fines to pay to the card companies on top of it all.
The entire security of the credit card system is based on keeping a 16 digit number secret. That same 16 digit number you have to share with everyone you give money to. Making it TONS more secure would be cheap and easy, and most merchants are already set up to handle it... A simple rotating PIN that is only valid for a length of time is all it would take. Have merchants run all transactions as Debit, and give the customer an app on their phone (or even a periodic SMS with a new PIN.) The card companies could use the fraud liability as an incentive to use the system. No rotating pin? $1000 fraud liability. Monthly? $500. Weekly? $100. Daily? $25. Rotating PIN app or new SMS after each transaction? $0. This would also secure online purchases as well.
Every time I see a story relating to credit card security, I laugh to myself over how much more secure my World of Warcraft account is than my credit card accounts.
Why is it always reactionary in American business?
FTFY. As to answer the question: it used to not be that way, but the companies discovered that if they gave enough money to the politicians, the regulator would let them get away with making arrangements like: "if none of us makes the first step to innovate, the others won't be forced to follow, and we all can save ourselves the financial investment of the innovation".
Target is huge? I'm not so sure about that. But it will be fait accompli when Walmart changes.
Other than that, it's about fucking time!
Sick of finding out every other month that some retailer that I frequent has been hacked.
That won't change in the long run. In the short run maybe some benefit, while the crooks come up to speed, but chip and PIN is also hackable. It's not as easy, to be sure, but technology marches on and both PIN harvesting and stolen card use are both happening in Europe today (though not with the frequency of the US problems yet).
One place we might gain advantage from our late start is that no one will have the older-tech cards where PIN-extraction from stolen cards is possible (and done) due to flaws.
Socialism: a lie told by totalitarians and believed by fools.
How about taking bitcoin online? Make a deal with BitPay or Coinbase.
No information to steal except for shipping information. And the public fact that it was paid with bitcoin.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
That's clearly part of it, but there is a lot of backoffice related stuff that needs to be present for it all to work as there is encrypted information that needs to get passed back and forth from the card to the issuer.
But a small merchant might not have that much to do in that I am guessing that their own bank would handle all of that.
The US almost always suffers from the early adopter problem. That is, we get the earlier versions of standards merely because we adopt them first, and by the time Europe gets around to adopting them the technology has improved based on what was learned in the US. Note similar things like the T1 equivalent E1 being faster, and given that superseding technologies (such as optical carrier) are sold in multipliers of T1 speeds, the European versions tend to be spec'd higher.
Broad adoption of standards is like a marriage: You're stuck with it, flaws and all, and changing to another incompatible one requires a lot of pain and sacrifice, with there being more pain the longer the marriage has lasted. For another perspective on this, look how much of a PITA it was to switch to digital TV, which the US actually did faster than most of the world.
And yes, I know Europe also had magnetic stripe. But like the marriage analogy they didn't have it for as long nor was it adopted as broadly before chip and pin came along, likewise switching wasn't as difficult.
There is a silver lining to our system though:
One time I saw somebody commenting on how much he hates chip and pin because it was supposedly only being pushed so that banks can force you to pay for fraudulent charges, whereas magnetic stripe they supposedly can't. The article was referring to the US adoption, and so I told him that we already have laws that strictly limit liability for consumers that mostly just make banks liable, and they aren't going away. He then lambastes me that "the rest of the world" doesn't do it that way, therefore chip and pin is evil, and I'm a stupid ignorant American for thinking that, even though the article was specifically about the US where such a problem doesn't exist.
Why doesn't it exist? Well, because us backward Americans have been on magnetic stripe for so long, that it was born out of necessity. (Which by the way, looking in his profile revealed he lived in Europe, which isn't "the rest of the world" as other non-European countries do have similar laws to the US, for the same reasons.)
My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.
Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.
I have one of these Chip and Signature cards and on my last trip to UK it was a real PITA, especially at self-checkouts. Like at ASDA there was a signature signing pad but I had to wait for a clerk to come over to give me the pen and then she checked my signature real closely. Same thing at the duty free at the airport. The self-checking stopped and alerted the clerk to come over to check my signature. Then at other stores the clerk couldn't find a pen, or was surprised when paper spit out and had to ask a manager what was going on.
(I had one clerk hand me the slip to sign, checked my signature, then put the signed slip into the bag with the receipt! If I was an "arse" I probably could have disputed the charge and gotten away with it because they couldn't produce a signed slip)
At the ASDA (far away from where tourists usually go) the clerk remarked it's been years since she saw someone have to sign for a charge. I apologized, said I was an American, and that our banks think we are too stupid to remember a PIN. She got a good chuckle out of that...
Chip-And-Pin has the annoying side-effect of requiring a PIN instead of a signature. I don't understand why you need a PIN at all, honestly.
My suggestion nearly a decade ago was straight PKI. An embedded IC would contain a burned, non-readable, unique private key and certificate. The certificate would be bank-signed, and verified dynamically with the bank.
When you insert the card into the reader, a command stream is sent. This includes the transaction, a time stamp, and a block of random data. The bank accepts each data set once (manageable by a bloom filter of large hashes per hourly time stamp and a database indexed by time stamp). The whole block of data [TIME(now),RANDBITS(1024),Transaction[]] goes to the card, gets signed by the private key on the card through a dedicated RSA4096+RC4 specified to avoid weak IVs (bank rejects if the IV is weak), and is returned to the terminal.
In this way, you must physically possess the card to carry out a transaction. Transacting with Amazon? Plug a USB reader into your computer, plug it in. Reader contains a display which can list the charge, the merchant, and the transaction. You see "$315.09 AMAZON" and a listing, can accept that. You see "$45 XXX TOOLBAR EROTIX INC" and you reject that. Nothing goes to the card until you press the "accept" button on the reader.
I don't see a need for a PIN. If someone steals your card, deactivate your card.
Support my political activism on Patreon.
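The signed-block scheme in the comment above, written out as an added example; it is not the commenter's code and not anything Target or a card network ships. It assumes a toy RSA key built from two fixed Mersenne primes, uses an ordinary per-hour set where the proposal suggests a Bloom filter, and leaves out the RC4 layer (a signature needs no stream cipher); the timestamp, the 1024 random bits, the bank accepting each block exactly once, and the "reject if the amount changed" behaviour follow the proposal.

```python
import hashlib
import json
import os

# Toy RSA key pair from two fixed Mersenne primes (constructed for this example;
# a real card would carry a properly generated key in tamper-resistant storage).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: lives only inside the "card"


def _digest(block: bytes) -> int:
    """SHA-256 of the block as an integer; always smaller than N for this key size."""
    return int.from_bytes(hashlib.sha256(block).digest(), "big")


def canonical(ts: int, nonce: bytes, tx: dict) -> bytes:
    """Stable encoding of [TIME, RANDBITS, Transaction] so card and bank hash identical bytes."""
    return json.dumps({"time": ts, "nonce": nonce.hex(), "tx": tx}, sort_keys=True).encode()


class Card:
    def __init__(self, private_exponent: int):
        self._d = private_exponent  # never exported

    def sign(self, block: bytes) -> int:
        return pow(_digest(block), self._d, N)


def build_request(tx: dict, now: int):
    """Terminal side: the timestamp plus 1024 random bits, as the proposal describes."""
    return now, os.urandom(128), tx


class Bank:
    MAX_SKEW = 120  # seconds of clock drift tolerated between terminal and bank

    def __init__(self, public_exponent: int, modulus: int):
        self._e, self._n = public_exponent, modulus
        self._seen = {}  # hour bucket -> set of nonces already accepted in that hour

    def accept(self, ts: int, nonce: bytes, tx: dict, sig: int, now: int):
        if abs(now - ts) > self.MAX_SKEW:
            return False, "stale timestamp"
        bucket = ts // 3600
        if nonce in self._seen.get(bucket, set()):
            return False, "replay"
        if pow(sig, self._e, self._n) != _digest(canonical(ts, nonce, tx)):
            return False, "bad signature"
        # Drop hour buckets that are outside the skew window, keeping memory bounded.
        for old in [b for b in self._seen if b < (now - self.MAX_SKEW) // 3600]:
            del self._seen[old]
        self._seen.setdefault(bucket, set()).add(nonce)
        return True, "ok"


def demo() -> list:
    """Honest flow plus the three failure modes the bank must catch."""
    card, bank = Card(D), Bank(E, N)
    now = 1_700_000_000  # constructed fixed clock so the run is repeatable
    ts, nonce, tx = build_request({"merchant": "AMAZON", "amount_cents": 31509}, now)
    sig = card.sign(canonical(ts, nonce, tx))
    outcomes = [bank.accept(ts, nonce, tx, sig, now)[1]]            # ok
    outcomes.append(bank.accept(ts, nonce, tx, sig, now + 5)[1])    # same block again: replay
    _, nonce2, _ = build_request(tx, now)
    tampered = dict(tx, amount_cents=4500)                          # merchant alters the amount
    outcomes.append(bank.accept(ts, nonce2, tampered, sig, now)[1])  # bad signature
    outcomes.append(bank.accept(ts, nonce2, tx, sig, now + 3600)[1])  # stale timestamp
    ts3, nonce3, _ = build_request(tx, now + 30)
    sig3 = card.sign(canonical(ts3, nonce3, tx))
    outcomes.append(bank.accept(ts3, nonce3, tx, sig3, now + 30)[1])  # fresh block: ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the cheap timestamp and replay tests run before the modular exponentiation, so a flood of replayed blocks costs the bank a set lookup rather than a signature verification each.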
And cloned cards were a major vector of fraud in the Target attack.
Best Slashdot Co
Not really. Chip might be kinda easy to read using commodity hardware, but pin entry must be done through a PCI certified device (as in, lots of money for certification, passed on to you, the consumer)
https://www.pcisecuritystandar...
That is great and all, but are there any banks in the US supporting chip and PIN cards for Visa/MasterCard currently? I'd love to get one even if I only use it at Target just to help push things along, but I don't know of any cards that are supporting it now (and I really don't need a Target card).
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
This is the most ridiculous thing I have ever heard and the fact that people buy into it is what is wrong with America. Chip and pin cards, are you kidding me? I hate to give in to the hype of an overused buzzword, but we do find ourselves coming into an age where big data has massively amplified the stakes of security as companies are pooling all of their assets into one giant "data lake" so that it can be analyzed. Yes, I agree that it is great that they now can "glean valuable insights from the connections between xyz..." by aggregating all of the information into one giant store of structured or unstructured data to be analyzed, rinse, repeat and analyze again, but then guess what - one hole in your security means the whole house of cards comes tumbling down and all of your data "assets" and people's "private" information is now exposed. Chip and pin cards are a joke to placate the public - this is a good blog on what companies are putting in place right now that are actually a step in the right direction at least. http://sqrrl.com/big-data-secu... The thing that is interesting: the one with the most all-encompassing security architecture was created at the NSA.... So do we not trust that approach because the database was created by evil government spies and will abuse our information somehow, or trust them because maybe they actually know how to keep information secure. All I know is that it's interesting that at least they built their "big data" analyzation tools as a secondary priority to security, and as the blog shows the other databases are now implementing different security measures to their information warehouses which is at least a step in the right direction....My two cents. To all of the big companies like this that think "that won't happen to us".... That first step off your high horse is going to be a bitch honey. Tuck and roll.
I still have a Target-branded chip-and-pin card and USB reader from 10+ years ago from an early pilot they did with a well-financed crypto startup. I would imagine some of their executives are kicking themselves now for having shut the project down then.
It's nice to see the US finally catching up with what Europe has been doing for a very long time.
The terminals that had the problem were their new (few months old) chip and PIN-capable EMV terminals.
Chip and PIN doesn't fix the breach Target had. Only Chip and PIN with tokenization does.
I already have one Chip and PIN card from my bank (US bank) and I'm trying to get my other one switched too. But it doesn't fix this problem.
Target, if you replace your terminals again, please get ones that do Chip and PIN and also NFC and PIN please?
http://lkml.org/lkml/2005/8/20/95
Interestingly enough, EMV (c&p) cards work like this. However the card and the cardholder are both authenticated - either PIN or signature.
If someone steals your card, deactivate your card.
Ok, isn't it a bit stupid to design a system that can be circumvented by someone stealing your card? And no, card deactivation for sure doesn't solve the problem.
1) Click on "Forgot Password?" Link
2) Click on link to reset password in email just received
3) Create new password
4) Use new password before you forget it. If you forgot it, return to step 1
It still has to be swiped in Europe.
You need a Chip and PIN card. Wells Fargo issues them now. And Chase does for some cards too. You really should be getting one of those before you go.
If you don't have the PIN for your card, you don't have a Chip and PIN card and you'll be in a slightly worse boat in Europe than a card that doesn't have a chip because you'll usually have to tell them "ignore that chip, you have to swipe that" every time you use the card.
http://en.wikipedia.org/wiki/E...
Although most of these attacks require you be able to clone the data reaped from EMV onto a stripe card and use it in a place that accepts stripe swipes. If the US stops accepting those, it will reduce fraud by presenting less opportunity. But it won't be because EMV prevented data extraction, but because you can't (currently) clone onto an EMV card.
The primary fraud problem with the current system isn't a window between a stolen card and its deactivation; it's stolen card numbers sold on an open exchange. Bruce Schneier covers ATM pin stealing mechanisms fitted over the card slot fairly often: read the mag stripe, record the pin with a camera, transmit wireless signal to a laptop in a nearby coffee shop.
A hardware verification process removes this possibility entirely: a person must physically gain control of your card to use it. The current system detects when you swipe in New York, then California an hour later; it also detects large geographical changes in gas station use without travel tickets--you won't drive from New York to California without hitting gas stations along the way. A PIN system does nothing to cover the majority of threats; it covers a tiny stolen card threat which almost never happens, at the expense of annoying people who swipe credit cards because punching in 3387 or 4129 or whatever the hell the PIN for this card was usually ends in the card being deactivated.
Personally, I've had my HSA deactivated a few times because I couldn't remember the PIN. I had 3 debit cards and an HSA credit/debit card at the time, and the HSA always defaults to debit. The first time, I hadn't actually set a PIN. My solution was to unlock the card (wait an hour--even support can't unlock it) and press "CANCEL" on the PIN pad, then sign.
My solution with C&P will be to write the PIN on the back of the card or, more subtly, use 0(CVV). I don't do this with debit cards because I use them as credit cards to avoid entering a PIN ever.
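The geographic check this comment describes (a swipe in New York followed by one in California an hour later, versus a chain of gas stations across the country at driving speed), as an added example. It is not the rule set of any bank or of Target; the swipes, coordinates and the 900 km/h cutoff are constructed for the illustration.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; anything faster is physically impossible

# Constructed sample swipes: (card id, unix time, latitude, longitude, merchant)
SWIPES = [
    ("card-A", 1_700_000_000, 40.7128, -74.0060, "NYC deli"),
    ("card-A", 1_700_003_600, 34.0522, -118.2437, "LA gas station"),        # 1 hour later, ~3,900 km away
    ("card-B", 1_700_000_000, 40.7128, -74.0060, "NYC gas station"),
    ("card-B", 1_700_032_400, 39.9612, -82.9988, "Columbus OH gas station"),  # 9 hours later
    ("card-B", 1_700_064_800, 41.8781, -87.6298, "Chicago gas station"),      # 9 hours after that
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(swipes, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (card, previous merchant, merchant, implied km/h) for each hop faster than max_kmh.

    Swipes are processed per card in time order; each hop is judged against the card's
    previous swipe, so a plausible road trip never trips the rule.
    """
    last = {}
    alerts = []
    for card, ts, lat, lon, merchant in sorted(swipes, key=lambda s: (s[0], s[1])):
        if card in last:
            p_ts, p_lat, p_lon, p_merchant = last[card]
            hours = (ts - p_ts) / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            if km == 0:
                speed = 0.0  # same location (e.g. two swipes at one store) is never suspicious
            elif hours == 0:
                speed = float("inf")  # different places, same second
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append((card, p_merchant, merchant, round(speed)))
        last[card] = (ts, lat, lon, merchant)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SWIPES):
        print("impossible travel:", alert)
```

A real deployment would key the check on the merchant's registered location rather than coordinates sent with the swipe, and would treat card-not-present transactions separately, since an online order has no physical location to compare.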
The company accepting payment bumps the user off to an outside service such as "Verified by Visa" or MasterCard's equivalent and lets them handle the problem. These are run by the payment processors and as a card user you generally have to sign up to them separately. They tend to use separate information that is not on your card.
Then visa takes responsibility for fraud.
This has been going on since the days of the US having 120 volt electricity and Europe having 240VAC/50 Hz.
Chip and PIN is a necessity. Without it, the only thing actually preventing fraud are the anti-theft algorithms that banks use to detect out of place transactions and either call the person up for approval, or just put the kibosh on them. Long term, it is a good thing that chip and PIN is making its way here to the US. This will reduce CC fraud by a large amount [1].
[1]: Of course, there will be unexpected consequences. In the 1980s, anti-theft key ignitions stopped wholesale car theft, but what replaced it were carjackings. Same with burglaries being replaced by home invasions. I wouldn't be surprised to see muggings go up (only reason they went down in most areas is because people stopped carrying cash.) However as a whole, it presents a lot higher barrier to criminals succeeding at credit card fraud.
I've wondered about just having a small e-Ink display on credit cards similar to the authentication card I use with PayPal/eBay. Press a button, up pops a number, and because e-Ink only needs power when changing state, the battery in the card has lasted a good number of years.
In combination with chip/PIN, this would protect transactions done online (basically turning CNP or card not present transactions into CP, or card present) because the user just enters the number on the card when checking out.
I do agree with the parent poster -- the security on my Gmail or World of Warcraft account is light-years ahead of the security on my credit card account, or even my bank account.
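The rotating PIN proposed earlier in the thread (a code valid for a length of time, or a fresh one after each transaction) and the button-press number on an e-Ink card in this post are both one-time codes of the kind RFC 4226 (counter-based HOTP) and RFC 6238 (time-based TOTP) standardise. The block below is an added example, not code from any commenter, bank or card scheme: the secret is the RFCs' published test value, and the two issuer-side verifiers, with their window and replay handling, are the example's own design.

```python
import hashlib
import hmac
import struct

DEMO_SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real card key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


class TimedPinVerifier:
    """Issuer-side check for the 'rotating PIN valid for a length of time' variant."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self._secret, self._step, self._window = secret, step, window
        self._spent = {}  # code -> counter it was accepted for; blocks reuse inside the window

    def verify(self, code: str, now: int) -> bool:
        base = now // self._step
        for drift in range(-self._window, self._window + 1):  # tolerate one step of clock skew
            counter = base + drift
            if hmac.compare_digest(hotp(self._secret, counter), code):
                if self._spent.get(code) == counter:
                    return False  # same code already used for this step: a replay
                self._spent[code] = counter
                return True
        return False


class PerTransactionPinVerifier:
    """Issuer-side check for the 'new PIN after each transaction' variant (counter-based)."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret, self._look_ahead = secret, look_ahead
        self._next = 0  # counter the issuer expects next

    def verify(self, code: str) -> bool:
        # Accept the next few counters so a code the customer generated but never used
        # (a cancelled purchase) does not desynchronise the card; everything behind is dead.
        for counter in range(self._next, self._next + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._next = counter + 1
                return True
        return False


if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, 59))
```

The time-based variant is what a phone app or the e-Ink card would display; the counter-based one matches "new SMS after each transaction". In both, the merchant never sees the secret, only a six-digit code that is useless after its step or counter has passed, which is the property the 16-digit PAN lacks.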
Yep I've seen the same silly argument.
Europe-wide the only thing that has changed is that the retailer is now responsible for any fraud using C&P cards if they are not used as C&P (say just swiped as that is the normal fallback). Non C&P cards (such as Americans visiting) are still the liability of the card processor/bank.
The client has never been responsible for fraud. Although I think there is a lower limit for credit cards they normally waive it unless the item was very expensive. But that is a slightly different set of liabilities than you have with debit cards.
My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.
Remember that under US law, when you pay via credit card, you have rather strong protections that largely take your side when you dispute whether a merchant delivered what you ordered. No such provisions exist when you pay using PayPal. This is especially valuable in the era of internet ordering, rather than brick-and-mortar purchases.
Against stupidity, the Gods themselves contend in vain. --Friederich Schiller
That exists right now - it's called a "Card Not Present" transaction and the transaction fees ARE higher as a result. I believe Square charges like 3.5% instead of 2.5% for those kinds of transactions, because of the increased risk.
Paypal fees mirror the credit card processing fees, so Paypal knows how to do Card Not Present transactions (and they do tons of verification as well that reduces their risk).
I'm still waiting for the metric system to catch on =)
"If any question why we died, Tell them because our fathers lied."
It's been done, multiple times in various countries. For example, Ukraine uses NSMEP (National System for Mass Electronic Payments) which requires a terminal for purchases. Turns out that users don't like it that much.
http://www.digitaltransactions...
"Security experts say data still can be transmitted unencrypted, or in plain text, during an EMV transaction."
So this is going to help Target how?
Online sales use a challenge-response system to ensure you have the card and know the PIN. You don't enter the PIN into any website, though, just the little card reader. The challenge-response system is run by the bank, I think. You're redirected there as a part of the sale to verify. Kind of like the Verified by Visa thing, but instead of just entering a password, you do the whole challenge-response thing with your card and reader.
This is how it's done in Europe, at least.
In POS systems, the PIN never leaves the card reader, so it can't be stored to be stolen later.
Yes, you'd have to have the card reader if everyone implements a challenge/response type system like in Europe. I have one at work and keep one at home. When I travel I throw one in the bag just in case. You get used to it.
Do you have any links to chip & pin flaws? The one I saw I thought allowed you to enter any PIN and have it return as valid, so the transaction would be charged. You had to have a programmable card hooked up to a laptop and a valid card, I think. Doable with a jacket and backpack, but not quite clone & go. Curious what else is out there.
I agree the Visa and MC programs are a pain. They come up so infrequently that I never remember what the password is. Plus with varying rules as to what constitutes an acceptable password, I can't even count on it using a password I'm familiar with.
If implemented like in Europe, though, you only have to remember the PIN. Which you use everywhere, so that's not an issue. There's a challenge-response part of the online purchase that generates a code to confirm you have possession of the card and know the PIN to validate the transaction. Yes, everyone has to have the little card reader available. I've only made a few online purchases with my European card, but they've all been that way so far.
With the terminals, the bank issues you a challenge code based on the transaction and you use the terminal, card and PIN to generate a response that validates you're the authorised card holder. It's worked pretty well the few times I've bought something online with it.
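The online challenge-response flow these comments describe, as an added example (not the code of any bank, card scheme or commenter). It assumes a per-card symmetric key shared with the issuer when the card is personalised, a PIN that the chip checks itself with a three-try lockout, and 8-digit challenge and response codes typed between the website and the little reader; those are the example's own choices, and the PAN shown is a placeholder.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, challenge: str) -> str:
    """8-digit response: truncated HMAC-SHA256 of the challenge under the card key."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class Card:
    """Chip holding the card key and PIN; it checks the PIN itself and neither value leaves it."""
    MAX_TRIES = 3

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.tries_left = self.MAX_TRIES

    def respond(self, challenge: str, pin: str):
        if self.tries_left == 0:
            return None  # blocked until the issuer unblocks it
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_TRIES  # a correct PIN resets the counter
        return cryptogram(self._key, challenge)


class Issuer:
    def __init__(self):
        self._keys = {}     # PAN -> card key (kept in an HSM in practice)
        self._pending = {}  # outstanding challenge -> (pan, merchant, amount_cents)

    def enrol(self, pan: str, key: bytes):
        self._keys[pan] = key

    def challenge(self, pan: str, merchant: str, amount_cents: int) -> str:
        """One-time 8-digit challenge derived from the transaction, so the response is bound to it."""
        seed = f"{pan}|{merchant}|{amount_cents}|{secrets.token_hex(8)}".encode()
        code = f"{int.from_bytes(hashlib.sha256(seed).digest()[:4], 'big') % 100_000_000:08d}"
        self._pending[code] = (pan, merchant, amount_cents)
        return code

    def verify(self, pan: str, challenge: str, response) -> bool:
        tx = self._pending.pop(challenge, None)  # single use: a replayed challenge is already gone
        if tx is None or tx[0] != pan or response is None:
            return False
        return hmac.compare_digest(cryptogram(self._keys[pan], challenge), response)


def demo() -> dict:
    key = secrets.token_bytes(16)  # constructed per-card key, shared with the issuer at personalisation
    pan = "PAN-EXAMPLE-0001"       # placeholder, not a real card number
    issuer, card = Issuer(), Card(key, "4129")
    issuer.enrol(pan, key)
    c1 = issuer.challenge(pan, "WEBSHOP", 1999)
    r1 = card.respond(c1, "4129")
    out = {"good": issuer.verify(pan, c1, r1), "replay": issuer.verify(pan, c1, r1)}
    c2 = issuer.challenge(pan, "WEBSHOP", 99_999)  # different amount, so a different challenge
    out["reused_for_other_tx"] = issuer.verify(pan, c2, r1)
    c3 = issuer.challenge(pan, "WEBSHOP", 500)
    wrong = [card.respond(c3, "0000") for _ in range(Card.MAX_TRIES)]
    out["wrong_pins_blocked"] = wrong == [None] * Card.MAX_TRIES and card.respond(c3, "4129") is None
    return out


if __name__ == "__main__":
    print(demo())
```

Because the challenge is derived from the amount and merchant, a response captured from one purchase cannot authorise another, and because the PIN is checked on the chip, a phishing page that collects the PIN gets nothing it can use without the physical card.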
Sure, but in the meantime, the PIN prevents the card from being used since the thief doesn't know what it is. It also prevents the card from being cloned (assuming that's possible) and used elsewhere even though you have your card in your wallet. It's the whole "something you have" and "something you know" security model.
The card I was issued from my bank does not allow the PIN to be changed. It could be because they don't have physical branches/ATMs anywhere, though. Maybe if this catches on a lot more, you'll be able to change it at any ATM.
It's becoming more common, although slowly. I have a C&P from my US bank. Reading through the thread here, there appear to be several other banks that issue the cards upon request, too.
Smart card uses a challenge response technique, based on cryptographic protocols, implemented on a processor on the card.
No shit? Well, guess what? So was OpenSSL!
Its not like magstripes where fucking assholes can just copy the shit and scam.
Correct.
Fucking tired of the god damn FUD
And I'm pretty tired of people telling me I'm feeding them FUD when it's not FUD. Try reading about it a little.
As a US citizen who has never seen a vending machine with a card swipe option, I feel left out.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
That theory would be great except that the EU has a larger population than the USA and it's not like magstripe cards were exactly rare here, or get harder to drop the longer you have them.
The reason the USA hasn't upgraded is just that there's no willpower to do it in the banking sector. Perhaps because there are so many small banks. It's got nothing to do with being an "early adopter", lol. That's nearly as good as the explanation some poor VISA spokeswoman gave once - the USA doesn't need EMV because it had the internet earlier, and Chip/PIN was mostly useful for offline transactions, which only occur in stone age places like Europe. Hilarious.
I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)
No, the banks don't have to cover the cost of fraudulent credit card transactions (although I bet they love basking in the warm glow of the widespread misconception that they do). It's the retailers who get screwed when that happens, both in the US (I assume that reference to Newegg means it's American) and in the UK.
As I posted in this comment, the banks don't give a **** because they don't have to; they're not the ones paying for it. Fraud report? Yank the money back from the retailer (even if they've performed reasonable diligence (*))
Even though chip and pin is very common in the UK (I can't remember the last time I used a swipe-and-signature terminal), credit card fraud still exists and it's the retailer that gets screwed.
(*) In fact, as far as I'm aware, retailers (in the US, at least) are supposedly *prohibited* from checking ID, which makes this even worse
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
That's not how it works.
As a US citizen who has never seen a vending machine with a card swipe option, I feel left out.
You will commonly see them in the USA in major airports, and in business hotels. They'll feature things like iPods (or whatever, I haven't been in a business hotel in a while and the last airport I was in just had brookstone racks everywhere) and cellphone chargers and of course headphones.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The PIN vs signature subject (the cardholder verification methods) has more to do with who pays when the fraud happens. Signature is by far easier to use, and this is the reason why in Europe it is usual for good customers (cards with expensive subscription fees etc.) to get chip and signature and low end cc and debit cards get chip and pin.
To me the problem is not the PIN, but the magstripe itself, which for Europe is kept there for legacy reasons (and at this point, yes I am looking at you US...). If the magstripe was completely disabled then there would be no way to skim the card because you would lose one of the 2 required pieces of information (PAN/CVV).
The second problem is that even with the PAN/PIN, the card should be useless but again there are 2 problems.
1. is again legacy reasons. You steal the PAN, write it in a new card, enter the stolen PIN, Bob's your uncle. This should not be possible if the cards were full EMV as the card itself is authenticated against Visa/Master PKI.
2. Internet purchases! Now this is a biggie. You don't want to inconvenience anyone so you keep it as easy as possible. No card authentication, no cardholder authentication. Everything goes. To me this problem can be best tackled with one time passwords/tokens generated by a smartcard.
As you understand this is not a technical problem - and I can assure you that the technology exists and it is solid, but an adoption problem and a backwards compatibility problem.
btw: Come on, you can't read Bruce Schneier and at the same time write the PIN on the back of the card. This is like writing your password on a Post-it and sticking it on the screen. Sure, it's annoying but have some standards!
Credit card fraud liability in the US is limited to $50 by federal law as long as the theft of the card is reported within 3 days of discovering it.
Except Target Canada's card readers are giant antiquated-looking things that are awkward to use, have a completely useless touchscreen/stylus for some reason (to do what with, exactly?), and don't support contactless payments (which all cards support at this point).
It's not just the card readers that work poorly. Their self-checkout terminals also have issues. They're unilingual French (in Montreal), even in English neighbourhoods, which doesn't really matter because the volume level is below a whisper and is inaudible (although the screen is also in French). They're more complex to use than comparable machines at other stores, and instead of just showing you a list of what you've scanned, they show a strange "stacked deck of cards" that makes it tough to see anything other than the most recent thing you scanned.
Vending machines here in Montreal never take any sort of cards, but when I was recently visiting Boston, many of the machines had contactless readers, so the PayPass/PayWave on our Canadian credit cards worked fine.
What wasn't so nice is when you come across a machine in the US that doesn't take credit cards... Because the Americans don't have any useful denominations of coins, you basically can't use vending machines if you don't have any $1 bills. Even putting a $10 bill into the machine to buy a $2 drink would spit out 32 coins, which is insane.
See also: getting rid of pennies, or replacing the $1 bill with a coin. Both are amazingly easy things to do (you simply stop making pennies and/or $1 bills and eventually everybody has migrated), but they still can't get either done.
Admittedly, it took Canada until last year to ditch the penny, but when they did it, it was a complete non-event.
I got a new visa with a smart card built in. But I don't know what my pin is... I think I last gave one for my visa 12 years ago.
retailers (in the US, at least) are supposedly *prohibited* from checking ID
I don't have a link handy, so I'm going from memory here, but I think they are prohibited from requiring ID. They can ask, and that might be enough to ward off some folks trying to pull something, plus most legitimate people will show it. However, supposedly you could refuse (or lie saying you don't have it with you) and they are still supposed to run the transaction. It reduces down to largely the same thing in the end for anyone who knows what they are doing.
Back in the 1980s the European phone network was a lot less reliable than the North American one so Europe needed various systems for offline validation of card charges, hence the widespread use of smart cards. In North America vendors could all use online terminals to verify the validity of the mag stripe cards so there was no need for costly smart cards. Current Chip and PIN systems are not as secure as people think as there was a major problem a few years ago in the UK where people were being charged with fraud for contesting various charges made on their chip and PIN cards which were assumed to be secure. Turns out a compromised point of sale terminal could get all the information necessary to make additional transactions without the card or re-input of the users' PIN. So yeah, if you own the point of sale system you own the cards. Chip and PIN would not have helped Target.
http://www.telegraph.co.uk/tec...
BTW the E carrier is faster than T carrier because the AT&T engineers didn't want the phone company to sell the housekeeping bandwidth so they reduced the number of bits available for housekeeping so that it could not support an additional voice channel. Turns out their fears were justified as in Europe the extra housekeeping channel was quickly just turned into an extra data channel and their engineers were left with nothing.
Writing passwords down is not a security problem.
Say it with me: Writing passwords down is not a security problem.
Writing passwords down in a place where they can be obtained within the bounds of your threat model is a security problem. My passwords are written in invisible ink in a book kept inside a locked filing cabinet at my desk; likewise, I have a password safe that double-encrypts with a long password (all lower case and spaces) as a symmetric key for the real key used in two passes of AES+Blowfish. If someone is in here looking through my cabinet with the foresight to bring a UV flashlight, locate my password book, shine the light on it, and interpret the passwords (i.e. know what to use them for), we have other problems.
Now if I were to take the book from the office and lose it somewhere, that's different. In fact, the book should not leave the office. Any password list which travels should contain only passwords; it should not contain an explanation that they are passwords, or what system they're for, or to what entity they belong. Depending on security needs, it may be inappropriate to ever move a password list.
I'm quite used to a threat model where losing my card results in compromise. I know how to handle that. Having the PIN written on the card is the same threat model; it's acceptable to me.
Support my political activism on Patreon.
Speaking from Europe, where we've been using Chip&PIN for nearly a decade, it is only used for in person purchases.
Internet purchases fall back on the old card number plus 3 digit "security number" from the back of the card, plus the need to specify a delivery address whose digits have the correct hash value. Same as presumably happens now in the US.
I guess the point is that it's trivial to "clone" a mag-stripe card, but not a chip and pin one. Just because it doesn't also solve internet frauds doesn't mean the cloning problem isn't worth dealing with.
Dear inane moderator: I didn't think I would need to explain this, but the point GP was trying to make is exactly the opposite of economies of scale. And there's a word for that as well: diseconomies of scale. Only it does not apply here; there's no reason why there should be a diseconomy associated with switching a larger number of outlets to chip-and-pin. As demonstrated by all developed nations other than the USA and some emerging nations as well. The post I was replying to is simply an apologist of US business' inertia and unwillingness to innovate.
No, but according to the Smartcard Alliance's FAQ (http://www.smartcardalliance.org/pages/publications-emv-faq), the transaction will contain signatures proving the card is genuine, the correct PIN was used to access the chip, and "Third, even if fraudsters are able to steal account data from chip transactions, this data cannot be used to create a fraudulent transaction in an EMV or magnetic stripe environment, since every EMV transaction carries dynamic data." So while it doesn't include a key fob or rotating key the user must enter, it sounds like it implements it on a virtual level, thereby accomplishing the same goal. If the card data is intercepted, it is useless for future transactions.
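The "dynamic data" point in the comment above, and the earlier suggestion of one-time tokens generated by a smartcard, both come down to the same mechanism: the card holds a key that never leaves the chip and MACs each transaction together with a counter, so captured data cannot be replayed or altered. The following toy model is an added example, not code from the thread or from the Smartcard Alliance; it assumes a per-card symmetric key shared with the issuer, an Application Transaction Counter (ATC), and HMAC-SHA256 in place of EMV's actual cryptogram derivation. The PAN, track data and amounts are constructed sample values. For contrast it also shows why a static magstripe track, verified by simple equality, accepts a skimmed copy every time.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _auth_data(pan: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    """Canonical byte string the cryptogram covers (constructed layout, not EMV's)."""
    return f"{pan}|{amount_cents}|{atc}|{nonce.hex()}".encode()


@dataclass
class Card:
    """Stand-in for the chip: the key is only ever used here, never exported."""
    pan: str
    key: bytes
    atc: int = 0  # Application Transaction Counter, increments per transaction

    def authorise_request(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        mac = hmac.new(self.key, _auth_data(self.pan, amount_cents, self.atc, terminal_nonce),
                       hashlib.sha256).digest()[:8]
        # Everything in this dict is what a compromised terminal could capture.
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce, "cryptogram": mac}


class Issuer:
    """Issuer host: knows each card's key and the highest ATC seen so far."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def enrol(self, card: Card) -> None:
        self._keys[card.pan] = card.key
        self._last_atc[card.pan] = 0

    def verify(self, req: dict) -> str:
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINED: unknown PAN"
        expected = hmac.new(key, _auth_data(req["pan"], req["amount"], req["atc"], req["nonce"]),
                            hashlib.sha256).digest()[:8]
        # Any change to amount, ATC or nonce breaks the MAC; without the key it can't be recomputed.
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINED: cryptogram mismatch"
        # A genuine message re-submitted verbatim carries an ATC already used.
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINED: replayed ATC"
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVED"


def magstripe_verify(stored_track: bytes, presented_track: bytes) -> str:
    """Static data: whatever was copied off the stripe is accepted again and again."""
    return "APPROVED" if hmac.compare_digest(stored_track, presented_track) else "DECLINED"


def demo() -> dict:
    """Run the chip flow and the stripe flow and return each outcome by name."""
    issuer = Issuer()
    card = Card(pan="4111111111111111", key=os.urandom(16))  # constructed sample card
    issuer.enrol(card)

    genuine = card.authorise_request(1999, os.urandom(4))
    chip_first = issuer.verify(genuine)
    chip_replay = issuer.verify(genuine)                       # captured data re-sent as-is
    chip_altered = issuer.verify(dict(genuine, amount=199900))  # captured data with amount changed
    forged = dict(genuine, atc=genuine["atc"] + 1, cryptogram=os.urandom(8))
    chip_forged = issuer.verify(forged)                         # fresh ATC but no key to MAC it

    track = b";4111111111111111=2512101123?"  # constructed stripe track, static by design
    stripe_first = magstripe_verify(track, track)
    stripe_replay = magstripe_verify(track, track)

    return {"chip_first": chip_first, "chip_replay": chip_replay,
            "chip_altered_amount": chip_altered, "chip_forged": chip_forged,
            "stripe_first": stripe_first, "stripe_replay": stripe_replay}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The replay check is the part that matters for the breach scenario under discussion: even a point-of-sale system that logs every field of every chip transaction ends up with nothing that authorises a second transaction, whereas the same log of stripe data is exactly what the cloners need.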
I remember reading a magazine article (possibly even an ad) years back with some company touting this exact technology. It went so far as to mask the card number itself or even allowing selection of multiple card numbers based on the buttons. Sadly I never saw anything past that initial piece.
Currently that is true. I could see that being changed if the sliding scale were introduced. I believe it would still be effective if the max was $50, but slid to $0 with additional measures being taken by the cardholder.
Well, I can't confirm they did it back in 2001, but I do recall they were still on it in 2005 or so.
It could prevent the security breach -- in England, Chip and PIN cards cannot be swiped in the presence of a Chip and PIN terminal.
But, yeah, it's kinda funny how things turn out. :-)
There you go again - apologizing for the US by making up some nebulous nonsense to explain why the US simply can't adopt modern standards. First you were defending using imperial units in an article about flight (because, according to you, flight was invented in the US), and now you're defending the US's inability to adopt a basic technology that the rest of the world has been using for over a decade. Guess what? Europe has been using magnetic swipe cards for ages, too, and seemed to be able to change without everyone losing their minds. You seem to think that the EU got magnetic swipe cards 6 months before chip+pin was invented. You must be, otherwise your entire post is just gibberish nonsense. You are clearly an intelligent person, so this behavior of yours of defending this nonsense is worrying.