Slashdot Mirror


Credit Card Fraud Could Peak In 2015 As the US Moves To EMV

dkatana writes Some analysts expect fraud to increase this year as thieves will step up their efforts to capture more credit card details before the Europay, MasterCard and Visa (EMV) standard conversion goes into full throttle. The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless. The U.S. is finally making the transition to secure cards based on the European EMV standard, mostly because of the liability shift imposed by the three big credit card brands — Visa, MasterCard and American Express. The European Union, where EMV became standard ten years ago, has the lowest level of credit card fraud in the world, while the U.S. accounted for 47.3% of the worldwide payment card fraud losses but generated only 23.5% of total volume.

449 comments

  1. someone explain for the ignorant by bhcompy · · Score: 1

    ...like me

    1. Re:someone explain for the ignorant by gutoandreollo · · Score: 5, Informative

      Your next credit card (in a couple years) will probably have a chip-and-pin system, which cannot be easily cloned as the magstripes of today can. The analysts cited believe fraud will escalate soon, while most people still DON'T have a chip-and-pin card, since defrauding those people will be harder in a couple years.

    2. Re:someone explain for the ignorant by Anonymous Coward · · Score: 1

      Everything on a normal credit card is easily readable, because it's either printed on it or encoded on the magnetic stripe. That can be used for making copies of credit cards or for using the information to pay online. With EMV, there's a computer chip (with CPU, memory, operating system, etc.) on the card. It has secret keys programmed inside of it which it only uses to cryptographically sign transactions after a secret PIN has been entered via a terminal, but never reveals the keys to a reader, hence it can't be copied. These chips are also hardened against a multitude of physical attacks, so even if a card with such a chip is stolen, it is exceedingly difficult to get at the embedded information. These chips used to have the same kind of gold contacts which you know from phone SIM cards, but the same protocols are now the basis of contactless NFC cards. There are several other kinds of cards with the same interfaces.
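
Added example (not part of the comment above or of the original thread): a simplified Python model of the contrast that comment draws between a fully readable magstripe and a chip that signs each transaction with a key it never reveals. HMAC-SHA256, the class and function names, the per-card counter check and the sample card number and PIN are assumptions made for illustration; real EMV cards use their own key derivation and cryptogram algorithms.

```python
import hashlib
import hmac
import secrets

PAN = "4111111111111111"  # constructed sample card number, not a real account


def magstripe_read(stripe: bytes) -> bytes:
    """A stripe reader gets every byte, so the copy equals the original."""
    return bytes(stripe)


def _message(pan: str, amount_cents: int, challenge: bytes, counter: int) -> bytes:
    # Data bound into the cryptogram: card, amount, terminal challenge, counter.
    return f"{pan}|{amount_cents}|{challenge.hex()}|{counter}".encode()


class ChipCard:
    """Toy chip: no method returns the key or the PIN."""

    def __init__(self, pan: str, key: bytes, pin: str):
        self.pan = pan
        self._key = key
        self._pin = pin
        self._tries_left = 3
        self._pin_ok = False
        self._counter = 0  # incremented for every signed transaction

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:          # card is locked
            return False
        if hmac.compare_digest(pin, self._pin):
            self._tries_left, self._pin_ok = 3, True
        else:
            self._tries_left -= 1
            self._pin_ok = False
        return self._pin_ok

    def sign(self, amount_cents: int, challenge: bytes):
        if not self._pin_ok:
            raise PermissionError("PIN not verified")
        self._pin_ok = False               # one PIN entry authorises one signature
        self._counter += 1
        msg = _message(self.pan, amount_cents, challenge, self._counter)
        return self._counter, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Holds the same key as the card and remembers the last counter seen."""

    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan: str, key: bytes):
        self._keys[pan], self._last[pan] = key, 0

    def authorize(self, pan, amount_cents, challenge, counter, cryptogram) -> bool:
        key = self._keys.get(pan)
        if key is None or counter <= self._last[pan]:
            return False                   # unknown card or replayed counter
        msg = _message(pan, amount_cents, challenge, counter)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self._last[pan] = counter
        return True


def demo() -> dict:
    results = {}
    stripe = b"%B" + PAN.encode() + b"^SAMPLE/CARDHOLDER^0000?"  # constructed data
    results["magstripe_copy_identical"] = magstripe_read(stripe) == stripe

    key = secrets.token_bytes(32)
    issuer = Issuer()
    issuer.enroll(PAN, key)
    card = ChipCard(PAN, key, "4821")

    try:
        card.sign(1999, b"\x00" * 4)
        results["signs_without_pin"] = True
    except PermissionError:
        results["signs_without_pin"] = False

    challenge = secrets.token_bytes(4)     # terminal's fresh random value
    card.verify_pin("4821")
    counter, cryptogram = card.sign(1999, challenge)
    results["genuine_approved"] = issuer.authorize(PAN, 1999, challenge, counter, cryptogram)

    # The captured cryptogram presented again, unchanged.
    results["exact_replay_approved"] = issuer.authorize(PAN, 1999, challenge, counter, cryptogram)
    # The captured cryptogram presented against a new challenge and counter.
    results["reuse_on_new_challenge_approved"] = issuer.authorize(
        PAN, 1999, secrets.token_bytes(4), counter + 1, cryptogram)

    for guess in ("0000", "1111", "2222"):
        card.verify_pin(guess)
    results["locked_after_three_wrong_pins"] = not card.verify_pin("4821")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
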

    3. Re:someone explain for the ignorant by ArmoredDragon · · Score: 2

      I've already got two, both of which I acquired this week after switching from a card that yielded a lower cash back reward percentage. Neither have a contactless component (which I assume means some kind of RFID/NFC chip.)

      Haven't yet seen any vendors with an ISO7816 reader though. Last time I used one of those for a payment method was when I was in the Army, and that was over 13 years ago. Obviously the technology hasn't caught on anywhere besides AAFES stores.

    4. Re:someone explain for the ignorant by bhcompy · · Score: 1

      I enter the pin when I use it? Or I initialize the card with a pin when I get it and that creates some type of cipher key for encrypted transactions?

    5. Re:someone explain for the ignorant by stevel · · Score: 4, Informative

      Chip yes, PIN, no. In the US, "Chip-and-signature" is what we get, with extremely rare exceptions. It is more secure than the magstripe to stop massive hacks such as Home Depot and Target, but does nothing to stop stolen card fraud. Note that if your card does not support chip-and-PIN (it can support it even if it's not the default, but US banks aren't doing this), then you can't use the card at many automated kiosks (train stations, etc.) outside the US.

      I disagree with the summary that contactless goes along with the chip - it doesn't. There are some banks offering contactless payment cards, but this is not common right now.

    6. Re:someone explain for the ignorant by Nutria · · Score: 1

      I received an updated CC from Bank Of America, and it's got a chip-looking thing, but didn't receive a PIN, and don't remember seeing anything where I had to request one.

      --
      "I don't know, therefore Aliens" Wafflebox1
    7. Re:someone explain for the ignorant by Nutria · · Score: 2

      One thing that I wonder about is the definition of "fraud".

      If C&P isn't as secure as banks say, can the bad guys steal people's money but the banks deny it, saying that C&P is secure?

      --
      "I don't know, therefore Aliens" Wafflebox1
    8. Re:someone explain for the ignorant by Harlequin80 · · Score: 4, Informative

      As at the 1st of August last year you were no longer able to sign for purchases on your credit card in Australia. A pin became required for every transaction.

      With regards to a contactless payment system, it is referred to here universally as paywave (even though that is Visa's name for it) and my AMEX, Visa and Mastercards all support that functionality. The contactless system allows an up to $100 purchase just by tapping your card on the reader. Kinda scary if you lose your wallet but soooooo convenient. Total transaction time is around 1 second.

    9. Re:someone explain for the ignorant by farble1670 · · Score: 1

      Your next credit card (in a couple years) will probably have a chip-and-pin system

      most likely chip and signature. the difference being what you'd expect ... no pins, but signature verification required. the reason being that the big three are afraid people will spend less if they are forced to remember a PIN (yes, really).

      chip and signature is arguably less secure, but it does prevent credit card cloning ... you can't clone the chip.

    10. Re:someone explain for the ignorant by radarskiy · · Score: 1

      Chip and pin: You enter a pin with each transaction and the chip on the card generates a separate key for every transaction.
      But in the US we'll get chip and signature most of the time.

    11. Re: someone explain for the ignorant by Anonymous Coward · · Score: 0

      Actually, I see it more commonly referred to as PayPass.

    12. Re:someone explain for the ignorant by rickb928 · · Score: 4, Informative

      EMV is NOT contactless. If your new card(s) include electrical contacts, it's EMV.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    13. Re:someone explain for the ignorant by dAzED1 · · Score: 2

      and I really, really don't see how that's an improvement to security. Why the fark are we doing contactless, and not just going with the chip+pin?

    14. Re:someone explain for the ignorant by mlts · · Score: 1

      Sad thing, the PIN part here in the US is optional. However, it does stop the sales clerk who swipes the card and uses it for mail order stuff.

      As for mail order, I'm sure Visa/MC will continue to have a web object that pops up, asks for a PW or PIN, which is used for shopping via the Internet.

      Is this a security increase? Yes, and much needed. Cloning a chip is a heck of a lot harder than writing down numbers or writing a magnetic strip on a blank.

      However, because PINs are an option in the US, it won't be as big a security boost as it is in Europe.

    15. Re:someone explain for the ignorant by rickb928 · · Score: 4, Informative

      Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

      Britain has had a lot of trouble with this.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    16. Re:someone explain for the ignorant by Nutria · · Score: 1

      so if your account is compromised, you're assumed to be at fault.

      Even if C&P isn't secure. That's what I was afraid of.

      --
      "I don't know, therefore Aliens" Wafflebox1
    17. Re:someone explain for the ignorant by stevel · · Score: 3, Interesting

      Yes, in fact they can, and this has happened in Europe. One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder. In the US, all the card issuers assume liability for fraud, no matter what, so there is less incentive to require a PIN.

      The article you linked to is informative, but as the US transitions to EMV, it will become harder for thieves to use magstripe cards.

      As I noted earlier, the biggest benefit of EMV, with or without PIN, is that merchants and payment processors aren't holding on to vast quantities of card numbers, and card skimming becomes far more difficult.

    18. Re:someone explain for the ignorant by Harlequin80 · · Score: 2

      Chip & pin is more secure than chip and signature. Simply because your average pleb can't tell a genuine signature from a forgery.

      The setup in Australia means a pin is not required for transactions of under $100 but is required for transactions over. I assume that the risk assessment from the card companies is that under a $100 exposes them to a small risk for the increased usage that using contactless creates. Anecdotal evidence is that when my mastercard went contactless but my amex wasn't I pretty much stopped using the amex even though I got twice the points (money even comes out of the same account). It took 3 months before a shiny new amex card arrived in the post. Also everywhere here has a card machine, even the pubs, & clubs accept card at the bar so a lot of people have stopped carrying cash.

      Honestly they are not aimed at the same problem. I had a credit card scanned and then used when I was travelling. The crim did a small transaction first and then bought 25k worth of flights. My bank immediately locked the card and while it was a pain to have my card stop working I wasn't out of pocket and I had a new card in 3 days. I think there is now a physical risk if you lose your wallet but the card companies have said they will cover any transactions that occur after you have lost the card as long as you notify them within 48 hours.

    19. Re:someone explain for the ignorant by farble1670 · · Score: 1

      but does nothing to stop stolen card fraud

      i guess you are talking about physically stealing a card. that's almost zero percent of the problem. that requires physical theft which criminals don't want to risk for the most part.

    20. Re:someone explain for the ignorant by darthsilun · · Score: 1

      Simply because your average pleb can't tell a genuine signature from a forgery.

      If the standard plebe even looked at the signature panel on any of my cards, they'd see it says "CHECK ID" in big bold block letters. Sometimes when the plebe doesn't check, I point it out to them. Before long it's not going to be sometimes – I'm going to fscking point it out to them every frikken time they don't check.

    21. Re: someone explain for the ignorant by Harlequin80 · · Score: 2

      Maybe it is a state or region thing then. Everyone I know in Brisbane calls it PayWave. PayPass is the Mastercard brand name

    22. Re:someone explain for the ignorant by Harlequin80 · · Score: 1

      Hmmmmm. I wonder how I would have responded to that when I was a checkout operator back in the day. My understanding is that the signature on the authorisation had to match what was written on the card. If it said CHECK ID and you hadn't signed like that I'm not sure I would have been comfortable putting the transaction through without getting my boss to authorise it.

    23. Re:someone explain for the ignorant by gstoddart · · Score: 2

      Honestly, it means what Europe was using 20 years ago, and what much of the world has been using for at least 10 years is slowly being adopted by American banks.

      In the mid 90's we talked about chip-and-pin cards in a crypto class, and I knew people from France who had them. I've had one in my pocket for at least 10 years.

      Essentially American banks move at glacial speed, and are taking up what is now fairly old technology.

      Why American banks move so slowly? I can't say.

      --
      Lost at C:>. Found at C.
    24. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Technically, they should refuse to even accept your card. The signature isn't for comparison, it's to say that you agree to the cardholder agreement. If you don't agree, you shouldn't be able to use the card.

    25. Re:someone explain for the ignorant by rlwhite · · Score: 1

      Yeah, I don't get this either. I choose debit just about everywhere because it's faster and more secure. It would be tempting for me to move my bank account specifically to get chip and pin if a bank were using that as a competitive advantage, but I don't know if that's even possible given the standard they've adopted.

    26. Re:someone explain for the ignorant by Jane+Q.+Public · · Score: 0

      I've already got two, both of which I acquired this week after switching from a card that yielded a lower cash back reward percentage. Neither have a contactless component (which I assume means some kind of RFID/NFC chip.)

      What that guy said: it's not contactless. It has contacts which look kind of like those on the back of a SIM card.

      Further, you DON'T WANT it to operate by NFC, or anything RF for that matter. RFID, NFC, and other RF technologies have all been broken for some years now. I can't imagine what Apple is thinking, with its Apple Pay, but maybe they think they've gotten around the security holes in NFC. Remains to be seen.

      That being said, chip-and-pin also has known vulnerabilities, and isn't that damn much more secure than magnetic stripes. They've been compromised in UK for years, and though the banks have tried to play hushup about that, it's well known among those who pay attention to security news.

    27. Re:someone explain for the ignorant by jordanjay29 · · Score: 1

      My state's driver's license still has my signature on it. Not sure if some have dropped it, but that used to be a thing. It's a fallback method for comparison, if my signatures don't match, my face better match the one on the card, or I'd expect the store to call the cops.

      Sadly, most clerks these days will even look at the "CHECK ID" on the back of my card and ignore it anyway. It pisses me off, but it's actually the rare person who will check it, so pointing it out just gets tiring.

    28. Re:someone explain for the ignorant by Jane+Q.+Public · · Score: 1

      Even if C&P isn't secure. That's what I was afraid of.

      You missed part of what GP implied here. It ISN'T secure, and yes the banks HAVE hushed it up. When that didn't work very well, they tried shifting the responsibility.

      They do have known vulnerabilities which have been exploited by fraudsters for years. It might be a while before U.S. fraudsters catch on to the new tricks, but you can count on that being a short time indeed. All they have to do is buy the information if they don't want to figure it out themselves.

    29. Re:someone explain for the ignorant by Fnord666 · · Score: 2

      As for mail order, I'm sure Visa/MC will continue to have a web object that pops up, asks for a PW or PIN, which is used for shopping via the Internet.

      This is truly where credit card fraud is going to go in the next few years. As EMV rolls out in the US (finally!) credit card fraud is going to move online. Card not present transactions will be the next target and participation in multifactor authentication schemes like Verified By Visa and MasterCard SecureCode will become critical and possibly even mandatory.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    30. Re:someone explain for the ignorant by Harlequin80 · · Score: 1

      In the 8 years I worked in a supermarket I never saw Check ID written on a card. In fact I had never heard of the practice till now, so I think it must be a US centric thing. But I potentially would have refused the card as the card says Authorised Signature. That would have ESPECIALLY been the case if you were getting cash out with the transaction.

    31. Re:someone explain for the ignorant by Hadlock · · Score: 4, Interesting

      I got a warning message in Spanish when I took out money from the ATM in Cartagena, Colombia (Caribbean edge of northern South America). Since my money came out ok I didn't pay it much attention. My buddy who spoke Spanish, however, was pretty amused.
       
      He said,
      "Did you see that warning message," "Yeah?" "That warning message is telling you your card only has a magnetic stripe, and no secure chip-and-pin system which is really insecure and you should ask your bank to upgrade it for you. This is the same system the Europeans use. Fuckin' Colombia's banks, in South America is a decade ahead of the United States banking system when it comes to technology. Typical."

      --
      moox. for a new generation.
    32. Re:someone explain for the ignorant by An0nymous+Coward · · Score: 0

      Apple can get away with securing NFC payments because there is a processor on both ends. The reason you can't secure an NFC card, is that you can't generate enough power using an antenna to power up a chip which can do crypto. The most you can do is read/write a ROM, so it's not much better than a magnetic stripe. With metal contact chips, a tiny chip powers up which can do proper challenge-response crypto.

    33. Re:someone explain for the ignorant by ArmoredDragon · · Score: 4, Informative

      Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

      This is not at all the case in the US.

      When TFS says liability shift, they're referring to the merchants (at least, in the context of the US anyways.) The merchants have an agreement with visa, mastercard, et al (and the banks) that determines who is liable in the event of fraud. Presently mastercard/visa/amex assume most of the liability (and they very well better for the transaction fees they charge.)

      Visa and mastercard have issued an ultimatum of sorts to the merchants saying that this will only continue for magnetic stripe until the end of 2015, after which the merchant assumes liability for fraud. The merchant can avoid that by simply replacing their POS systems with a chip and pin system, in which case visa/mastercard assume most of the liability.

      For you as the card holder however, nothing has changed in that regard: The law in the US still stipulates that credit card holders can only be liable for up to $50 (which most banks waive these days.)

    34. Re:someone explain for the ignorant by jordanjay29 · · Score: 1

      Here in the US, if you are getting cash you're using the card as debit. And debit cards, by and large, don't allow signatures (pin only). If you're signing, it's more than likely credit, and no cash withdrawal is allowed.

      And you'd have the signature. One on your pad or paper, and one on my license. It's much harder to fake the signature on my license, that's an official government document, whereas the signature on the back of my card was something I just did myself on my desk at home. If I was a criminal who just copied someone's card, you can be sure that I'd sign the card the way I would write the signature, and poof, there's your authorized signature that conveniently looks like the one I just signed for on your pad or paper receipt.

    35. Re:someone explain for the ignorant by Baloroth · · Score: 1

      Not in the US, and not in Britain (I think) since they changed the laws. The liability shift is to the merchants if they don't support EMV.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    36. Re:someone explain for the ignorant by mjwx · · Score: 1

      Your next credit card (in a couple years) will probably have a chip-and-pin system, which cannot be easily cloned as the magstripes of today can. The analysts cited believe fraud will escalate soon, while most people still DON'T have a chip-and-pin card, since defrauding those people will be harder in a couple years.

      All of this relies on the notion that the majority of credit card fraud is from cloned cards, not organised criminals using card numbers for online transactions in vast quantities.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    37. Re:someone explain for the ignorant by Harlequin80 · · Score: 1

      Don't disagree with your logic. I'm however not sure as to where that would leave me, as the cashier, liability wise given I was trained that I had to compare the signature on the paper to the signature on the card. The signature on the paper would not match what was on the card involved in the purchase. If you had signed it and then ALSO put CHECK ID next to the signature I would have been fine with it. But no signature on the card and I would have baulked at making the call to be responsible.

      What happens when you get home and call your bank and dispute the transaction? The signature receipt I have accepted is copied and sent to the bank, then your card is checked for verification. On the back of your card is CHECK ID and it looks absolutely nothing like the signature on the piece of paper. What happens then?

    38. Re:someone explain for the ignorant by sjames · · Score: 1

      But what will really happen is they'll switch to online fraud where the chip and pin do nothing.

    39. Re:someone explain for the ignorant by Jack+Griffin · · Score: 2

      Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

      You sort of imply that this shouldn't be the case? I'm no expert but just wondering how a crook could get a PIN other than lack of reasonable protection from the owner? It seems a whole lot more secure than a scribble which is extremely trivial to imitate.

    40. Re:someone explain for the ignorant by Jack+Griffin · · Score: 1

      it is referred to here universally as paywave (even though that is Visa's name for it)

      Thanks for speaking for the whole country, but in my monkeysphere we call it paypass, the Mastercard brand. This would likely depend on what card you have, or advertising brainwashing you have been exposed to, so maybe not so universal as you think.

    41. Re:someone explain for the ignorant by jordanjay29 · · Score: 1

      This may be a case where identity verification is different in the US than elsewhere. I'm not sure. In the US, a government-issued ID (driver's license, state ID, passport, military ID) is a valid form of identity verification that trumps quite a bit. If you can compare a name on a card to the name, signature and photo on a government-issued ID, you're pretty well indemnified against issues unless the ID is an obvious fake (or you happen to be in a line of business, such as a bar, where detecting fakes is more critical).

      As a side note, if I put my signature and CHECK ID on the back of the card, the CHECK ID would get completely and totally ignored.

    42. Re:someone explain for the ignorant by Rebelgecko · · Score: 1

      The only EMV card readers that I've seen in the wild have been at McDonald's. AAFES might've had the readers for CAC cards (although I don't think they were issuing those 13 years ago)

      --
      CATS/Diebold '08- All your vote are belong to us!
    43. Re:someone explain for the ignorant by Harlequin80 · · Score: 1

      Sorry as I added before it must be regionally different. In Brisbane I haven't heard it ever referred to as Paypass.

    44. Re:someone explain for the ignorant by Kobun · · Score: 1

      Absolutely correct. In fact, merchants should not (cannot, in practice) ask for your drivers license to compare to your credit card. Visa's rules don't allow them to base a decision off of that. Once they touch a drivers license, they have now colored any future decision to reject the card as a payment type.

      See the top of page 34: http://usa.visa.com/download/m...

    45. Re:someone explain for the ignorant by ZipK · · Score: 1

      Visa and mastercard have issued an ultimatum of sorts to the merchants saying that this will only continue for magnetic stripe until the end of 2015, after which the merchant assumes liability for fraud.

      Visa and Mastercard will be splitting the shift in liability between the bank issuing the credit card and the merchant accepting the card. If the bank hasn't issued a chipped card, the bank will be on the hook for fraud; if the bank's issued a chipped card and the merchant hasn't upgraded their POS, the merchant will be on the hook.

    46. Re:someone explain for the ignorant by blackraven14250 · · Score: 1

      Card not present transactions will be the next target and participation in multifactor authentication schemes like Verified By Visa and MasterCard SecureCode will become critical and possibly even mandatory.

      Card not present transactions are already the primary target, as far as I can tell. I've never replaced a card for an in-person fraud, but I've had at least one replacement, if not more, for each of my cards (including ones never used online) on online orders.

    47. Re:someone explain for the ignorant by Nutria · · Score: 1

      just wondering how a crook could get a PIN

      Software is hackable.

      --
      "I don't know, therefore Aliens" Wafflebox1
    48. Re:someone explain for the ignorant by hjf · · Score: 3, Informative

      I'm in Argentina. My CC terminal (VeriFone VX520, issued by Visa since visa has this racket that you can only rent, and not own, CC terminals from them or Mastercard) has an EMV reader. Only really new cards in Argentina have this, and out of pure curiosity I tried it with a client's instead of the mag stripe and it worked fine.

      Visa has been issuing these units for a couple of years and before that they had another model which also had an EMV reader. It's right under the keyboard. You stick the card in (like you do on an ATM) and you feel it "clicks" on a little switch that enables the chip.

      So probably you have seen EMV readers. You just don't know you have.

    49. Re:someone explain for the ignorant by hjf · · Score: 1

      In Argentina, Visa has magstripe (or chip, in newer cards) + signature. Debit Mastercard (called Maestro for some reason), have magstripe, pin, and signature. The PIN is the same as your ATM PIN.

      And for both you have to show ID (required by law, which shocks a lot of US clients in tourist areas).

    50. Re:someone explain for the ignorant by hjf · · Score: 2

      I stand behind you in the line, see you type your PIN into the terminal, wait for you outside, mug you, then use your card.

      Really? You couldn't think of that one? It is that easy. They sell little "shades" for CC terminals to avoid this, but they are accessories. Most CC terminals don't have them.

    51. Re:someone explain for the ignorant by liquid_schwartz · · Score: 3, Funny

      By many measures including inequality, public infrastructure, primarily exporting agriculture, bought and paid for politics, etc the US *is* a third world country

    52. Re:someone explain for the ignorant by hjf · · Score: 1

      > Have the world's most secure currency made of plastic.
      > People refuse to use it

      wtf australia.

      also, i love those city dweller types. One day they leave the city, stop at some place not even 10 minutes away from it, and find the place is cash only.

    53. Re:someone explain for the ignorant by Jane+Q.+Public · · Score: 1, Informative

      Apple can get away with securing NFC payments because there is a processor on both ends. The reason you can't secure an NFC card, is that you can't generate enough power using an antenna to power up a chip which can do crypto.

      NO.

      NFC was first cracked on cell phones. In fact it was cracked on some of the first cell phones to include it. It wasn't even common yet. Which made me wonder why the other manufacturers went ahead with it. It was already broken.

      Researchers were able to snarf NFC credentials from cell phones from several feet away, using concealed body-worn equipment that only cost a few hundred $. And it only required that NFC was turned on; no transaction was required.

      I have not turned the NFC on my cell phone on even once, and don't plan to.

      In case you want to look it up, the researcher's name was Christopher something. He's the same guy who read RFIDs from passports from his car, 30 feet away. And later used the data to clone them.

    54. Re:someone explain for the ignorant by hjf · · Score: 1

      At my shop the bulk of card operations is Debit mastercard, which in Argentina has a PIN. And most of those people are low level government employees. Dumb as they come.
      The dumber the people, the more they spend. And they can easily remember their 4-digit PIN.

    55. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Being Canadian, I was recently shocked to learn on the radio that PIN credit cards are coming to the US soon. I thought, is this some kind of vintage news program?

      Here's a tip for Canadians traveling to the US. Sometimes, credit card purchases require you to enter the ZIP code for verification. Just enter the 3 digits from your postal code and add 2 zeros to make 5 digits. This should be accepted the vast majority of the times.

    56. Re:someone explain for the ignorant by Cyberax · · Score: 1

      Bing! Wrong.

      Each financial transaction over NFC includes a cryptographic signature. All the attacks on NFC basically involve signal interception and/or retransmission. The next generation of NFC systems will include distance-bounding protocols to combat even that possibility.

    57. Re:someone explain for the ignorant by Hadlock · · Score: 2

      Driving through the gulf coast from Houston to Miami was a real eye-opener for me. I've been to 20+ countries and the closest thing I can compare their standard of living is to rural Peru.

      --
      moox. for a new generation.
    58. Re:someone explain for the ignorant by An0nymous+Coward · · Score: 0

      It was cracked because it used a shitty algorithm and sloppy crypto handshakes. There is nothing inherently wrong with "NFC on cell phones". It's just a way to send bits. That's it. Smart software can make it secure, as long as there is software on both sides. This is not even close to the same case as RFIDs, which can always easily be cloned because it's impossible to do proper crypto on an RFID.

      Just because that specific early implementation was broken, it does not by any means mean that "NFC" is broken forever.

      If it's as simple as cloning what goes over the air, then yes, it is utterly flawed and insecure. That is how RFIDs work with current technology. NFC between processors does NOT have this same problem. Everything over the air can be random-number challenges and cryptographic responses, and when done properly with sufficiently strong crypto, it can be damn near impossible to break.

    59. Re:someone explain for the ignorant by Z00L00K · · Score: 1

      According to some sources the US has opted for chip on the cards with a hand-written signature.

      That leads me to believe that frauds in the US will continue to be high.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    60. Re:someone explain for the ignorant by Z00L00K · · Score: 1

      It's not the card that contains the PIN on the European solution, the PIN is validated by the bank.

      The reason the US has opted for signature instead is because they think people will have problems remembering the PINs.

      So this means that if you lose your wallet - tough luck because many shops don't check signature validity.

      Add to it the stupidity that if someone matches the signature it's the signature on the card, not the signature on your photo ID.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    61. Re:someone explain for the ignorant by aardvarkjoe · · Score: 1

      While it's common in the US, both Visa and Mastercard policies say that merchants should not accept a card with "see ID" or similar instead of a signature. Technically, the merchant could be on the hook for fraudulent charges if they accept a card without a signature.

      From a practical point of view, I've only heard of refusal to accept a payment because of that once or twice. But the cashiers aren't obligated to check your ID to validate the signature, so you don't have much call to get mad at them because of that.

      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    62. Re:someone explain for the ignorant by Z00L00K · · Score: 2

      It's still better than the magnetic stripe. But I agree - it's not as secure as it can be.

      Compromised card readers are one item that can be used to spoof cards.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    63. Re:someone explain for the ignorant by Z00L00K · · Score: 1

      I'm surprised that it's not the merchants that shall take full responsibility for fraud. That would raise the stakes on them to request photo ID or for online sales other means of supplementary identification.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    64. Re:someone explain for the ignorant by plover · · Score: 0

      Apple jumped on this as a ploy to get customers before EMV completely locked them out of the payment market. EMV is going to render a lot of crappy, insecure technologies obsolete (things like Coin, LoopPay, NFC, and many of the smartphone based "wallet" apps.) But Apple is making their bank on the iPhone 6, and their loyal customers always forgive them for just about anything.

      American customers aren't going to like the weird way EMV works, because it will be different and slow, and they don't like change. They will have to learn to put their cards in the reader when the cashier hits total, and keep them in there until the payment is complete; and I bet many of them will forget their cards in the readers a time or two. But at least the transactions will be secure, and they won't have to worry if the waiter is skimming their card, or if there's a data breach at the store.

      Online is a completely different unsolved problem, as are recurring payments, and other card-not-present transactions. There are niche technological solutions, but none that are widespread.

      --
      John
    65. Re:someone explain for the ignorant by Z00L00K · · Score: 1

      Cameras at ATMs.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    66. Re:someone explain for the ignorant by plover · · Score: 1

      Chip and PIN is now relatively secure. The cases that Ross Anderson has exploited generally don't scale beyond a single hacked card. The notable exception was a particularly crappy ATM, with a non-random random number generator. But hacks on the scale of Home Depot and Target will not be possible on EMV transactions. (Card-Not-Present transactions, such as any online transactions, will continue to be at risk).

      --
      John
    67. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      I also haven't turned on NFC on my phone, because of the men in black who follow me in cars 30 feet away trying to clone my phone and passport. But I've heard that covering your phone and passport in tinfoil helps protect them from being cloned. Have you considered trying that?

    68. Re:someone explain for the ignorant by ihtoit · · Score: 1

      I never signed the cards. It's not a verification sample anyway - it's a tacit acceptance of any liability from misuse. Read the T&Cs properly.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    69. Re:someone explain for the ignorant by ihtoit · · Score: 1

      Either use your old pin or ask your card issuer to send a new one (not the bank, they don't issue the cards).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    70. Re:someone explain for the ignorant by Psyko · · Score: 2

      Just about a month ago I got an emv chipped card from my bank. The grocery stores and a few other shops near me have that same type slot reader under the keypad you mentioned. I've been sticking my card in all of them when it prompts for an insert/swipe but I don't know if they're just not enabled around here or what because it never works and I always have to fall back to the mag strip.

      The thing I don't like about it, is on the signature block on the back of the card I just write check id, then I put clear tape over the sig block and the cvv so it doesn't wear off (I've worn off the cvv #'s before...). Anyway, so my old card had a picture of me on the front of it. The new one doesn't. So now if someone actually does bother to read where it says check ID, instead of just me saying look at the picture, I have to pull id as well (which is either an RFID Drivers license, or an RFID enabled passport card). So for now, I kind of miss my old photoid card, vs my emv chipped card that doesn't work. I already had to buy a faraday cage wallet because of my drivers license & passport card (I'm paranoid about the rfid stuff), and then another rf blocking pouch for my regular full size passport.

      --
      01:36AM up 426 days, 2:46, 1 user, load average: 0.14, 0.11, 0.05
    71. Re:someone explain for the ignorant by ihtoit · · Score: 1

      My wife has Verified By Visa on her card already, has done for several years now. Thing is, it *doesn't bloody work*. It's supposed to prompt for password every time (which you set the first time you use it), yet the next time you use your card for online purchasing it just runs through the verification theatre without ever asking for the password.

      (I've used it to buy coach and train tickets, mail order and courier deliveries online, all sorts - only ever got asked for VBV password the ONCE back in September 2009, which was the second time it was used to buy something over the net).

      What does work for me is when you make an online purchase, when the bank calls your registered number within a minute or three of completing the purchase and asks you to verify that you just made a transaction. That's all they'll ask. Ring. "This is XXXXX Visa Debit, we'd like you to confirm that you just made a transaction for X amount?" If you say no or fail to pick up, they will fail the transaction. "Thank you for using Visa Debit." Click. They'll generally do that for any online purchases that fall outside your normal withdrawal pattern.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    72. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      I've seen the equipment at Smith's, Costco, Sam's Club, Wal-Mart, Shell, and a lot of other places. They're also all standard models - little to no variation in color, form factor, etc.

      I swiped my chip-equipped (Chase Hyatt) card at WalMart and the reader told me to use the chip portion.

      Interestingly, the receipt didn't just say "VISA *1234" or whatever, it actually had the issuer on it, eg., "Chase VISA *1234"

    73. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Your next creditcard (in a couple years) will probably have a chip-and-pin system, which can not be easily cloned as the magstripes of today can.

      The analysts cited believe fraud will escalate soon, while most people still DON'T have a chip-and-pin card, since defrauding those people will be harder in a couple years.

      That's a nice mixture of truth and bullshit right there.
      Yes, chip-and-pin are much harder to clone than a mag stripe. But most credit card fraud today does NOT involve actually cloning the card itself.

      So while it's a step in the right direction, it's still playing catch-up with methods that fell out of widespread use 20+ years ago. What they need to move to is secure 2-factor authentication, so in the event someone finds a way to use your information, YOU will still get notification and a chance to halt it before it occurs.

    74. Re:someone explain for the ignorant by whoever57 · · Score: 1

      Your next creditcard (in a couple years) will probably have a chip-and-pin system,

      My Citibank card (issued a year or more ago) has a chip, but it's not a chip-and-pin card: it's chip-and-signature. That's right, push the card into a chip reader (not in the USA, naturally) and the machine prints out a form to sign.

      --
      The real "Libtards" are the Libertarians!
    75. Re:someone explain for the ignorant by Harlequin80 · · Score: 1

      I always have cash in a zipped section of my wallet. But it is only used in the off chance that the place I am going doesn't accept card. It happens so rarely that I often completely forget that I keep the money there.

      As for 10 mins from the city, I live semi-rural. I'm close to an hour's drive to the city and everywhere around here takes card.

    76. Re:someone explain for the ignorant by whoever57 · · Score: 1

      The thing I don't like about it, is on the signature block on the back of the card I just write check id

      Massive FAIL there, Psyko. If your card is ever stolen, instead of the CC company being responsible for losses you are!

      --
      The real "Libtards" are the Libertarians!
    77. Re:someone explain for the ignorant by fahrbot-bot · · Score: 1

      EMV is NOT contactless. If your new card(s) include electrical contacts, it's EMV.

      Cool, cool, cool. I'm not a fan of contact-less and don't really see the point/benefit. My VISA card has Pay Wave - or, rather, had until I got a hole punch and hammer...

      --
      It must have been something you assimilated. . . .
    78. Re:someone explain for the ignorant by hcs_$reboot · · Score: 1

      Your next creditcard (in a couple years) will probably have a chip-and-pin system

      Oh you mean what has been used in France for more than 30 years? (And that was not implemented in the US because it was a European patent)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    79. Re:someone explain for the ignorant by whoever57 · · Score: 1

      On the back of your card is CHECK ID and it looks absolutely nothing like the signature on the piece of paper. What happens then?

      The bank laughs at you and tells you that, because you were using the card without signing it, you are responsible for any losses.

      --
      The real "Libtards" are the Libertarians!
    80. Re:someone explain for the ignorant by Anonymous Coward · · Score: 1

      In the 8 years I worked in a supermarket I never saw Check ID written on a card. In fact I had never heard of the practice till now, so I think it must be a US centric thing. But I potentially would have refused the card as the card says Authorised Signature. That would have ESPECIALLY been the case if you were getting cash out with the transaction.

      It's not extremely common, but not all that rare. I worked retail for about 10 years and saw plenty of them.
      There's no reason to refuse the card, if you read the fine print simply using the card is the same as signing it - it's some kind of legal thing surrounding the credit card contract with the Vendor, it has nothing to do with the card being valid to use or not.

      That would have ESPECIALLY been the case if you were getting cash out with the transaction.

      If you're giving cash back on a credit transaction then you are violating your merchant agreement. Cash Advances on a credit card are not the same as purchases, and if the vendor/merchant discovered you were advancing cash as part of a purchase transaction, you could potentially become fully liable for any fraud (among other penalties). Cash back via a card can only be done if it's a Debit card transaction where they are actually entering their PIN, even if the card is a dual use (debit/credit) card.

    81. Re:someone explain for the ignorant by gnasher719 · · Score: 3, Informative

      Further, you DON'T WANT it to operate by NFC, or anything RF for that matter. RFID, NFC, and other RF technologies have all been broken for some years now. I can't imagine what Apple is thinking, with its Apple Pay, but maybe they think they've gotten around the security holes in NFC. Remains to be seen.

      There is plenty of information around about how Apple Pay works. All the communication can be in clear text and recorded by a dozen hackers, it doesn't make a difference, because the actual data sent through the insecure channel is safely encrypted.

    82. Re:someone explain for the ignorant by amxcoder · · Score: 1

      Same here, none of my cards are actually signed. I think my first one I put "Check ID", but after that, I just neglected to sign them. Signing them just gives a thief a sample of your valid signature to try to duplicate as well.

    83. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      And this is why the Republicans are pushing for it. They hate us and want to force us to pay for fraud rather than the corporations. This will mean that no one other than the rich that can afford to take the risk of having to pay for fraudulent charges can be able to afford a credit card. It takes us back to the 70s when Nixon ruled this country with an iron fist. That is what they want. They hate us.

    84. Re:someone explain for the ignorant by JonathanR · · Score: 1

      Residual hand heat on the keypad tends to identify the numbers (and sequence) contained in the PIN. This is easily seen with FLIR cameras (there's an iPhone FLIR adapter available), apparently.

    85. Re:someone explain for the ignorant by thegarbz · · Score: 3, Informative

      A hole punch in what? Did you kill the chip? There's better ways.

      Simply hold the card up to the light and you'll see the antenna connections run around the outside of the card. A simple cut through the antenna will render the contactless payment inoperable without affecting the chip and the ability to use the chip+pin features.

    86. Re:someone explain for the ignorant by thegarbz · · Score: 1

      [ citation needed ]

    87. Re:someone explain for the ignorant by thegarbz · · Score: 1

      but I don't know if they're just not enabled around here or what because it never works and I always have to fall back to the mag strip.

      That's a function of the bank. Mag stripes are a fallback if the bank won't support the transaction. Machines with slots appeared in Australia about 2 years before they started working. Then suddenly as each bank implemented we received the opposite message, when you swipe it asks you to insert the card. For us the magnetic strip is now a fallback, and it will still require a pin.

    88. Re:someone explain for the ignorant by thegarbz · · Score: 1

      Speed and convenience, not security.

      We're getting to the point of abandoning cash altogether. The lines at places where small transactions are common (restaurant, grocery store etc) now move at lightning pace unless there's some complicated interaction (stacking bags, chatting up the girl behind the counter etc).

    89. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Why? It's not like the bad guys' technology is at a standstill. People forget that a hacker's most powerful tool is not technology, it's social engineering. All the security in the world will not protect you if you unwittingly hand a hacker your keys to the kingdom and usually by the time you realize that you fucked up it's too late.

    90. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      The article claims that fraud could escalate this year as thieves will try to get as many mag-stripe credit card numbers before EMV goes mainstream.

    91. Re:someone explain for the ignorant by Richard_at_work · · Score: 1

      We haven't had a lot of trouble, we have had a very small amount of trouble that some people want to big up.

    92. Re:someone explain for the ignorant by thegarbz · · Score: 1

      City dwellers? You don't seem to realise just how little cash is used in this country.

    93. Re:someone explain for the ignorant by dave420 · · Score: 1

      Practically every single terminal where I live (Germany) has a shade. They're usually thick rubber which extend a few centimetres from the keypad, obscuring anyone's view of it. Some are hard plastic in a similar configuration. These are also present on the vast majority of ATMs. Each terminal also has a sticker advising the user to cover the keypad when entering their PIN.

    94. Re:someone explain for the ignorant by Neil Boekend · · Score: 1

      These guys are quite crafty: The official reason we switched to pin and chip
      As you can see in the images there are some ways.
      1. A sensing and transmitting layer over the keypad.
      2. A camera drilled into the ATM, aimed at the keypad.
      3. Good old fashioned looking over a shoulder. (could be called lack of reasonable protection).

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    95. Re:someone explain for the ignorant by Carewolf · · Score: 1

      Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

      Britain has had a lot of trouble with this.

      That is not how it works, but banks can tell if a withdrawal was done with correct PIN or with an old PINless fallback. If it was done with PIN, you will have a maximum personal liability of around 500EUR they won't cover, but they still cover the rest.

    96. Re:someone explain for the ignorant by Carewolf · · Score: 1

      Don't let others see what you type. It is not that hard and is what you are told and they print on every terminal.

    97. Re:someone explain for the ignorant by Dorianny · · Score: 1

      I'm surprised that it's not the merchants that shall take full responsibility for fraud. That would raise the stakes on them to request photo ID or for online sales other means of supplementary identification.

      When a charge-back is initiated because of a claim of fraud the payment-processor will hold payment to the merchant and ask them to provide documentation that the transaction is legitimate. On most businesses that would be a copy of the receipt with a matching signature but high risk businesses such as night-clubs are (informally) asked to make photocopies of the credit card and drivers license for transactions over a certain amount. More often than not the payment-processor will find some "irregularity" and fault the merchant. If the processor finds the transaction is valid then it informs the CreditCard issuer and they will often write it off as cost of doing business. In conclusion with the pin and chip there will be little change for the merchant but I suspect it will become harder for consumers to initiate a fraud charge-back.

    98. Re:someone explain for the ignorant by TheRaven64 · · Score: 1

      But at least the transactions will be secure

      This has been repeated a number of times in the thread and I really have no idea why. I find it odd that the USA deploys a technology that was shown to be insecure five years ago and has since been shown to be broken in a lot more ways.

      --
      I am TheRaven on Soylent News
    99. Re:someone explain for the ignorant by Xest · · Score: 1

      No Britain hasn't. The transition has been wholly transparent, card fraud has dropped, and consumer protection against credit fraud is as strong as ever - the principle here in the UK is that the whole point of a bank is to keep your money safe, and if the facilities they give you to access your money fail regardless of the reason then they failed in their job.

      The only time they can shift the burden onto you is if they can prove you were entirely negligent, and that's been the same whether you were signing or entering a pin. There's no increase in the amount of burden pushed onto the consumer. This remains true even with the drastic increase in the use of contactless we've seen in the last couple of years too, in fact, so much so that the maximum contactless amount per transaction is being increased from £20 to £30. Consumers haven't seen a worrying rise in fraud as a result of it, and the banks haven't either. Everyone seems happy to keep expanding the scheme.

      What problems did you think we'd had here in the UK exactly?

    100. Re:someone explain for the ignorant by TheRaven64 · · Score: 1

      It's not the card that contains the PIN on the European solution, the PIN is validated by the bank.

      Well, it's validated by someone. Unfortunately, it turns out that the card reader doesn't contain anything to validate that the remote party is actually the bank, making it vulnerable to all sorts of MITM attacks. Especially fun as a lot of them use poorly-secured WiFi for their last hop...

      --
      I am TheRaven on Soylent News
    101. Re:someone explain for the ignorant by Your.Master · · Score: 1

      I grew up 4 hours away from the nearest city.

      The only people who don't take credit cards are teenagers (for babysitting and mowing lawns, generally). And even that looks like it's changing.

      I have emergency cash at home or when I travel, in case disaster strikes and takes down the credit network. That's about it.

    102. Re:someone explain for the ignorant by TheRaven64 · · Score: 1

      it means what Europe was using 20 years ago

      Well, some of Europe. The patent was owned by a French company, so most of Europe waited for it to expire around 10 years ago. Want a good example of the patent system causing economic damage? There's one.

      --
      I am TheRaven on Soylent News
    103. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Some US banks have elected to use chip and no PIN. Because PINs are too hard for Americans to remember.

    104. Re:someone explain for the ignorant by IamTheRealMike · · Score: 2

      The reason you can't secure an NFC card, is that you can't generate enough power using an antenna to power up a chip which can do crypto. The most you can do is read/write a ROM, so it's not much better than a magnetic stripe.

      Your info is a couple of generations out of date. Contactless EMV cards do ECDSA on chip.

    105. Re:someone explain for the ignorant by gl4ss · · Score: 1

      ..which version of chip and pin?

      it's a damn more secure than magstripe. in multiple ways. if you want to sign and pay without pin they need to check your ID.

      you can't just steal a card and start using it either, except if you go travelling to USA, hey hoo.

      on the minus side, people can eavesdrop your pin by looking at the keypad in a crowded bar.

      it fucks up square's business though.

      --
      world was created 5 seconds before this post as it is.
    106. Re:someone explain for the ignorant by Skylinux · · Score: 1

      Happened to my mother. She forgot her wallet in a taxi and lost a few thousand Euro in the process.
      She tried to contact the cab company to trace down the driver instead of immediately registering the card as lost/stolen ... stupid move.

      She did not have the pin written down but the pin was still cracked within a few hours. The thief went to different banks and withdrew as much money as the limit allowed (each bank has their own limit).

      The police and bank told her that she is at fault because these cards are not crackable. Apparently this has been challenged in court but the court confirmed the "uncrackable" claim of banks.

      http://www.finanzen.de/news/15...

      --
      Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
    107. Re:someone explain for the ignorant by IamTheRealMike · · Score: 1

      You sort of imply that this shouldn't be the case? I'm no expert but just wondering how a crook could get a PIN other than lack of reasonable protection from the owner?

      There are ways but they are all incredibly convoluted. One famous scam in the UK involved a complicated phone hack involving several actors. It worked like this.

      Scammer A calls the victim and claims to be from the police department. They say that there has been an outbreak of carding fraud and the victim's card needs to be replaced. Now at this point many people's BS meters go off because fraud requiring card replacement is practically non-existent. But the scammers have a neat trick - they say, you're quite right to be skeptical, why don't you call the police department back and ask for $NAME.

      So the victim hangs up the phone. But unknown to them, the other side doesn't hang up and in the UK the line only closes if both sides hang up. Now the victim picks up the phone again and hears a fake dial tone played by the other side. They dial the number of the police department and hear a fake ringing. They talk to another scammer (different voice) who pretends to be a switchboard operator, who then routes them through to yet another scammer who pretends to be a detective. All on the same phone call as the first one.

      The victim is now convinced that the fraud is real, because nobody could beat the callback check right? And the switchboard sounded very convincing. The detective tells them that a courier from the bank will come round to their address and issue them a replacement card soon, and the bank will be in touch shortly. At this point they hang up, now convinced. Yet another scammer phones them and claims to be from the bank. They ask for the PIN so the replacement card can be programmed correctly. Victim gives them the PIN. Then the final scammer rocks up on a motorbike with some fake delivery company logos and hands the victim a real-looking but useless card, taking their real card (with PIN) from them. Emptying the card up to its limit via an ATM happens shortly afterwards.

      I don't recall who ended up being considered liable in this case, but I think the banks covered it just to avoid the bad PR. IIRC the crooks got caught anyway.

    108. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Quit making shit up!

    109. Re:someone explain for the ignorant by IamTheRealMike · · Score: 1

      The card signs the transaction data once the PIN is presented (the ARQC). The PIN never goes to the bank, and a MITM should not be able to modify the signature on the transaction data. So I'm not sure why you think it's vulnerable to MITM.
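A simplified model of two points made in the comments above: a static identifier can be copied and replayed, while a keyed response to a fresh challenge cannot (comment 58), and a MITM cannot alter transaction data covered by the card's signature (comment 109). This is an added example, not part of any poster's comment and not the EMV algorithm: HMAC-SHA256 stands in for the card's cryptogram, and the class names, field names and sample card data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _encode(pan, amount_cents, currency, nonce, atc):
    # Unambiguous encoding of every field the MAC must cover.
    return "|".join([pan, str(amount_cents), currency, nonce.hex(), str(atc)]).encode()


def _mac(key, msg_fields):
    return hmac.new(key, _encode(*msg_fields), hashlib.sha256).hexdigest()


class ChipCard:
    """Model of a chip: the key is used for signing but never exported."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0  # per-card transaction counter (hypothetical field name)

    def sign(self, amount_cents, currency, nonce):
        self._atc += 1
        fields = (self.pan, amount_cents, currency, nonce, self._atc)
        return {"pan": self.pan, "amount_cents": amount_cents, "currency": currency,
                "nonce": nonce, "atc": self._atc, "mac": _mac(self._key, fields)}


class Issuer:
    """Verifies the MAC with its copy of the card key and enforces freshness."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, msg, session_nonce):
        # session_nonce is the challenge the verifying side issued for this session.
        key = self._keys.get(msg["pan"])
        if key is None:
            return "unknown-card"
        if not hmac.compare_digest(msg["nonce"], session_nonce):
            return "stale-nonce"
        fields = (msg["pan"], msg["amount_cents"], msg["currency"], msg["nonce"], msg["atc"])
        if not hmac.compare_digest(_mac(key, fields), msg["mac"]):
            return "bad-mac"
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "replayed-counter"
        self._last_atc[msg["pan"]] = msg["atc"]
        return "approved"


def stripe_authorize(presented_track, track_on_file):
    # Static-data model: the same bytes are sent every time, so a copy passes.
    ok = hmac.compare_digest(presented_track, track_on_file)
    return "approved" if ok else "declined"


def run_scenarios():
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed sample card number
    results = {}

    # Static data: a recorded copy is indistinguishable from the original.
    track = b"4000000000000002=2512"  # constructed sample track data
    recorded = bytes(track)
    results["stripe_replay"] = stripe_authorize(recorded, track)

    # Genuine chip transaction against a fresh challenge.
    n1 = secrets.token_bytes(8)
    msg = card.sign(1999, "USD", n1)
    results["genuine"] = issuer.authorize(msg, n1)

    # The same signed message submitted a second time in the same session.
    results["resubmit"] = issuer.authorize(dict(msg), n1)

    # The recorded message replayed when a new challenge has been issued.
    n2 = secrets.token_bytes(8)
    results["replay_new_challenge"] = issuer.authorize(dict(msg), n2)

    # A man-in-the-middle changes the amount after the card signed it.
    n3 = secrets.token_bytes(8)
    signed = card.sign(1999, "USD", n3)
    tampered = dict(signed, amount_cents=199900)
    results["tampered_amount"] = issuer.authorize(tampered, n3)
    results["untampered"] = issuer.authorize(signed, n3)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} {outcome}")
```
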

    110. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Hi, I work for a company that makes ATMs, card terminals etc. What you said is completely wrong...

    111. Re:someone explain for the ignorant by jez9999 · · Score: 1

      You still sign to *ahem* "verify" that it's really the owner of the card that made the transaction? I remember when we used to do that... when I was too young to actually own a credit card. *snicker* :-)

    112. Re:someone explain for the ignorant by jez9999 · · Score: 1

      The reason the US has opted for signature instead is because they think people will have problems remembering the PINs.

      People in the US will have trouble remembering 4 digits? Hahahahahaha :-D

    113. Re:someone explain for the ignorant by Alioth · · Score: 1

      We've had chip&pin here now for over a decade, and people still forget their cards.

      However: in nearly every system you can put your card in while the cashier is still ringing up your goods, you don't have to wait for the total to come out. When the total does come out the wait for the transaction to complete after entering the pin is normally well under a second on any remotely modern system.

    114. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Says who? Please point to a cardholder agreement that actually says that or shut up.

    115. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Wrong, the liability shift concerns the merchant first and not the cardholder. Any merchant with a terminal that makes magstripe transactions with cards that 'prefer' chip transactions is then liable for any fraud and not the card issuing bank anymore. OTOH if the fraud happens with a chip & (whatever) transaction it's still the issuing bank that's liable.

    116. Re:someone explain for the ignorant by Alioth · · Score: 1

      I lived in the US for a few years. We all knew it was the richest country in the world (and much richer than the country I'm from) but I was astonished by how common obvious poverty was. I thought our inner cities were bad, but I'd never seen things like trailer parks and some of the small towns in the south that look like they belong in the third world.

    117. Re:someone explain for the ignorant by OldCodger · · Score: 1

      It doesn't matter if it's broken or not. The point is that the banks state that If chip&pin was used and it's fraudulent we'll take the hit, if swipe was used then the merchant takes the hit. It's that simple statement that gives the merchants the incentive to pay up for the POS upgrade.

    118. Re: someone explain for the ignorant by rickb928 · · Score: 1

      There were complaints from many a pensioner that their accounts were emptied, no idea how. Mostly because these old sods were forced into debit cards and had a hard time with the pin. Not hard to shoulder-surf these victims.

      Adding shields and such to the ATM didn't make it easier for the incompetent.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    119. Re:someone explain for the ignorant by MrL0G1C · · Score: 2

      BBC newsnight - UK chip and pin credit and debit cards are insecure Feb2010

      Part of the flaw is that the pin is confirmed by the card and not the seller's equipment / card network. That seems like an odd way of doing things since a fake card can simply lie about the pin.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    120. Re:someone explain for the ignorant by MrL0G1C · · Score: 1

      I'm no fan of big corps but credit where it's due, McDonald's card readers are really fast in the UK with near instant pin confirmation, why can't all readers be this quick?

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    121. Re:someone explain for the ignorant by TomGreenhaw · · Score: 1

      >>>Presently mastercard/visa/amex assume most of the liability (and they very well better for the transaction fees they charge.)

      I have no idea why everybody thinks this.

      I've been in the card processing business for over 15 years. I have never seen a card brand take the hit on a fraudulent charge. It's always the merchant who pays with a chargeback, unless they can absolutely prove the real cardholder made the charge. Each merchant has an acquiring bank for their card processing merchant account, and the only risk these financial institutions take is the case of card fraud with a chargeback to a merchant who has disappeared with the money.

      Also, most of the fees go to the card issuer Chase or Citibank for example. They are taking the risk that a card holder will not pay. The merchant pays these fees that are generally passed on in the form of higher prices.

      The reality of the liability shift is more complicated than anybody really appreciates. Whoever the weakest link in the chain is will assume the liability. If a merchant sticks with the old mag strip reader and the consumer has an EMV card, the merchant will always assume the responsibility. If a merchant accepts chip & signature when the consumer is capable of chip & pin, again the merchant will take responsibility. The banks and processors will never be the weak link in the chain because they all support the strongest forms of the new protocols.

      Certain card issuers already have a large number of chip & signature cards in the field - Citibank for example. The other issuers realized that if they all issued chip & pin, grandma would just start using her old chip & signature card because she wouldn't bother to get a pin number and use it. By the new rules, merchants who can take chip & pin, but issuers only offer chip & signature are not the weak link in the chain - the card issuer will be. I am sure there will be lawsuits making sure the card issuers are held liable for making the decision to be the weak link in the chain.

      This is where the law of unintended consequences will rear its ugly head. With EMV, counterfeit cards go away. This means that card fraud will require a real card. Ladies & gentlemen - watch your wallets and purses - those cards will be like cash to a thief. You can bet that the rules for reporting lost & stolen cards will greatly tighten, and the consumer will totally be held liable for charges made on lost & stolen cards.

      --
      Greed is the root of all evil.
    122. Re:someone explain for the ignorant by neokushan · · Score: 2

      EMV is NOT contactless.

      EMV is not contactless in the same way that TCP/IP is not wireless. EMV is a payment specification, it can be done contact or contactlessly. There are contactless specifications based on EMV from all of the big card brands.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    123. Re:someone explain for the ignorant by umghhh · · Score: 1

      You are probably right about insecurities in pin&chip but it is still better than what Muricans still have now?
      The road of progress is long, boring and difficult.

    124. Re:someone explain for the ignorant by guyniraxn · · Score: 1

      Check your contract. If you don't sign your card when you activate, you're responsible. Merchants are supposed to refuse cards without a signature, ID or not. How does everyone not know this already?

    125. Re:someone explain for the ignorant by AmiMoJo · · Score: 4, Interesting

      Saying NFC has been "cracked" is like saying that ethernet has been "cracked". It doesn't make any sense. NFC is just a transport layer, it doesn't have any encryption or security at all. You have to build that in at the application level that uses NFC to transfer its data.

      NFC payment cards are secure. They have been in use in other parts of the world for ~15 years now. Japan started using them around 2000. There have been no mass thefts by people with big antennas or readers hidden under their jackets. The hacks you heard about were attacks on the phone's NFC software stack, similar to a bug in the TCP/IP stack of some desktop operating systems. Again, we didn't say that ethernet was "cracked" when that happened, we recognized that the implementation of the TCP/IP stack was broken.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    126. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      I like how the summary and you appear to confuse the fact that nearly half of the victims are from the U.S., much (possibly most) of the fraud still takes place in other countries (looking at you Russia and China).

      I have had my card's information used illegally 6 times in my life. Twice the transaction came from Russia, three times from China (and no, I have never physically been to either, and I have never knowingly used a Russian or Chinese online store).

      The other time a cloned card was being used in Florida (again, not within years of having visited that state), and they caught the lady trying to use the card at a Wal-Mart. And yes, she was Russian.

    127. Re:someone explain for the ignorant by AmiMoJo · · Score: 1

      The terminals have number pads, you can type one handed on them. Then you use your other hand to cover the pad so no-one can see what you are typing.

      Out of interest, how do YOU avoid this problem when using an ATM? I believe that the ones in the US require your PIN number to withdraw money, right?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    128. Re:someone explain for the ignorant by houghi · · Score: 1

      Each case will be decided upon. One case will not be the same as another. If somebody puts a gun to your head asking your PIN will be treated differently to somebody who writes the PIN with a sharpie on the card.
      And then there is skimming. That will still happen (just as fraud from merchants, customers and others.)

      What you should NOT do is give your PIN to anybody. Not your kids, not your spouse, nobody, because that could mean that you will be held accountable. Just get them their own card with their own code. The kids who can't have a card could get a pre-paid card, if it is needed.

      You should NOT even know the pin code of your kids, to teach them the PIN, just like any other password, is personal and should not be shared.

      I just hope many would drop the 4 number PIN code and go to the 6 number one.

      --
      Don't fight for your country, if your country does not fight for you.
    129. Re:someone explain for the ignorant by fahrbot-bot · · Score: 2

      This is an RFID only card - "VISA PayWave" - not a smart card so there's no chip+pin. Using the hole-punch on the RFID chip was very satisfying. Contact-less CCs are a gimmick to encourage thoughtless purchasing.

      --
      It must have been something you assimilated. . . .
    130. Re:someone explain for the ignorant by lars_stefan_axelsson · · Score: 1

      Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault. Britain has had a lot of trouble with this.

      Yes, but that was long before chips were ever fielded, in the eighties and nineties. And the setting wasn't credit card fraud but debit card ATM "ghost" or "phantom" withdrawals.

      Now, in the US the government said to the banks, "it's your problem, you fix it". In the UK the banks managed to say to the government "It's the customers defrauding us, we'll nail them". Yes, it was a hard time being a customer in the UK, actually being convicted of attempted fraud for reporting a phantom withdrawal, but it didn't have anything to do with PINs. You used pins at your ATMs as well, and you still do. Using a PIN for a normal transaction wouldn't change your liability laws one iota. You'd still be in the clear (as we by and large are in Europe today as well).

      P.S. Cambridge security researcher Ross Anderson has written quite a bit on this subject, he got the policeman that was convicted cleared of the charges on appeal.

      --
      Stefan Axelsson
    131. Re:someone explain for the ignorant by AmiMoJo · · Score: 1

      What do people who can't use a PIN number do? In the UK they kept the ability to sign available for those people, e.g. the numerically dyslexic.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    132. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      I've been sticking my card in all of them when it prompts for an insert/swipe but I don't know if they're just not enabled around here or what because it never works and I always have to fall back to the mag strip.

      Same here, but I put my wallet through the wash right after getting my new card so I wasn't sure if I had damaged the chip or not.

    133. Re:someone explain for the ignorant by Skater · · Score: 1

      Gah. I had the opportunity to visit Vienna, Austria for work last summer, and my chip-and-signature cards were useless for automated kiosks. Fortunately a friend had lent me a few euros before I left, so I was able to use cash to purchase U-Bahn fare. Thanks to reading Slashdot comments, I knew about this problem and asked before the trip, and the credit card company (the one contracted by my employer for our company cards) said, "Errr, what? We have European travelers all the time and you're the first to ask!" But the same damn company has issued a chip-and-signature (personal) card to me for years. Yearrgghhh.

      Austria seemed to be more of a cash operation anyway. I got a few odd looks when I pulled out the card, and I quickly realized cash was the norm. I even ran into one place that refused the card. The people were awesomely friendly, though. Austria is definitely on the list for a second visit.

    134. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      In general, credit cards are nowhere near as popular in Europe as they are in the U.S. (France being an obvious exception). Instead, Europeans tend to pay by direct debit card.

    135. Re:someone explain for the ignorant by spire3661 · · Score: 1

      The only people this helps is the banks. It's SLIGHTLY more secure. I'm not convinced that the extra BS that goes along with it (all new readers everywhere, new methods, and retraining) are worth the moderate bump in security for the CC company.

      --
      Good-bye
    136. Re:someone explain for the ignorant by spire3661 · · Score: 1

      You realize the ONLY people this helps is the banks.

      --
      Good-bye
    137. Re:someone explain for the ignorant by darthsilun · · Score: 1

      But the cashiers aren't obligated to check your ID to validate the signature, so you don't have much call to get mad at them because of that.

      Wrong. The merchant's agreement says they are required to check. There's anecdotal evidence that CC companies audit merchants for compliance.

    138. Re:someone explain for the ignorant by spire3661 · · Score: 1

      Not when you consider the cost of new equipment and re-training everyone. Banking is based on TRUST, not ultra hardened security.

      --
      Good-bye
    139. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      I got a c&p card this week. Someone ripped off my old number.

      Thing is *NONE* of the readers around are c&p. All are still magstripe. I saw new kiosks being installed that are only magstripe. Brand new 800 dollars per station... It is sort of sad they are not thinking ahead at all.

      What I found amusing was the dude who ripped off my card went on a buying spree at dollar general and food lion. I could just see the reasoning here "got me a high limit credit card let's hit up the most crap stores around"

    140. Re:someone explain for the ignorant by IndustrialComplex · · Score: 1

      When it comes to infrastructure, the frontrunner rapidly becomes the laggard. Someone building up their infrastructure from nothing can look at the forerunners and avoid their mistakes and include the latest technology while the forerunner has become dependent on the existing infrastructure so it must be maintained while the new system is built.

      Consider a 'modern' road built in 1790. It would be wide enough for two carriages to pass, it would be paved in cobblestone, and would have amazing drainage that let the water flow off to the side rather than puddle up. Imagine you built out this road system for your entire city. Now Mr. McAdam comes along with his new paving system and your neighboring town that didn't get around to 'modernizing' their roads when you did now starts their own project. Their roads will be better in many respects. Do you tear up your old cobblestones and repave your roads? Or do you live with your system until it becomes a problem?

      Fast forward 200 years. The amazing two lane carriageway is barely wide enough for a single modern car, the rights of way/easements have been established so houses are built up to the edge, and any upgrade to this road system is going to require not just regrading, but purchasing/condemning hundreds of properties. Compare that to a third world nation putting in their highway system. Lots of open space to utilize, no underground utilities to worry about rerouting or damaging, no overhead bridges built 60 years ago that require replacing (since they were only wide enough to span a 2 lane road not a 4 lane divided highway).

      So something as simple as adding a new lane to an existing highway for 10 miles can end up costing more than putting in an entire 4 lane expressway for 50 miles if one was in a developed country and the latter was in an undeveloped country.

      It's great to get new technology, but trailblazing is always more difficult than following the trailblazer.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    141. Re:someone explain for the ignorant by darthsilun · · Score: 1

      What happens when you get home and call your bank and dispute the transaction? The signature receipt I have accepted is copied and sent to the bank, then your card is checked for verification. On the back of your card is CHECK ID and it looks absolutely nothing like the signature on the piece of paper. What happens then?

      I've disputed transactions in the past. I've never had to show them the signature panel on my card. If you had checked my ID and confirmed it was actually me, then I'd say the odds of me disputing the transaction are exactly zero.

    142. Re:someone explain for the ignorant by TheRaven64 · · Score: 1

      Here's a nice list of EMV vulnerabilities. The latest one 'wedge' involves a MITM between the card and the bank. Since publishing with a prototype device, the authors have found people manufacturing much smaller ones that can just have a chip from a stolen card popped in them to do fraudulent transactions.

      --
      I am TheRaven on Soylent News
    143. Re:someone explain for the ignorant by darthsilun · · Score: 1

      In the 8 years I worked in a supermarket I never saw Check ID written on a card. In fact I had never heard of the practice till now, so I think it must be a US centric thing.

      No doubt because you have chip-and-pin and the occurrence of fraud is practically nil.

    144. Re:someone explain for the ignorant by spire3661 · · Score: 1

      Gotta love when the court ignores the laws of probability completely.

      --
      Good-bye
    145. Re:someone explain for the ignorant by Applehu+Akbar · · Score: 1

      Which is both less secure and less convenient than resting the top of your iPhone 6 on the NFC logo, authenticating a purchase with your thumbprint, and having the phone send a one-time CC number to the merchant's register.

    146. Re:someone explain for the ignorant by Applehu+Akbar · · Score: 1

      Walmart also uses them. Look under the keypad for the slot where you insert your card.

    147. Re:someone explain for the ignorant by darthsilun · · Score: 1

      If it said CHECK ID and you hadn't signed like that I'm not sure I would have been comfortable putting the transaction through without getting my boss to authorise it.

      And if you and/or your boss declined, I'd have been perfectly comfortable walking out, leaving my multi-hundred dollar purchase on the belt for you to reshelve, and taken my business to someone who has a brain. Just sayin'. No merchant who has ever checked my card, seen my "CHECK ID" 'signature', and checked my government issued photo ID has ever declined the sale. Some of them have even said "good idea." Despite whatever T&Cs the credit card issuer has between the merchant, or with me.

    148. Re:someone explain for the ignorant by spire3661 · · Score: 1

      You don't compare sigs. You are just looking to see if the INFORMATION matches (name, etc). ANY mark I put on paper and declare as my signature is my legal signature and it can vary wildly. I don't have to consistently give the same signature for it to be considered legal.

      --
      Good-bye
    149. Re:someone explain for the ignorant by Applehu+Akbar · · Score: 1

      I was able to get the EMV version of my Chase Visa a year early because I had a European trip last summer, and needed a payment system that would be acceptable there. Using conventional US credit cards elsewhere in the world is like trying to pay at McDonalds with doubloons.

    150. Re:someone explain for the ignorant by claar · · Score: 1

      Just found this -- not so bad for Square, it seems: https://squareup.com/emv

      --
      I'd give my right arm to be ambidextrous...
    151. Re:someone explain for the ignorant by Phreakiture · · Score: 1

      They are harder to replicate, but there's more. The card holds a secret key, which it will never divulge, and has the capability of producing a cryptographic signature using that key. As such, a transaction gets signed by the card on your behalf, with enough information included in the signed field that duplicates become obvious, preventing replays, and that alterations become computationally untenable. As such, capturing the information, regardless of whether it is captured in transit or in situ, doesn't give you the ability to commit fraud with the stolen data.

      Of course, as long as the magstripes continue to exist and be honoured, you can always go around the system. This will be the case for a few years at least while the transition is made. If data from a chip terminal is successfully intercepted, it will sometimes be possible to recover enough to regenerate track 2 from a magnetic card (the only track that is required, and the one that is read by card reader dongles like Square) plus the PIN. That's enough to create and use a functioning magstripe ATM card.

      --
      www.wavefront-av.com
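
Added example, not part of the comment above or of the original thread: a toy Python model of the card-side signing described in comment 151, showing an issuer rejecting a replayed and an altered transaction while the key never leaves the card object. HMAC-SHA256, the class names, the field layout and the card number are assumptions made for illustration; real EMV cryptograms use their own algorithms and data fields.

```python
"""Toy model of a chip card's transaction cryptogram (illustrative, not EMV itself)."""
import hashlib
import hmac
import secrets


def _message(pan, amount_cents, currency, nonce, atc):
    # Unambiguous encoding of every field the cryptogram has to cover.
    return f"{pan}|{amount_cents}|{currency}|{nonce.hex()}|{atc}".encode()


def _mac(key, msg):
    # Assumption: truncated HMAC-SHA256 stands in for the card's real algorithm.
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ToyCard:
    """Hypothetical card: the key is used internally and never returned."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0  # per-card transaction counter, bumped on every signature

    def sign(self, amount_cents, currency, nonce):
        self._atc += 1
        msg = _message(self.pan, amount_cents, currency, nonce, self._atc)
        return self._atc, _mac(self._key, msg)


class ToyIssuer:
    """Hypothetical issuer: shares each card's key and tracks its counter."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, pan, amount_cents, currency, nonce, atc, cryptogram):
        # amount, currency and nonce are the values the terminal reports,
        # so a cryptogram computed over different values will not verify.
        key = self._keys.get(pan)
        if key is None:
            return "unknown card"
        expected = _mac(key, _message(pan, amount_cents, currency, nonce, atc))
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"
        if atc <= self._last_atc[pan]:
            return "replay"  # valid signature, but this counter was already used
        self._last_atc[pan] = atc
        return "approved"


def demo():
    pan = "4000000000000002"            # constructed sample card number
    key = secrets.token_bytes(32)       # shared between card and issuer only
    card, issuer = ToyCard(pan, key), ToyIssuer()
    issuer.enroll(pan, key)

    nonce1 = bytes.fromhex("a1b2c3d4")  # constructed terminal nonces
    nonce2 = bytes.fromhex("0badcafe")
    atc, cg = card.sign(1999, "USD", nonce1)

    results = {
        # The genuine purchase goes through once.
        "genuine": issuer.authorize(pan, 1999, "USD", nonce1, atc, cg),
        # The identical captured message sent again: counter already seen.
        "verbatim_replay": issuer.authorize(pan, 1999, "USD", nonce1, atc, cg),
        # Captured cryptogram reused with a larger amount.
        "altered_amount": issuer.authorize(pan, 199900, "USD", nonce1, atc, cg),
        # Captured cryptogram presented at a terminal that chose a new nonce.
        "fresh_nonce": issuer.authorize(pan, 1999, "USD", nonce2, atc, cg),
    }
    # Only the real card can produce the next valid cryptogram.
    atc2, cg2 = card.sign(500, "USD", nonce2)
    results["next_genuine"] = issuer.authorize(pan, 500, "USD", nonce2, atc2, cg2)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```
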
    152. Re:someone explain for the ignorant by TomGreenhaw · · Score: 1

      It would be great if all consumers demanded chip & pin. I like your idea - I'm going to call and tell them I need cards that do chip & pin for the same reason you did.

      --
      Greed is the root of all evil.
    153. Re: someone explain for the ignorant by Xest · · Score: 1

      And is there any evidence that there was an actual increase in fraud here or are we talking a few anecdotes? Because all the evidence I've seen has shown nothing but a marked decrease in fraud.

      It sounds more like a story cooked up by whining pensioners who can't deal with change and like to vote UKIP to prove it. I'm sure UKIP would undo chip and pin and take us back to the dark ages of banking. Because things were better back then. Or something.

    154. Re:someone explain for the ignorant by Kjella · · Score: 2

      One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder.

      Fairly sure this is not so in Norway, liability is put on the merchant because they are the only ones who can invest in systems to bring and keep terminals online. Even waiters at the table generally have online wireless terminals for this, apart from one bus company that apparently haven't updated their terminals in ages, a few old parking meters and a few remote cabins selling coffee and snacks to cross country skiers it's all online. I've used it if their line is down, but then it's in their interest to fix the line and get the sales validated ASAP. Particularly many teens only have VISA Electron, if it's not online they can't pay at all, no backup for them.

      --
      Live today, because you never know what tomorrow brings
    155. Re:someone explain for the ignorant by omnichad · · Score: 2

      EMV includes a contactless variation that Apple Pay implements.

    156. Re:someone explain for the ignorant by omnichad · · Score: 1

      Target has them. So does Wal-Mart and my local grocery store. Anyone who's replaced card readers in the last year or so most likely has them. Otherwise, why buy the equipment early if so few people have the cards? The liability shift doesn't happen until this fall.

    157. Re:someone explain for the ignorant by omnichad · · Score: 1

      If the card is stolen, the retailer is liable instead of the CC company. Read up on the liability shift.

    158. Re:someone explain for the ignorant by omnichad · · Score: 1
    159. Re:someone explain for the ignorant by operagost · · Score: 1

      This is why the statistics on this article are bogus. The banks in Europe claim C&P is foolproof, so if your money is stolen it's "the user's fault", and it's not "fraud". Kind of like how our unemployment rate in the USA is so low because they decided that people who gave up looking for work don't count, and people who are working 20-30 hours a week do.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    160. Re:someone explain for the ignorant by omnichad · · Score: 1

      little "shades" for CC terminals

      Yeah, that rubber thing that forces me to type my PIN more slowly making it more likely someone can see me enter the numbers even if they can't see the keys. I enter my PIN on the order of about 1 second total without the shade and about 3 seconds with it.

    161. Re:someone explain for the ignorant by jbengt · · Score: 1

      i guess you are talking about physically stealing a card. that's almost almost zero percent of the problem. that requires physical theft which criminals don't want to risk for the most part.

      Bullshit. Use of lost & stolen cards is still one of the most common types of credit card fraud, even if on-line identity theft has gained ground. Not all criminals are tech-savvy.

    162. Re:someone explain for the ignorant by omnichad · · Score: 1

      PINs, plural. I have five different cards just because the banks are willing to give me free money to open a credit account and make one purchase - even if I pay it off immediately. Most of those cards haven't seen use in years, but it's hard to say no to free money.

      My wife signed up for a brand new American Express card to make a bit of a larger purchase we were going to make anyway this month. She's getting a year of Amazon Prime for free and a $200 statement credit in a couple months for spending less than $2000 at no interest.

    163. Re:someone explain for the ignorant by omnichad · · Score: 1

      At the very least, you can't get your card number stolen from the chip reader. That data is encrypted between you and the payment processor. But if the clerk then physically takes the card to compare with a signature, they can take a discreet photo of the number (not an imprint - embossing is done for good). Chip and PIN gives you a little more security in this regard.

    164. Re:someone explain for the ignorant by dave420 · · Score: 1

      Keep telling yourself that and see how well it does you. The US wasn't the trailblazer of infrastructure, so your argument kind of immediately falls flat. I know it might hurt you to admit the US is terrible when it comes to infrastructure, but until people start to admit it, nothing will improve. You can come up with as many time-travelling explanations as you want, but the facts remain - the US under-invests in infrastructure, public health, and social security and it shows.

    165. Re: someone explain for the ignorant by rickb928 · · Score: 1

      The reports were genuine. Trying to link this to some imagined Luddite revolution involving the UKIP is a sad attempt to politicize genuine problems.

      I haven't seen too many of those reports lately, but during the introduction ATM fraud was just common enough that the banks largely gave in and restored funds.

      Yes. The old women trying to withdraw their pension at the ATM were being defrauded. No, it wasn't millions. Are you defending the banks, or the chip&pin rollout, or just chiming in to be contrary?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    166. Re:someone explain for the ignorant by John.Banister · · Score: 1

      Walmart is also now supporting swipe with no pin or signature for transactions under $50 w/o cash back. I was frightened the first time this happened to me. http://www.reddit.com/r/walmar...

    167. Re:someone explain for the ignorant by VGPowerlord · · Score: 1

      4 different Credit Card companies in the US (Visa, MasterCard, American Express, and Discover) will no longer cover fraudulent charges on non-chip transactions starting in October 2015.

      Visa:

      Effective 1 October 2015, Visa's global counterfeit liability shift will be instituted in the U.S for POS transactions. With this liability shift, the party that is the cause of a chip transaction not occurring (i.e., either the issuer or the merchant's acquirer processor) will be held financially liable for any resulting card present counterfeit fraud losses. The shift helps to better protect all parties by encouraging chip transactions that use unique, dynamic authentication data.

      -- Source (PDF)

      MasterCard:

      The April 2013 acquirer readiness date is the first step in preparation for MasterCard's liability shift, which takes effect October 1, 2015. This liability shift directly affects acquirers and issuers as it pertains to counterfeit fraud. This means that the party, either the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions. In addition, MasterCard supports a liability shift for lost, stolen, and never received or issued (NRI) cards to the party that does not support PIN as a cardholder verification method. If neither party supports PIN, only the counterfeit liability shift rules apply. The liability shift does not apply to Automated Fuel Dispensers (AFDs) until October 1, 2017

      -- Source (PDF)

      American Express:

      Effective October 2015, American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. U.S. fuel merchants will have an additional two years, until October 2017, before the FLS takes effect for transactions generated from automated fuel dispensers.

      -- Source

      Discover:

      In alignment with U.S. EMV migration timelines, Discover is introducing Fraud Liability Shift for Discover Network (in the U.S., Canada and Mexico) and PULSE (in the U.S.), effective October 1, 2015 at point-of-sale terminals and Oct. 1, 2017 at automated fuel dispensers. This Fraud Liability Shift policy will be a risk-based payments hierarchy that benefits the entity that leverages the highest level of available payments security. As Fraud Liability Shift is already in place for Diners Club International (effective December 31, 2012 for mandated Participants), Discover will have one standard liability shift policy in place across all networks by October 1, 2015.

      -- Source

      So, I expect everyone in the US will start seeing new cards issued this year even if their card isn't set to expire.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    168. Re: someone explain for the ignorant by rickb928 · · Score: 1

      This was still happening in 2012

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    169. Re: someone explain for the ignorant by rickb928 · · Score: 1

      500EUR is a lot to a pensioner. Often devastating.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    170. Re:someone explain for the ignorant by aardvarkjoe · · Score: 1

      Wrong. The merchant's agreement says they are required to check. There's anecdotal evidence that CC companies audit merchants for compliance.

      This is false. (Where are you getting your information from?) Not only are they not required to check, both Visa's and Mastercard's policies say that although the merchant may ask for ID, they cannot refuse a transaction if you refuse to show it.

      Discover apparently does say that they should check alternate ID if there are any suspicions, although it doesn't require it all the time.

      Sources:
      http://usa.visa.com/download/merchants/card-acceptance-guidelines-for-visa-merchants.pdf
      http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    171. Re: someone explain for the ignorant by Anonymous Coward · · Score: 0

      Smell the fking roses. The chip and pin system may not be perfect, but as the summary even states, it's far better than the magstripe system. Frankly, I hope America doesn't change and you continue to get defrauded because of your ignorant arrogance.

    172. Re:someone explain for the ignorant by cayenne8 · · Score: 1

      What I'm wondering is...

      Am I now going to have to memorize a bunch of different PIN numbers for each of my credit cards?

      I've got enough to remember with passwords to websites and applications, and now more numbers to remember?

      I can now start to picture everyone having sticky notes on the backs of each card with the PIN number, which pretty much renders them useless, since when stolen, the thieves will have the PINs right there with the card.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    173. Re: someone explain for the ignorant by Anonymous Coward · · Score: 0

      So yes. You're going with anecdotes picked out of thin air. There were reports that water is dry, so it must be true.

    174. Re:someone explain for the ignorant by darniil · · Score: 1

      I worked at an Army HQ between '00 and '04 (IT contractor), and at some point in that range we were all (soldiers, civilians, and contractors) getting CAC cards.

    175. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      "The reality of the liability shift"

      I can appreciate banks/credit card companies wanting to prevent fraud, but chip n pin is at best a minor improvement over standard mag strips, at worst it is a thinly veiled attempt to saddle customers/businesses with credit card fraud. I don't mind taking a little bit of responsibility for fraudulent charges, but I also want the tools to stop them in their tracks. My bank texts my phone in literally about 3 seconds after I make a withdrawal. Why can't credit card companies do the same and allow consumers to stop a debit/credit?

    176. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      > EMV is NOT contactless. If your new card(s) include electrical contacts, it's EMV.

      Actually, EMV Contactless is one of the EMV specifications. It was developed later than the original EMV chip technology, but contactless is very much part of EMV today. I think what you are trying to say is that the original EMV chip & pin specification did not cover contactless.

      http://www.emvco.com/specifications.aspx?id=21

    177. Re:someone explain for the ignorant by sexconker · · Score: 1

      > > The thing I don't like about it, is on the signature block on the back of the card I just write check id
      >
      > Massive FAIL there, Psyko. If your card is ever stolen, instead of the CC company being responsible for losses you are!

      Wrooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.
      An unauthorized charge is an unauthorized charge and you are not liable for unauthorized charges.

    178. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      That's better than it is now where they can either get the card or they can just get the details. In both cases they have to get past the retailer to actually use the card. Which reminds me, this is an excellent reason why you should have that 1-800 number for the issuer in your phone along with the details necessary to report it as stolen the moment you lose your wallet. Additionally, it's a good idea to have a spare CC that you leave at home for the possible case where you're without your other cards if that happens.

      Having to have a physical card drastically cuts down on the amount of fraud they can get away with as they have to get the card and use the card before somebody notices that it's been stolen and hope that the credit card issuer doesn't pick up on the unusual activity.

      That's not to say that it's not going to be possible to steal a card and use it, but calling it like cash is a gross overstatement. I've found my CC issuers to be pretty good at picking up suspicious activity even in cases where it's just me making unusual purchases.

    179. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Well, the drug cartels need secure storage for their money, too. Why are you surprised?

    180. Re: someone explain for the ignorant by Anonymous Coward · · Score: 0

      How else do you explain dry ice?

    181. Re:someone explain for the ignorant by sexconker · · Score: 1

      That's all avoidable by GP's "reasonable protection from the owner".

      I wouldn't deal with the police at all. I'd deal with my card issuer. (They could design the scam this way, but I for one would be going to my card issuer's website and contacting them via whatever shitty webform they have.)
      I wouldn't believe the card issuer would hand deliver a new card to me.
      I don't think I've ever had to tell a rep my pin.
      I would never hand my old card in to some courier, I'd destroy it.
      I would not be reusing my pin.

    182. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      How do you tell the difference between somebody choosing to be unemployed, like a housemaker and somebody that's given up on getting a job? That's why they don't include people that aren't looking for work, 50 years ago you probably had 40-50% of the US adult population "unemployed" when really they wouldn't get a job even if offered one because they weren't interested.

    183. Re:someone explain for the ignorant by phorm · · Score: 2

      Yes, and considering that all somebody needs to do to check your pin is read the heat signature on a pad after you've used it that's a pretty low bar.

    184. Re: someone explain for the ignorant by rickb928 · · Score: 1

      Well, legitimate news reports and court cases, but you're welcome to your opinion of journalism and the legal profession.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    185. Re:someone explain for the ignorant by Cimexus · · Score: 1

      Neat trick, though since it relies on the way the landline phone system works, it has a pretty limited target audience. Many (most?) people only use mobiles these days. Also most banks impose daily ATM withdrawal limits which aren't that high, so it seems like a lot of effort for relatively little gain. I don't think most people would fall for it if they thought about it for a second:

      - Wouldn't it be your bank initially calling you about your card needing replacement, not the police? How would the police even know who had an affected card?

      - Most people would know that a bank would never ask you for your PIN over the phone. And even if they didn't know that, needing it to "program your new card" makes no sense, since every replacement card I've ever received always has a new PIN with it anyway (which you can keep, or go and change it back to something you want)

      Still goes to show you how inventive some of these guys are!

    186. Re:someone explain for the ignorant by Cimexus · · Score: 1

      Weird that each bank has their own limit. Every bank account I've ever had imposes a daily ATM withdrawal limit ~for the account~, irrespective of how many ATMs you use to do it or who owns those ATMs...

    187. Re:someone explain for the ignorant by Cimexus · · Score: 1

      I don't see an issue with offering the contactless. You can disable it if you want by contacting your bank. But frankly I couldn't live without it now. Took a trip to the US recently and it was like going back to the dark ages.

      Contactless makes a substantial improvement to the time it takes to do transactions and I've actually seen the reduction in lines at checkouts as a result. So as long as it's not mandatory I don't really have a problem with it. Convenience has a price sometimes.

    188. Re:someone explain for the ignorant by Cimexus · · Score: 1

      It's usually generically referred to as Paypass down here in Canberra too. Either way people know what you're talking about though. From my personal experience, I had contactless on my Mastercard (BankWest, Paypass) a long time before I had it on my Visa (CBA, Paywave), so maybe that's why.

    189. Re:someone explain for the ignorant by Cimexus · · Score: 1

      This makes no sense anyway as everyone already has an ATM/debit card right? Which has a PIN. If they can remember that PIN, they can remember another (or in many cases, it will be the same physical card with the same PIN).

    190. Re:someone explain for the ignorant by Cimexus · · Score: 1

      Sigh. Why does the US always lag everywhere else when introducing new systems, and when they do finally do it, implement something that's different from the rest of the world. Seriously, it's the same way they do everything - slowly and half-assed.

      I'm Australian but currently live in the US and banking here drives me up the wall. There's no universal bill payment system. There's no way I can instantly send money to another person's bank account (unless they're with the same bank) - I can set up a link between two accounts but that takes time, I can send a wire transfer but that has fees and is slow, or I could write a check/cheque, which is something no-one has had to do in Australia since ~1990! Argh. And yeah - no chip and PIN and virtually no penetration of contactless card readers (which I use for ~everything~ back home and love it). Oh and their paper money is, well, paper (linen actually, but it's insecure and easily destroyed compared to our polymer bills).

    191. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      How many cards do they have? I have 2 debit cards and 4 credit cards all that would have to have their own PINs to go with them. What's more, that's not including my library card and 2 foreign ATM cards that have 6 digit PINs as well and the hundreds of passwords that I'm also supposed to keep memorized.

      Suggesting that it's just a 4-digit pin and therefore not a big deal neglects to factor in all the other things that we need to memorize and the alternate use of resources that you're not going to be able to do because you're memorizing the number.

    192. Re:someone explain for the ignorant by plover · · Score: 1

      This problem was addressed in v4.3 of the protocol. Also note that this particular problem only enabled theft from the store by a dishonest customer, but it does not enable the large scale skimming or cloning attacks that have been the subject of headline news.

      A fake card can't lie about the PIN because it doesn't have the key needed to sign the packets the card sends to the merchant's terminal. The merchant terminal has a bunch of certificates in it and authenticates the messages coming from the card. In this specific attack, Ross' team discovered the message that said "Transaction Approved!" coming from the card in an offline sale was unsigned, so they had their tampered card send the same unsigned "Transaction Approved!" message at the right time in the protocol. The change to V4.3 (or was it 4.2?) fixed this problem, so it should not be an issue for the US market.

      Ross likes to get EMV flaws in the news. While this benefits us all in that the protocol's security is tightened each time a flaw is uncovered, poor news reporting and the claims repeated by ignorant people (and fomented by organizations who don't want to see EMV succeed) are causing counterproductive hysteria. On one hand, EMV is a complex mess that was made worse by all the compromises stuffed in there by competing interests (banks, card associations, terminal manufacturers, card manufacturers, merchants, and payment processors), but on the other hand it's converged onto a remarkably secure solution to a problem that has plagued the industry for over 20 years.

      The real crime here is that all the competing interests have resulted in foot-dragging by all the players who see changing over to EMV as too expensive, too hard, too risky; worse are the disruptive elements delivered by those who see EMV as a threat to their current business model. For example, EMV yields a system so secure the merchant's terminals are no longer the weak link, so why should merchants pay for expensive secure terminals? This makes companies like VeriFone nervous, because they'll soon be trying to peddle devices that only serve to secure the merchant's interest, not the cardholders or the banks. The PCI assessors are also finding ways to whip up hysteria and make bank now, because EMV will ultimately render their services unnecessary, too. Meanwhile, the completely non-secured mag stripes continue to deliver fraud around the globe, and the fraud won't stop until the mag stripes are dead and buried.

      --
      John
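
The failure mode described in the comment above, as an added example that is not part of the original post or of any EMV specification: a verifier that acts on an unauthenticated status message, next to one that requires the status to be authenticated and bound to the current sale. HMAC stands in for the card's signature and the terminal's certificate check, and every name and message field here is hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key: in this toy model it exists only inside the genuine card
# and at the party that verifies the card's messages.
CARD_KEY = secrets.token_bytes(32)
SIGNED_FIELDS = ("status", "amount", "nonce")


def new_transaction(amount_cents):
    """Terminal side: every sale gets a fresh, unpredictable nonce."""
    return {"amount": amount_cents, "nonce": secrets.token_hex(8)}


def _tag(key, body):
    """MAC over a canonical encoding of the fields that must be authentic."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def genuine_card_respond(txn, pin_ok):
    """Genuine card: the status is covered by the tag, together with the
    amount and nonce of the sale it answers."""
    body = {
        "status": "APPROVED" if pin_ok else "DECLINED",
        "amount": txn["amount"],
        "nonce": txn["nonce"],
    }
    return {**body, "tag": _tag(CARD_KEY, body)}


def keyless_card_respond(txn):
    """A device without the key can only send the status in the clear."""
    return {"status": "APPROVED", "amount": txn["amount"], "nonce": txn["nonce"]}


def terminal_weak(txn, resp):
    """Flawed check: acts on the status field without authenticating it."""
    return resp.get("status") == "APPROVED"


def terminal_strict(txn, resp, key):
    """Hardened check: the status counts only if it is authenticated and
    tied to this sale's amount and nonce."""
    tag = resp.get("tag")
    if not isinstance(tag, str):
        return False  # missing tag is a failure, never a fallback
    body = {name: resp.get(name) for name in SIGNED_FIELDS}
    if not hmac.compare_digest(tag.encode(), _tag(key, body).encode()):
        return False  # status, amount or nonce was altered, or wrong key
    if body["amount"] != txn["amount"] or body["nonce"] != txn["nonce"]:
        return False  # authentic message, but for a different sale
    return body["status"] == "APPROVED"


def demo():
    """Run the cases a verifier has to get right and return the outcomes."""
    txn = new_transaction(2500)
    approved = genuine_card_respond(txn, pin_ok=True)
    declined = genuine_card_respond(txn, pin_ok=False)
    flipped = {**declined, "status": "APPROVED"}  # status edited in transit
    later_txn = new_transaction(2500)             # same amount, new nonce
    return {
        "weak_accepts_keyless": terminal_weak(txn, keyless_card_respond(txn)),
        "strict_accepts_keyless": terminal_strict(txn, keyless_card_respond(txn), CARD_KEY),
        "strict_accepts_genuine": terminal_strict(txn, approved, CARD_KEY),
        "strict_accepts_flipped": terminal_strict(txn, flipped, CARD_KEY),
        "strict_accepts_replay": terminal_strict(later_txn, approved, CARD_KEY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```
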
    193. Re:someone explain for the ignorant by hjf · · Score: 1

      You're just a special little snowflake.

    194. Re:someone explain for the ignorant by hjf · · Score: 1

      In Argentina, central bank regulations require a separation between ATMs, and they should have dividers (like bathroom stalls? just much smaller. Enough for the next person not seeing you).

      And out of curiosity, human tellers are now facing a wall, not the whole bank. You have to wait outside and only enter after they call NEXT (or your number). So if you're withdrawing a lot of cash into a purse no one else can see you.

    195. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      Just FYI, using the EMV when possible might just get you a better discount rate on transactions. I've been out of the payments loop for a few years now, but I remember entering CCV codes and getting ZIP info from customers got us a better discount rate than simply running the stripe.

    196. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      But you're OK with having the same signature clearly readable on the back of every card?

    197. Re:someone explain for the ignorant by Andy+Dodd · · Score: 1

      Actually, EMV can be either. There are standards for both. Both methods meet the credit card company requirements for avoiding the fraud liability shift in October.

      IIRC, it's ISO 7816 for contact-based EMV, and 14443 for contactless

      Also, I'm surprised that ArmoredDragon hasn't seen vendors with an ISO7816 reader, considering that most of the retailers involved in MCX have installed those and not contactless readers as a way of starting to prep for the liability shift without encouraging contactless-based payment systems (Google Wallet, Apple Pay) that compete with CurrentC.

      For example, every Walmart I've been to in the past 3-4+ months has had ISO7816 readers, and in fact refused stripe-swipes from my father's card that supported 7816 back in September. (but the 7816 reader was broken, so he had to use a different card... nice one Walmart...) I believe Target's card readers also do 7816. They've also got 14443 capability built in (it's under the screen on that model of VeriFone terminal) but it's not enabled due to MCX/CurrentC.

      --
      retrorocket.o not found, launch anyway?
    198. Re:someone explain for the ignorant by Andy+Dodd · · Score: 2

      "EMV is going to render a lot of crappy, insecure technologies obsolete (things like Coin, LoopPay, NFC, and many of the smartphone based "wallet" apps.)"
      WAT? Yes, LoopPay and maybe Coin will be rendered obsolete, since I know LoopPay is magstripe based and hence it's going obsolete in October.

      But for the rest, "EMV is going to render itself obsolete" - makes NO sense whatsoever. Apple Pay, Google Wallet, and all other known NFC payment methods ARE EMV!!!! In fact many of them are more secure than the "plastic card" based EMV since both Apple Pay and Google Wallet use time-limited/geographically-limited or one-time-use transaction tokens, whereas "plastic card" EMV can fundamentally not be limited in time to anything other than the expiration date and can't be geographically limited.

      In the case of Wallet, IIRC the method used since Google Wallet moved to HCE with KitKat is to generate a time/geography limited credential when you unlock Wallet with your PIN (which is why HCE-based Wallet needs a network connection for unlock, while the previous SE-based Wallet did not).

      --
      retrorocket.o not found, launch anyway?
    199. Re:someone explain for the ignorant by Andy+Dodd · · Score: 1

      Many of VeriFone's units now implement contactless EMV with a reader that is below the screen... So you tap your payment device to the screen itself, and it is also frequently NOT obvious that the unit is contactless-capable. When Wegmans first deployed them I was really disappointed they eliminated contactless, until I noticed the contactless payment logo appear briefly at the end of the checkout process.

      I've seen these VeriFone units at:
      Wegmans
      Firehouse Subs
      Target (contactless is currently disabled though due to the CurrentC mess)
      Hershey's Chocolate World (these units were lower-end/smaller than the three above, but still had contactless-under-the-screen support)

      Unfortunately, it seems like VeriFone gives retailers a LOT of flexibility as to the UI/UX of these new readers, and every single one of them has an utterly shitty workflow for contactless.
      For example, Wegmans allows you to scan a barcode for their loyalty card or swipe the card via magstripe. If you swipe via magstripe, it will prompt you for desired payment method. If you scan the barcode, there's a beep and no other indication that anything happened. The contactless reader is not activated until you select "Credit" after a Shopper's Club magstripe swipe... So you can't use contactless payment without mag-swiping your loyalty card!

      --
      retrorocket.o not found, launch anyway?
    200. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      You assume that criminals would have difficulty stealing the pin or that they even need it, period. Hardware, software & spying exploits have been demonstrated in Europe for years to either steal or bypass the pin altogether. People have broken into ATMs/pumps and attached logging devices & store clerks have snuck in loggers at cash registers.

    201. Re:someone explain for the ignorant by pseudorand · · Score: 1

      > For you as the card holder however, nothing has changed in that regard: The law in the US still stipulates that credit card holders can only be liable for up to $50 (which most banks waive these days.)

      Nothing has changed yet. But why would you think the banks won't target consumers once they've made merchants bend over?

      Even judges and politicians understand simple technology like the magnetic strip. The banks wouldn't get away with arguing that the consumer was at fault if someone steals his credit card or credit card number because it's obvious that signatures are easily faked and never checked anyway and cards can be copied just like those old floppy disks.

      But now we have this "magic" chip/paywave/etc. Your Honor, the technology ensures that the card can only be used by the authorized user. Cryptography and all that. So the "technology" protects consumers. We don't need silly, job-killing things like laws and regulations. Let's repeal these unnecessary liability limits. It will bring prices down and "economic efficiency" and that's how the Gipper woulda' wanted it. (Anyone with common sense, and economists [mutually exclusive groups] know the price bit is bunk, but..)

      We technology professionals know the technology protects nothing if the POS terminal (which tells the clerk the user really has paid), the card itself (where a private key is stored), and all the algorithms and algorithm implementations (which ensure approval can't be faked) are secure. All of which the consumer has zero control over (we may have the card, but we didn't design its tamper-resistant features that erase rather than reveal the private key).

      Someone duplicated my card in Mexico one time. The bank said it was a card-present transaction, but I had my card and my airline record verified that I wasn't even in Mexico when the transactions occurred. So I paid nothing. But what happens when a chip-based card is duplicated? The bank says I must be lying because their technology makes that impossible. The judge believes the bank's pin-striped-suit-wearing IBM security consultant even though everyone knows that no one who wears a suit can possibly be a technology expert. And consumers are stuck with the charges.

      It happened with bankruptcy in 2005. Bankruptcy is no longer a fresh start. Student loans can't be discharged and your creditors can garnish your wages for the rest of your life (since the interest rate will ensure you never pay off the loan). And what happened? Student loan rates aren't much lower, tuition is MUCH higher, and the banks lent like gangbusters to anyone with a pulse (which, at the same time, drove up prices, draining the savings of anyone who didn't borrow from into their coffers in the form of stock dividends). They obviously never expected to make the money they loaned back on the original terms. They wanted guaranteed income from the wages of everyone who defaulted, a slow and steady trickle of cash from the poorest among us (an ever larger percent of the population). After all, why should government be the only entity allowed to levy taxes?

      Credit card law will change the same way. In fact, the 2005 BAPCPA was a precursor to these changes. Without it, a shift of liability to consumers would just push consumers into bankruptcy, drying up the bank's revenue stream. But now all they lack is shifting the liability to consumers. They then have not only no incentive to prevent fraud (even though, since they control the technology, they're the only ones who could), but an incentive for it to happen (undischarged debt). And incentives work.

      The 2005 BAPCPA ensures we have to pay whatever debts they say we owe.
      Checks are already almost a thing of the past, not accepted at many stores, so you pay with your credit card.
      The shift of credit card liability and further shift of debit card liability to consumers will happen next. When it does, start using cash. And start carrying a gun to protect your now cash-laden self.

      Until, of course, the courts invalidate the 2nd amen

    202. Re:someone explain for the ignorant by Harlequin80 · · Score: 1

      Not back then it wasn't ('94-02). The system then was mag stripe and pin or sign. I was working at a Coles (large supermarket chain) while at highschool and Uni.

    203. Re:someone explain for the ignorant by Harlequin80 · · Score: 2

      No idea. What do they do for people that are blind currently?

      All I know is that you can't sign any more and have to use a pin. Also I wouldn't have thought numeric dyslexia would stop you entering a pin in the same way normal dyslexia doesn't stop you writing. The challenge comes in the reading.

    204. Re:someone explain for the ignorant by david_thornley · · Score: 1

      There's a lot of places around here with electronic signatures: slanted small touch screens which you write on with a stylus. Any similarity between the signature in ink on the back of a physical card and the signature with a stylus on a touch screen is often only coincidental.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    205. Re:someone explain for the ignorant by Jack+Griffin · · Score: 1

      So therefore we should never ever use software? Cool story...

    206. Re:someone explain for the ignorant by Jack+Griffin · · Score: 1

      You mug me, liability is no longer mine.
      Next.

    207. Re:someone explain for the ignorant by farble1670 · · Score: 1

      Lost/Stolen card:

      Distinguishing characteristic: The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by bank to suspicious transactions, which often involve small test transactions to see if the card is still active — such as at automated gas station pumps.

      source,
      http://krebsonsecurity.com/201...

      common sense friend. you can hack and get a million cards, or risk going to jail as a violent offender to get one card. duh?

      got anything else to say? colorful words? anything?

    208. Re:someone explain for the ignorant by Nutria · · Score: 1

      > So therefore we should never ever use software?

      That in no way shape or form derives from what I wrote.

      --
      "I don't know, therefore Aliens" Wafflebox1
    209. Re:someone explain for the ignorant by Jack+Griffin · · Score: 1

      I'm sure there's some stupid people out there who fell for this, but quite frankly they deserve it. Even if you fell for all the other shit, the giving your card to a courier is as stupid as it gets.

    210. Re:someone explain for the ignorant by Hadlock · · Score: 1

      Or you could be Cartagena, which has absolutely zero city planning, and a failed public transit system that was stillborn (transit stations are overgrown with weeds, etc, built but never opened). Compare to Bogota and Medellin which have thriving public transit systems and well laid out cities. All three cities were established at the same time, only two were truly successful and became world class livable cities.

      --
      moox. for a new generation.
    211. Re:someone explain for the ignorant by thegarbz · · Score: 1

      Does it say what my signature is supposed to look like?

      Yeah didn't think so.

    212. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      How is that even remotely relevant? You sign a contract with the credit issuer, the merchant signs another. Both say a signature is required.

    213. Re:someone explain for the ignorant by danlock4 · · Score: 1

      > I grew up 4 hours away from the nearest city.

      That depends on how fast you're moving toward the nearest city, of course. Flying? Driving? Walking? :)

      --
      To .sig or not to .sig, that is the question.
    214. Re:someone explain for the ignorant by ArmoredDragon · · Score: 1

      Well aware of that.

    215. Re:someone explain for the ignorant by AK+Marc · · Score: 1

      > EMV is going to render a lot of crappy, insecure technologies obsolete (things like Coin, LoopPay, NFC, and many of the smartphone based "wallet" apps.)

      The countries that have used EMV for years still have those obsolete and insecure payment options. NFC is growing, not shrinking, even where EMV is used.

    216. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.

      https://en.wikipedia.org/wiki/...

      There, was that so fucking hard? You'd think not one slashdot editor has ever read a formal style manual.

    217. Re:someone explain for the ignorant by micahraleigh · · Score: 1

      Notice how it's the countries with bad economies that are "decades ahead".

    218. Re:someone explain for the ignorant by j-beda · · Score: 1

      > I had a credit card scanned and then used when I was travelling. The crim did a small transaction first and then bought 25k worth of flights. My bank immediately locked the card and while it was a pain to have my card stop working I wasn't out of pocket and I had a new card in 3 days.

      I got a call from the credit card people saying my card was compromised somehow and that they were sending me a new one, but that the old one would continue to work for chip+pin transactions, just the swipe and "tap" transactions would no longer work. I hardly noticed the inconvenience while the replacement was "in the mail".

      That card has been compromised a few times over the last few years - it is the one used the most as it has the best rebate program. Finally last year I got tired of needing to contact the dozen places that automatically bill that card, so we moved them all over to my wife's card on the same which gets used much less often and has never been compromised. I guess she doesn't shop in all those shady places that I evidently frequent.

    219. Re:someone explain for the ignorant by j-beda · · Score: 1

      > Yeah, I don't get this either. I choose debit just about everywhere because it's faster and more secure. It would be tempting for me to move my bank account specifically to get chip and pin if a bank were using that as a competitive advantage, but I don't know if that's even possible given the standard they've adopted.

      Call your current provider and ask for them - it might be possible for them to flip a switch somewhere to move your chip and signature to chip and PIN. Certainly if you are planning on travelling in Europe you want C+P since that is what everyone outside of the tourist market will be expecting.

    220. Re: someone explain for the ignorant by SeanQuaint · · Score: 1

      We use EMV in Canada. It's great. No more sending your credit card away to be copied and used by corrupt restaurant owners. You can have the touchless functionality turned off by your bank. I have mine all turned off.

    221. Re:someone explain for the ignorant by Anonymous Coward · · Score: 0

      We have had chip+pin in Canada for years. Works great. No different than magstripe+pin except now the card can't get hacked. You are still responsible for safeguarding your pin!

    222. Re:someone explain for the ignorant by wellsdm · · Score: 1

      One relevant topic is the difference between chip and pin versus chip and signature. There seem to be two ways to implement the chip technology and each has their own security concerns. The U.S. seems to be more focussed on chip and signature which would appear to be the less secure of the options. Here is a good article talking about the differences. http://krebsonsecurity.com/201...

    223. Re:someone explain for the ignorant by JimFive · · Score: 1

      My recollection is that the card issuers were trying to use withholding chip and pin as leverage to move the liability for fraudulent transactions to the customer. However with the high profile exploits at Target (et al?) they agreed to switch to chip and signature with the liability staying between the merchant, the bank, and the card issuer.
      --
      JimFive

      --
      Please stop using the word theory when you mean hypothesis.
    224. Re:someone explain for the ignorant by Jane+Q.+Public · · Score: 1

      > Saying NFC has been "cracked" is like saying that ethernet has been "cracked". It doesn't make any sense. NFC is just a transport layer, it doesn't have any encryption or security at all. You have to build that in at the application level that uses NFC to transfer its data.

      You're being too literal. We all know what we're discussing here, and that's the use of NFC for making electronic payments. Agreed, it was the NFC payment system that was cracked, but I felt that pretty much went without saying.

      > NFC payment cards are secure.

      NFC payment cards can only be counted on to be secure ONCE. You're talking to somebody who knows a little bit about security here. Any transactions that take place via RF can be intercepted. And they can be intercepted from essentially any distance; the only limitation is the hardware available.

      Obviously, it is the nature of the data exchange which must be secure, but I repeat: so far they haven't been. As I stated way back up the comment chain, Apple may have solved that particular problem. What I have been saying is that if so, they're the first.

    225. Re:someone explain for the ignorant by Brulath · · Score: 1

      In Australia with the Commonwealth Bank the purchases are (afaik) limited to $100 before requiring a pin and are covered by the bank in the event of fraud. As long as the cards come with the guarantee that unauthorised payments charged if it is stolen are not your responsibility, what's the problem? It makes paying for things easier, which probably increases the amount you spend and thus works out well for those companies.

    226. Re:someone explain for the ignorant by AK+Marc · · Score: 1

      Nope. ID never required. To do so would be a barrier to using credit, and they want to have no barriers. Visa/MC want every transaction to be on a card.

    227. Re:someone explain for the ignorant by AmiMoJo · · Score: 1

      When was "NFC payments" cracked? You do realize that there is no such thing, but rather a number of competing systems, right?

      To my knowledge the only time any NFC based payment system has been "cracked" was when researchers found out how to add funds to some European travel cards. Not steal money from users, just add funds to their cards. The flaw was due to the crypto implementation at the application layer, not NFC itself, and would have been the same if a contact reader had been used.

      Do you have any evidence of other hacks? I searched but the only "contactless" hacks I could find were of barcodes or were actually hacks of other parts of the system, not the NFC part.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    228. Re:someone explain for the ignorant by lsatenstein · · Score: 1

      My Bank has had the chip in the card for at least 8 years. All the handsets at the stores we frequent have card chip readers.

      When I make an internet purchase, my Visa provider (bank) intercepts the transaction to present me with a personal question. Examples are: pet's name, your school name, your favourite expression, etc.

      When this is provided correctly the vendor gets an OK signal. Otherwise, the transaction fails. Some vendors failed the transaction within 5 seconds, as they expect a dumb VISA response within that time. Too bad, it is their loss.

      --
      Leslie Satenstein Montreal Quebec Canada

    229. Re:someone explain for the ignorant by Jane+Q.+Public · · Score: 1

      Please read further up. It was the same researcher who read (and later cloned) passport RFID chips in San Francisco from 30 feet away in his car. His name is Christopher Paget. You can Google it.

      NFC payment credentials were snarfed from cell phones with NFC turned on, and no transaction was necessary.

    230. Re:someone explain for the ignorant by AmiMoJo · · Score: 1

      The passport thing misses the point - there is no encryption or security because there isn't supposed to be any, the idea is that it is easy for any immigration official to read anywhere in the world. It's just another thing that makes cloning passports a bit harder, like putting foil strips in paper money. It's not impossible to counterfeit or a big secret, it's just one more thing they have to get right.

      I agreed previously that privacy is an issue, but that's got nothing to do with NFC being "cracked". It's not even NFC, it's RFID.

      I couldn't find any link to NFC payment credentials being stolen, except there being a possibility if the NFC stack were compromised. Again, that is exactly the same as if the operating system's TCP/IP stack were compromised. If it were running in kernel space and the exploit was bad enough it could be used to steal credentials, but that's hardly a flaw in NFC itself. To put it another way, do you disable TCP/IP because it has been "cracked"?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    231. Re: someone explain for the ignorant by Anonymous Coward · · Score: 0

      If losing EUR 500 is 'devastating', you are doing something seriously wrong.

    232. Re: someone explain for the ignorant by rickb928 · · Score: 1

      Or you live on a pension. I wouldn't like to lose even $500.

      --
      deleting the extra space after periods so i can stay relevant, yeah.

    233. Re:someone explain for the ignorant by Kobun · · Score: 1

      I didn't say they were looking at signatures (and really, how many cashiers are trained in handwriting analysis to tell the difference between my variable scribbling and a forgery). Visa (and MC and Amex) disallow either a customer's willingness to produce an ID or anything about the ID itself as a legitimate factor in refusing to accept someone's card.

    234. Re: someone explain for the ignorant by Xest · · Score: 1

      Yes I'm defending the chip and pin rollout because all evidence shows that it reduced fraud. The fact that fraud still exists and some luddite grandma on the news was a victim is neither here nor there, she was a victim whatever the system because some people just can't be helped, but most people have seen safer banking because of it, so it's a good thing.

      If it showed a matched increase in fraud I'd be with you, but individual anecdotes make good news stories for luddite baby boomers and not much else.

  2. Worry it not... by zoffdino · · Score: 2

    Worry it not, minions. We won't steal money from you again. We will steal it directly from the source - the big fat banks. And we will grab your password and purchase history and personal details along the way. -- signed, the Internet Barron.

    1. Re:Worry it not... by ArmoredDragon · · Score: 1

      Well they never did steal from "minions" using this method anyways. For the last 40 years or so, the law has put a limit of $50 on credit card liability, but almost all banks these days just give you zero liability (technically as a courtesy, but if they don't, their competitors do, which is why almost all of them offer zero liability anyways. You have to have really absolutely terrible dog shit credit to not be able to find somebody that offers it.)

  3. Well... by duck_rifted · · Score: 3, Insightful

    Time to make a Faraday Cage wallet.

    1. Re:Well... by Nos. · · Score: 2

      Just because it has the chip and pin portion doesn't mean it has to have the contactless part as well. My debit and credit card for years (in Canada) were chip and pin, but not contactless. I just recently got cards that are contactless. Given that the maximum transaction size is $50 and it's a one time thing, I'm not really that worried about it, especially when it comes to my credit card where I have $0 liability.

    2. Re:Well... by jonwil · · Score: 1

      You don't need to make one, just buy one of the many varieties of metal credit card wallets already on the market that do the job of blocking the cards just fine.

    3. Re:Well... by w_dragon · · Score: 3, Informative

      One of my RFID-enabled cards came with a blocking sleeve for it. We've had these for years in Canada.

    4. Re:Well... by Anonymous Coward · · Score: 1

      I'm /really/ annoyed at the decision to include RFID in cards, especially as most systems that use that are designed to not require the PIN if you do it.
      GLARING security hole.

    5. Re:Well... by ArmoredDragon · · Score: 1

      Honestly speaking, those little sleeves are snake oil products sold by people preying on your fears of "them hacker kids." Much in the same vein as those "radiation blocking" stickers for cell phones.

      Sure, it can be used to pull the card numbers on the older contactless cards, but those alone aren't sufficient for a transaction. On the newer ones it has to establish an active two-way communication with a card, and at some point a PIN has to be entered as well in order for an actual transaction to happen.

      Still though, no amount of saying this from people like me will stop people from buying them in the near future, nor will it stop people from wearing those stupid QRay wellness bracelets or buying books written by Kevin Trudeau.

    6. Re:Well... by Harlequin80 · · Score: 1

      Actually I don't think you need to. All my cards have contactless capability and the net effect is that the readers seem to be unable to separate 1 card from the other. It is also the most common cause of failure of the contactless systems that I have encountered. It picking up more than 1 chip.

    7. Re:Well... by dAzED1 · · Score: 2

      except for the fact that many of the current (and EMV compliant) cards still offer the magstrip fallback info FROM THE RFID ITSELF, because...stupid (see the many hacking demonstrations of such cards). And as others have pointed out, most of the RFID systems don't require a pin. And I also don't want to deal with letting a machine pick which of the 6 cards in my "wallet" I want to use to pay with, since a contactless tap won't tell the difference. Yes, I have 3 different Visas, 2 AMEXs, and a MC. And that's not at all unusual. I really really hate, on a security and convenience level, that the RFID "contactless" stuff is being pushed so hard on unwilling people.

    8. Re:Well... by LessThanObvious · · Score: 1

      I've added a full wallet sized sheet of Mylar. I need to test that theory since it isn't fully enclosed, but maybe an easy solution. I'd much rather not have any stupid RFID cards at all, not that I'm even sure any of them are such, as I don't use it to pay.

    9. Re:Well... by marka63 · · Score: 1

      The readers are very low powered so unless you actually put your wallet against the reader with multiple cards in it this isn't an issue. Just pull the card you want to use from the wallet. Yes, I have multiple contactless cards on me. A couple of credit cards and travel cards.

    10. Re:Well... by ArmoredDragon · · Score: 1

      You are VASTLY overestimating the capability of those contactless receivers.

      - They don't even have the capability of picking which card to use, they just begin the transaction with the first one they see.
      - The range is so small that it doesn't work beyond about a half an inch away, meaning you'd have to place your wallet almost directly on the reader (this is by design.)
      - None of these hacks have performed an actual transaction. In order to do such a transaction, you'd have to have a merchant account first, and Visa/Mastercard would have to carry it out (which is unlikely because they have a lot of anti-fraud monitoring systems.)
      - The information obtained from a contactless transaction isn't useful for future transactions. So for example you can't skim the card and then use the information obtained at another merchant to buy an ipad.

      However let's suppose you have a merchant account, and Visa/Mastercard approve the transaction: You as the merchant are probably going to get caught REAL fast, long before you even have the chance to withdraw the ill gotten funds as cash or even transfer to another account as there's typically a clearing period for merchants to receive credit card funds (unless you're big and well known like Best Buy or something.) You'll probably go to jail too.

      But let's assume none of that happens and you cash out before somebody notices: The law still protects the card holder from fraud. Maximum liability is $50, which most banks reduce to zero. All you as an end user have to do is call your bank within 30 days, and notify them that you didn't make that transaction. Just like that, that transaction disappears.

      Long story short, you don't need a snake oil sleeve for your credit cards.

    11. Re:Well... by duck_rifted · · Score: 1

      People buy those? I hate to say it, but had I known that then I'd already be selling them. That isn't to prey on fears, but stupidity. How hard can it be to braid copper wire? A Faraday cage isn't anything fancy. People *that* easily taken advantage of will be, inevitably. If it's not a wallet Faraday cage then it will be impulse buys at the gas station.

    12. Re:Well... by Anonymous Coward · · Score: 0

      Just use a metal business card holder. It's plenty big enough for drivers license + a few cards (which is all most people need to carry 99% of the time), has a much smaller footprint than a wallet, and as a bonus it's a faraday cage.

      My wallet most of the time is this with some notes wrapped around the outside held by a hair-tie, plus a few coins in my coin pocket. Infinitely more convenient than a bulky wallet!

    13. Re:Well... by jenningsthecat · · Score: 3, Informative

      Time to make a Faraday Cage wallet.

      Time to permanently disable contactless payment on all your cards.

      Apparently the banks and credit card companies in some countries will send you a new card without the RFID on request. But here in Canada at least one company simply refuses to do this. My bank DID disable contactless payment on my new debit card in their records, but of course the RFID is still physically intact so there's no guarantee that it won't suddenly start working as a result of some administrative fuckup. I'm going to call about my new credit card, but I'm pretty sure they'll tell me politely to piss off. At that time I plan to get out my drill, put a hole in the appropriate place, and test. If it disables Tap and Pay, then all of my cards will get the same treatment.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.

    14. Re:Well... by duck_rifted · · Score: 1

      That's much better than a Faraday cage. But alas, now I shall never know the feeling of walking around with an electromagnetic dead spot on my butt.

    15. Re:Well... by fahrbot-bot · · Score: 1

      One of my RFID-enabled cards came with a blocking sleeve for it. We've had these for years in Canada.

      As I posted earlier, I blocked the RFID chip in my VISA card with a hole-punch and hammer. It's very secure now.

      --
      It must have been something you assimilated. . . .

    16. Re:Well... by Anonymous Coward · · Score: 0

      I hadn't thought of killing the coil before.

    17. Re:Well... by thegarbz · · Score: 1

      They don't even have the capability of picking which card to use, they just begin the transaction with the first one they see.

      Both this comment and the parent's comment of letting the machine pick are wrong. The machines do not complete a transaction if more than one card replies. They display an error saying "please use one card".

      Anecdote: They even picked up the fact that my girlfriend had two cards, on opposite sides of her purse, with a shitload of coins, receipts and customer loyalty cards in-between (you know how girls are). The purse is more than an inch thick and through the mess it still picked up that there were cards on opposite sides.

      They are both stronger and smarter than you think.

    18. Re:Well... by Neil+Boekend · · Score: 1

      Kill the antenna, not the chip. The chip is used in contact based payment too.
      The antenna is usually located on the edge of the card. Get a hole punch to punch a hole in the middle of each edge of the card. Now RFID is dead but chip payment is alive.
      Test it with a contactless payment point if you come across one. It should not detect anything.

      If your cc is used for contactless while you have emails or papers stating that contactless should be disabled then there is no way you are liable. As for how to prove it, well I can't help you there.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.

    19. Re:Well... by brunes69 · · Score: 1

      While it is common for your card issuer to bundle them, EMV has nothing at all to do with RFID cards. Many EMV cards have no RFID chip at all.

      EMV == "Chip and PIN". There is a private crypto key on the chip on the card and a two-way live handshake done at the terminal, and you must enter a PIN. No signature is used.

      RFID == MasterCard PayPass and Visa PayWave. Again there is a private key on the card but there is no PIN used to guard it. Transactions done by RFID are normally limited to $50.

    20. Re:Well... by AmiMoJo · · Score: 1

      When they disable contactless payment they actually just de-authorize it. The NFC chip is still there and working, which is a privacy issue since it can be read at some distance. The information that can be read can't be used to steal your money or get your name, only to identify the card.

      Of course you probably have other radio identifiers on you anyway. Mobile phone with wifi or Bluetooth turned on, or any Bluetooth devices. Of course you can protect your phone, but retailers are using facial recognition now anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    21. Re:Well... by Anonymous Coward · · Score: 0

      and a foil hat. In our country contactless cards have been the norm for at least two years and I have not seen a single newspaper or internet article on someone abusing these near-field communication chips to rip off someone.

    22. Re:Well... by Anonymous Coward · · Score: 0

      sorry tin foil hat

    23. Re:Well... by Anonymous Coward · · Score: 0

      Stop that. You have no idea what you're talking about.

      They don't even have the capability of picking which card to use, they just begin the transaction with the first one they see.

      Singling out an individual device among many in range is part of the protocol. A reader will first address all cards, and if it receives a garbled response (due to multiple cards sending at the same time), then it will split the address space in half and address both halves individually. It continues until it either receives no response (address space segment is empty) or a single response, in which case the reader has found a card and can address it directly. If that's not the card it wants, it can continue searching the rest of the address space. Cards which are not addressed are silent and don't disturb the communication with the addressed card(s).

      The range is so small that it doesn't work beyond about a half an inch away, meaning you'd have to place your wallet almost directly on the reader (this is by design.)

      The range of the standard readers is small, but better and more powerful readers can and have been built to allow communication from at least three feet away. Again, it is no problem that there may be many cards in that radius, because a way for selecting a single card is built into the protocol.

      None of these hacks have performed an actual transaction. In order to do such a transaction, you'd have to have a merchant account first, and Visa/Mastercard would have to carry it out (which is unlikely because they have a lot of anti-fraud monitoring systems.)

      None of the hacks need to demonstrate an actual transaction, because if they can show reliable communication with the card, then anything beyond that can not rely on the card being used with authorization. You only need a merchant terminal if you want to get money directly. If you're content with using someone else's card to pay for something (ideally something that you can then easily sell for money), you only need to be able to relay the communication from a merchant terminal to that card.

      The information obtained from a contactless transaction isn't useful for future transactions. So for example you can't skim the card and then use the information obtained at another merchant to buy an ipad.

      Again, you don't need to be able to use the card later on if you're just using it to pay for something while you can talk to it. With Chip+PIN, you'd need to know the PIN, which complicates things, but with Chip+Signature, what's going to stop you?

      There's also the issue that many of these cards will use unique IDs and give their IDs to any reader, which allows for tracking in the real world. And that's despite the fact that commonly used chips do have a feature to randomize the ID until the reader has authenticated to the card. But I guess turning that on is too much of a hassle.
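The selection scheme described in the comment above (poll every card, and on a garbled reply split the address space and poll each half), as an added simulation that is not part of any commenter's post or of a real NFC stack. The 32-bit identifiers, the `Card`, `Reader` and `payment_terminal` names and the sample wallet are assumptions made for illustration; the "please use one card" refusal is the terminal behaviour another commenter reports.

```python
import random
from dataclasses import dataclass
from typing import Optional

UID_BITS = 32  # assumption: 4-byte card identifiers


@dataclass
class Card:
    uid: int
    rng: Optional[random.Random] = None  # when set, the card picks a fresh ID per session

    def enter_field(self) -> None:
        """Called whenever a reader's field powers the card up."""
        if self.rng is not None:
            self.uid = self.rng.getrandbits(UID_BITS)

    def answers(self, prefix: int, prefix_len: int) -> bool:
        """Reply only if the top prefix_len bits of the UID equal the queried prefix."""
        return prefix_len == 0 or (self.uid >> (UID_BITS - prefix_len)) == prefix


class Reader:
    def __init__(self, cards):
        self.cards = list(cards)
        self.queries = 0
        self.collisions = 0

    def poll(self, prefix: int = 0, prefix_len: int = 0):
        """One request: the reader sees silence, one clean reply, or a garbled one."""
        self.queries += 1
        replies = [c.uid for c in self.cards if c.answers(prefix, prefix_len)]
        if not replies:
            return "silence", None
        if len(replies) == 1:
            return "single", replies[0]
        self.collisions += 1
        return "collision", None

    def inventory(self):
        """Walk the address space; return (uids_found, unresolved_prefixes)."""
        for card in self.cards:
            card.enter_field()
        self.queries = self.collisions = 0
        found, unresolved = [], []
        pending = [(0, 0)]  # (prefix, length); length 0 addresses every card
        while pending:
            prefix, plen = pending.pop()
            outcome, uid = self.poll(prefix, plen)
            if outcome == "single":
                found.append(uid)
            elif outcome == "collision":
                if plen == UID_BITS:
                    # Identical IDs: no further split can separate these cards.
                    unresolved.append(prefix)
                else:
                    pending.append(((prefix << 1) | 1, plen + 1))  # upper half
                    pending.append((prefix << 1, plen + 1))        # lower half, polled first
        return found, unresolved


def payment_terminal(cards) -> str:
    """Policy layer on top of the protocol: refuse as soon as the first poll is garbled."""
    cards = list(cards)
    for card in cards:
        card.enter_field()
    outcome, uid = Reader(cards).poll()
    if outcome == "collision":
        return "please use one card"
    return "no card" if outcome == "silence" else f"selected {uid:08x}"


if __name__ == "__main__":
    # Constructed sample wallet: two cards sharing a long ID prefix plus one unrelated card.
    wallet = [Card(0x04A1B2C3), Card(0x04A1B2F0), Card(0x9C000001)]
    reader = Reader(wallet)
    found, unresolved = reader.inventory()
    print([f"{u:08x}" for u in found], unresolved, reader.queries, reader.collisions)
    print(payment_terminal(wallet))

    # A fixed ID is the same on every read (usable as a tracking handle);
    # a card with the random-ID option reports a new value each session.
    fixed = Reader([Card(0x04A1B2C3)])
    rotating = Reader([Card(0, rng=random.Random(1))])  # seeded only for repeatability
    print(fixed.inventory()[0], fixed.inventory()[0])
    print(rotating.inventory()[0], rotating.inventory()[0])
```

Being able to single out one card among several is a protocol property; whether a terminal proceeds or refuses when several cards answer is a separate policy decision made above it.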

    24. Re:Well... by dAzED1 · · Score: 1

      I'm not overestimating it - the only usefulness they'd have, is if they could do that, and that's the hollywood version of it. If I have to take my card out of my wallet and tap it individually, why the hell not just do it more securely as a contact card, since you've made me go through the trouble at that point? Contactless cards have already been demonstrated to be hackable. You can keep calling it "snake oil" all you want, but having to call and contest it is a hassle, as is losing $50 for some people. If you want to blow off proven hacks, just for a moment consider the possibility that you're the one not looking at the security issue the right way.

    25. Re:Well... by omnichad · · Score: 2

      EMV has nothing at all to do with RFID cards

      Yes, it does. EMV specifies both a contactless and a direct chip contact method. It just so happens that contactless EMV matches the specifications of PayPass and PayWave. Which makes sense, considering they are the M and V of EMV.

    26. Re:Well... by brunes69 · · Score: 1

      *sigh*

      YES, there is a specification for it.

      NO, it is NOT mandatory for an EMV card to have contactless payment.

      To imply as such is misleading.

      MANY EMV cards do not have contactless payment, it is up to the issuing bank if they want to do that.

    27. Re:Well... by omnichad · · Score: 1

      NO, it is NOT mandatory for an EMV card to have contactless payment.

      That doesn't make contactless payment any less of an EMV standard. Not THE standard. A standard. Saying "EMV has nothing at all to do with RFID cards" is ridiculous.

      You can't even say Chip and PIN has nothing to do with RFID cards, because it's the same chip running either operation if the antenna is there. It's true that not all Chip and PIN cards implement contactless, but they are highly related.

    28. Re:Well... by ArmoredDragon · · Score: 1

      Good to know.

    29. Re:Well... by ArmoredDragon · · Score: 1

      cards have already been demonstrated to be hackable

      What are you defining as hackable? Just pulling a string of numbers from it? Because none of these demonstrations have successfully performed a transaction that was capable of bilking somebody out of their money.

  4. US: Welcome to the present by Anonymous Coward · · Score: 1

    EU

    1. Re:US: Welcome to the present by DiSKiLLeR · · Score: 4, Insightful

      Ya, no shit. As someone who is from downunder, holy CRAP America is in the dark ages when it comes to its banking and communications systems.

      Jesus christ.

      And the funny thing is, they are so blissfully unaware things are better elsewhere in the world because none of them ever go anywhere anymore.

      --
      You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.

    2. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      What really freaks me out is: the US anti-fraud system seems to rely on computer systems that analyze each consumer's buy habits and can apply that so quickly to an incoming transaction that they can most times block a fraudulent transaction before it authorizes. This system actually works so well ... that it fails only twice as much as the cryptographically secure one with cards that cannot be cloned.

      That's actually kinda spooky.

    3. Re:US: Welcome to the present by Harlequin80 · · Score: 2

      Lol. Given that chip and signature is no longer allowed in Australia it seems kinda funny that the US is moving to a system that was abandoned because it wasn't secure enough.

    4. Re: US: Welcome to the present by dg41 · · Score: 2

      We have neither the money nor the vacation time to go anywhere.

    5. Re: US: Welcome to the present by Anonymous Coward · · Score: 0

      You're 1/2 wrong. I have > 100 hours of vacation time!

    6. Re:US: Welcome to the present by rickb928 · · Score: 1

      When EMV is fully deployed in the US, then fraud detection will be most effective for card-not-present transactions. You know, Amazon, PayPal, your water bill. Those are the databases to go after.

      And eventually most merchants will go to tokenization, converting the card data to an encrypted version that requires a key to decrypt, and said key and encryption method being limited to the intended parties. It can work well.

      --
      deleting the extra space after periods so i can stay relevant, yeah.

    7. Re:US: Welcome to the present by rickb928 · · Score: 1

      The premise behind chip & signature in the US being the initial deployment is that card holders are not ready to abandon their signature for credit transactions.

      Having seen what passes for a signature leads me to doubt this will last very long.

      --
      deleting the extra space after periods so i can stay relevant, yeah.

    8. Re:US: Welcome to the present by Harlequin80 · · Score: 1

      They did the same here. Chip and signature or pin for a 2 year period and now pin only. It just strikes me as funny / odd that it hasn't rolled out to the US already.

    9. Re:US: Welcome to the present by ColdWetDog · · Score: 1

      Having seen what passes for a signature leads me to doubt this will last very long.

      This. I've been signing various cards with a smiley face for years. Or George Bush. Or just an 'x'.

      Nobody cares.

      --
      Faster! Faster! Faster would be better!

    10. Re:US: Welcome to the present by Black+Parrot · · Score: 1

      Ya, no shit. As someone who is from downunder, holy CRAP America is in the dark ages when it comes to its banking and communications systems.

      And if this works, we might try the metric system.

      --
      Sheesh, evil *and* a jerk. -- Jade

    11. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      And the funny thing is, they are so blissfully unaware things are better elsewhere in the world because none of them ever go anywhere anymore.

      Nonsense! They go lots of places! Kuwait, Iraq, Afghanistan, just to mention a few. But I guess it's a different kind of credit they've been using up there.

    12. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      It has nothing to do with the card holders and everything to do with the stupid TIP based economy. With chip & pin the transaction amount cannot be changed once authenticated by the chip. With chip & sign it can. All those poor servers and bartenders in the restaurants. They will still continue stealing as they did before.

    13. Re: US: Welcome to the present by Anonymous Coward · · Score: 0

      You don't have a vacation. A proper vacation starts at 160 hours.

    14. Re:US: Welcome to the present by darthsilun · · Score: 1

      And the funny thing is, they are so blissfully unaware things are better elsewhere in the world because none of them ever go anywhere anymore.

      Wow. I wonder what it is then that I've been doing. My trips to Japan, India, Belgium, Czech Republic, England, Ireland, France, South Africa, etc., etc. must all be my imagination. Stereotypes FTW.

    15. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      We tried it. Then we flew into Mars. Bah. We went to the moon on slide rules and fractional inches.

        'A 'alf litre ain't enough. It don't satisfy. And a 'ole litre's too much. It starts my bladder running.

      15 points if you get the literary reference.

    16. Re:US: Welcome to the present by Dutch+Gun · · Score: 1

      Yeah, different societies are sort of weird that way, with varying levels of technology in specific areas, even if they're otherwise roughly equivalent. One example: I've heard that many Japanese homes use minimal insulation and don't have central heating. Instead, they use portable kerosene heaters or heated tables called a "kotatsu", which always struck me as rather primitive, if somewhat quaint. Then again, they'd probably laugh at how primitive our toilets are, despite all our other high-tech gadgets.

      Here in the US, we have decades-old credit card systems that refuse to go anywhere, probably because any fraud was taken care of by the card issuers. As such, there was no real consumer pressure to fix it - from our perspective, it was mostly fine. My guess is that the credit card companies figured the fraud costs were not worth the upgrade hassle. Notice how fast things change once the rules of liability change.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    17. Re:US: Welcome to the present by tquasar · · Score: 1

      Faraday Wallet I have one, it's woven from stainless steel http://www.amazon.com/Stewart-... I worked for a local city government and knew the man who worked on all the police and other radios. His workplace was a 20X20X20 shielded, grounded cage. He was smart and enjoyed his work. It's spelled yeah.

    18. Re:US: Welcome to the present by misexistentialist · · Score: 3, Interesting

      Maybe because Americans carry 10 cards? How the fuck are they supposed to remember which PIN goes with which, not very secure to set the PIN the same for all them

    19. Re:US: Welcome to the present by An0nymous+Coward · · Score: 0

      Canada too. Every time I travel to the US, I cringe at the antiquated horribly-insecure feeling banking system.

      I mean... gas pumps which don't need a pin? Really?

      The easiest thing in the universe to "buy" with a stolen credit card is expensive gasoline. This no longer works in Canada, but it sure as hell works in most of the USA. Zip codes are not secure like pins either for the pumps which offer "security" through zip codes.

    20. Re:US: Welcome to the present by misexistentialist · · Score: 1

      Less convenient card usage is "better"? You foreigners do have an upside-down perspective on life.

    21. Re:US: Welcome to the present by Harlequin80 · · Score: 1

      Why carry 10 cards? I carry 3, a visa, mastercard and an AMEX. They all hit the same credit account and from the mastercard and the visa I can also access my savings and my cheque account.

      When I go to a shop I get the option of contactless which will always hit the credit account, or using the chip and choosing Cheque, Savings or Credit. In which case I use a pin. Also if I use the Cheque or Savings option it bypasses the credit card network so there is no charge to the merchant so in a lot of places we have a 2 or 3% surcharge for credit, none for the other accounts (which we call eftpos)

      Given that all my cards hit the same accounts I do use the same pin on all of them. Also I think 1 shared pin across 10 cards is still more secure than the dodgy signature.

    22. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      In Canada, most restaurants and bars use wireless payment terminals. The customer punches in the amount for the tip before the charge is authorized.

    23. Re:US: Welcome to the present by mjwx · · Score: 1

      Lol. Given that chip and signature is no longer allowed in Australia it seems kinda funny that the US is moving to a system that was abandoned because it wasn't secure enough.

      When my new Shitibank card arrived, it didn't even have a magstripe. Just some grey coloured plastic where the magstripe used to go.

      Australian BTW.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.

    24. Re:US: Welcome to the present by Harlequin80 · · Score: 1

      Really?!?!? Have you tried to see if it still works? The mag strip on my cards are silver and still work. There are enough times I have come across broken chip readers that not having a mag stripe would be a massive pain. Not to mention when travelling overseas...

    25. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      Stereotypes FTW.

      That doesn't mean you should try to prove true the 'muricans are dumb stereotype. What he said refers to 'muricans in general, not every single one of you. For future reference, here on Earth we often say "none" where it should be "very few". For instance, if someone says they have no money chances are what they really mean is they have almost no money to spare, not that they have not a single coin.

    26. Re:US: Welcome to the present by redback · · Score: 1

      just because it's not black doesn't mean it's not a mag stripe.

    27. Re:US: Welcome to the present by tepples · · Score: 1

      Why carry 10 cards?

      Because different branded cards give rewards at different places.

    28. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      and why in hell should we travel when we already own the entire world? Get back to work Serf or it's the stocks for you

    29. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      Hey, watch what you say! A lot of them do go... to prison.

    30. Re:US: Welcome to the present by thegarbz · · Score: 1

      Is it more or less secure than scribbling a signature that no one reads?

    31. Re:US: Welcome to the present by dargaud · · Score: 3, Insightful

      'rewards'. Yeah, right...

      --
      Non-Linux Penguins ?

    32. Re:US: Welcome to the present by IamTheRealMike · · Score: 1

      That's not correct. You can tip using chip and pin.

    33. Re:US: Welcome to the present by houghi · · Score: 1

      They still use paper checks to pay things. I have not seen a personal check in (I think) 20 years or so.

      The only downside I see in Belgium is that when you transfer money to a business account it takes 2-3 working days. This due to the fact that the US wants the time to save the children and read everything first.

      In Belgium from person to person it happens on the same day. It is working days, because computers can't work on weekends. :-/

      --
      Don't fight for your country, if your country does not fight for you.
    34. Re:US: Welcome to the present by jratcliffe · · Score: 1

      Since I get, at minimum, 2.2% cash back on everything I spend on my credit cards, yes, rewards.

    35. Re:US: Welcome to the present by Phreakiture · · Score: 1

      About 20 years ago, I (an American) worked for a US company installing servers to backend this type of system. Needless to say, it involved flying to Europe and Asia a lot because that is where most of our customers were.

      --
      www.wavefront-av.com
    36. Re:US: Welcome to the present by Anonymous Coward · · Score: 0

      Eh, that's a solved problem. Card readers in restaurants here make you type the sum before accepting the card.

    37. Re:US: Welcome to the present by MeNotU · · Score: 1

      Not contesting, just curious: Which cards offer 2.2% for general transactions (not gas, groceries)? The highest I've seen is 2% for a no-fee card.

    38. Re:US: Welcome to the present by jratcliffe · · Score: 1

      Barclays Arrival Plus card. There is an $89 annual fee.
      The 2.2% is a bit convoluted. You get 2 points per $ spent, and you can then use the points to pay off any travel-related charges on the card at $0.01/point. You then get 10% of those points back.

      So, example: Spend $1000 on the card, get 2000 points. Use 2000 points as a credit against a $20 travel-related charge. Get 200 points back. Net, 1800 points spent, $20 back on (effectively) $900 in spend, so 2.2%.

      Only makes sense vs. no-fee 2% back cards like the Fidelity Amex if you're going to spend more than $45k/year on it.

  5. So no chip and pin? by Anonymous Coward · · Score: 0

    Just crappy pin free RFID beeping. Great. A slight step up from the magstrip, but still missing the "something you know" component. Still not going to use my credit card in the US when I visit until I see the new fraud levels.

    1. Re:So no chip and pin? by green1 · · Score: 1

      Actually, RFID with no PIN is a massive step backwards from mag-stripe. Sure, mag-stripe could be easily copied, but RFID doesn't even have to leave your pocket to get copied, and there are many proofs of concept in the wild for this already.

      I live somewhere where ALL credit and debit cards have chip and pin, unfortunately almost all the credit cards also have RFID. I've had long arguments with my banks and finally managed to get non-RFID cards, but it's really hard to get back up to the level of security provided by mag-stripe.

      And to be clear, although all our cards have chip and pin, they also all have mag-stripe, so the cards themselves aren't actually any more secure than they were before, but because most stores (not all) also use chip instead of mag-stripe, you don't generally give away your card to let the staff skim them anymore.

    2. Re:So no chip and pin? by thegarbz · · Score: 1

      Convenience vs security trade off.

      There's limited damage you can do with a copy of the RFID chip. I think it's in the order of $50 / vendor / day and even that is covered by fraud protection.

      But don't pretend that this is a step backwards. Anything + signature was orders of magnitude worse for you than anything + pin. With a copy of your magstripe you were effectively robbed of whatever your credit limit was without the borderline not worth your while limit.

    3. Re:So no chip and pin? by green1 · · Score: 1

      Look at some of the proof of concept hacks in the field.

      With RFID people are able to copy enough details to generate a mag-stripe without your card ever leaving your pocket. Meanwhile, merchants are trained that if the chip on a card doesn't work to revert to mag-stripe.

      So now we have exactly the same insecure mag-stripe transactions, and at the same time we can now copy the mag-stripe without even seeing the card.

      Sure, chip and pin is more secure, but only if you get rid of RFID and mag-stripe, neither of which is happening.

    4. Re:So no chip and pin? by thegarbz · · Score: 1

      Oh yeah I fully know that, but it is entirely irrelevant.

      The introduction to chip+pin is just step one of the process towards security. So someone copies my RFID and generates a magstripe as a result. Here is what happens:

      They swipe the card and it says insert chip. That's it. There's nothing they can do about it. It's not the merchant's decision on what to do with the card, it's the terminal and issuer's decision. The only time a swipe is accepted is if the chip fails to read and the bank approves the swipe.

      Okay next step down the rabbit hole: 2 years after the introduction of chip+pin, signatures are now no longer valid. If I go through the process and the device approves the swipe I STILL NEED A PIN. There's no two ways about it now. You cannot complete a transaction over $50 (although another comment here said $100 so I'm not sure anymore) without a pin number.

      That's what we're going towards. The liabilities still fall on the banks for fraud and even with chip+pin+RFID+mag we in Australia and Europe are now in a much better place than the USA has ever been with how complicated credit card fraud has become.

  6. EMV standard? by Anonymous Coward · · Score: 0

    These three companies run a cartel, and that's what the world is standardizing? Wow.

    1. Re:EMV standard? by Anonymous Coward · · Score: 0

      >These three companies run a cartel, and that's what the world is standardizing? Wow.

      And this surprises you, Grasshopper?

    2. Re:EMV standard? by DarenN · · Score: 1

      Two companies. Mastercard bought (or merged with) Europay, so the E and M in EMV are the same company now.

      --
      Rational thought is the only true freedom
  7. Captial One started awhile ago... by Miguelito · · Score: 1

    The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless.

    When I got my 2nd new card in a year (Target & Home Depot hacks) it came with the chip. Also the numbers are no longer the pressed-in type and are on the back. Every time I've used it I have to let the person know the last 4 numbers are on the back.

    I'm still hoping more NFC in terminals and more support for Apple Pay. The handful of times I've used that, it's been much faster and it is more secure.

    --
    - My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
    1. Re:Captial One started awhile ago... by dAzED1 · · Score: 2

      "and it is more secure" why on g-d's green earth would you possibly think that, when it can be hacked by someone standing next to you on the bus (as demo'd many times)?

    2. Re:Captial One started awhile ago... by farble1670 · · Score: 1

      The handful of times I've used that, it's been much faster and it is more secure.

      and how did you determine that?

    3. Re:Captial One started awhile ago... by TFlan91 · · Score: 1

      Someone already commented about this.

      http://yro.slashdot.org/commen...

    4. Re:Captial One started awhile ago... by Miguelito · · Score: 1

      I was referring to Apple Pay in that line, which has not been hacked in any way that I've read. At the very least, not by simply sniffing your phone via the NFC bits since it's tied into the AppleID fingerprint reader to authorize a payment, using a token on the phone vs your CC info.

      --
      - My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
    5. Re:Captial One started awhile ago... by thegarbz · · Score: 1

      And how much money can they extract?

    6. Re:Captial One started awhile ago... by thegarbz · · Score: 1

      Give me a copy of your old mag stripe card and a copy of your new chip card, and then see how much money will be left in each account after say 30 minutes.

    7. Re:Captial One started awhile ago... by mjwx · · Score: 1

      I was referring to Apple Pay in that line

      And I suspect so did the GP.

      Why do you think Apple Pay is remotely secure. Apple is good at keeping its users hemmed in and docile, not security.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    8. Re:Captial One started awhile ago... by gnasher719 · · Score: 1

      Why do you think Apple Pay is remotely secure. Apple is good at keeping its users hemmed in and docile, not security.

      Quite a pathetic comment. My Mac has unbreakable full-disc encryption. So does my backup drive. Built into the operating system. You can't get into my iPhone. Apple can't get into my iPhone anymore with iOS 8. Actually, nobody can get in. You can't even reset it and use it if I don't want you to. iMessage has end-to-end encryption that is unbreakable.

      "Keeping users docile" is of course the common idiotic stupid geek prejudice of people who think they are smart because they use something that is hard to use. You are not smart, you are stupid!

    9. Re:Captial One started awhile ago... by amxcoder · · Score: 1

      I have a Samsung phone you insensitive Clod! Seriously, Apple doesn't rule the cell phone market anymore, so Apple Pay will only be helpful to a handful of the population. Not to mention, I refuse to put any payment information, or banking info on my phone, period. Too easy to lose, get stolen, and gets upgraded every so often. I can't micro-shred my old cell phone with all my banking info on it, like I can an old credit card when I get an updated one.

    10. Re: Captial One started awhile ago... by Miguelito · · Score: 1

      Because the credit card companies say it is, and are willing to charge smaller fees due to it being secure. They wouldn't do that if they didn't have a ton of faith in that security.

      --
      - My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
    11. Re:Captial One started awhile ago... by omnichad · · Score: 1

      so Apple pay will only be helpful to a handful of the population

      That depends - all it requires is NFC so they could offer an Android app if they wanted to truly be competitive.

      Your card number isn't stored on the phone with Google Wallet or Apple Pay. It just relays the one-time pad to link payment to the remote end. You don't have to do any more than uninstall an app and deauthorize the device.

      I don't use it, but I don't see it as being as bad as you say.

    12. Re:Captial One started awhile ago... by jo_ham · · Score: 0

      I was referring to Apple Pay in that line

      And I suspect so did the GP.

      Why do you think Apple Pay is remotely secure. Apple is good at keeping its users hemmed in and docile, not security.

      If you assume the GP meant that Apple pay "when it can be hacked by someone standing next to you on the bus (as [sic] demo'd many times)" then where can we see these "many" demonstrations of the hacking of Apple Pay?

      I think it's more likely that the GP is talking out of his arse. It's pretty common to see sweeping Apple-bash posts that have almost zero basis in reality on here that rely on groupthink to get positive moderation. For example - a sweeping assertion that Apple Pay is trivially hacked and that many demos of said hack exist. It's simply an outright falsehood.

    13. Re:Captial One started awhile ago... by jo_ham · · Score: 1

      I have a Samsung phone you insensitive Clod! Seriously, Apple doesn't rule the cell phone market anymore, so Apple Pay will only be helpful to a handful of the population.

      Not to mention, I refuse to put any payment information, or banking info on my phone, period. Too easy to lose, get stolen, and gets upgraded every so often. I can't micro-shred my old cell phone with all my banking info on it, like I can an old credit card when I get an updated one.

      It's a good thing that you don't put any banking info on your phone when you use Apple Pay then, isn't it?

      It's almost like they thought of that when designing it!

      The information on your phone is a one-way hash generated from a combination of factors - the phone's ID, a salt, your credit card number, etc. The phone only needs to see the number once to generate the key, but it doesn't store the actual number on the phone or use it during the payment process.

      If you lose your phone you can log into iCloud and immediately invalidate the key, but there's no way that someone in possession of your phone can recover your banking information. The worst you'll have happen to you if you lose your phone is that someone will try to use it to buy something, but unless they know your PIN or have your fingerprint, they won't be able to do that either. The merchant also never knows your CC number, and nor does Apple, plus the way the system is set up, Apple also doesn't know what you are buying or where you're buying it from - the transaction is between your card issuer and the merchant, all the phone does is provide a key that authorises it.

    14. Re:Captial One started awhile ago... by farble1670 · · Score: 1

      man, did you read your post? i didn't ask for evidence that chip cards are more secure than MSR cards. you said this,

      I'm still hoping more NFC in terminals and more support for Apple Pay. The handful of times I've used that [Apple Pay], it's been much faster and it is more secure [than chip cards].

      let me restate, can you describe why you think apple pay is more secure than a chip card?

  8. Efficiency and Progress! by fuzzyfuzzyfungus · · Score: 1

    I, for one, welcome this innovation!

    As the US demonstrated during the recent massive-clusterfuck-in-a-casino financial meltdown, advances in technology and worker productivity now allow the production of enough fraud to supply the entire industrialized world by a relatively small number of highly trained knowledge workers!

    Why, then, should we have an inefficient, unproductive, labor force of blue collar criminals laboriously committing fraud, by hand, like some sort of pre-industrial master/apprentice nonsense, when we have massively more efficient fraud production technology available?

  9. Black Hat 2014: A New Smartcard Hack .. by lippydude · · Score: 1

    According to new research, chip-based "Smartcard" credit and debit cards - the next-generation replacement for magnetic stripe cards - are vulnerable to unanticipated hacks and financial fraud ref.

    1. Re:Black Hat 2014: A New Smartcard Hack .. by green1 · · Score: 2

      The difference is that because these cards are "fraud proof" the bank will refuse to reimburse you for the fraud, and will instead leave you on the hook for the bill. In some cases the banks have actually had people arrested for daring to say that they were the victims of fraud.

      The credit card companies aren't doing this for you, they aren't doing it for security, they're doing it to shift the risk.

    2. Re:Black Hat 2014: A New Smartcard Hack .. by Harlequin80 · · Score: 5, Informative

      Rubbish.

      I have had credit card fraud on a card of mine that had a chip and pin. The crim racked up $25k in flights in a couple of hours. I got a call from my bank asking me about the transactions as it had set off alarms, I said it wasn't anything I had done. Card got cancelled immediately, new card arrived 3 days later and the $25k was immediately refunded. The bank then went through every transaction for the last 3 months and flagged ones they thought were suspicious and once I confirmed they were nothing to do with me those too were refunded.

      My experience has always been very positive when it comes to issues with my cards.

    3. Re:Black Hat 2014: A New Smartcard Hack .. by rahvin112 · · Score: 1

      In the US the maximum fraud liability for any fraud reported within 24 hours of discovering the card is lost (not from when it was lost) is $50.

      This is federal law, they try to stick you with anything more than $50 and they would be up for some serious penalties and as a result they won't. Most just waive the transactions because alienating a customer for $50 isn't worth it.

      It doesn't matter what the technology or fraud prevention is because they simply can't charge the customer if the customer reports the fraud when it's discovered.

    4. Re:Black Hat 2014: A New Smartcard Hack .. by Nutria · · Score: 1

      once I confirmed they were nothing to do with me

      You have a computer and it's the second decade of the 21st century. How did you not see them?

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:Black Hat 2014: A New Smartcard Hack .. by Harlequin80 · · Score: 1

      Because I have a wife whose card hits the same account and I don't go through my back statements each month. I put EVERY transaction on my credit card, from buying a coffee to parking to supermarket and everything else in between. That means my credit card statement is LONG. Yeah I know I should keep every receipt and check it against the statement at the end of the month but no.

    6. Re:Black Hat 2014: A New Smartcard Hack .. by thegarbz · · Score: 1

      The difference is that because these cards are "fraud proof" the bank will refuse to reimburse you for the fraud, and will instead leave you on the hook for the bill.

      This is false in pretty much every country in the world. Your liabilities are limited to a very small amount by law.

    7. Re:Black Hat 2014: A New Smartcard Hack .. by Jack+Griffin · · Score: 1

      The difference is that because these cards are "fraud proof" the bank will refuse to reimburse you for the fraud, and will instead leave you on the hook for the bill. In some cases the banks have actually had people arrested for daring to say that they were the victims of fraud.

      The credit card companies aren't doing this for you, they aren't doing it for security, they're doing it to shift the risk.

      What a load of shit. I've had a case of the bank calling me while on holiday overseas to verify it is actually me using the card in a different location. I had a friend have her card swapped by a dodgy taxi driver and racked up thousands which was all refunded immediately by the bank.
      Maybe it's different in the US, because you're still living in the credit card dark ages, but in most advanced economies, anti-fraud systems are quite effective.

    8. Re:Black Hat 2014: A New Smartcard Hack .. by mjwx · · Score: 1

      Rubbish.

      I have had credit card fraud on a card of mine that had a chip and pin. The crim racked up $25k in flights in a couple of hours. I got a call from my bank asking me about the transactions as it had set off alarms, I said it wasn't anything I had done. Card got cancelled immediately, new card arrived 3 days later and the $25k was immediately refunded. The bank then went through every transaction for the last 3 months and flagged ones they thought were suspicious and once I confirmed they were nothing to do with me those too were refunded.

      My experience has always been very positive when it comes to issues with my cards.

      I suspect you're Australian.

      We kept the laws that state banks are responsible for security, so in order to blame you for fraud, they need clear evidence that you either co-operated with the crooks or allowed the crooks to get access to your details through an act of gross stupidity (and by this I mean beyond Tony Abbott levels of gross stupidity).

      However in the US, it's part of a push by credit issuers to shift the responsibility for security from them to merchants and users.

      As a side note, I find it alarming that so many Australians are victims of credit card fraud. It's obvious why though, Australians just don't take care with their cards. They'll happily stick it in anywhere, into any hole without a second thought. Sure you get the money back but having gone through the process for a mere $40 it's a complete pain in the arse (especially since they cancel your card immediately and you have to wait for them to send you a new one, and GE Money aren't quick about it either)

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:Black Hat 2014: A New Smartcard Hack .. by Nutria · · Score: 1

      My wife and I use debit cards that hit the same checking account for just about everything. I keep an eagle eye on it, though, so that we can stay in budget. (Kids are expensive.)

      --
      "I don't know, therefore Aliens" Wafflebox1
    10. Re:Black Hat 2014: A New Smartcard Hack .. by Harlequin80 · · Score: 1

      I don't know how they got my card details. I was in Australia and my card number was used with someone signing in person in Spain. Westpac had a new card in my hands 3 days later.

      As for why I don't care where I stick my card. It is because I am protected. I have more than one card so it is the total inconvenience of getting a different card out. I have had the fraud detected automatically and the total lost time was about 30 minutes.

      If I was responsible for ensuring the security of every step of the money transfer chain I would go back to using cash.

      Oh and yes - Australian.

    11. Re:Black Hat 2014: A New Smartcard Hack .. by Harlequin80 · · Score: 1

      We seem to be pretty good at sticking to the budget - usually out by only a couple of hundred plus or minus across a month. We also have 2 kids so the volume of transactions is quite high.

    12. Re:Black Hat 2014: A New Smartcard Hack .. by Nutria · · Score: 1

      We seem to be pretty good at sticking to the budget

      You're better than us, then... things go off the rails when I don't watch.

      --
      "I don't know, therefore Aliens" Wafflebox1
    13. Re:Black Hat 2014: A New Smartcard Hack .. by mjwx · · Score: 1

      As for why I don't care where I stick my card. It is because I am protected.

      And herein lies the problem with many Australians.

      You don't seem to get that even though you don't pay directly, you still pay for credit card fraud. It's socialised somewhat across all the bank's customers so the people who are responsible end up paying for those who aren't, like yourself. Fraud costs Australia 1.4 Billion annually, this money doesn't come from nowhere.

      Because of this, I think that people should be afforded less protection than they currently are as people are being too irresponsible.

      If I was responsible for ensuring the security of every step of the money transfer chain I would go back to using cash.

      Many of us still use cash for our day to day transactions. Not only is it safer, faster and more convenient, we save a small fortune. The cash discount is alive and well in Australia because credit is very expensive for the merchant.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    14. Re:Black Hat 2014: A New Smartcard Hack .. by Harlequin80 · · Score: 1

      Not all of that fraud figure is credit card. And I am also well aware that the cost of the losses are socialised across all people. And I am ok with that. I know that I am paying an insurance premium when I use credit cards, however that cost is acceptable to me for the convenience of using credit cards.

      As for cash discounts I absolutely make use of them. Cash is great for transactions with individuals, especially service providers over goods sellers. In those instances I use cash. But those make up the minority of my transactions because my grocery bill, my phone, electricity, petrol, etc are not open to a cash discount. My local butcher on the other hand is, but it is a small % of my overall bill.

      As for more convenient. Not in a month of Sundays. Cash requires either you to receive cash directly for a service or to go to an ATM. I don't need to do that to use a card AND paywave / paypass is a lot faster than cash. 95%+ of the places I frequent use the contact payment method and those that don't accept card anyway.

    15. Re:Black Hat 2014: A New Smartcard Hack .. by Anonymous Coward · · Score: 0

      With every transaction I get an email. My wife finds it annoying that I can see every transaction, but I find it useful.
      A friend's credit card has been used by some guy to buy World of Warcraft stuff, and he found out just because he regularly checks transactions.

    16. Re:Black Hat 2014: A New Smartcard Hack .. by MobyDisk · · Score: 1

      From another perspective, to someone who has had chip-and-pin for a decade this could sound like a terrible experience. With a more secure system, this would never have happened. No phone call, no new card, no need to go through 3 months of charges.

    17. Re:Black Hat 2014: A New Smartcard Hack .. by Anonymous Coward · · Score: 0

      In theory, at least, you do not need to try very hard to know that charges for airline tickets, when neither you nor your wife have flown anywhere, should be suspicious.

      "I don't go through my bank statements each month."

      No shit! Do you think you'll learn anything from this experience? (I suspect not. Hooray for living in an average world of average people!)

    18. Re:Black Hat 2014: A New Smartcard Hack .. by JesseMcDonald · · Score: 1

      And I am also well aware that the cost of the losses are socialised across all people. And I am ok with that. I know that I am paying an insurance premium when I use credit cards, however that cost is acceptable to me for the convenience of using credit cards.

      Your opinion is irrelevant here. Of course you're OK with it; you're one of the negligent freeloaders driving up costs for everyone else! It's the more careful credit card users who don't deserve those costs that are harmed by this system.

      For that reason, the laws requiring a high default level of protection should be repealed. You would still be free to get a card from a bank offering "gold-plated" fraud protection, for an unsubsidized premium fee, while others who are more responsible with their cards can forego the fees in exchange for performing their own due diligence.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    19. Re:Black Hat 2014: A New Smartcard Hack .. by Harlequin80 · · Score: 1

      This was on a chip and pin card. It occurred 18 months ago with a Westpac visa card. Apparently I signed for the credit card payment in person somewhere in Spain despite living in Australia. It was because they knew from other transactions that that was almost impossible it got flagged.

      I don't know how they got the credit card details but the person I spoke to said it happens regularly, that there is usually 1 or 2 small transactions that are most likely to a small charity before 1 big transaction is put through. In my case it was exactly that, 2 under $5 transactions to random micro charities then 2 days later $25k.

      Apparently they use the charities because they tend to be poorly managed or policed.
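
The pattern described in the comment above (one or two sub-$5 charges at unfamiliar small merchants, then a large charge a couple of days later, card-present in another country) can be expressed as a simple detection rule. This is an added example, not part of the original thread and not any bank's actual system; the thresholds, field names and sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds (not from the thread, apart from the "under $5" probes).
PROBE_MAX = 5.00               # a "probe" is a charge at or below this amount
LARGE_MIN = 1000.00            # charges at or above this are examined
WINDOW = timedelta(days=3)     # how far back to look for probes


@dataclass(frozen=True)
class Txn:
    when: datetime
    merchant: str
    amount: float
    country: str


@dataclass(frozen=True)
class Alert:
    large: Txn
    probes: tuple
    out_of_country: bool


def find_probe_then_large(txns, home_country):
    """Flag large charges preceded, within WINDOW, by small charges at
    merchants the cardholder had never used before (card-testing probes)."""
    ordered = sorted(txns, key=lambda t: t.when)
    alerts = []
    for i, big in enumerate(ordered):
        if big.amount < LARGE_MIN:
            continue
        earlier = ordered[:i]
        probes = []
        for p in earlier:
            if big.when - p.when > WINDOW or p.amount > PROBE_MAX:
                continue
            # A regular small purchase (daily coffee) is not a probe:
            # only count merchants with no prior history on this card.
            seen_before = any(
                q.merchant == p.merchant and q.when < p.when for q in earlier
            )
            if not seen_before:
                probes.append(p)
        if probes:
            alerts.append(
                Alert(big, tuple(probes), big.country != home_country)
            )
    return alerts


def sample_history():
    """Constructed transactions for a cardholder living in Australia."""
    d0 = datetime(2015, 1, 1, 9, 0)
    day = timedelta(days=1)
    return [
        Txn(d0, "Coffee Cart", 4.50, "AU"),
        Txn(d0 + 1 * day, "Supermarket", 182.30, "AU"),
        Txn(d0 + 10 * day, "Coffee Cart", 4.50, "AU"),
        Txn(d0 + 20 * day, "Coffee Cart", 4.50, "AU"),
        # Legitimate large purchase: the only small charge nearby is at a
        # merchant with history, so it must not raise an alert.
        Txn(d0 + 21 * day, "Appliance Store", 1800.00, "AU"),
        Txn(d0 + 40 * day, "Supermarket", 95.10, "AU"),
        # Fraud pattern from the comment: two tiny charity charges,
        # then a large charge two days later in another country.
        Txn(d0 + 60 * day, "Micro Charity A", 2.00, "ES"),
        Txn(d0 + 60 * day + timedelta(hours=1), "Micro Charity B", 3.50, "ES"),
        Txn(d0 + 62 * day, "Airline Tickets", 25000.00, "ES"),
    ]


if __name__ == "__main__":
    for a in find_probe_then_large(sample_history(), home_country="AU"):
        names = ", ".join(p.merchant for p in a.probes)
        print(f"ALERT {a.large.merchant} ${a.large.amount:,.2f} "
              f"after probes [{names}] out_of_country={a.out_of_country}")
```

Alerting on the probes themselves, before the large charge lands, needs the same first-seen-merchant test applied as each small charge arrives.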

    20. Re:Black Hat 2014: A New Smartcard Hack .. by MobyDisk · · Score: 1

      Sorry! Yes, I see you said that in your post. Interesting.

    21. Re:Black Hat 2014: A New Smartcard Hack .. by j-beda · · Score: 1

      Because I have a wife whose card hits the same account and I don't go through my back statements each month. I put EVERY transaction on my credit card, from buying a coffee to parking to supermarket and everything else in between. That means my credit card statement is LONG. Yeah I know I should keep every receipt and check it against the statement at the end of the month but no.

      We also put virtually everything onto the card, but fortunately my wife doesn't do that much purchasing so her items are not too difficult to figure out.

      I use MoneyDance for our accounting, and it has a mobile app that syncs with the desktop software. I try to enter transactions on my phone as they occur (and often take a photo of the receipt at the same time) which makes reconciling against the data file downloaded from the card's website and the monthly statement much easier.

      http://moneydance.com/

  10. Contactless by Anonymous Coward · · Score: 0

    Is there actually a push for contactless EMV as the article surmises? I assumed a lot of people had reservations about the security of these implementations.

    I'm sure this presentation next month won't help that perception:
    https://www.blackhat.com/asia-15/briefings.html#relaying-emv-contactless-transactions-using-off-the-shelf-android-devices

    1. Re:Contactless by rickb928 · · Score: 1

      There is NO CONTACTLESS EMV. That is something else, RFID or NFC.

      And not at all the same thing.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:Contactless by Anonymous Coward · · Score: 0

      Seriously?

      What is this then: http://www.emvco.com/specifications.aspx?id=21

    3. Re:Contactless by Anonymous Coward · · Score: 0

      Have you thought perhaps about looking at the contactless EMV spec - available to the public for free? You are talking transport layer. EMV is a standard for communication with a SIM, which is also a base technology.

    4. Re:Contactless by omnichad · · Score: 1

      The EMV web site disagrees with you. Just because they used existing communication standards for their specification doesn't mean it's not contactless EMV.

    5. Re: Contactless by rickb928 · · Score: 1

      Yes I have read the specs. Contactless mode is not an EMV communication. It doesn't use the chip. It is essentially a mag stripe transaction via RF, similar to NFC.

      In contactless mode, mag stripe mode must always be supported, while EMV chip mode is optional.

      It looks like book C-5 fully described this, going past the mag stripe mode.

      Feh. I wonder if all cards will have RF-activated chips.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  11. What about the online use of these cards? by serbanp · · Score: 1

    Same 16 digit code, expiration date and CCV?

    1. Re:What about the online use of these cards? by Harlequin80 · · Score: 1

      Yes, no change.

      Australia has had chip and pin systems for the best part of a decade. And prior to that were magstripe and pin. Purchasing online is still just the numbers. Same with ordering over the phone.

    2. Re:What about the online use of these cards? by pla · · Score: 3

      Great question! I had wondered about this myself - How does C&P really make the card more secure if you still basically just need a photocopy of it to use it? Or do they have an entirely different mode of operation when used online (like easy generation of disposable one-use card numbers)?

      Not that it matters - US vendors will fight this to the bitter end. I already have cards with a chip in them (not sure about the "pin" part, since I certainly don't know any pin to use with them), one of which I've had for over five years. And I have *never* found a merchant that it works in any mode other than "swipe and sign". My local supermarket actually has readers compatible with them - And have intentionally disabled that feature because it "confuses" people - Damned straight, it confuses people! It confuses the hell out of me that you've intentionally made your readers insecure, and that after a major breach a few years ago!

      Fuck the PCI, and fuck merchants. Give me security or pay me real penalty-money when your latest data breach results in my identity getting stolen. None of this "$50 maximum liability" bullshit - You lose my identity, BAM, $100k in my pocket. Anything less, and we'll keep hearing about the latest record-breaking breach-of-the-week.

    3. Re:What about the online use of these cards? by Harlequin80 · · Score: 5, Informative

      My bank has an additional layer of security for when you purchase online. When you purchase with the credit card it spawns a page that comes from my bank. I gave it a personal statement that it uses to show that it is real - ie "Your wife's favourite food is potato chips" and then it asks for a password. If I give the correct password the transaction will go through.

    4. Re:What about the online use of these cards? by marka63 · · Score: 1

      It's a combination of things. Sure you can photocopy a card if you can get access to it for long enough but requiring a pin forces the customer to go to the card reader or the card reader to be brought to you. This reduces the window when the card can be photocopied or the magstripe being fraudulently read. Add to that the CC# is tagged as requiring a pin so you can't just put the details onto a blank and use it.

      Online transactions still need the CCV.

      No security is perfect.

    5. Re:What about the online use of these cards? by Anonymous Coward · · Score: 0

      Online transactions require a little more than the card: they also verify the billing address. That said, getting an address for a name is probably not terribly difficult unless it's a very common name.

    6. Re:What about the online use of these cards? by Anonymous Coward · · Score: 0

      I don't think I've ever had a debit card with CCV. It just can't be used that way around here, chip and pin only.

      For online transactions, you opt-in by generating a code in an ATM that you then use to create an account at a specific website, run by the same entity that runs all ATMs around here.

      Using that website, you create "disposable" cards when needed, choosing what's the expiration date (like, next month) and setting how much it can be charged. It then gives you a 16 digit code, exp date and CCV for that "card".

      If Steam wonders why I seem to have a large supply of cards always on the brink of expiring, they've never mentioned it...

    7. Re:What about the online use of these cards? by Anonymous Coward · · Score: 0

      My bank has an additional layer of security for when you purchase online. When you purchase with the credit card it spawns a page that comes from my bank.

      It's far from mandatory. Very few online merchants support that system.

    8. Re:What about the online use of these cards? by thegarbz · · Score: 1

      There's additional protections in place. The process is the same. Code + CCV. However the modern cards are now linked to the bank.

      For example depending on the transaction price:
      For small transactions I click through and I end up at my bank's webpage. If the transaction is small it automatically approves, but just like paypal it is visibly directed through the bank.
      For large transactions I click through and my bank's webpage requires token identification. With a previous bank that was an SMS code sent to my mobile, with my current bank it's an RSA token code.

      This however is not related to the hardware on the card, so I'm not sure how you will see this rolled out in America. I'm not sure if it's part of the EMV standard but in Australia both the Chip+Pin cards and the new online verification systems were rolled out concurrently.

    9. Re:What about the online use of these cards? by Anonymous Coward · · Score: 0

      Pity that extra layer ("Verified by Visa" or the mastercard equivalent) is completely indistinguishable from a phishing scam. You go to $merchant's site, and suddenly the merchant's website is asking you for your banking details (it's an iframe thingy embedded in it). Nice one.

    10. Re:What about the online use of these cards? by whoever57 · · Score: 1

      Great question! I had wondered about this myself - How does C&P really make the card more secure if you still basically just need a photocopy of it to use it? Or do they have an entirely different mode of operation when used online (like easy generation of disposable one-use card numbers)?

      If I want to send money from my UK bank account to a destination account that I haven't sent money to recently (using the bank's website), I have a little card reader that reads my card, validates the PIN (offline) and then processes a number from the website into a response that I put back into the web page to validate that I have the physical card and know the PIN.

      --
      The real "Libtards" are the Libertarians!
    11. Re:What about the online use of these cards? by A+Friendly+Troll · · Score: 1

      My bank has an additional layer of security for when you purchase online. When you purchase with the credit card it spawns a page that comes from my bank. I gave it a personal statement that it uses to show that it is real - ie "Your wife's favourite food is potato chips" and then it asks for a password. If I give the correct password the transaction will go through.

      Password?

      Like, really?

      Please don't tell me your bank account uses a password, instead of OTP tokens...?!

      Jesus christ...

    12. Re:What about the online use of these cards? by Anonymous Coward · · Score: 0

      The way it's done with my bank is that you set a phrase that only you know, which is displayed when the page is spawned. That way you "know" it's a legit one and not a fake one.

    13. Re:What about the online use of these cards? by Harlequin80 · · Score: 1

      On an online credit card purchase you get a OTP token generated for that transaction? How is it implemented? Do you need to be logged in to your bank to have access to a generator or some kind of app on your phone?

    14. Re:What about the online use of these cards? by dave420 · · Score: 2

      Here in Germany it's a bit weird. Any online banking done through my bank's website requires the use of a separate TAN-generator device. One inserts the card into the side, presses a button, and holds it against a flickering pattern on the screen. After a couple of seconds the device shows the last few digits of the payee's account number and the amount to be transferred/paid, and then a TAN which is typed back in to the website. It gets weird with things like Netflix or Amazon - one can simply enter the bank account details, and payment is taken from your account that way. This is only available to compliant companies, and any fraud can be reported to your bank for them to take care of (which they do - with zeal). It comes from Germany's love affair for invoices. Back in the early days of online commerce, when Germans purchased goods from the net, they would be sent the goods with an invoice to pay - payment was accepted after the goods had arrived in the hands of the customer. It's a cultural thing, I guess.

    15. Re:What about the online use of these cards? by alexhs · · Score: 1

      On an online credit card purchase you get a OTP token generated for that transaction? How is it implemented?

      My bank (in France) sends me an SMS with the OTP.

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    16. Re:What about the online use of these cards? by Neil+Boekend · · Score: 1

      The sites that work with Ideal (my preference) send me to my bank's site to sign the transaction with a simple challenge-response OTP verification involving a separate device where I can insert my card and need to use my PIN to get to the challenge-response part.
      Safe, but not too cumbersome. I love it.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    17. Re:What about the online use of these cards? by Your.Master · · Score: 1

      Genuine question: how do they authenticate you so that they know to send the OTP to you?

      Do they just assume you have physical possession of your phone? i.e. just "something you have"? If so, why would you imagine that's better than having a password?

      My naive guess would be that there's both a password and phone authentication going on at some point in your banking process. Such two-factor authentication is not absolutely required by all banks in the US, it's not uncommon and it's pushed hard by many of them, and usually it goes password-first, then phone auth.

    18. Re:What about the online use of these cards? by pla · · Score: 2

      The way it's done with my bank is that you set a phrase that only you know, which is displayed when the page is spawned.

      Bruce Schneier (IIRC) described the obvious hack for that the day Visa came out with it...

      The attacker (whether a fake merchant, or a MitM) waits for a request for you to verify your identity. It then presents your information to the real site (keep in mind the attacker builds this connection, so encryption doesn't mean a damned thing). The real site responds with your known prompt-phrase, so you "know it's legit". Attacker then prompts you with that phrase, and waits (and records) your response. Attacker passes your response on to the bank, and the transaction goes through successfully.

      Except, that the attacker now has everything he needs to produce as many fraudulent charges as he wants.

    19. Re:What about the online use of these cards? by Anonymous Coward · · Score: 0

      it's called 3D-secure IIRC developed by VISA.

    20. Re:What about the online use of these cards? by Eugene · · Score: 1

      In fact it has been done and implemented a long time ago using the existing EMV chip card.
      http://en.wikipedia.org/wiki/C...

      there are various implementations (offline PIN, passcode, display card...)

    21. Re:What about the online use of these cards? by houghi · · Score: 1

      I have 3d secure. There are several ways to go about it. Sending an SMS with a code to a pre-destined number, login and password outside of the merchant, card reader that gives a number.

      It is still not 100%. A card I never use or have ever used before has been hacked. Fortunately the bank saw this happening, blocked the payment to verify and contacted me. Others I know have been paid back in full when abuse of external parties was obvious. In other cases it depends.

      --
      Don't fight for your country, if your country does not fight for you.
    22. Re:What about the online use of these cards? by MobyDisk · · Score: 1

      My credit card gave me that option years ago. It would generate a temporary CC number. Great idea, but terribly implemented. You would think it would just display a web page that said "This is your temporary CC#, pin, and expiration date - good for 1 hour." Instead, it opened a pop-up window that tried to monitor where I was browsing in the other tab. I think it was trying to fill-in the form for me, or verify the web site or something. It probably worked just fine on IE + Windows XP with all the security settings turned down and no HTTPS.

    23. Re:What about the online use of these cards? by Cochonou · · Score: 1

      They do not authenticate.
      The point is that you usually know when your phone is compromised, because you do not have it anymore.
      Meanwhile, you usually do not know when your password is compromised.

    24. Re:What about the online use of these cards? by A+Friendly+Troll · · Score: 1

      On an online credit card purchase you get a OTP token generated for that transaction? How is it implemented? Do you need to be logged in to your bank to have access to a generator or some kind of app on your phone?

      It depends.

      You can get a physical key fob, some new fancy credit cards include a small display and a keypad, or you can get a phone app to generate the token. All are PIN-protected.

      Can't login to e-banking without a token, can't do anything inside it without a different token (called APPLI-2 here, whereas the OTP is APPLI-1).

    25. Re:What about the online use of these cards? by j-beda · · Score: 1

      The way it's done with my bank is that you set a phrase that only you know, which is displayed when the page is spawned.

      Bruce Schneier (IIRC) described the obvious hack for that the day Visa came out with it...

      The attacker (whether a fake merchant, or a MitM) waits for a request for you to verify your identity. It then presents your information to the real site (keep in mind the attacker builds this connection, so encryption doesn't mean a damned thing). The real site responds with your known prompt-phrase, so you "know it's legit". Attacker then prompts you with that phrase, and waits (and records) your response. Attacker passes your response on to the bank, and the transaction goes through successfully.

      Except, that the attacker now has everything he needs to produce as many fraudulent charges as he wants.

      You are correct that this is defeatable, but it requires more work by the attacker and I don't think anyone has bothered to do so yet because there are enough easier targets to work on. It is a little bit like house security - your locks and other things do not need to be perfect, they just need to be good enough to cause the "bad guy" to give up and try some other place - the vast majority of thefts from homes end up being from homes with unlocked doors.

      Since it requires more work to defeat, the merchant can have higher confidence that transactions authorized by this mechanism are less likely to be fraudulent.

    26. Re:What about the online use of these cards? by Anonymous Coward · · Score: 0

      My bank asks for 3 random letters of the secret phrase. (i.e: enter chars 3, 7 and 15).

      It's going to take a long time for a MITM to work out the full phrase, and it's unlikely they will get lucky with the same combination, as three incorrect attempts lock out the card from online transactions until the phrase has been changed, and it's a pain to change, as the security is super strict when doing so.
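
The replies in this sub-thread contrast a static online password, which pla notes can be relayed, with codes computed for one specific payment, such as the TAN generator dave420 describes. The sketch below is an added example, not part of any comment and not the actual chipTAN, CAP or 3-D Secure algorithm: the HMAC-based `derive_tan`, the `Bank` class and all account names and amounts are constructed assumptions chosen to show why a transaction-bound code is useless for any other order.

```python
import hashlib
import hmac
import secrets


def derive_tan(card_key: bytes, challenge: bytes, payee: str, amount_cents: int) -> str:
    """Six-digit code bound to one challenge, one payee and one amount (assumed scheme)."""
    payee_b = payee.encode()
    # Length-prefix the payee so field boundaries cannot be shifted.
    msg = challenge + len(payee_b).to_bytes(2, "big") + payee_b + amount_cents.to_bytes(8, "big")
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                       # HOTP-style dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Bank:
    """Hypothetical issuer that supports both approval methods."""

    def __init__(self, password: str, card_key: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._card_key = card_key
        self._pending = {}                           # challenge -> (payee, amount_cents)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def approve_with_password(self, payee: str, amount_cents: int, password: str) -> bool:
        # The password says nothing about payee or amount: any order passes.
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def start_tan(self, payee: str, amount_cents: int) -> bytes:
        challenge = secrets.token_bytes(8)           # fresh per order
        self._pending[challenge] = (payee, amount_cents)
        return challenge

    def approve_with_tan(self, challenge: bytes, tan: str) -> bool:
        order = self._pending.pop(challenge, None)   # each challenge is single use
        if order is None:
            return False
        expected = derive_tan(self._card_key, challenge, *order)
        return hmac.compare_digest(expected, tan)


def demo() -> dict:
    card_key = secrets.token_bytes(32)               # constructed key held by card and bank
    bank = Bank("correct horse", card_key)
    shop = ("DE-SHOP-1234", 2_500)                   # constructed: order the customer intends
    other = ("XX-OTHER-9999", 90_000)                # constructed: order the customer never saw
    results = {}

    # Static password: once observed in transit it approves any order.
    observed_pw = "correct horse"
    results["password_shop"] = bank.approve_with_password(*shop, observed_pw)
    results["password_replayed_on_other_order"] = bank.approve_with_password(*other, observed_pw)

    # Transaction-bound TAN: the device computes over the details it displays.
    ch = bank.start_tan(*shop)
    tan = derive_tan(card_key, ch, *shop)
    results["tan_legit"] = bank.approve_with_tan(ch, tan)

    # Bank holds a different order than the one the customer confirmed on the device.
    ch2 = bank.start_tan(*other)
    results["tan_for_substituted_order"] = bank.approve_with_tan(
        ch2, derive_tan(card_key, ch2, *shop))

    # An already-used TAN submitted against a new challenge, then the old challenge again.
    ch3 = bank.start_tan(*other)
    results["tan_replayed"] = bank.approve_with_tan(ch3, tan)
    results["challenge_reused"] = bank.approve_with_tan(ch, tan)
    return results


if __name__ == "__main__":
    for check, approved in demo().items():
        print(f"{check}: {'approved' if approved else 'rejected'}")
```

The binding only helps if the customer checks the payee and amount shown on the device before typing the code back in, which is why the reader in dave420's description displays both.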

  12. chip and signature, not chip and pin by Anonymous Coward · · Score: 0

    pretty sure that most US banks are issuing chip and _signature_ cards - probably because people can't remember many PINs

    given the general lack of signature checking, this change seems like it might address CC cloning, but stolen cards will continue to be useful until reported

    as for online purchases, I'm not sure much will change

    1. Re:chip and signature, not chip and pin by cheesybagel · · Score: 1

      How many credit cards do you have? Plus you can change the PIN to whatever you want.

  13. Env is hacked, story is wrong by goombah99 · · Score: 1

    Chip and pin is an obsolete solution. Sure point of sale in person fraud went way down in Europe but online and telephone fraud went way up making total fraud almost the same. Meanwhile merchants lost the ability to contest fraud and had to pay for card readers. It's expensive to replace lost cards. And it's been hacked multiple times already so it's not secure.

    The only silver lining here is that forcing merchants to pay for new point of sale terminals will force an upgrade that can slipstream in Apple Pay which is the right solution. Tokenized one time payments that can be used for Internet sales or provided with parental controls and instantly replaced by the end user if lost are the safe modern approach.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Env is hacked, story is wrong by blackraven14250 · · Score: 1

      Meanwhile merchants lost the ability to contest fraud and had to pay for card readers.

      Seems like a regulatory problem, more than a problem with chip-and-pin. You can always just legislate away credit card issuers' responsibility, regardless as to whether they use chip-and-pin or not.

  14. Got one of those cards by JakFrost · · Score: 1

    Chase Visa Freedom sent me one of those chipped credit cards a month after I thought about asking for it for upcoming trip to Europe on vacation.

    The instructions that came with it said that there is no pin code for the card and that it still comes with the magnetic strip and can be used normally like that. So it appears that the presence of the chip is only for compatibility and compliance with a new standard not actual security since it falls back to the insecure magnetic strip or even less secure numbers or legacy's embossed raised numbers for carbon copy. The RFID contactless feature is now gone also.

    In the popular car analogy meme for this site, using the chip is like pressing the car door open button on your wireless car key fob; but you could also use the physical key to open the door normally, or why bother when the car is unlocked in the first place since the embossed card number is easily stolen and can be used to charge online, still without even the name or CCV2 on some merchant plugins.

    I feel that the chip might be used against the consumers and merchants since when it becomes compromised or copied the card company will shift the blame to them claiming that the physical cards must have been present since their infallible security chip is uncopiable.

    1. Re:Got one of those cards by Jack+Griffin · · Score: 1

      In the popular car analogy meme for this site, using the chip is like pressing the car door open button on your wireless car key fob; but you could also use the physical key to open the door normally, or why bother when the car is unlocked in the first place since the embossed card number is easily stolen and can be used to charge online, still without even the name or CCV2 on some merchant plugins.

      I feel that the chip might be used against the consumers and merchants since when it becomes compromised or copied the card company will shift the blame to them claiming that the physical cards must have been present since their infallible security chip is uncopiable.

      Maybe in the USA your paranoia is justified, but we've had such systems for years with much less issues than the system it replaced. I think it has less to do with the technology and more to do with the political power some institutions have to avoid regulation. You want the land of the free, this is the price you pay. Sometimes regulations are a good thing.

    2. Re:Got one of those cards by thegarbz · · Score: 1

      The instructions that came with it said that there is no pin code for the card

      The cards don't have the pin code. The bank does. I had a chip in one of my credit cards for a while. When the rules changed to require chip+pin the bank sent me a letter including a pin code. No new card.

      compliance with a new standard not actual security since it falls back to the insecure magnetic strip or even less secure numbers or legacy's embossed raised numbers for carbon copy.

      Compatibility and compliance always comes before standardization. We've had chip+pin available for years. Only now is it mandated, are signatures no longer accepted, and the practice of embossed lettering is gone for good.

      Baby steps man, baby steps.

      If they attempted to switch how the systems worked overnight without a period in between where equipment is upgraded by attrition there would be a major outcry.

      I feel that the chip might be used against the consumers and merchants since when it becomes compromised or copied the card company will shift the blame to them claiming that the physical cards must have been present since their infallible security chip is uncopiable.

      Even a backwards country like the USA has laws that protect against that.

    3. Re:Got one of those cards by jez9999 · · Score: 1

      Chase Visa Freedom sent me one of those chipped credit cards a month after I thought about asking for it for upcoming trip to Europe on vacation.

      In the UK at least, I doubt that card will be accepted. Chip and PIN payment is the only thing accepted (in person) these days - chip and signature has long been phased out. I'd be interested as to what happens if you try to use that card.

    4. Re:Got one of those cards by Eugene · · Score: 1

      the card you just received most likely still supports PIN, just it's not preferred using PIN as the primary method for authorization (i.e. signature preferring). In most of the situation you will not notice any difference (especially in US).

      you can still use the magnetic stripe as it's a requirement for credit card, however magnetic stripe is now a *backup* method for using your credit card. Again in US you won't notice any difference as most of the terminals only support magnetic stripe, however overseas in most other countries that already migrated to EMV, during a card transaction if you swipe the magnetic stripe the terminal will prompt operator to use the chip instead. Only when terminal has problem reading the chip then it'll allow physical magnetic stripe transaction for those chip enabled cards.

      If it's a chip transaction, it's really close to impossible to clone the card assuming following good implementations, unlike magnetic stripe which can be easily duped

    5. Re:Got one of those cards by Anonymous Coward · · Score: 0

      What happens is that you put the card in the reader and a strip of paper comes out of the back for you to sign. It'll also cause confusion and puzzle everyone because they've not seen that happen before, don't have a pen, and when you finally do sign it they won't know what to do with the paper.

  15. online sales of major purchases by Anonymous Coward · · Score: 0

    Plus these days third parties hold your online and recurring charge cards. Amazon, alibaba pay pal, google pay, and all your favorite porn sites and stores often retain your credit card info for future purchases. So online threats are growing by leaps and bounds. None of those are protected by chip and pin.

  16. Credit Versus Cash by tquasar · · Score: 1

    I used to vacation around the Southwest US. At that time there wasn't credit fraud like today. Use Cash. It's accepted everywhere.

  17. poor solution 10 years ago, poor solution now by Anonymous Coward · · Score: 0

    All that is going to happen is that criminals will be forced to move forward with newer schemes. Chip and pin was never secure and never designed right. Cards should include a code generator on them that connects up with their bank to release funds. The cards should then have a pin on them and a screen to protect the card owner. They would work online and off-line and there would be no opportunity for fraud. Every transaction can be connected to the actual owner and the owner could approve / decline a transaction on the device itself. You can't trust a third party merchant terminal and yet that is exactly what users have to enter their pin into. If you reveal your pin to EVERY merchant it's no longer a security measure. The only "security" merchant payment processing systems have is via obscurity and we all know that is not real security.

    With a proper system merchants would not be vulnerable to payment card fraud. The problem with eliminating payment card fraud is it'll probably lead to more violent crime as the easy-peezy nature of it now will be eliminated. Right now anybody can commit fraud with no technical skill required.

  18. PayWave and PayPass - Totally insecure. by sectokia · · Score: 2

    I don't think many people realise that the contactless system widespread in credit cards is not secure. It's ironic that the system implemented by Visa/MasterCard does not even pass PCI DSS standard. There is no encryption or authentication. Only the more expensive chips on passports have encryption. Wireless credit cards give out:

    - Your name.
    - Your account number.
    - Your transaction history (usually last 64 transaction amounts, times and dates, and payment terminal identifier).
    - All credit card numbers excluding CCV.

    Also the claims that you cannot read from more than a few inches away are bull crap. The standard readers have to have antenna and signal strength to read only up to 5cm. However you can put any high gain antenna and transmit amplifier you want. It uses standard EMV which you can buy for $20. A small backpack concealed system can work up to 1.5 METERS. A large antenna setup on the card reader could extend this to 50m+!

    1. Re:PayWave and PayPass - Totally insecure. by Anonymous Coward · · Score: 0

      I call BS:

      http://www.smartcardalliance.org/publications-contactless-payment-security-qa/

      Your card should have a private key that is used to generate a card verification value that is sent to the issuer who can cryptographically ensure that it was generated by your card. The private key is never transmitted so unless someone issues a card without a private key on it (not sure if that's an only in america thing) it should be impossible to clone a contactless card without having access to the card itself - the best you may be able to do is fake a one transaction with a stolen card verification value.

    2. Re:PayWave and PayPass - Totally insecure. by sectokia · · Score: 2

      I never said anything about cloning. You are being misled by corporate double speak. It is true that the cards cryptographically generate a key, similar to a CCV, so you cannot read a card to make a copy of it, nor use it for fake transactions (which is all banks care about). All other information however is available, including your name, card number, expiry, Mag stripe data - all in the clear, along with a memory block of past transactions. That info can be made to make online transactions (by brute forcing the 3 digit CCV - which only has 1000 combinations). Not to mention you can make a complete working magnetic version from that info. It is secure from their point of view in that you can't clone a card and do fake transactions. However from a privacy point of view it's wide open. It was actually made to transmit in open all the info you can see or read magnetically to mirror the physical card.

    3. Re:PayWave and PayPass - Totally insecure. by Anonymous Coward · · Score: 0

      The only difference is that an EMV terminal will not accept an EMV card to be run by the mag stripe. A magnetic version of an EMV card can only be used on magnetic only terminals. Sure you can still use it at gas stations in the US, which liability shift doesn't kick in until 2018

  19. Why so long? by dacullen · · Score: 1

    I have 5 credit or debit cards in my wallet. And 1 EMV card. 1 company that takes security seriously. And whose card is that? Of course, it's the card that I use to operate the laundromat. Not Bank of America. Not my credit union.

    1. Re:Why so long? by Strider- · · Score: 1

      In Canada, we've been Chip & Pin for at least 5 years. I was actually surprised when I was down in the states and had to grab some socks from Walmart. When I swiped my card (which I'm used to in the states) instead it had me insert it and do the usual chip & pin.

      The contactless is for small, quick transactions. Buying coffee, a pack of gum, whatever. While Chip & Pin is more secure, it's also significantly slower. So, to move a lot of people through the line quickly, they do the paypass thing. When you have the lunch rush at Timmies, you need to move people quickly. ;)

      --
      ...si hoc legere nimium eruditionis habes...
    2. Re:Why so long? by LinuxIsGarbage · · Score: 1

      In Canada, we've been Chip & Pin for at least 5 years. I was actually surprised when I was down in the states and had to grab some socks from Walmart. When I swiped my card (which I'm used to in the states) instead it had me insert it and do the usual chip & pin.

      The contactless is for small, quick transactions. Buying coffee, a pack of gum, whatever. While Chip & Pin is more secure, it's also significantly slower. So, to move a lot of people through the line quickly, they do the paypass thing. When you have the lunch rush at Timmies, you need to move people quickly. ;)

      I'm Canadian and found the same thing when I went to Walmart in the US in June. In one case I used a self checkout and was instructed to insert the card after swiping. In the second case it was through a regular cash, I swiped the card, then the cashier walked all the way around, grabbed the card and inserted it, instead of saying "please insert your card". Now when traveling in the US I default to inserting my chip at Walmart.

      In Canada the Walmart POS machines say "Swipe or insert card". In the US it just said "Swipe card", so there was no reason to believe it was actually chip enabled.

      Travel tip to the US: If you're at a pay at the pump in the US, and it asks for your ZIP code, do the following: Take the 3 numbers from your postal code, add 2 zeros: A2B 3C4 becomes: 23400 http://www.mastercard.ca/educa...

  20. Links on how to scam chip and pin by goombah99 · · Score: 1

    EMV is hacked not because EMV is theoretically secure but the implementations of it are botched. Predictable unpredictable numbers, transactions not testing cypher validity or the incrementing number are hacks in widespread use right now. The easiest hack of all is to move the card number from Europe to any country that does not yet use EMV. All the EMV cards work in those countries by reverting to just mag stripe signature cards. Yeah you could implement geo-locking but once again, they haven't done the implementation right. Chip and pin on ATM cards is also being exploited by card snatchers in false facia of ATM machines (they video your pin, then physically steal the card unlike the mag stripe which don't have to be physically inserted all the way into the machine to work).

    http://krebsonsecurity.com/201...

    http://www.telegraph.co.uk/new...

    http://krebsonsecurity.com/201...

    http://krebsonsecurity.com/201...

    http://www.banktech.com/fraud/...

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Links on how to scam chip and pin by TheRaven64 · · Score: 1

      You're missing the latest EMV attack (published around November last year), which relies on the fact that the EMV protocol doesn't authenticate the bank, only the card, making it possible to MITM.

      --
      I am TheRaven on Soylent News
  21. Less than 50% reduction in fraud, more liability by Anonymous Coward · · Score: 0

    Since 1/2 of all fraud is card-not-present fraud (that is internet/ phone purchases) the maximum reduction in fraud rates is 1/2. And in the future even more transaction will occur on line. Furthermore at present a lot of card cloning fraud is low tech not massively organized. internet fraud can be automated. If you cut off the low tech hustlers from their quick cash opportunities they will just sell the credit card numbers online to the organized crime operations providing even more fraud.

    The real problem is that now the end user is responsible if their card is somehow used. You are now presumed guilty because you did not protect your pin. (which can easily be scooped with a video camera or a rigged terminal.)

    http://www.creditcards.com/cre...

  22. There's no concern using RF by Brannon · · Score: 2

    if you're using one-time pad encryption, which Apple Pay does.

  23. Maybe because he knows how it works? by Brannon · · Score: 0

    It's a one-time pad-based system and the merchant never gets the real account number or even the user's name. They get a one-time code for a specific purchase amount at a specific time. You could intercept the RF transmission and publish it on a billboard in Times Square and it would still be unhackable.

    My experience is that smug Apple-bashers are pretty ignorant about technology in general, thanks for reinforcing that opinion.

    1. Re:Maybe because he knows how it works? by mjwx · · Score: 2

      It's a one-time pad-based system and the merchant never gets the real account number or even the user's name. They get a one-time code for a specific purchase amount at a specific time.

      Because maybe I know that MITM attacks aren't the only way things become compromised.

      Software flaws are becoming increasingly attractive attack vectors for criminals.

      Also perhaps it's also because Apple has a terrible track record for taking responsibility for stuff ups and blaming the user when it all goes horribly wrong.

      My experience is that smug Apple-bashers are pretty ignorant about technology in general, thanks for reinforcing that opinion.

      My experience is fanboys tend to ignore the facts and go after the person making the statement, ad hominem is easier than rational argument. Thanks for reinforcing that.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  24. Translation by jd · · Score: 2

    US businesses are as incompetent and insecure as Sony, but can be provoked into taking absolutely minimal action when their profits are under direct threat by sufficiently powerful financial organizations. You mean nothing, you never have, you never will. You have no say, you have no power, you have no rights, you cannot walk away. You aren't the customer, merely the product. Easily replaced if damaged.

    You aren't getting security because security matters. You aren't getting security because you matter. You're getting it because two vendors and a trading bloc said so.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  25. Fraud prevention by bcoinbilly · · Score: 1

    This is why a move towards digital e-currency could provide an added protection for consumers. They have a secure backbone that prevents fraud from taking place.

    1. Re:Fraud prevention by DrXym · · Score: 0

      Just like bitcoin? And bitcoin is a fraud free libertarian paradise as we all know.

  26. Do the major card issuers benefit from the fraud? by Anonymous Coward · · Score: 0

    Do the major card issuers benefit from the fraud? I ask because there are multiple ways of reducing fraud, but have been ignored, and the fact that we in the USA are so slow about fixing it makes me wonder...

    For example, I used to use a service offered by my credit card company as well as PayPal, that created temporary credit card numbers. I have seen this stop fraud attempts first-hand! THIS SERVICE HAS BEEN DISCONTINUED BY ALL OF THEM! Why?!?

    I have a credit card-sized security device called a SAFEPASS for my Bank of America, with a digital security code display. It generates a new security code whenever it's pressed and is used whenever I need to process a wire/money transfer from my account. Why can't they use this device to dynamically generate pins or even whole credit card numbers for each purchase?

    Something just doesn't feel right about the US's "efforts" to stop fraud...

  27. Liability shift to merchants by bradley13 · · Score: 4, Interesting

    My wife has a small company that accepts credit cards. As the parent comment points out, the credit cards want to push liability for fraud onto the merchants. This has two aspects

    - First, the physical card: Chip and pin is standard here, which would be fine, but don't think your fees go down when they hand you the liability. My wife has, to my knowledge, never had a case of fraud in 20 years, but that doesn't matter either. Mastercard/Visa are completely in collusion, there is no competition, they can demand whatever fees they want.

    - Second, the Internet: I wrote her first web-shops, including the payment processing. This has become completely impossible. The credit card companies impose ever more impossible rules. Ultimately, if you handle credit card numbers electronically, they began insisting on quarterly audits of your IT infrastructure. We used an ISP - so they were going to insist on auditing the ISP infrastructure. Our ISP was - shockingly - actually ok with this, but the whole nightmare just got too complicated. In the end, the rules appear to be nothing but a way of forcing you to use their approved payment processors - yet another way to suck money out of merchants.

    Will some Internet payment service please, please spring up and actually give Mastercard/Visa some real competition? Paypal has been largely co-opted, Bitcoin is a joke - we need something that your average Joe can and will use. So far, nothing...

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Liability shift to merchants by IamTheRealMike · · Score: 2

      Will some Internet payment service please, please spring up and actually give Mastercard/Visa some real competition? Paypal has been largely co-opted, Bitcoin is a joke - we need something that your average Joe can and will use. So far, nothing...

      You might think Bitcoin is a "joke" but it's all you're gonna get. PayPal wasn't co-opted - they settled down into the state you would expect given that they have little competition and ultimately still rely on the banking / credit card infrastructure. Why do you think any other outcome would be different? Apple isn't going to help. They aren't exactly famous for aggressively passing along cost savings to their customers, or being flexible with their policies.

      The reason lots of people are working on Bitcoin, myself included, is that when you examine the problems underlying the current financial system it becomes clear that a slightly better credit card processor isn't going to cut it.

    2. Re:Liability shift to merchants by Anonymous Coward · · Score: 0

      When businesses switch to bitcoin they will only have to worry about the value of bitcoin dropping 50% by one day and various Bitcoin exchanges going belly up and stealing all their money. Yeah. Bitcoin is so much better than credit card processors.

    3. Re:Liability shift to merchants by Anonymous Coward · · Score: 1

      Consumer still not liable with chip-and-pin. Court cases have sided with the consumer because it has been demonstrated that a pin could be stolen (e.g. camera on atm, etc.) without the victim's knowledge.

      Other researchers have demonstrated the ability to trick a terminal into thinking a cloned card provided a valid pin as well.

      So while the processors wanted to stiff consumers with the liability the courts found they could not prove based solely on a chip-and-pin transaction that the purchase was not fraud.

    4. Re:Liability shift to merchants by IamTheRealMike · · Score: 1

      Most businesses pass those worries along to payment processors like BitPay or Coinbase. It's still better because you can always in-source if you want to, so they have little leverage over you.

      But yes, Bitcoin isn't an immediate replacement for cards for all online commerce. At least not yet. Volatility is a pain, but the current price is only about 5% off where it was a year ago. Presumably as Bitcoin gets older wild press-driven hype cycles will become rarer and the bubble/burst cycle of the past few years will calm down a bit. We'll have to wait and see.

    5. Re:Liability shift to merchants by Anonymous Coward · · Score: 0

      How is BitCoin going to help? You going to require high speed network access at every merchant, and force the customer to wait 6-10 mins while their coins are verified to protect against double spending?

    6. Re:Liability shift to merchants by Anonymous Coward · · Score: 0

      You're going to need some system that offers a benefit to customers, you know, the people spending their money. Credit cards offer protection against fraud - merchants and card issuers can argue over who pays what fees and whatever BS else, but I can tell you regular people aren't going to be spending BitCoins when there is no recourse for theft, fraud, or errors in general. Other than people losing money. That won't fly at all.

    7. Re:Liability shift to merchants by Anonymous Coward · · Score: 0

      If you think Bitcoin is the cure you're deluding yourself. Keep up the good work though.

    8. Re:Liability shift to merchants by Toshito · · Score: 1

      In the end, the rules appear to be nothing but a way of forcing you to use their approved payment processors - yet another way to suck money out of merchants.

      I work on acquiring systems for a big bank, and we are bound to those rules as well. They are there for a good reason, I don't want my credit card information handled carelessly by any system half assed together by anybody who calls himself a web developer. Those audits are there to check that some minimum requisites of security are in place.

      And believe me it's very costly even for us, but it's much cheaper than having your business name on the news...

      --
      Try it! Library of Babel
    9. Re:Liability shift to merchants by Anonymous Coward · · Score: 0

      paypal kinda sucks but when it works it works well. they have a card reader product for in-person transactions, as does intuit, amazon, and squareup. switch to one of those for in-person transactions and use paypal web payments or similar for online stuff, problem solved.. mostly. for smaller volume businesses it makes more sense than a separate merchant account with all the hoops to jump and red tape to cut.

  28. Some U.S. banks are by SuperKendall · · Score: 1

    My wife just got a new card with a chip and PIN. I forget the bank, either Chase or Barclay I think.

    Mostly though, you are right - we are getting cards with chips and no PIN.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Some U.S. banks are by stevel · · Score: 1

      Barclay had been doing chip-and-PIN in the US, I had read that they stopped but maybe not. Chase doesn't do PINs and are proud of it. The United Nations FCU offers a chip-and-PIN Visa card - anyone can join through a rather convoluted method.

  29. How is what Apple doing a ploy? by SuperKendall · · Score: 1

    Apple Pay works just as well as using a traditional CC for payment, only it's even MORE secure than chip+PIN (and way more secure than the old number only system).

    Apple has also solved online payments too since you can use ApplePay with websites. That's slower to roll out but I see that making big gains in just a year or two since again, it's easier and more secure than using a "real" credit card to pay online, with zero risk of a hack letting thieves be able to charge to your card.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  30. It's no wonder fraud is rife in the US by DrXym · · Score: 2
    My typical experience as a traveller - I walk up to checkout with an item, present my card, it's swiped, I scrawl a signature on a (usually broken) digital capture device but the cashier never bothers to authenticate the card, or look at the name on it, or ask for id, or match the signature to the card. In a restaurant, the card might even be taken away to be swiped and it doesn't occur to either the restaurant or customers why this might be a bad thing.

    So it's hardly surprising if the US receives the highest amount of fraud. It's trivial to skim the details because it's all stored on the magstripe, stores hold the info in arcane systems, there is no authentication and there is no financial burden on the store if fraud occurs.

    Chip and pin isn't perfect but it's FAR better than the US system. In Europe every business has a chip and pin device. Restaurants have a portable chip and pin device. Supermarkets and stores have one at the cashier. You pay by sticking the card in the device and authenticating with it. There is less scope for the card to be skimmed because the card never leaves the customer's hands. There is less scope for a malicious store because authenticating and authorisation is via a secure payment system.

    Ideally cards wouldn't even have a mag stripe any more. Give businesses 5 years to replace their decrepit equipment and banks to upgrade their ATMs and then get rid of them. Chip and pin and NFC cover the same use cases and provide better security into the bargain.

    1. Re:It's no wonder fraud is rife in the US by tlhIngan · · Score: 1

      My typical experience as a traveller - I walk up to checkout with an item, present my card, it's swiped, I scrawl a signature on a (usually broken) digital capture device but the cashier never bothers to authenticate the card, or look at the name on it, or ask for id, or match the signature to the card. In a restaurant, the card might even be taken away to be swiped and it doesn't occur to either the restaurant or customers why this might be a bad thing.

      You don't understand what the signature is for.

      Signing the slip does nothing - the cashier is neither an expert in handwriting nor is expected to be one.

      The purpose of signing the card is to enable a contract - the card signature signals that you agree to your cardholder terms and conditions (aka cardholder agreement). Cashiers are required to check the panel to make sure a valid signature is present (to be reasonably sure that such a transaction is valid).

      The little slip you sign again isn't for verification. If you look closely, it has a line that states "By signing this slip, cardholder agrees to pay the amount shown". This means that you agree that the amount billed is correct, so if a dispute happens, the merchant can reasonably show that yes, you did agree to that amount (in case they transcribed the price wrong, say the slip was marked $13.10 instead of $11.30 - by signing the slip, you agree that $13.10 is the right amount). It's why if they ever bill you incorrectly, you can sign the slip and sign a refund slip, or tear the slip up and contest the charge (without a signed slip, there's no proof of the transaction - merchant loses).

      This is more about contracts than actual security (which there is none).

    2. Re:It's no wonder fraud is rife in the US by DrXym · · Score: 1
      How can a contract be worth any value at all if the store didn't even bother to validate the identity of the person signing? How can my signature be valid if I scrawl "Mickey Mouse" or draw a dick because they're not looking.

      Whatever tenuous reason they might have for a signature, it's not a very good one. If they cared for the strength of their contract they would do the minimum necessary to verify it was the person with authorisation to use the card.

      As for the cashier, that's part of the reason for chip and pin. It takes the authentication and authorisation out of their hands. Either the transaction goes through or it doesn't but at least some security is applied.

    3. Re:It's no wonder fraud is rife in the US by Cochonou · · Score: 1

      What is the purpose of signing the card when I already signed a paper saying that I agreed to the terms and conditions in order to get the card?

  31. Re:Less than 50% reduction in fraud, more liabilit by DarenN · · Score: 1

    Yes, it's easy to manufacture and attach fake ATM fronts....

    EMV means that card present fraud effectively disappears overnight. The liability shift is not to you, it's to merchants that do not accept Chip and PIN, or Banks that do not issue it. Your position is exactly the same as it was before the shift. The difference is that payment networks will no longer accept liability for insecure card-present payment methods which is not unreasonable.

    Online/card-not-present transaction fraud is entirely different and EMV is not designed to deal with it, so it's no surprise it doesn't. For THAT all the networks are implementing payment token support which I expect to see become mainstream over the next couple of years. The tokens will be limited time use alphanumeric strings that have specific values - basically "ApplePay" is re-branded Visa Tokenization. Mastercard already have PayPass Online but that is a digital wallet and their newer solutions will abstract the path to the cardholder's account, Discover and AMEX are also implementing something similar, as are the regional switches in the States.

    --
    Rational thought is the only true freedom
  32. Shortwave frequencies = over-the-horizon snooping? by An+dochasac · · Score: 2

    Unfortunately, peak fraud is ahead of us with the widespread adoption of a poor implementation of RFID. The EU and ROW were wise to jump to chip and pin while the US dragged its feet for a decade with cashiers expected to be CSI signature verification specialists. But the move to pinless RFID rolls security back to the days when cashiers were expected to peer through lists of bad credit card numbers. Actually it's worse than that because card dup information is conveniently broadcast on 13.5 MHz, in the 22 meter amateur radio band. This is a great frequency for over the horizon broadcasting in summer. Not so good for secure communication over a distance that is supposed to be in the range of a few centimeters.

    It's sad because properly implemented RFID has the potential for enhancing the security of paypoint transactions. This implementation will have so much fraud, people will forever associate RFID with fraud.

  33. progress? by Anonymous Coward · · Score: 0

    In US of A??? I am deeply shocked.

  34. There's not copying only by nospam007 · · Score: 3, Insightful

    I'm from Europe and I have had such cards for 10 years.

    I was hit twice by thieves, once an hotel reception guy in Rome copied my card details and bought stuff for 4500€ online, another time it was a restaurant in London who did the same thing.

    Both times a simple email was enough to avoid having to pay, but chips don't help there.
    They only make copying the cards themselves a bit more difficult.

    You still have to check your account carefully each time.

    1. Re:There's not copying only by MobyDisk · · Score: 1

      These things won't be secure until you type the PIN into the card. As long as you type it into a pin pad provided by a merchant, a malicious merchant, or the guy with a camera nearby, can nab the pin. Instead, the pin should be entered into the card, causing the card to generate a unique number.

  35. Apple Pay = One time card numbers by Aqualung812 · · Score: 4, Informative

    NFC was first cracked on cell phones.

    It doesn't even matter. NFC can send the number in plaintext for all I care. The Apple Pay app generates a one-time card number. After it hits the reader, it is useless.
    http://techcrunch.com/2014/09/...

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    1. Re:Apple Pay = One time card numbers by Andy+Dodd · · Score: 1

      Yup, and even the units that can't do that (since they're a standalone chip in the card) have, at a minimum, a monotonically increasing transaction counter that is incremented every time the chip is read.

      Skips in the counter are allowed (failed reads, accidental reads, etc.), but any "out of order" transactions will trigger an instant fraud alert.

      For example:
      Your card is at transaction counter 1000
      A thief reads your card. He gets 1000, your card increases to 1001
      Thief chooses a transaction counter of 1005 and makes a purchase
      You try to use the card, payment processor sees transaction counter drop from 1005 to 1001 - instant fraud alert trigger

      Most importantly here is that you can easily prove it was fraud and will not be liable for the charges. You can't prove this with magstripes, which is why credit card companies are shifting fraud liability for magstripe transactions from them to the retailer (who is likely to pass the pain on to you) in October.

      --
      retrorocket.o not found, launch anyway?
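
The counter check described in the comment above, as an added example (not part of the original thread and not any issuer's or payment network's code). It assumes the issuer sees authorizations in the order they were made; the class, function and card/transaction names are hypothetical and the events are constructed to mirror the comment's scenario.

```python
from dataclasses import dataclass, field

ATC_MAX = 0xFFFF  # the EMV Application Transaction Counter is a 2-byte value


@dataclass
class Alert:
    card: str
    kind: str       # "regression" (counter went backwards) or "replay" (counter reused)
    atc: int        # counter carried by the transaction that triggered the alert
    related: list   # earlier transaction ids that conflict with this counter


@dataclass
class CardState:
    highest: int = -1
    seen: dict = field(default_factory=dict)  # atc -> first transaction id seen with it


class AtcMonitor:
    """Issuer-side check: counters may skip forward, never repeat or go back."""

    def __init__(self):
        self.cards = {}

    def observe(self, card, txn_id, atc):
        if not 0 <= atc <= ATC_MAX:
            raise ValueError(f"ATC out of range: {atc}")
        state = self.cards.setdefault(card, CardState())
        alert = None
        if atc in state.seen:
            # Same counter presented twice: one of the two transactions is a copy.
            alert = Alert(card, "replay", atc, [state.seen[atc]])
        elif atc < state.highest:
            # Counter dropped. The alert fires on this transaction, but the
            # implausible ones are the earlier transactions with a higher counter.
            ahead = [t for a, t in sorted(state.seen.items()) if a > atc]
            alert = Alert(card, "regression", atc, ahead)
        state.seen.setdefault(atc, txn_id)
        state.highest = max(state.highest, atc)
        return alert


# Constructed events (card token, transaction id, ATC), in arrival order.
CONSTRUCTED_EVENTS = [
    ("card-A", "t1", 997),
    ("card-A", "t2", 999),    # 998 skipped (failed read): allowed
    ("card-A", "t3", 1005),   # purchase made with a guessed-ahead counter
    ("card-A", "t4", 1001),   # genuine card used next: counter drops from 1005
    ("card-A", "t5", 1001),   # the same counter presented again
]


def scan(events):
    """Run the events through a fresh monitor and collect the alerts."""
    monitor = AtcMonitor()
    alerts = []
    for card, txn_id, atc in events:
        alert = monitor.observe(card, txn_id, atc)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(CONSTRUCTED_EVENTS):
        print(f"{a.card}: {a.kind} at ATC {a.atc}, conflicts with {a.related}")
```

Note that the alert is raised on the cardholder's own transaction (t4), while the transaction to investigate is the earlier one it points back to (t3).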
  36. Re:Less than 50% reduction in fraud, more liabilit by Anonymous Coward · · Score: 0

    No the liability shift is de facto to you. That's what happened in Britain. You now have to prove you did not let someone know your pin--- how do you do that? After all in your view and the banks view EMV is 100% secure if only you know your pin. Of course that assumes the pin pad is secure too. If EMV can't stop CNP fraud then it is worthless since that's the majority of fraud world wide.

  37. holy smokes... 23%?! by funkymonkjay · · Score: 2

    is that right? how do they make money?! they must be unloading that burden on the merchants or selling the customer's data out for major bucks. bitcoin! we need you to spread.

  38. This card just shifts the liability, cost. by Bonzoli · · Score: 2

    The cost for fraud is shifted to the merchant if their technology is not up to the level of the banks. If the retailer has high enough tech level, the liability is shifted to the customer.
    The day of you denying charges is about over, even if someone used a PIN device to fool the retailer.

    This does improve some security for the retailer network/software when dealing with the CCs but it's a lot like saying DVDs are secure because they are encrypted. Is it secret, is it safe? No, it's not.

  39. Shifting Liability by Anonymous Coward · · Score: 0

    Hasn't the whole switch to Chip n Pin been nothing more than an attempt to shift financial liability for fraudulent charges onto the customers? Criminals all over Europe have already found many a method of getting money out of it despite the "security" while it took years before card companies would even acknowledge that it was possible. Eventually after being confronted with a mountain of evidence they reversed and went to a standard card based model for now, but I know that wherever Chip-n-pin is being introduced they are trying to shift liability to consumers.

  40. Credit card? by Anonymous Coward · · Score: 0

    Bah, I use American Express charge card. :p No need to pay my balance over time with interest.

  41. EMV terminals? by Anonymous Coward · · Score: 0

    If the cards are compliant for EMV in October, will transaction terminals be compliant for EMV too? I did not see any mention of terminals in the article. I haven't seen any terminals with the Visa Pay Wave logo at my local stores.

  42. It's Chip & SIGNATURE in the US!!! by Anonymous Coward · · Score: 0

    Capitals and three exclamation marks to show how annoying this is. I've been trying to get a card for a decade at least, trying all the major companies each year - and recently they've been saying that yes, you'll get a card with a chip on it - but it'll not have a PIN. So what use is it? There's no additional security and it's getting really difficult to use a non Chip & PIN card anywhere but good ol USA.

  43. Payment cards in Japan by phorm · · Score: 1

    Payment cards, as in train passes etc perhaps, but my experience has been that overall Japan has a comparatively low credit-card penetration compared to North America, and in many areas is still very cash-centric. It's a bit of a shock to find that even many major chains (McDonalds, etc) don't necessarily take Visa in Japan.

  44. Re:Shortwave frequencies = over-the-horizon snoopi by Anonymous Coward · · Score: 0

    The antennas on the NFC readers and cards are so small that they are effectively invisible to anything outside their limited range (at 13.56 MHz).

    The cards themselves get their power from the RF field and although their modulation is usually quite strong, the antennas are very small and as such cannot be heard outside their small bubble of operation.

    All the NFC stuff that works at 13.56 MHz operates in an area where you can still safely use the term magnetic field, not electromagnetic waves (radio). The devices operate based on inductive coupling, not EM wave propagation and induction.

    EMV Contactless especially requires that all devices have a maximum signal strength (which is pretty low) to reduce the operating range even further (10cm in the best of cases, up to 7 cm in real life cases). And while getting your card read on the bus is still possible, one would need to be very close to your card to do so. Buying an RFID blocking card sleeve/holder/wallet removes this possibility entirely (if you remember to put your card in it).

    That is from the more physical side of NFC, the higher level algorithms, of course, can be full of bugs or faults that can allow bad people to do bad things. Not to mention human stupidity, naivety or forgetfulness which also contribute a large part in credit card theft and fraud.

  45. Rothschild by NewYork · · Score: 1

    "Give me control of a nation's money supply, and I care not who makes its laws." --Rothschild in 1744.