Slashdot Mirror
Credit Card Fraud Could Peak In 2015 As the US Moves To EMV
dkatana writes Some analysts expect fraud to increase this year as thieves will step up their efforts to capture more credit card details before the Europay, MasterCard and Visa (EMV) standard conversion goes into full throttle. The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless. The U.S. is finally making the transition to secure cards based on the European EMV standard, mostly because the liability shift imposed by the three big credit card brands — Visa, MasterCard and American Express. The European Union, where EMV became standard ten years ago, has the lowest level of credit card fraud in the world, while the U.S. accounted for 47.3% of the worldwide payment card fraud losses but generated only 23.5% of total volume.
Your next creditcard (in a couple years) will probably have a chip-and-pin system, which can not be easily cloned as the magstripes of today can. The analysts cited believe fraud will escalate soon, while most people still DON'T have a chip-and-pin card, since defrauding those people will be harder in a couple years.
One of my RFID-enabled cards came with a blocking sleeve for it. We've had these for years in Canada.
Chip yes, PIN, no. In the US, "Chip-and-signature" is what we get, with extremely rare exceptions. It is more secure than the magstripe to stop massive hacks such as Home Depot and Target, but does nothing to stop stolen card fraud. Note that if your card does not support chip-and-PIN (it can support it even if it's not the default, but US banks aren't doing this), then you can't use the card at many automated kiosks (train stations, etc.) outside the US.
I disagree with the summary that contactless goes along with the chip - it doesn't. There are some banks offering contactless payment cards, but this is not common right now.
As at the 1st of August last year you were no longer able to sign for purchases on your credit card in Australia. A pin became required for every transaction.
With regards to a contactless payment system, it is referred to here universally as paywave (even though that is Visa's name for it) and my AMEX, Visa and Mastercards all support that functionality. They contactless system allows an up to $100 purchase just by tapping your card on the reader. Kinda scary if you lose your wallet but soooooo convenient. Total transaction time is around 1 second.
EMV is NOT contactless. If your new card(s) include electrical contacts, It's EMV .
deleting the extra space after periods so i can stay relevant, yeah.
Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.
Britain has had a lot of trouble with this.
deleting the extra space after periods so i can stay relevant, yeah.
Rubbish.
I have had credit card fraud on a card of mine that had a chip and pin. The crim racked up $25k in flights in a couple of hours. I got a call from my bank asking me about the transactions as it had set off alarms, I said it wasn't anything I had done. Card got cancelled immediately, new card arrived 3 days later and the $25k was immediately refunded. The bank then went through every transaction for the last 3 months and flagged ones they thought were suspicious and once I confirmed they were nothing to do with me those too were refunded.
My experience has always been very positive when it comes to issues with my cards.
My bank has an additional layer of security for when you purchase online. When you purchase with the credit card it spawns a page that comes from my bank. I gave it a personal statement that it uses to show that it is real - ie "Your wife's favourite food is potato chips" and then it asks for a password. If I give the correct password the transaction will go through.
Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.
This is not at all the case in the US.
When TFS says liability shift, they're referring to the merchants (at least, in the context of the US anyways.) The merchants have an agreement with visa, mastercard, et al (and the banks) that determines who is liable in the event of fraud. Presently mastercard/visa/amex assume most of the liability (and they very well better for the transaction fees they charge.)
Visa and mastercard have issued an ultimatum of sorts to the merchants saying that this will only continue for magnetic stripe until the end of 2015, after which the merchant assumes liability for fraud. The merchant can avoid that by simply replacing their POS systems with a chip and pin system, in which case visa/mastercard assume most of the liability.
For you as the card holder however, nothing has changed in that regard: The law in the US still stipulates that credit card holders can only be liable for up to $50 (which most banks waive these days.)
I'm in Argentina. My CC terminal (VeriFone VX520, issued by Visa since visa has this racket that you can only rent, and not own, CC terminals from them or Mastercard) has an EMV reader. Only really new cards in Argentina have this, and out of pure curiosity I tried it with a client's instead of the mag stripe and it worked fine.
Visa has been issuing these units for a couple of years and before that they had another model which also had an EMV reader. It's right under the keyboard. You stick the card in (like you do on an ATM) and you feel it "clicks" on a little switch that enables the chip.
So probably you have seen EMV readers. You just don't know you have.
Time to make a Faraday Cage wallet.
Time to permanently disable contactless payment on all your cards.
Apparently the banks and credit card companies in some countries will send you a new card without the RFID on request. But here in Canada at least one company simply refuses to do this. My bank DID disable contactless payment on my new debit card in their records, but of course the RFID is still physically intact so there's no guarantee that it won't suddenly start working as a result of some administrative fuckup. I'm going to call about my new credit card, but I'm pretty sure they'll tell my politely to piss off. At that time I plan to get out my drill, put a hole in the appropriate place, and test. If it disables Tap and Pay, then all of my cards will get the same treatment.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Apple can get away with securing NFC payments because there is a processor on both ends. The reason you can't secure an NFC card, is that you can't generate enough power using an antenna to power up a chip which can do crypto.
NO.
NFC was first cracked on cell phones. In fact it was cracked on some of the first cell phones to include it. It wasn't even common yet. Which made me wonder why the other manufacturers went ahead with it. It was already broken.
Researchers were able to snarf NFC credentials from cell phones from several feet away, using concealed body-worn equipment that only cost a few hundred $. And it only required that NFC was turned on; no transaction was required.
I have not turned the NFC on my cell phone on even once, and don't plan to.
In case you want to look it up, the researcher's name was Christopher something. He's the same guy who read RFIDs from passports from his car, 30 feet away. And later used the data to clone them.
Further, you DON'T WANT it to operate by NFC, or anything RF for that matter. RFID, NFC, and other RF technologies have all been broken for some years now. I can't imagine what Apple is thinking, with its Apple Pay, but maybe they think they've gotten around the security holes in NFC. Remains to be seen.
There is plenty of information around about how Apple Pay works. All the communication can be in clear text and recorded by a dozen hackers, it doesn't make a difference, because the actual data sent through the insecure channel is safely encrypted.
A hole punch in what? Did you kill the chip? There's better ways.
Simply hold the card up to the light and you'll see the antenna connections run around the outside of the card. A simple cut through the antenna will render the contactless payment inoperable without affecting the chip and the ability to use the chip+pin features.
NFC was first cracked on cell phones.
It doesn't even matter. NFC can send the number in plaintext for all I care. The Apple Pay app generates a one-time card number. After it hits the reader, it is useless.
http://techcrunch.com/2014/09/...
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.