Credit Card Fraud Could Peak In 2015 As the US Moves To EMV
dkatana writes Some analysts expect fraud to increase this year as thieves will step up their efforts to capture more credit card details before the Europay, MasterCard and Visa (EMV) standard conversion goes into full throttle. The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless. The U.S. is finally making the transition to secure cards based on the European EMV standard, mostly because of the liability shift imposed by the three big credit card brands — Visa, MasterCard and American Express. The European Union, where EMV became standard ten years ago, has the lowest level of credit card fraud in the world, while the U.S. accounted for 47.3% of the worldwide payment card fraud losses but generated only 23.5% of total volume.
Worry it not, minions. We won't steal money from you again. We will steal it directly from the source - the big fat banks. And we will grab your password and purchase history and personal details along the way. -- signed, the Internet Barron.
Time to make a Faraday Cage wallet.
When I got my 2nd new card in a year (Target & Home Depot hacks) it came with the chip. Also the numbers are no longer the pressed-in type and are on the back. Every time I've used it I have to let the person know the last 4 numbers are on the back.
I'm still hoping for more NFC in terminals and more support for Apple Pay. The handful of times I've used that, it's been much faster and it is more secure.
- My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
I, for one, welcome this innovation!
As the US demonstrated during the recent massive-clusterfuck-in-a-casino financial meltdown, advances in technology and worker productivity now allow the production of enough fraud to supply the entire industrialized world by a relatively small number of highly trained knowledge workers!
Why, then, should we have an inefficient, unproductive, labor force of blue collar criminals laboriously committing fraud, by hand, like some sort of pre-industrial master/apprentice nonsense, when we have massively more efficient fraud production technology available?
According to new research, chip-based "Smartcard" credit and debit cards - the next-generation replacement for magnetic stripe cards - are vulnerable to unanticipated hacks and financial fraud ref.
Same 16 digit code, expiration date and CCV?
Actually, RFID with no PIN is a massive step backwards from mag-stripe, sure mag-stripe could be easily copied, but RFID doesn't even have to leave your pocket to get copied, and there are many proof of concepts in the wild for this already.
I live somewhere where ALL credit and debit cards have chip and pin, unfortunately almost all the credit cards also have RFID. I've had long arguments with my banks and finally managed to get non-RFID cards, but it's really hard to get back up to the level of security provided by mag-stripe
And to be clear, although all our cards have chip and pin, they also all have mag-stripe, so the cards themselves aren't actually any more secure than they were before, but because most stores (not all) also use chip instead of mag-stripe, you don't generally give away your card to let the staff skim them anymore.
There is NO CONTACTLESS EMV. That is something else, RFID or NFC.
And not at all the same thing.
deleting the extra space after periods so i can stay relevant, yeah.
Chip and pin is an obsolete solution. Sure point of sale in person fraud went way down in Europe but online and telephone fraud went way up making total fraud almost the same. Meanwhile merchants lost the ability to contest fraud and had to pay for card readers. It's expensive to replace lost cards. And it's been hacked multiple times already so it's not secure.
The only silver lining here is that forcing merchants to pay for new point of sale terminals will force an upgrade that can slipstream in Apple Pay which is the right solution. Tokenized one time payments that can be used for Internet sales or provided with parental controls and instantly replaced by the end user if lost are the safe modern approach.
Some drink at the fountain of knowledge. Others just gargle.
Chase Visa Freedom sent me one of those chipped credit cards a month after I thought about asking for it for upcoming trip to Europe on vacation.
The instructions that came with it said that there is no pin code for the card and that it still comes with the magnetic strip and can be used normally like that. So it appears that the presence of the chip is only for compatibility and compliance with a new standard not actual security since it falls back to the insecure magnetic strip or even less secure numbers or legacy embossed raised numbers for carbon copy. The RFID contactless feature is now gone also.
In the popular car analogy meme for this site, using the chip is like pressing the car door open button on your wireless car key fob; but you could also use the physical key to open the door normally, or why bother when the car is unlocked in the first place since the embossed card number is easily stolen and can be used to charge online, still without even the name or CCV2 on some merchant plugins.
I feel that the chip might be used against the consumers and merchants since when it becomes compromised or copied the card company will shift the blame to them claiming that the physical cards must have been present since their infallible security chip is uncopiable.
I used to vacation around the Southwest US. At that time there wasn't credit fraud like today. Use Cash. It's accepted everywhere.
How many credit cards do you have? Plus you can change the PIN to whatever you want.
I don't think many people realise that the contactless system widespread in credit cards is not secure. It's ironic that the system implemented by Visa/MasterCard does not even pass PCI DSS standard. There is no encryption or authentication. Only the more expensive chips on passports have encryption. Wireless credit cards give out:
- Your name.
- Your account number.
- Your transaction history (usually last 64 transaction amounts, times and dates, and payment terminal identifier).
- All credit card numbers excluding CCV.
Also the claims that you cannot read from more than a few inches away are bull crap. The standard readers have to have antenna and signal strength to read only up to 5cm. However you can put any high gain antenna and transmit amplifier you want. It uses standard EMV which you can buy for $20. A small backpack concealed system can work up to 1.5 METERS. A large antenna setup on the card reader could extend this to 50m+!
I have 5 credit or debit cards in my wallet. And 1 EMV card. 1 company that takes security seriously. And whose card is that? Of course, it's the card that I use to operate the laundromat. Not Bank of America. Not my credit union.
EMV is hacked not because EMV is theoretically secure but the implementations of it are botched. Predictable unpredictable numbers, transactions not testing cypher validity or the incrementing number are hacks in widespread use right now. The easiest hack of all is to move the card number from Europe to any country that does not yet use EMV. All the EMV cards work in those countries by reverting to just mag stripe signature cards. Yeah, you could implement geo-locking but once again, they haven't done the implementation right. Chip and pin on ATM cards is also being exploited by card snatchers in false fascia of ATM machines (they video your pin, then physically steal the card, unlike the mag stripe which doesn't have to be physically inserted all the way into the machine to work).
http://krebsonsecurity.com/201...
http://www.telegraph.co.uk/new...
http://krebsonsecurity.com/201...
http://krebsonsecurity.com/201...
http://www.banktech.com/fraud/...
Some drink at the fountain of knowledge. Others just gargle.
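As an added illustration of two of the implementation failures the comment above names (predictable "unpredictable numbers" and unchecked incrementing counters), here is a sketch of issuer-side checks run over constructed authorisation records. It is not code from the thread or from any EMV specification; the record layout, thresholds and function names are assumptions, while 9F37 and 9F36 are the EMV tags for the terminal Unpredictable Number and the card Application Transaction Counter.

```python
from collections import defaultdict

# Constructed sample authorisation records (not real data), in arrival order.
# "un"  = EMV tag 9F37, terminal Unpredictable Number (4 bytes, hex)
# "atc" = EMV tag 9F36, card Application Transaction Counter
SAMPLE = [
    {"terminal": "T-001", "card": "card-A", "un": "0013A2F0", "atc": 41},
    {"terminal": "T-002", "card": "card-B", "un": "9C41E07B", "atc": 7},
    {"terminal": "T-001", "card": "card-A", "un": "0013A310", "atc": 42},
    {"terminal": "T-002", "card": "card-B", "un": "1F02B6D4", "atc": 8},
    {"terminal": "T-001", "card": "card-C", "un": "0013A33A", "atc": 3},
    {"terminal": "T-002", "card": "card-A", "un": "E37A0915", "atc": 42},
    {"terminal": "T-001", "card": "card-C", "un": "0013A350", "atc": 4},
    {"terminal": "T-002", "card": "card-B", "un": "5B8CD2A1", "atc": 9},
]


def weak_un_terminals(records, min_samples=4, max_step=0x1000):
    """Flag terminals whose 9F37 values repeat or behave like a counter.

    A terminal is flagged when it reuses a value, or when every successive
    value is only a small positive step (<= max_step, an assumed threshold)
    above the previous one, which is what a timer or counter looks like.
    """
    by_terminal = defaultdict(list)
    for rec in records:
        by_terminal[rec["terminal"]].append(int(rec["un"], 16))

    flagged = set()
    for terminal, uns in by_terminal.items():
        if len(uns) < min_samples:
            continue  # too few observations to judge
        steps = [(b - a) % 2**32 for a, b in zip(uns, uns[1:])]
        reused = len(set(uns)) < len(uns)
        counter_like = all(0 < s <= max_step for s in steps)
        if reused or counter_like:
            flagged.add(terminal)
    return flagged


def atc_anomalies(records):
    """Return (card, atc) for transactions whose 9F36 did not increase.

    A genuine chip increments its ATC on every transaction, so a repeated
    or lower value suggests a replayed or pre-recorded cryptogram.
    """
    last_seen = {}
    anomalies = []
    for rec in records:
        previous = last_seen.get(rec["card"])
        if previous is not None and rec["atc"] <= previous:
            anomalies.append((rec["card"], rec["atc"]))
        else:
            last_seen[rec["card"]] = rec["atc"]
    return anomalies


if __name__ == "__main__":
    print("terminals with weak UNs:", sorted(weak_un_terminals(SAMPLE)))
    print("ATC anomalies:", atc_anomalies(SAMPLE))
```
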
Convenience vs security trade off.
There's limited damage you can do with a copy of the RFID chip. I think it's in the order of $50 / vendor / day and even that is covered by fraud protection.
But don't pretend that this is a step backwards. Anything + signature was orders of magnitude worse for you than anything + pin. With a copy of your magstripe you were effectively robbed of whatever your credit limit was without the borderline not worth your while limit.
if you're using one-time pad encryption, which Apple Pay does.
US businesses are as incompetent and insecure as Sony, but can be provoked into taking absolutely minimal action when their profits are under direct threat by sufficiently powerful financial organizations. You mean nothing, you never have, you never will. You have no say, you have no power, you have no rights, you cannot walk away. You aren't the customer, merely the product. Easily replaced if damaged.
You aren't getting security because security matters. You aren't getting security because you matter. You're getting it because two vendors and a trading bloc said so.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Because maybe I know that MITM attacks aren't the only way things become compromised.
Software flaws are becoming increasingly attractive attack vectors for criminals.
Also perhaps it's also because Apple has a terrible track record for taking responsibility for stuff ups and blaming the user when it all goes horribly wrong.
My experience is fanboys tend to ignore the facts and go after the person making the statement, ad hominem is easier than rational argument. Thanks for reinforcing that.
Calling someone a "hater" only means you can not rationally rebut their argument.
This is why a move towards digital e-currency could provide an added protection for consumers. They have a secure backbone that prevents fraud from taking place.
My wife has a small company that accepts credit cards. As the parent comment points out, the credit cards want to push liability for fraud onto the merchants. This has two aspects:
- First, the physical card: Chip and pin is standard here, which would be fine, but don't think your fees go down when they hand you the liability. My wife has, to my knowledge, never had a case of fraud in 20 years, but that doesn't matter either. Mastercard/Visa are completely in collusion, there is no competition, they can demand whatever fees they want.
- Second, the Internet: I wrote her first web-shops, including the payment processing. This has become completely impossible. The credit card companies impose ever more impossible rules. Ultimately, if you handle credit card numbers electronically, they began insisting on quarterly audits of your IT infrastructure. We used an ISP - so they were going to insist on auditing the ISP infrastructure. Our ISP was - shockingly - actually ok with this, but the whole nightmare just got too complicated. In the end, the rules appear to be nothing but a way of forcing you to use their approved payment processors - yet another way to suck money out of merchants.
Will some Internet payment service please, please spring up and actually give Mastercard/Visa some real competition? Paypal has been largely co-opted, Bitcoin is a joke - we need something that your average Joe can and will use. So far, nothing...
Enjoy life! This is not a dress rehearsal.
My wife just got a new card with a chip and PIN. I forget the bank, either Chase or Barclay I think.
Mostly though, you are right - we are getting cards with chips and no PIN.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Apple Pay works just as well as using a traditional CC for payment, only it's even MORE secure than chip+PIN (and way more secure than the old number only system).
Apple has also solved online payments too since you can use ApplePay with websites. That's slower to roll out but I see that making big gains in just a year or two since again, it's easier and more secure than using a "real" credit card to pay online, with zero risk of a hack letting thieves be able to charge to your card.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So it's hardly surprising if the US receives the highest amount of fraud. It's trivial to skim the details because it's all stored on the magstripe, stores hold the info in arcane systems, there is no authentication and there is no financial burden on the store if fraud occurs.
Chip and pin isn't perfect but it's FAR better than the US system. In Europe every business has a chip and pin device. Restaurants have a portable chip and pin device. Supermarkets and stores have one at the cashier. You pay by sticking the card in the device and authenticating with it. There is less scope for the card to be skimmed because the card never leaves the customer's hands. There is less scope for a malicious store because authenticating and authorisation is via a secure payment system.
Ideally cards wouldn't even have a mag stripe any more. Give businesses 5 years to replace their decrepit equipment and banks to upgrade their ATMs and then get rid of them. Chip and pin and NFC cover the same use cases and provide better security into the bargain.
Yes, it's easy to manufacture and attach fake ATM fronts....
EMV means that card present fraud effectively disappears overnight. The liability shift is not to you, it's to merchants that do not accept Chip and PIN, or Banks that do not issue it. Your position is exactly the same as it was before the shift. The difference is that payment networks will no longer accept liability for insecure card-present payment methods which is not unreasonable.
Online/card-not-present transaction fraud is entirely different and EMV is not designed to deal with it, so it's no surprise it doesn't. For THAT all the networks are implementing payment token support which I expect to see become mainstream over the next couple of years. The tokens will be limited time use alphanumeric strings that have specific values - basically "ApplePay" is re-branded Visa Tokenization. Mastercard already have PayPass Online but that is a digital wallet and their newer solutions will abstract the path to the cardholder's account, Discover and AMEX are also implementing something similar, as are the regional switches in the States.
Rational thought is the only true freedom
Two companies. Mastercard bought (or merged with) Europay, so the E and M in EMV are the same company now.
Rational thought is the only true freedom
Unfortunately, peak fraud is ahead of us with the widespread adoption of a poor implementation of RFID. The EU and ROW were wise to jump to chip and pin while the US dragged its feet for a decade with cashiers expected to be CSI signature verification specialists. But the move to pinless RFID rolls security back to the days when cashiers were expected to peer through lists of bad credit card numbers. Actually it's worse than that because card dup information is conveniently broadcast on 13.5 MHz, in the 22 meter amateur radio band. This is a great frequency for over the horizon broadcasting in summer. Not so good for secure communication over a distance that is supposed to be in the range of a few centimeters.
It's sad because properly implemented RFID has the potential for enhancing the security of paypoint transactions. This implementation will have so much fraud, people will forever associate RFID with fraud.
I'm from Europe and I have had such cards for 10 years.
I was hit twice by thieves, once an hotel reception guy in Rome copied my card details and bought stuff for 4500€ online, another time it was a restaurant in London who did the same thing.
Both times a simple email was enough to avoid having to pay, but chips don't help there.
They only make copying the cards themselves a bit more difficult.
You still have to check your account carefully each time.
NFC was first cracked on cell phones.
It doesn't even matter. NFC can send the number in plaintext for all I care. The Apple Pay app generates a one-time card number. After it hits the reader, it is useless.
http://techcrunch.com/2014/09/...
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
Look at some of the proof of concept hacks in the field.
With RFID people are able to copy enough details to generate a mag-stripe without your card ever leaving your pocket. Meanwhile, merchants are trained that if the chip on a card doesn't work to revert to mag-stripe.
So now we have exactly the same insecure mag-stripe transactions, and at the same time we can now copy the mag-stripe without even seeing the card.
Sure, chip and pin is more secure, but only if you get rid of RFID and mag-stripe, neither of which is happening.
Is that right? How do they make money?! They must be unloading that burden on the merchants or selling the customer's data out for major bucks. Bitcoin! We need you to spread.
The cost for fraud is shifted to the merchant if their technology is not up to the level of the banks. If the retailer has high enough tech level, the liability is shifted to the customer.
The day of you denying charges is about over, even if someone used a PIN device to fool the retailer.
This does improve some security for the retailer network/software when dealing with the CCs but it's a lot like saying DVDs are secure because they are encrypted. Is it secret, is it safe? No, it's not.
The EMV web site disagrees with you. Just because they used existing communication standards for their specification doesn't mean it's not contactless EMV.
Yes I have read the specs. Contactless mode is not an EMV communication. It doesn't use the chip. It is essentially a mag stripe transaction via RF, similar to NFC.
In contactless mode, mag stripe mode must always be supported, while EMV chip mode is optional.
it looks like book C-5 fully described this, going past the mag stripe mode.
Feh. I wonder if all cards will have RF-activated chips.
deleting the extra space after periods so i can stay relevant, yeah.
Payment cards, as in train passes etc perhaps, but my experience has been that overall Japan has a comparatively low credit-card penetration compared to North America, and in many areas is still very cash-centric. It's a bit of a shock to find that even many major chains (McDonalds, etc) don't necessarily take Visa in Japan.
Oh yeah I fully know that, but it is entirely irrelevant.
The introduction to chip+pin is just step one of the process towards security. So someone copies my RFID and generates a magstripe as a result. Here is what happens:
They swipe the card and it says insert chip. That's it. There's nothing they can do about it. It's not the merchant's decision on what to do with the card, it's the terminal and issuer's decision. The only time a swipe is accepted is if the chip fails to read and the bank approves the swipe.
Okay next step down the rabbit hole: 2 years after the introduction of chip+pin, signatures are now no longer valid. If I go through the process and the device approves the swipe I STILL NEED A PIN. There's no two ways about it now. You cannot complete a transaction over $50 (although another comment here said $100 so I'm not sure anymore) without a pin number.
That's what we're going towards. The liabilities still fall on the banks for fraud and even with chip+pin+RFID+mag we in Australia and Europe are now in a much better place than the USA has ever been with how complicated credit card fraud has become.
"Give me control of a nation's money supply, and I care not who makes its laws." --Rothschild in 1744.