Slashdot Mirror


Credit Card Fraud Could Peak In 2015 As the US Moves To EMV

dkatana writes Some analysts expect fraud to increase this year as thieves will step up their efforts to capture more credit card details before the Europay, MasterCard and Visa (EMV) standard conversion goes into full throttle. The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless. The U.S. is finally making the transition to secure cards based on the European EMV standard, mostly because of the liability shift imposed by the three big credit card brands — Visa, MasterCard and American Express. The European Union, where EMV became standard ten years ago, has the lowest level of credit card fraud in the world, while the U.S. accounted for 47.3% of the worldwide payment card fraud losses but generated only 23.5% of total volume.

66 of 449 comments

  1. Worry it not... by zoffdino · · Score: 2

    Worry it not, minions. We won't steal money from you again. We will steal it directly from the source - the big fat banks. And we will grab your password and purchase history and personal details along the way. -- signed, the Internet Barron.

  2. Well... by duck_rifted · · Score: 3, Insightful

    Time to make a Faraday Cage wallet.

    1. Re:Well... by Nos. · · Score: 2

      Just because it has the chip and pin portion doesn't mean it has to have the contactless part as well. My debit and credit card for years (in Canada) were chip and pin, but not contactless. I just recently got cards that are contactless. Given that the maximum transaction size is $50 and it's a one time thing, I'm not really that worried about it, especially when it comes to my credit card where I have $0 liability.

    2. Re:Well... by w_dragon · · Score: 3, Informative

      One of my RFID-enabled cards came with a blocking sleeve for it. We've had these for years in Canada.

    3. Re:Well... by dAzED1 · · Score: 2

      except for the fact that many of the current (and EMV compliant) cards still offer the magstripe fallback info FROM THE RFID ITSELF, because...stupid (see the many hacking demonstrations of such cards). And as others have pointed out, most of the RFID systems don't require a pin. And I also don't want to deal with letting a machine pick which of the 6 cards in my "wallet" I want to use to pay with, since a contactless tap won't tell the difference. Yes, I have 3 different Visas, 2 AMEXs, and a MC. And that's not at all unusual. I really really hate, on a security and convenience level, that the RFID "contactless" stuff is being pushed so hard on unwilling people.

    4. Re:Well... by jenningsthecat · · Score: 3, Informative

      Time to make a Faraday Cage wallet.

      Time to permanently disable contactless payment on all your cards.

      Apparently the banks and credit card companies in some countries will send you a new card without the RFID on request. But here in Canada at least one company simply refuses to do this. My bank DID disable contactless payment on my new debit card in their records, but of course the RFID is still physically intact so there's no guarantee that it won't suddenly start working as a result of some administrative fuckup. I'm going to call about my new credit card, but I'm pretty sure they'll tell me politely to piss off. At that time I plan to get out my drill, put a hole in the appropriate place, and test. If it disables Tap and Pay, then all of my cards will get the same treatment.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.

    5. Re:Well... by omnichad · · Score: 2

      EMV has nothing at all to do with RFID cards

      Yes, it does. EMV specifies both a contactless and a direct chip contact method. It just so happens that contactless EMV matches the specifications of PayPass and PayWave. Which makes sense, considering they are the M and V of EMV.

  3. Re:someone explain for the ignorant by gutoandreollo · · Score: 5, Informative

    Your next credit card (in a couple years) will probably have a chip-and-pin system, which cannot be easily cloned as the magstripes of today can. The analysts cited believe fraud will escalate soon, while most people still DON'T have a chip-and-pin card, since defrauding those people will be harder in a couple years.

  4. Re:US: Welcome to the present by DiSKiLLeR · · Score: 4, Insightful

    Ya, no shit. As someone who is from down under, holy CRAP America is in the dark ages when it comes to its banking and communications systems.

    Jesus christ.

    And the funny thing is, they are so blissfully unaware things are better elsewhere in the world because none of them ever go anywhere anymore.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.

  5. Re:someone explain for the ignorant by ArmoredDragon · · Score: 2

    I've already got two, both of which I acquired this week after switching from a card that yielded a lower cash back reward percentage. Neither have a contactless component (which I assume means some kind of RFID/NFC chip.)

    Haven't yet seen any vendors with an ISO7816 reader though. Last time I used one of those for a payment method was when I was in the Army, and that was over 13 years ago. Obviously the technology hasn't caught on anywhere besides AAFES stores.

  6. Re:someone explain for the ignorant by stevel · · Score: 4, Informative

    Chip yes, PIN, no. In the US, "Chip-and-signature" is what we get, with extremely rare exceptions. It is more secure than the magstripe to stop massive hacks such as Home Depot and Target, but does nothing to stop stolen card fraud. Note that if your card does not support chip-and-PIN (it can support it even if it's not the default, but US banks aren't doing this), then you can't use the card at many automated kiosks (train stations, etc.) outside the US.

    I disagree with the summary that contactless goes along with the chip - it doesn't. There are some banks offering contactless payment cards, but this is not common right now.

  7. Re:someone explain for the ignorant by Nutria · · Score: 2

    One thing that I wonder about is the definition of "fraud".

    If C&P isn't as secure as banks say, can the bad guys steal people's money but the banks deny it, saying that C&P is secure?

    --
    "I don't know, therefore Aliens" Wafflebox1

  8. Re:someone explain for the ignorant by Harlequin80 · · Score: 4, Informative

    As at the 1st of August last year you were no longer able to sign for purchases on your credit card in Australia. A pin became required for every transaction.

    With regards to a contactless payment system, it is referred to here universally as paywave (even though that is Visa's name for it) and my AMEX, Visa and Mastercards all support that functionality. The contactless system allows an up to $100 purchase just by tapping your card on the reader. Kinda scary if you lose your wallet but soooooo convenient. Total transaction time is around 1 second.

  9. Re:US: Welcome to the present by Harlequin80 · · Score: 2

    Lol. Given that chip and signature is no longer allowed in Australia it seems kinda funny that the US is moving to a system that was abandoned because it wasn't secure enough.

  10. Re:Black Hat 2014: A New Smartcard Hack .. by green1 · · Score: 2

    The difference is that because these cards are "fraud proof" the bank will refuse to reimburse you for the fraud, and will instead leave you on the hook for the bill. In some cases the banks have actually had people arrested for daring to say that they were the victims of fraud.

    The credit card companies aren't doing this for you, they aren't doing it for security, they're doing it to shift the risk.

  11. Re:someone explain for the ignorant by rickb928 · · Score: 4, Informative

    EMV is NOT contactless. If your new card(s) include electrical contacts, It's EMV .

    --
    deleting the extra space after periods so i can stay relevant, yeah.

  12. Re: US: Welcome to the present by dg41 · · Score: 2

    We have neither the money nor the vacation time to go anywhere.

  13. Re:someone explain for the ignorant by dAzED1 · · Score: 2

    and I really, really don't see how that's an improvement to security. Why the fark are we doing contactless, and not just going with the chip+pin?

  14. Re:someone explain for the ignorant by rickb928 · · Score: 4, Informative

    Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

    Britain has had a lot of trouble with this.

    --
    deleting the extra space after periods so i can stay relevant, yeah.

  15. Re:What about the online use of these cards? by pla · · Score: 3

    Great question! I had wondered about this myself - How does C&P really make the card more secure if you still basically just need a photocopy of it to use it? Or do they have an entirely different mode of operation when used online (like easy generation of disposable one-use card numbers)?

    Not that it matters - US vendors will fight this to the bitter end. I already have cards with a chip in them (not sure about the "pin" part, since I certainly don't know any pin to use with them), one of which I've had for over five years. And I have *never* found a merchant that it works in any mode other than "swipe and sign". My local supermarket actually has readers compatible with them - And have intentionally disabled that feature because it "confuses" people - Damned straight, it confuses people! It confuses the hell out of me that you've intentionally made your readers insecure, and that after a major breach a few years ago!

    Fuck the PCI, and fuck merchants. Give me security or pay me real penalty-money when your latest data breach results in my identity getting stolen. None of this "$50 maximum liability" bullshit - You lose my identity, BAM, $100k in my pocket. Anything less, and we'll keep hearing about the latest record-breaking breach-of-the-week.

  16. Re:someone explain for the ignorant by stevel · · Score: 3, Interesting

    Yes, in fact they can, and this has happened in Europe. One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder. In the US, all the card issuers assume liability for fraud, no matter what, so there is less incentive to require a PIN.

    The article you linked to is informative, but as the US transitions to EMV, it will become harder for thieves to use magstripe cards.

    As I noted earlier, the biggest benefit of EMV, with or without PIN, is that merchants and payment processors aren't holding on to vast quantities of card numbers, and card skimming becomes far more difficult.

  17. Re:someone explain for the ignorant by Harlequin80 · · Score: 2

    Chip & pin is more secure than chip and signature. Simply because your average pleb can't tell a genuine signature from a forgery.

    The setup in Australia means a pin is not required for transactions of under $100 but is required for transactions over. I assume that the risk assessment from the card companies is that under $100 exposes them to a small risk for the increased usage that using contactless creates. Anecdotal evidence is that when my mastercard went contactless but my amex wasn't I pretty much stopped using the amex even though I got twice the points (money even comes out of the same account). It took 3 months before a shiny new amex card arrived in the post. Also everywhere here has a card machine, even the pubs & clubs accept card at the bar so a lot of people have stopped carrying cash.

    Honestly they are not aimed at the same problem. I had a credit card scanned and then used when I was travelling. The crim did a small transaction first and then bought 25k worth of flights. My bank immediately locked the card and while it was a pain to have my card stop working I wasn't out of pocket and I had a new card in 3 days. I think there is now a physical risk if you lose your wallet but the card companies have said they will cover any transactions that occur after you have lost the card as long as you notify them within 48 hours.

  18. Re:Captial One started awhile ago... by dAzED1 · · Score: 2

    "and it is more secure" why on g-d's green earth would you possibly think that, when it can be hacked by someone standing next to you on the bus (as demo'd many times)?

  19. Re:Black Hat 2014: A New Smartcard Hack .. by Harlequin80 · · Score: 5, Informative

    Rubbish.

    I have had credit card fraud on a card of mine that had a chip and pin. The crim racked up $25k in flights in a couple of hours. I got a call from my bank asking me about the transactions as it had set off alarms, I said it wasn't anything I had done. Card got cancelled immediately, new card arrived 3 days later and the $25k was immediately refunded. The bank then went through every transaction for the last 3 months and flagged ones they thought were suspicious and once I confirmed they were nothing to do with me those too were refunded.

    My experience has always been very positive when it comes to issues with my cards.

  20. Re:What about the online use of these cards? by Harlequin80 · · Score: 5, Informative

    My bank has an additional layer of security for when you purchase online. When you purchase with the credit card it spawns a page that comes from my bank. I gave it a personal statement that it uses to show that it is real - ie "Your wife's favourite food is potato chips" and then it asks for a password. If I give the correct password the transaction will go through.

  21. Re: someone explain for the ignorant by Harlequin80 · · Score: 2

    Maybe it is a state or region thing then. Everyone I know in Brisbane calls it PayWave. PayPass is the Mastercard brand name

  22. Re:someone explain for the ignorant by gstoddart · · Score: 2

    Honestly, it means what Europe was using 20 years ago, and what much of the world has been using for at least 10 years is slowly being adopted by American banks.

    In the mid 90's we talked about chip-and-pin cards in a crypto class, and I knew people from France who had them. I've had one in my pocket for at least 10 years.

    Essentially American banks move at glacial speed, and are taking up what is now fairly old technology.

    Why do American banks move so slowly? I can't say.

    --
    Lost at C:>. Found at C.

  23. Re:someone explain for the ignorant by Fnord666 · · Score: 2

    As for mail order, I'm sure Visa/MC will continue to have a web object that pops up, asks for a PW or PIN, which is used for shopping via the Internet.

    This is truly where credit card fraud is going to go in the next few years. As EMV rolls out in the US (finally!) credit card fraud is going to move online. Card not present transactions will be the next target and participation in multifactor authentication schemes like Verified By Visa and MasterCard SecureCode will become critical and possibly even mandatory.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  24. Re:someone explain for the ignorant by Hadlock · · Score: 4, Interesting

    I got a warning message in Spanish when I took out money from the ATM in Cartagena, Colombia (Caribbean edge of northern South America). Since my money came out ok I didn't pay it much attention. My buddy who spoke Spanish, however, was pretty amused.
     
    He said, "Did you see that warning message?" "Yeah?" "That warning message is telling you your card only has a magnetic stripe, and no secure chip-and-pin system which is really insecure and you should ask your bank to upgrade it for you. This is the same system the Europeans use. Fuckin' Colombia's banks, in South America is a decade ahead of the United States banking system when it comes to technology. Typical."

    --
    moox. for a new generation.

  25. Re:US: Welcome to the present by misexistentialist · · Score: 3, Interesting

    Maybe because Americans carry 10 cards? How the fuck are they supposed to remember which PIN goes with which? Not very secure to set the PIN the same for all of them.

  26. Re:someone explain for the ignorant by ArmoredDragon · · Score: 4, Informative

    Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

    This is not at all the case in the US.

    When TFS says liability shift, they're referring to the merchants (at least, in the context of the US anyways.) The merchants have an agreement with visa, mastercard, et al (and the banks) that determines who is liable in the event of fraud. Presently mastercard/visa/amex assume most of the liability (and they very well better for the transaction fees they charge.)

    Visa and mastercard have issued an ultimatum of sorts to the merchants saying that this will only continue for magnetic stripe until the end of 2015, after which the merchant assumes liability for fraud. The merchant can avoid that by simply replacing their POS systems with a chip and pin system, in which case visa/mastercard assume most of the liability.

    For you as the card holder however, nothing has changed in that regard: The law in the US still stipulates that credit card holders can only be liable for up to $50 (which most banks waive these days.)

  27. PayWave and PayPass - Totally insecure. by sectokia · · Score: 2

    I don't think many people realise that the contactless system widespread in credit cards is not secure. It's ironic that the system implemented by visa/MasterCard does not even pass PCI DSS standard. There is no encryption or authentication. Only the more expensive chips on passports have encryption. Wireless credit cards give out:

    - Your name.
    - Your account number.
    - Your transaction history (usually last 64 transaction amounts, times and dates, and payment terminal identifier).
    - All credit card numbers excluding CCV.

    Also the claims that you cannot read from more than a few inches away are bull crap. The standard readers have to have antenna and signal strength to read only up to 5cm. However you can put any high gain antenna and transmit amplifier you want. It uses standard EMV which you can buy for $20. A small backpack concealed system can work up to 1.5 METERS. A large antenna setup on the card reader could extend this to 50m+!

    1. Re:PayWave and PayPass - Totally insecure. by sectokia · · Score: 2

      I never said anything about cloning. You are being misled by corporate double speak. It is true that the cards cryptographically generate a key, similar to a CCV, so you cannot read a card to make a copy of it, nor use it for fake transactions (which is all banks care about). All other information however is available, including your name, card number, expiry, Mag stripe data - all in the clear, along with a memory block of past transactions. That info can be made to make online transactions (by brute forcing the 3 digit CCV - which only has 1000 combinations). Not to mention you can make a complete working magnetic version from that info. It is secure from their point of view in that you can't clone a card and do fake transactions. However from a privacy point of view it's wide open. It was actually made to transmit in open all the info you can see or read magnetically to mirror the physical card.
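Two of the issuer-side signals mentioned in this thread can be checked mechanically: the comment above notes that a three-digit CVV only has 1000 possibilities, so anyone holding clear-text card data without the CVV would have to produce a burst of CVV mismatches against one account; and Harlequin80's comment earlier describes the fraud on his chip-and-pin card as a small probe transaction followed by a large purchase that "set off alarms". The following is an added example, not code from the thread or from any bank or processor, showing both heuristics run over a constructed authorization log. The log format, the hashed account identifiers, the thresholds and the sample records are all assumptions made for the example.

```python
"""
Card-fraud signal detection over an authorization log (added example).

Two issuer-side heuristics are demonstrated:
  1. card-testing: many CVV mismatches against one account in a short window
     (what a holder of clear-text card data without the CVV would produce);
  2. probe-then-spike: a small approved transaction followed within a few
     hours by a large approved spend on the same account.
Log format, thresholds and records below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    pan_hash: str      # hashed account number; the PAN itself is never logged
    merchant: str
    amount: float
    cvv_match: bool
    approved: bool


# Constructed sample log: 'ISO-timestamp|pan_hash|merchant|amount|cvv=ok/bad|auth=ok/decline'
SAMPLE_LOG = """
2015-01-20T10:00:00|h_a1|web-shop-1|19.99|cvv=bad|auth=decline
2015-01-20T10:02:00|h_a1|web-shop-2|19.99|cvv=bad|auth=decline
2015-01-20T10:04:00|h_a1|web-shop-3|19.99|cvv=bad|auth=decline
2015-01-20T10:06:00|h_a1|web-shop-1|19.99|cvv=bad|auth=decline
2015-01-20T10:08:00|h_a1|web-shop-4|19.99|cvv=bad|auth=decline
2015-01-20T10:10:00|h_a1|web-shop-2|19.99|cvv=bad|auth=decline
2015-01-20T11:00:00|h_b2|cafe|2.50|cvv=ok|auth=ok
2015-01-20T13:30:00|h_b2|airline|24850.00|cvv=ok|auth=ok
2015-01-20T09:00:00|h_c3|grocery|84.10|cvv=bad|auth=decline
2015-01-20T09:01:00|h_c3|grocery|84.10|cvv=ok|auth=ok
""".strip().splitlines()


def parse_log(lines):
    """Parse the constructed log format into AuthAttempt records, oldest first."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, pan, merchant, amount, cvv, auth = line.split("|")
        out.append(AuthAttempt(
            ts=datetime.fromisoformat(ts),
            pan_hash=pan,
            merchant=merchant,
            amount=float(amount),
            cvv_match=(cvv == "cvv=ok"),
            approved=(auth == "auth=ok"),
        ))
    return sorted(out, key=lambda a: a.ts)


def cvv_testing_signals(attempts, max_failures=5, window=timedelta(minutes=30)):
    """Return {pan_hash: peak failure count} for accounts whose CVV mismatches
    exceed max_failures inside any sliding window of the given length."""
    by_pan = defaultdict(list)
    for a in attempts:
        if not a.cvv_match:
            by_pan[a.pan_hash].append(a.ts)
    flagged = {}
    for pan, times in by_pan.items():           # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[pan] = max(flagged.get(pan, 0), count)
    return flagged


def probe_then_spike_signals(attempts, probe_max=5.0, spike_min=1000.0, gap=timedelta(hours=6)):
    """Return {pan_hash: (probe_amount, spike_amount)} where an approved charge of at
    most probe_max is followed within gap by an approved charge of at least spike_min."""
    by_pan = defaultdict(list)
    for a in attempts:
        if a.approved:
            by_pan[a.pan_hash].append(a)
    flagged = {}
    for pan, txs in by_pan.items():
        for i, probe in enumerate(txs):
            if probe.amount > probe_max:
                continue
            for later in txs[i + 1:]:
                if later.ts - probe.ts > gap:
                    break
                if later.amount >= spike_min:
                    flagged[pan] = (probe.amount, later.amount)
                    break
            if pan in flagged:
                break
    return flagged


def scan(lines):
    """Run both detectors over raw log lines."""
    attempts = parse_log(lines)
    return {
        "cvv_testing": cvv_testing_signals(attempts),
        "probe_then_spike": probe_then_spike_signals(attempts),
    }


if __name__ == "__main__":
    for signal, hits in scan(SAMPLE_LOG).items():
        print(signal, hits)
```

On the sample log the card-testing detector flags only `h_a1` (six mismatches in ten minutes, across several merchants), while `h_c3`'s single mistyped CVV stays below the threshold; the probe-then-spike detector flags `h_b2` for the $2.50 charge followed by the $24,850 one. The thresholds are deliberately simple; a real issuer would tune them per portfolio and combine them with merchant and geography features.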

  28. Re:someone explain for the ignorant by Jack+Griffin · · Score: 2

    Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

    You sort of imply that this shouldn't be the case? I'm no expert but just wondering how a crook could get a PIN other than lack of reasonable protection from the owner? It seems a whole lot more secure than a scribble which is extremely trivial to imitate.

  29. Re:someone explain for the ignorant by hjf · · Score: 3, Informative

    I'm in Argentina. My CC terminal (VeriFone VX520, issued by Visa since visa has this racket that you can only rent, and not own, CC terminals from them or Mastercard) has an EMV reader. Only really new cards in Argentina have this, and out of pure curiosity I tried it with a client's instead of the mag stripe and it worked fine.

    Visa has been issuing these units for a couple of years and before that they had another model which also had an EMV reader. It's right under the keyboard. You stick the card in (like you do on an ATM) and you feel it "clicks" on a little switch that enables the chip.

    So probably you have seen EMV readers. You just don't know you have.

  30. Re:someone explain for the ignorant by hjf · · Score: 2

    I stand behind you in the line, see you type your PIN into the terminal, wait for you outside, mug you, then use your card.

    Really? You couldn't think of that one? It is that easy. They sell little "shades" for CC terminals to avoid this, but they are accessories. Most CC terminals don't have them.

  31. Re:someone explain for the ignorant by liquid_schwartz · · Score: 3, Funny

    By many measures including inequality, public infrastructure, primarily exporting agriculture, bought and paid for politics, etc the US *is* a third world country

  32. Re:someone explain for the ignorant by Hadlock · · Score: 2

    Driving through the gulf coast from Houston to Miami was a real eye-opener for me. I've been to 20+ countries and the closest thing I can compare their standard of living is to rural Peru.

    --
    moox. for a new generation.

  33. There's no concern using RF by Brannon · · Score: 2

    if you're using one-time pad encryption, which Apple Pay does.

  34. Re:someone explain for the ignorant by Z00L00K · · Score: 2

    It's still better than the magnetic stripe. But I agree - it's not as secure as it can be.

    Compromised card readers are one item that can be used to spoof cards.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.

  35. Translation by jd · · Score: 2

    US businesses are as incompetent and insecure as Sony, but can be provoked into taking absolutely minimal action when their profits are under direct threat by sufficiently powerful financial organizations. You mean nothing, you never have, you never will. You have no say, you have no power, you have no rights, you cannot walk away. You aren't the customer, merely the product. Easily replaced if damaged.

    You aren't getting security because security matters. You aren't getting security because you matter. You're getting it because two vendors and a trading bloc said so.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  36. Re:someone explain for the ignorant by Psyko · · Score: 2

    Just about a month ago I got an EMV-chipped card from my bank. The grocery stores and a few other shops near me have that same type slot reader under the keypad you mentioned. I've been sticking my card in all of them when it prompts for an insert/swipe but I don't know if they're just not enabled around here or what because it never works and I always have to fall back to the mag strip.

    The thing I don't like about it, is on the signature block on the back of the card I just write check id, then I put clear tape over the sig block and the cvv so it doesn't wear off (I've worn off the cvv #'s before...). Anyway, so my old card had a picture of me on the front of it. The new one doesn't. So now if someone actually does bother to read where it says check ID, instead of just me saying look at the picture, I have to pull id as well (which is either an RFID Drivers license, or an RFID enabled passport card). So for now, I kind of miss my old photoid card, vs my emv chipped card that doesn't work. I already had to buy a faraday cage wallet because of my drivers license & passport card (I'm paranoid about the rfid stuff), and then another rf blocking pouch for my regular full size passport.

    --
    01:36AM up 426 days, 2:46, 1 user, load average: 0.14, 0.11, 0.05

  37. Re:Maybe because he knows how it works? by mjwx · · Score: 2

    It's a one-time pad-based system and the merchant never gets the real account number or even the user's name. They get a one-time code for a specific purchase amount at a specific time.

    Because maybe I know that MITM attacks aren't the only way things become compromised.

    Software flaws are becoming increasingly attractive attack vectors for criminals.

    Also perhaps it's also because Apple has a terrible track record for taking responsibility for stuff-ups and blaming the user when it all goes horribly wrong.

    My experience is that smug Apple-bashers are pretty ignorant about technology in general, thanks for reinforcing that opinion.

    My experience is fanboys tend to ignore the facts and go after the person making the statement; ad hominem is easier than rational argument. Thanks for reinforcing that.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.

  38. Re:someone explain for the ignorant by gnasher719 · · Score: 3, Informative

    Further, you DON'T WANT it to operate by NFC, or anything RF for that matter. RFID, NFC, and other RF technologies have all been broken for some years now. I can't imagine what Apple is thinking, with its Apple Pay, but maybe they think they've gotten around the security holes in NFC. Remains to be seen.

    There is plenty of information around about how Apple Pay works. All the communication can be in clear text and recorded by a dozen hackers, it doesn't make a difference, because the actual data sent through the insecure channel is safely encrypted.

  39. Liability shift to merchants by bradley13 · · Score: 4, Interesting

    My wife has a small company that accepts credit cards. As the parent comment points out, the credit cards want to push liability for fraud onto the merchants. This has two aspects:

    - First, the physical card: Chip and pin is standard here, which would be fine, but don't think your fees go down when they hand you the liability. My wife has, to my knowledge, never had a case of fraud in 20 years, but that doesn't matter either. Mastercard/Visa are completely in collusion, there is no competition, they can demand whatever fees they want.

    - Second, the Internet: I wrote her first web-shops, including the payment processing. This has become completely impossible. The credit card companies impose ever more impossible rules. Ultimately, if you handle credit card numbers electronically, they began insisting on quarterly audits of your IT infrastructure. We used an ISP - so they were going to insist on auditing the ISP infrastructure. Our ISP was - shockingly - actually ok with this, but the whole nightmare just got too complicated. In the end, the rules appear to be nothing but a way of forcing you to use their approved payment processors - yet another way to suck money out of merchants.

    Will some Internet payment service please, please spring up and actually give Mastercard/Visa some real competition? Paypal has been largely co-opted, Bitcoin is a joke - we need something that your average Joe can and will use. So far, nothing...

    --
    Enjoy life! This is not a dress rehearsal.

    1. Re:Liability shift to merchants by IamTheRealMike · · Score: 2

      Will some Internet payment service please, please spring up and actually give Mastercard/Visa some real competition? Paypal has been largely co-opted, Bitcoin is a joke - we need something that your average Joe can and will use. So far, nothing...

      You might think Bitcoin is a "joke" but it's all you're gonna get. PayPal wasn't co-opted - they settled down into the state you would expect given that they have little competition and ultimately still rely on the banking / credit card infrastructure. Why do you think any other outcome would be different? Apple isn't going to help. They aren't exactly famous for aggressively passing along cost savings to their customers, or being flexible with their policies.

      The reason lots of people are working on Bitcoin, myself included, is that when you examine the problems underlying the current financial system it becomes clear that a slightly better credit card processor isn't going to cut it.

  40. Re:someone explain for the ignorant by thegarbz · · Score: 3, Informative

    A hole punch in what? Did you kill the chip? There's better ways.

    Simply hold the card up to the light and you'll see the antenna connections run around the outside of the card. A simple cut through the antenna will render the contactless payment inoperable without affecting the chip and the ability to use the chip+pin features.

  41. Re:What about the online use of these cards? by dave420 · · Score: 2

    Here in Germany it's a bit weird. Any online banking done through my bank's website requires the use of a separate TAN-generator device. One inserts the card into the side, presses a button, and holds it against a flickering pattern on the screen. After a couple of seconds the device shows the last few digits of the payee's account number and the amount to be transferred/paid, and then a TAN which is typed back in to the website. It gets weird with things like Netflix or Amazon - one can simply enter the bank account details, and payment is taken from your account that way. This is only available to compliant companies, and any fraud can be reported to your bank for them to take care of (which they do - with zeal). It comes from Germany's love affair with invoices. Back in the early days of online commerce, when Germans purchased goods from the net, they would be sent the goods with an invoice to pay - payment was accepted after the goods had arrived in the hands of the customer. It's a cultural thing, I guess.

  42. Re:US: Welcome to the present by dargaud · · Score: 3, Insightful

    'rewards'. Yeah, right...

    --
    Non-Linux Penguins ?

  43. It's no wonder fraud is rife in the US by DrXym · · Score: 2

    My typical experience as a traveller - I walk up to checkout with an item, present my card, it's swiped, I scrawl a signature on a (usually broken) digital capture device but the cashier never bothers to authenticate the card, or look at the name on it, or ask for id, or match the signature to the card. In a restaurant, the card might even be taken away to be swiped and it doesn't occur to either the restaurant or customers why this might be a bad thing.

    So it's hardly surprising if the US receives the highest amount of fraud. It's trivial to skim the details because it's all stored on the magstripe, stores hold the info in arcane systems, there is no authentication and there is no financial burden on the store if fraud occurs.

    Chip and pin isn't perfect but it's FAR better than the US system. In Europe every business has a chip and pin device. Restaurants have a portable chip and pin device. Supermarkets and stores have one at the cashier. You pay by sticking the card in the device and authenticating with it. There is less scope for the card to be skimmed because the card never leaves the customer's hands. There is less scope for a malicious store because authentication and authorisation are via a secure payment system.

    Ideally cards wouldn't even have a mag stripe any more. Give businesses 5 years to replace their decrepit equipment and banks to upgrade their ATMs and then get rid of them. Chip and pin and NFC cover the same use cases and provide better security into the bargain.

  44. Re:someone explain for the ignorant by IamTheRealMike · · Score: 2

    The reason you can't secure an NFC card is that you can't generate enough power using an antenna to power up a chip which can do crypto. The most you can do is read/write a ROM, so it's not much better than a magnetic stripe.

    Your info is a couple of generations out of date. Contactless EMV cards do ECDSA on chip.

  45. Re:What about the online use of these cards? by pla · · Score: 2

    The way it's done with my bank is that you set a phrase that only you know, which is displayed when the page is spawned.

    Bruce Schneier (IIRC) described the obvious hack for that the day Visa came out with it...

    The attacker (whether a fake merchant, or a MitM) waits for a request for you to verify your identity. It then presents your information to the real site (keep in mind the attacker builds this connection, so encryption doesn't mean a damned thing). The real site responds with your known prompt-phrase, so you "know it's legit". The attacker then prompts you with that phrase, and waits for (and records) your response. The attacker passes your response on to the bank, and the transaction goes through successfully.

    Except that the attacker now has everything he needs to produce as many fraudulent charges as he wants.
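    The TAN-generator description above (comment 41) and the phrase-relay scenario in comment 45 are two answers to the same design question: is the code the user types tied to the transaction they are approving, or is it a reusable secret that anyone sitting between user and bank can forward? The following is an added example, not code from either commenter or from any bank: it models both schemes in Python, with HMAC-SHA256 standing in for the card's cryptogram (an assumption; the real chipTAN construction is not described in this thread) and constructed names for the bank, payee, phrase, password and amount.

```python
import hashlib
import hmac
from typing import Optional

# Constructed key shared by the cardholder's TAN generator (the EMV card) and the bank.
# Real chipTAN derives the code from the card's cryptogram; HMAC-SHA256 is an assumed
# stand-in so the example runs offline.
CARD_KEY = b"constructed-demo-card-key"


def transaction_tan(key: bytes, payee: str, amount_cents: int, counter: int) -> str:
    """Six-digit TAN bound to the payee, the amount and a per-card counter (assumed construction)."""
    msg = f"{payee}|{amount_cents}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Two verification schemes side by side; approved payments land in `ledger`."""

    def __init__(self, key: bytes, phrase: str, password: str) -> None:
        self.key = key
        self.phrase = phrase            # static recognition phrase the user set once
        self.password = password        # reusable secret, not tied to any transaction
        self.last_counter = 0           # highest TAN counter accepted so far
        self.ledger = []                # list of (payee, amount_cents)

    # Scheme A: the phrase "proves" this is the bank; a reusable password proves the user.
    def recognition_phrase(self) -> str:
        return self.phrase

    def pay_with_password(self, payee: str, amount_cents: int, password: Optional[str]) -> bool:
        if password is None or not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        self.ledger.append((payee, amount_cents))
        return True

    # Scheme B: the code the user types is a function of payee, amount and a fresh counter.
    def pay_with_tan(self, payee: str, amount_cents: int, counter: int, tan: str) -> bool:
        if counter <= self.last_counter:            # an already-used TAN is worthless
            return False
        expected = transaction_tan(self.key, payee, amount_cents, counter)
        if not hmac.compare_digest(expected, tan):  # details differ from what the card signed
            return False
        self.last_counter = counter
        self.ledger.append((payee, amount_cents))
        return True


def user_password_if_phrase_matches(shown: str, known: str, password: str) -> Optional[str]:
    """The user's side of scheme A: answer only if the displayed phrase is the one they set."""
    return password if shown == known else None


def run_demo() -> dict:
    """Run both schemes with something sitting between user and bank; return the outcomes."""
    phrase, password = "my constructed phrase", "constructed-password"
    payee, amount = "PAYEE-CONSTRUCTED-0001", 450_000      # 4500.00 in cents, constructed
    other_payee = "PAYEE-CONSTRUCTED-9999"                 # constructed
    results = {}

    # Scheme A: the genuine phrase can be forwarded unchanged, so the phrase check passes
    # and the user hands over a password bound to nothing: it authorises the intended
    # payment and an unrelated one equally well.
    bank_a = Bank(CARD_KEY, phrase, password)
    answer = user_password_if_phrase_matches(bank_a.recognition_phrase(), phrase, password)
    results["static"] = (
        bank_a.pay_with_password(payee, amount, answer),
        bank_a.pay_with_password(other_payee, amount, answer),
    )

    # Scheme B: the generator displays payee and amount and derives the TAN from exactly
    # those values, so a code captured in transit fits only the transaction the user saw,
    # and only once.
    bank_b = Bank(CARD_KEY, phrase, password)
    counter = 1
    tan = transaction_tan(CARD_KEY, payee, amount, counter)
    results["tan"] = (
        bank_b.pay_with_tan(payee, amount, counter, tan),            # the payment the user saw
        bank_b.pay_with_tan(other_payee, amount, counter + 1, tan),  # same code, swapped payee
        bank_b.pay_with_tan(payee, amount, counter, tan),            # same code replayed
    )
    results["ledger_a"], results["ledger_b"] = bank_a.ledger, bank_b.ledger
    return results


if __name__ == "__main__":
    print(run_demo())
```

    The static scheme accepts both payments because nothing in the user's answer says which transaction it was for; the TAN scheme accepts only the one whose payee and amount the device showed, and rejects the same code a second time. The point for a defender is the check on the bank side, not the capture: binding the code to the displayed details is what makes a forwarded or recorded response useless.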

  46. Shortwave frequencies = over-the-horizon snooping? by An+dochasac · · Score: 2

    Unfortunately, peak fraud is ahead of us with the widespread adoption of a poor implementation of RFID. The EU and ROW were wise to jump to chip and pin while the US dragged its feet for a decade with cashiers expected to be CSI signature verification specialists. But the move to pinless RFID rolls security back to the days when cashiers were expected to peer through lists of bad credit card numbers. Actually it's worse than that because card dup information is conveniently broadcast on 13.5 MHz, in the 22 meter amateur radio band. This is a great frequency for over-the-horizon broadcasting in summer. Not so good for secure communication over a distance that is supposed to be in the range of a few centimeters.

    It's sad because properly implemented RFID has the potential for enhancing the security of paypoint transactions. This implementation will have so much fraud, people will forever associate RFID with fraud.

  47. Re:someone explain for the ignorant by MrL0G1C · · Score: 2

    BBC Newsnight - UK chip and pin credit and debit cards are insecure, Feb 2010

    Part of the flaw is that the PIN is confirmed by the card and not the seller's equipment / card network. That seems like an odd way of doing things since a fake card can simply lie about the PIN.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  48. Re:someone explain for the ignorant by neokushan · · Score: 2

    EMV is NOT contactless.

    EMV is not contactless in the same way that TCP/IP is not wireless. EMV is a payment specification, it can be done contact or contactlessly. There are contactless specifications based on EMV from all of the big card brands.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  49. Re:someone explain for the ignorant by AmiMoJo · · Score: 4, Interesting

    Saying NFC has been "cracked" is like saying that ethernet has been "cracked". It doesn't make any sense. NFC is just a transport layer, it doesn't have any encryption or security at all. You have to build that in at the application level that uses NFC to transfer its data.

    NFC payment cards are secure. They have been in use in other parts of the world for ~15 years now. Japan started using them around 2000. There have been no mass thefts by people with big antennas or readers hidden under their jackets. The hacks you heard about were attacks on the phone's NFC software stack, similar to a bug in the TCP/IP stack of some desktop operating systems. Again, we didn't say that ethernet was "cracked" when that happened, we recognized that the implementation of the TCP/IP stack was broken.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  50. Re:someone explain for the ignorant by fahrbot-bot · · Score: 2

    This is an RFID-only card - "VISA PayWave" - not a smart card so there's no chip+pin. Using the hole-punch on the RFID chip was very satisfying. Contactless CCs are a gimmick to encourage thoughtless purchasing.

    --
    It must have been something you assimilated. . . .
  51. There's not copying only by nospam007 · · Score: 3, Insightful

    I'm from Europe and I have had such cards for 10 years.

    I was hit twice by thieves, once a hotel reception guy in Rome copied my card details and bought stuff for 4500€ online, another time it was a restaurant in London who did the same thing.

    Both times a simple email was enough to avoid having to pay, but chips don't help there.
    They only make copying the cards themselves a bit more difficult.

    You still have to check your account carefully each time.

  52. Apple Pay = One time card numbers by Aqualung812 · · Score: 4, Informative

    NFC was first cracked on cell phones.

    It doesn't even matter. NFC can send the number in plaintext for all I care. The Apple Pay app generates a one-time card number. After it hits the reader, it is useless.
    http://techcrunch.com/2014/09/...

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  53. holy smokes... 23%?! by funkymonkjay · · Score: 2

    Is that right? How do they make money?! They must be unloading that burden on the merchants or selling the customer's data out for major bucks. Bitcoin! We need you to spread.

  54. Re:someone explain for the ignorant by Kjella · · Score: 2

    One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder.

    Fairly sure this is not so in Norway; liability is put on the merchant because they are the only ones who can invest in systems to bring and keep terminals online. Even waiters at the table generally have online wireless terminals for this; apart from one bus company that apparently hasn't updated its terminals in ages, a few old parking meters and a few remote cabins selling coffee and snacks to cross-country skiers, it's all online. I've used it if their line is down, but then it's in their interest to fix the line and get the sales validated ASAP. In particular, many teens only have VISA Electron; if it's not online they can't pay at all, no backup for them.

    --
    Live today, because you never know what tomorrow brings
  55. This card just shifts the liability, cost. by Bonzoli · · Score: 2

    The cost for fraud is shifted to the merchant if their technology is not up to the level of the banks. If the retailer has high enough tech level, the liability is shifted to the customer.
    The day of you denying charges is about over, even if someone used a PIN device to fool the retailer.

    This does improve some security for the retailer network/software when dealing with the CCs but it's a lot like saying DVDs are secure because they are encrypted. Is it secret, is it safe? No, it's not.

  56. Re:someone explain for the ignorant by omnichad · · Score: 2

    EMV includes a contactless variation that Apple Pay implements.

  57. Re:someone explain for the ignorant by phorm · · Score: 2

    Yes, and considering that all somebody needs to do to check your PIN is read the heat signature on a pad after you've used it, that's a pretty low bar.

  58. Re:someone explain for the ignorant by Andy+Dodd · · Score: 2

    "EMV is going to render a lot of crappy, insecure technologies obsolete (things like Coin, LoopPay, NFC, and many of the smartphone based "wallet" apps.)"
    WAT? Yes, LoopPay and maybe Coin will be rendered obsolete, since I know LoopPay is magstripe based and hence it's going obsolete in October.

    But for the rest, "EMV is going to render itself obsolete" - makes NO sense whatsoever. Apple Pay, Google Wallet, and all other known NFC payment methods ARE EMV!!!! In fact many of them are more secure than the "plastic card" based EMV since both Apple Pay and Google Wallet use time-limited/geographically-limited or one-time-use transaction tokens, whereas "plastic card" EMV can fundamentally not be limited in time to anything other than the expiration date and can't be geographically limited.

    In the case of Wallet, IIRC the method used since Google Wallet moved to HCE with KitKat is to generate a time/geography limited credential when you unlock Wallet with your PIN (which is why HCE-based Wallet needs a network connection for unlock, while the previous SE-based Wallet did not).

    --
    retrorocket.o not found, launch anyway?
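    Comments 52 and 58 above describe the reader receiving a one-time number or a time-limited token rather than the real card number. As an added example (not code from either commenter, nor from Apple, Google or any card network), the Python below models a token service provider: the phone presents a surrogate card number plus a cryptogram over this transaction's merchant, amount and time, and the verifier rejects replays, altered details and stale cryptograms while the real PAN never leaves the vault. The HMAC construction, the 120-second window, the token format and the 4111... test card number are all constructed assumptions; the thread does not describe the real formats.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed value: 4111111111111111 is a well-known test card number, not a real account.
TEST_PAN = "4111111111111111"


def device_cryptogram(key: bytes, token: str, merchant_id: str, amount_cents: int, issued_at: int) -> str:
    """What the phone hands the reader: a MAC over the token and this transaction's details.
    Assumed construction; the real cryptogram format is not described in the thread."""
    msg = f"{token}|{merchant_id}|{amount_cents}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Constructed token service: maps surrogate numbers to the real PAN and verifies
    single-use, time-limited cryptograms. The merchant only ever sees the token."""

    VALIDITY_SECONDS = 120  # assumed validity window for one cryptogram

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}    # token -> real PAN, never leaves this class
        self._keys: Dict[str, bytes] = {}   # token -> per-device key
        self._seen: Dict[str, int] = {}     # cryptogram -> time it was accepted

    def provision(self, real_pan: str, device_id: str) -> Tuple[str, bytes]:
        """Issue a device-specific surrogate number and key (token format is an assumption)."""
        digest = hashlib.sha256(f"{real_pan}|{device_id}".encode()).digest()
        token = "4999" + f"{int.from_bytes(digest[:8], 'big') % 10**12:012d}"
        key = secrets.token_bytes(32)
        self._vault[token] = real_pan
        self._keys[token] = key
        return token, key

    def authorize(self, token: str, merchant_id: str, amount_cents: int,
                  issued_at: int, cryptogram: str, now: int) -> str:
        """Order of checks matters: cheap rejections first, the replay record last."""
        key = self._keys.get(token)
        if key is None:
            return "unknown token"
        if not 0 <= now - issued_at <= self.VALIDITY_SECONDS:
            return "expired"
        expected = device_cryptogram(key, token, merchant_id, amount_cents, issued_at)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"     # amount, merchant or issue time were altered
        if cryptogram in self._seen:
            return "replay"             # already spent: after it hits the reader it is useless
        self._seen[cryptogram] = now
        self.purge(now)
        # Only here, inside the token service, is the real PAN resolved for routing to the issuer.
        _real_pan = self._vault[token]
        return "approved"

    def purge(self, now: int) -> None:
        """Forget accepted cryptograms that the time check would reject anyway."""
        cutoff = now - self.VALIDITY_SECONDS
        for c in [c for c, t in self._seen.items() if t < cutoff]:
            del self._seen[c]


def run_demo() -> dict:
    """One provisioning, then the same cryptogram presented under different conditions."""
    tsp = TokenService()
    token, key = tsp.provision(TEST_PAN, "constructed-phone-A")
    issued = 1_700_000_000                      # constructed fixed clock
    c = device_cryptogram(key, token, "MERCHANT-1", 1999, issued)
    outcomes = [
        tsp.authorize(token, "MERCHANT-1", 1999, issued, c, now=issued + 5),     # approved
        tsp.authorize(token, "MERCHANT-1", 1999, issued, c, now=issued + 10),    # replay
        tsp.authorize(token, "MERCHANT-1", 5000, issued, c, now=issued + 10),    # bad cryptogram
        tsp.authorize(token, "MERCHANT-2", 1999, issued, c, now=issued + 10),    # bad cryptogram
        tsp.authorize(token, "MERCHANT-1", 1999, issued, c, now=issued + 1000),  # expired
        tsp.authorize("4999000000000000", "MERCHANT-1", 1999, issued, c, now=issued + 5),  # unknown token
    ]
    # Everything the merchant stored: the token and the cryptogram, never the PAN.
    merchant_saw_pan = TEST_PAN in token or TEST_PAN in c
    return {"token": token, "outcomes": outcomes, "merchant_saw_pan": merchant_saw_pan}


if __name__ == "__main__":
    print(run_demo())
```

    A breach of the merchant's logs yields a surrogate number and cryptograms that have already been spent, so the comment's "useless after it hits the reader" is the replay and expiry checks doing their job. Binding the merchant identifier into the cryptogram is the simplest form of the geographic limit comment 58 mentions; a real scheme would also rotate or revoke tokens, which this model leaves out.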
  59. Re:someone explain for the ignorant by Harlequin80 · · Score: 2

    No idea. What do they do for people that are blind currently?

    All I know is that you can't sign any more and have to use a PIN. Also I wouldn't have thought numeric dyslexia would stop you entering a PIN in the same way normal dyslexia doesn't stop you writing. The challenge comes in the reading.