Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)
The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
Luddite credit cards are insecure and let you waste money on LUDDITE garbage like Windows 7.
App cards are super secure and let you app apps by spending apps!
Apps!
I'll just avoid the merchants that require it. My local Home Depot has a sign up saying that after tomorrow they will no longer swipe credit cards. Guess I'm going to Lowe's.
date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
It's the date after which merchants are supposed to be liable for fraudulent purchases made with new-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).
Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn't support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank's issued card supports chip and pin, but the merchant doesn't support the feature.
...that's not the system we're getting in the US, at least for the time being and at most retailers. We're getting Chip and Signature, which is much less secure. We're just calling it Chip and PIN, but most retailers aren't actually using PIN numbers to complete transactions...
You guys don't have chip and pin yet?
What?
How does this work for online retailers? How do I get my own time pin out of the card? Does this mean you can't save a credit card anymore?
It does increase security a little bit. Don't forget: What really protects you, the consumer, is the fact that you're almost never responsible for fraudulent charges on your card unless you were grossly negligent.
The credit card companies don't want to (and cannot) completely prevent fraud. All they need is something to keep it at a manageable level so their high profits remain high. And chip-and-PIN is a little better than mag-stripe.
There's no PIN. I thought the "industry" decided we Americans were too stupid to remember a PIN so they went with sig only.
Isn't that correct?
-Lee
What the hell kind of "security" have you been using the whole time?
Always some fat neckbeard running his mouth about some shit. It's hard to watch because you can hardly stop laughing because their neck-fat flaps around like a bowl of jello during an earthquake.
Total fucking fail.
"Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)"
" sort of, a little, but not a whole lot, according to Jerry Irvine, w"
yeah i am the same stupid as slashdot. yeah yeah yeah yeah, yeahs it will increase security, yeah , yeahs a little, and a sort of and, yeah yeah yeah, am I slashdot or what ????
These Chip and Pin cards are called "EMV" cards.
For those who are curious about what's inside those chips, check out Cardpeek, an open-source tool to read the contents of smart cards.
http://pannetrat.com/Cardpeek/
Lots of stuff in there.
The problem is that there are six million merchants out there with mag stripe readers, and nobody can force them all to change to EMV overnight. It took Europe four years to get even to 90% adoption rates. Until such time as most all retailers take them, the crappy mag stripes are required for backward compatibility. And if we say "this does nothing", that's wrong. It takes us one step further down a path we need to fully traverse.
John
Chip-and-PIN is not a new idea! We've had it for over a decade in Britain and we weren't the first to implement it! One of the reasons the banks pushed it here was because other countries that have tried it saw substantial reductions in fraud!
It works!
US chip cards are set to "prefer signature". Many of them don't have PINs at all.
It's less secure, but likely it doesn't matter. Part of chip and PIN was designed to blame the customer for all in-person fraudulent charges on the idea that if your PIN was entered, you must have been there (and not just your card). This does not pass muster with US consumer protection laws, so there isn't a lot of reason to go to chip and PIN in the US.
Not that chip and PIN wouldn't work, I think the retailers just saw it as too much hassle to make all merchants put in card readers which face the customer instead of the employees.
Chip and sign cards cannot be cloned. That's what adds the most protection anyway. Especially since much stolen credit card info from around the world has been used in the US since you could make a cloned stripe card from account info for chip and PIN cards and then use it in the US.
http://lkml.org/lkml/2005/8/20/95
Outside of the US, everyone already has it.
Studies in Europe showed that when chip and pin nearly eliminated point-of-sale (in store) fraud, that within a year or so the fraud moved to card-not-present sales (that is, the fraud occurred by European cards used on the internet, phone, and also countries where the PIN network was not integrated back to Europe's clearinghouses like Brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or if it's less than it would have been).
For in-store (card present) sales, it isn't lost cards that are the biggest problem. It's stolen card numbers being cloned onto forged plastic. Stolen card numbers are easily transmitted faster and also can be replicated many times, which is better than the original card itself. Just having the chip there can shut this down. You don't have to have the pin. Thus card+signature is just as good as chip and pin for practical purposes. The pin just shuts down people using the original stolen card which is a small slice of the problem.
So no, this isn't going to do much about fraud since card-not-present is actually going to become the dominant mode of sales (internet). But the pin doesn't help much.
Some drink at the fountain of knowledge. Others just gargle.
The *user* should never trust the merchant to begin with. We have this flaw that is unbelievably obvious that has been exploited by criminals in Europe. The criminals bug the merchant's terminals. The user should never have to enter a pin into a terminal in the first place. The way the system should work is every user's card should have a number pad on it where they enter their pin. It should display the merchant's name, an amount of the transaction, and a transaction ID (ie the receipt). The card should then encrypt a message with GPG that is then transmitted to the card holder's bank authorizing the bank to release the funds to the merchant. The system would work with both merchants on the internet and in the real world. The merchant would need not ever be liable for fraudulent transactions.
If you have a gun to your head and someone steals the card and forces your pin out of you then you need to file a police report. You might lose money, but it'll be a *major* crime and the police *would certainly* investigate.
Merchants are on the hook when a fraudulent purchase is made, with a NEW style card, but the merchant hasn't updated to a new style reader. Issuers are on the hook when a fraudulent purchase is made with an OLD style card.
(If at first you don't succeed, do it different next time!)
In Sweden we have had 4-digit PIN codes for our credit/debit cards for at least 20 years. The reason the US doesn't is that Americans are too stupid to remember 4 digits (at least that was why it was postponed last time).
The chip was introduced some 10 years ago to prevent card theft.
If you buy online you have to enter a second code with a technique accepted by your bank (usually using an app in the phone to generate a code).
It's always amusing hearing Americans describe their bank system, it's like Sweden in the '60s.
It hasn't stopped my boss from cracking the whip the last three months to get us to get EMV implemented.
Secession is the right of all sentient beings.
So following up my own post, notice that PayPal and Apple Pay both have the means to verify the user of the transaction for card-not-present transactions. Other card methods like say Samsung Pay are just wrappers around the card right now and emulate the old swipe system. Thus Samsung Pay is actually obsolete before it even happened. Chip and PIN now forces you to carry your credit card, not just the credit card number. Thus you will already have the credit card in your wallet, making Samsung Pay replace exactly nothing you would have carried anyhow. Apple Pay and PayPal don't have that problem because they can conduct secure transactions through the store's payment mechanism.
Some drink at the fountain of knowledge. Others just gargle.
Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).
US businesses that currently accept chip and PIN/signature
Sorry, UK guy here. Somebody seems to have made a repost from the early 2000s...
We're just in the process over here of replacing chip and pin with 'contactless', thus removing the security that the PIN afforded us.
Besides, as long as the merchant and the bank are responsible then the card provider can choose how little or much security they provide without it really being my problem. Though I'll wait for everyone else to test the PIN-less 'contactless' system first to see what the problems are...
Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).
Why would they turn it off?
Some drink at the fountain of knowledge. Others just gargle.
Chip And Spin
I'd honestly have thought they'd have given up on this stupidity already, having known that the damn stuff flatly doesn't work.
Some of the CLEAR problems with Chip and PIN
This shit was brought up to have real and serious issues and shown to be a farce back in 2006(!)- which means they should be goddamn ashamed of themselves to FORCE this because now they're going to blindly follow what the EMV system tells them and YOU are going to be the one to eat the fraud not the bank. I'm limiting how much I spend on my card from here on out- because they're going forward with this joke. Just because you use crypto and "smart card" tech does NOT magically make it secure, sound, or even sane.
CVS told me they have to do it for HIPAA reasons in their pharmacy.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
interesting. News reports said CVS and Walmart didn't do it because they are launching a competitor.
Some drink at the fountain of knowledge. Others just gargle.
A large number of US retailers actually rely on non-consensual tracking/data mining as part of their business models. NFC would really interfere with that. Not to mention there are a few (like Walmart) who really hate Visa/MC and at best want all of the benefits card acceptance brings without paying anything.
US businesses that currently accept chip and PIN/signature
Yep, CurrentC. Which is basically a usability and security/privacy disaster. It'll probably fail (and some retailers such as Best Buy already have abandoned it), but there will still be holdouts.
US businesses that currently accept chip and PIN/signature
.. so, if there are some disputed charges on your account, the bank can either 1) chase the retailer to get the lost money back - assuming the retailer has not given you the opportunity to use Chip and PIN or 2) chase you, since clearly if there is a transaction on your account, and your card is a Chip and PIN card, either you have given someone your card and PIN (in which case it's your fault) or someone has stolen your card, and found out your PIN (in which case you failed to keep it secure, and bugger me, it's YOUR FAULT again).
I was a victim of an early fraud about five years ago, at a coffee shop at Paddington Station. I bought a coffee using my chip and pin from my business account (well, there were lots of us having coffee, and I decided for once it was a business expense). A few days later, I noticed some charges on my account I couldn't identify, and I contacted the bank. Their immediate reaction was that I must have let someone have my PIN. It took six weeks to have the money returned to me by the bank - and then only when they could displace the blame on to the retailer (apparently I wasn't alone, and an investigation by the police turned up a hacked card reader which stored PINs on an SD card).
The way the system should work is every user's card should have a number pad on it where they enter their pin. It should display the merchant's name, an amount of the transaction, and a transaction ID (ie the receipt). The card should then encrypt a message with GPG that is then transmitted to the card holder's bank authorizing the bank to release the funds to the merchant.
...and that's how it works with lots of European banks' e-banking interface:
a completely offline device (either a chip card in a small calculator-like device, or a card with a keypad directly on it) is used to sign transactions (or simply the numbers it displays. But you get to see the numbers).
European banks do it because:
- it's really the best possible security at this level of convenience, thus less risk for their customers and thus fewer possible liabilities for the banks themselves.
- it's their own e-banking infrastructure, they get to do what pleases them (see point above for what pleases them).
That would be completely different with credit card payment:
- because the banks themselves don't get to decide. Instead they have to abide by whatever Visa and MasterCard impose on them, and Visa and MasterCard are interested in a different point of balance on the security vs. convenience scale (they need the credit card usage to be as easy as possible because they need as many transactions as possible to happen, which makes more money flow, which gives them more earnings from the percentages)
What some european banks have introduced is complete out-of-bound confirmation of transaction:
you get an SMS asking you to confirm the transaction that you do with the credit card. Even if the terminal is rigged/bugged, the SMS will show you that the transaction amount isn't what it's supposed to be.
Currently, that's not very convenient (slows down the procedure a lot), it's not very secure (all it takes is a rigged/bugged picocell spoofing the SMS), but at least it helps discover and intercept fraud much faster (wait, why am I receiving a confirmation SMS when I'm just sitting at work ?!?) and is a first baby step in the right direction (the user should rely on an external non-trusty device for displaying info about the transaction and asking PIN to sign the transaction).
-----
Sadly, for the sake of convenience, some of these separate e-banking authentication are replaced... by smartphone apps.
Yup. Software running on *always online* devices that can be hacked.
All this because the user already has a phone in the pocket, and because the smartphone has a camera which is convenient for reading data from QR codes.
-----
For the record: the Bitcoin protocol also relies on the user signing a transaction that they see on their side.
Except that instead of getting checked by one single authority (that might have some sort of privacy policy), the check is distributed and each transaction is publicly broadcast for the whole network to store it in its distributed ledger (no true anonymity trades for no single point of failure).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
You guys are only just getting chip and pin? ... I forget how far behind the rest of the world the USA is sometimes...
Most Brick and Mortar Merchants are already liable for the vast majority of fraudulent transactions. Chargebacks for identity fraud (ie, a stolen credit card) currently hit the merchant, not the issuing bank.
That liability will shift temporarily to the bank, IF the merchant has the new technology, AND the bank does not. Once both have the tech, the liability falls back on the merchant, because anybody with a stolen card, has also stolen the chip.
This is primarily a stick for the banks, since they will have to eat a larger percentage of chargebacks until they issue new cards. There is very little carrot for merchants. The best incentive is for early adopters to defray some of their equipment costs, as the money drops off very quickly, as banks issue new cards.
In six months to a year's time, there is going to be almost zero incentive for any merchant to buy new chip & sig equipment, until it becomes part of PCI rules. The US implementation is ridiculously stupid without the pin, and this entire transition will prevent exactly one type of fraud- when organized crime manufactures fake cards with real numbers. The more common types of fraud (stolen physical cards & stolen card numbers used online) will not be impacted one bit, and merchants will continue to eat the costs.
For online purchases why doesn't the bank issue two factor codes like I use to log into AWS?
While the USA are getting on board with Chip and Pin, the rest of the world has already moved on to NFC.
I don't recall the last time I used a magnetic strip.
There was a petrol station near me that did exactly the same. Bonus was it was the cheapest in the area so loads of people used it...
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
It prevents card cloning, nothing else. The PIN makes an additional step required for cloning (which shouldn't be possible in the first place).
With mag stripe only, you can clone a card in about a minute with minimal equipment and the original card in hand for about 2 seconds.
Are there any mainstream Chip & PIN credit cards in the US? The only ones I've found are either Chip & Signature ("so you don't have to remember another PIN" was how a support drone explained it to me), or default to that even if they have a PIN. So not that useful in the civilised world.
Which is why the US banking system, in its infinite wisdom, went for chip and signature, which is worthless as a security measure. The one advantage of the system is that when we go to Europe, our credit cards will at least work in European machines, rather than eliciting hapless giggles.
Australia no longer accepts signatures at all. August last year it became chip & pin only
Untrue. I was there in March of this year, and made north of 35 signature transactions up and down the entire east coast on at least two different cards. For cards without chips, Visa tells you specifically that all merchants that accept their cards are REQUIRED to accept signatures. Their travel department goes as far as to tell you that if you are refused a transaction because a merchant refuses to accept a signature as verification, to call Visa collect from the store and they will straighten things out for you.
I imagine that policy will now change starting tomorrow, but until that point - including early this year - they accepted signatures.
I've had a chipped card (issued by a US bank) for years now. But I've never seen a reader in the USA capable of using it. Some years ago, I was preparing for a trip to Europe and I figured I'd better get the PIN part of the card activated. One more interesting fact: This card was issued to me by a bank that I do not have an account with. Credit is the only business I do through them. So I call the service number and ask about the PIN. According to them, in order to have a PIN, I'd have to 'attach' the card to a bank account, effectively making it a debit card.
Other accounts I have also seem to be pushing their debit card products. The problem (as I understand it) with debit cards is that the liability for fraud falls harder on the consumer. Charge my credit card fraudulently and laws protect me and minimize my losses. Charge my debit card and someone can empty my bank account. And it's my problem.
So, whatever happens tomorrow, I'm going to watch my card agreement information very carefully. To make sure that my credit card doesn't magically turn into a debit card.
Have gnu, will travel.
Jerry Irvine is wrong on most of the points he makes. Just to correct some of them:
1. The PAN (the primary account number) is not enciphered on a chip card.
2. If you have a chip reader and easily-found software, you can recover the card PAN easily and quickly.
3. Cards do not provide support for "unlimited number of transactions" - as almost all cards have amount and velocity limits.
4. Most transactions will go online to the card issuing bank for authorization - allowing for lost and stolen cards to be blocked.
5. Each purchase with a chip card does not "create a separate token". He appears to be confusing tokenization with cryptography, though it's hard to know exactly what he means.
6. Issuing banks do not create tokens. Instead, they are created by a Token Service Provider, usually an independent third-party.
7. A partial EMV implementation would have mitigated against certain segments of the Target fraud. A full implementation, with PCI, industry-wide, would have mitigated against much more.
8. Mobile payment systems, in general, today, do not provide higher levels of security than chip cards.
Documentation on most of the above is freely available from EMVCo's website at http://www.emvco.com/
Mr Irvine's four minutes are, as a whole, inaccurate and unhelpful.
The true purpose of chip cards is to transfer the cost of fraud away from the issuers.
I've lived in Oz for over 50yrs, I had to google the question out of sheer curiosity, turns out you and the GP are both correct, the law only affects cards issued in Australia, I assume yours were issued in the US?
BTW: Hope you enjoyed your visit, Melbourne to Brisbane via the coast is still one of the world's great road trips, I've lost count of the number of times I've done it, first time was 1966 in the back seat of Dad's bright red VW beetle, it's changed quite a bit since then, hell of a lot more people and cars now. For any tourist, Oz is a hell of a long plane trip away, I don't understand (english speaking) tourists who come all the way to Oz and then don't leave the city they landed in??
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
This still does nothing about internet transactions which are always "signature"; actually, there's not even a real signature involved.
Ok...I guess if no one else is going to...
https://www.youtube.com/watch?v=B80SyRmtbdI
Thank you guys for this video. I love these videos about banking and other security.
I'm amazed by all the wrong information out there on EMV cards.
The track data is still present in Tag 57 and in most cases this still goes up to the credit processor in the track 2 field (either encrypted or plaintext but over an SSL connection). The "tokenization" he is talking about is an additional EMV data field called the Issuer Application Data (among many other data elements) that gets passed to the issuer to verify the card is authentic.
He is correct in that any online purchase will not have this extra EMV data, so any database breach is still possible because you have to type in your card number and exp date.
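To make the Tag 57 point above concrete, here is an added example (not part of the original comment) that parses EMV BER-TLV data, finds account numbers carried in the clear in tag 57 (Track 2 Equivalent Data) and tag 5A (Application PAN), and masks them before the record is logged. The sample record, the test card number and all function names are constructed for illustration.

```python
# Added example (not from the thread): locate cleartext PANs in EMV BER-TLV
# data and mask them before the record reaches a log or support ticket.

def parse_tlv(data: bytes):
    """Yield (tag_hex, value) for primitive objects, recursing into templates."""
    i, n = 0, len(data)
    while i < n:
        if data[i] == 0x00:               # 0x00 padding between objects
            i += 1
            continue
        first = data[i]
        tag = bytes([first])
        i += 1
        if first & 0x1F == 0x1F:          # low five bits set: tag continues
            while True:
                if i >= n:
                    raise ValueError("truncated tag")
                tag += bytes([data[i]])
                i += 1
                if not tag[-1] & 0x80:    # high bit clear marks the last tag byte
                    break
        if i >= n:
            raise ValueError("truncated length")
        length = data[i]
        i += 1
        if length & 0x80:                 # long form: next (length & 0x7F) bytes
            count = length & 0x7F
            if count not in (1, 2) or i + count > n:
                raise ValueError("unsupported or truncated length")
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        if i + length > n:
            raise ValueError("value overruns buffer")
        value = data[i:i + length]
        i += length
        if first & 0x20:                  # constructed object, e.g. template 70
            yield from parse_tlv(value)
        else:
            yield tag.hex().upper(), value


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to cut false positives when hunting for PANs."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_track2(value: bytes) -> dict:
    """Tag 57 holds BCD nibbles: PAN, 'D' separator, YYMM, service code, 'F' pad."""
    digits = value.hex().upper().rstrip("F")
    pan, sep, rest = digits.partition("D")
    if not sep or not pan.isdigit():
        raise ValueError("not Track 2 Equivalent Data")
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def pan_from(tag: str, value: bytes) -> str:
    if tag == "57":
        return decode_track2(value)["pan"]
    return value.hex().upper().rstrip("F")   # tag 5A: BCD digits, 'F' padded


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, a common truncation format."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def cleartext_pans(data: bytes):
    """Detection: list (tag, pan) for every Luhn-valid PAN found in the record."""
    hits = []
    for tag, value in parse_tlv(data):
        if tag in ("57", "5A"):
            pan = pan_from(tag, value)
            if pan.isdigit() and luhn_ok(pan):
                hits.append((tag, pan))
    return hits


def redact_for_log(data: bytes):
    """Mitigation: same objects, with PAN-bearing tags reduced to a masked PAN."""
    out = []
    for tag, value in parse_tlv(data):
        if tag in ("57", "5A"):
            out.append((tag, mask_pan(pan_from(tag, value))))
        else:
            out.append((tag, value.hex().upper()))
    return out


# Constructed record (template 70) using the well-known test number 4111 1111 1111 1111.
SAMPLE = bytes.fromhex(
    "7026"
    "5710" "4111111111111111D25122011234567F"   # 57: Track 2 Equivalent Data
    "5A08" "4111111111111111"                   # 5A: Application PAN
    "9F1007" "06010A03A00000"                   # 9F10: Issuer Application Data (made up)
)

if __name__ == "__main__":
    print(cleartext_pans(SAMPLE))
    print(redact_for_log(SAMPLE))
```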
In the US, table service restaurants virtually NEVER have customer-facing credit card readers.
Bars don't either.
In both you give them your card.
Really the places that do reliably have them facing customers are retail checkouts and anything with a self-serve kiosk.
http://lkml.org/lkml/2005/8/20/95
Stolen card fraud is something we all pay for. But requiring PINs would require making all CC readers face the customer. That costs money. The CC companies also surely worry people won't remember their PINs and will thus not use their CCs. And then there's that chip and PIN is even slower than chip and sign which is already slower than swipe and sign.
There are a lot of different factors in a lot of different directions. This is the decision they came up with, it hardly seems terrible.
Frankly, given that clearing fees are being jacked so companies can take a bigger cut just to give "cash back" I don't know we'll notice the fraud rate difference between chip and PIN and chip and sign.
http://lkml.org/lkml/2005/8/20/95
You guys are far behind the times. Over here in Europe, we are just starting to switch AWAY from chip and pin, to the next fad in credit cards: Contactless credit cards. RFID cards which can be read from quite a distance with the right equipment (involving high-tech hardware like a Pringles can), and no pin required for purchases up to $50.
No pin, no signature, and you don't even have to have the card in your hand (could be in another customer's pocket).
Now, THAT's progress. For criminals.
For me, that means I'd keep my card at home, except when going to the ATM to pick up some cash.
" chase you, since clearly if there is a transaction on your account, and your card is a Chip and PIN card, either you have given someone your card and PIN (in which case it's your fault) or someone has stolen your card, and found out your PIN (in which case you failed to keep it secure, and bugger me, it's YOUR FAULT again). "
So horrible to be responsible for your own belongings instead of pushing the cost to everyone else. Regarding your example.. the perp got caught, with magstripe & signature it could have been anyone, and never gotten caught.
Buying something with a magstripe normally involves swiping the card in a reader and scrawling a signature onto a screen. Theoretically the cashier might ask for ID or compare the signature to the card but they rarely do. And the cashier might even be in cahoots with the thief, knowing the card is stolen and not do any check at all. On top of that the merchant might store transaction details insecurely, or their software may be hacked. And in some scenarios such as bars & restaurants, the card might be taken from the sight of the customer which increases the risk of it being skimmed. All of these are major vulnerabilities that thieves have been known to exploit.
A chip and pin reader means that the card holder must authenticate themselves before proceeding. That stops someone from picking up a card, or cloning one and being able to use it without the pin. And authentication is to the payment processor and not to the store or cashier so it's not possible to bypass this check. It also means the store never captures the credit card info (they only get partial info and some payment authorization code) so hacking the store does not put details at risk. And chip & pin devices are portable so payments in bars & restaurants can be made in the presence of the customer so they are less likely to be swiped.
So yes it closes some very obvious security flaws. Is it perfect? Of course not, but it's a hell of a lot better than a magnetic stripe. It's a damned shame that it's taken the US so long to even switch to chip and pin. The next step would be to get rid of the magnetic stripe altogether but I expect we can look forward to years of lobbying by ATMs and banks how this couldn't possibly be done.
Please don't insult people that once would have been called 'retarded' by comparing them with Americans. That's really unfair and rude to them.
The European chip & PIN system is the same but the US one is different.
It's basically the same thing as a magstripe..
"it patently clear no-one else agrees with your position" - by dave420 (699308) on Friday September 25, 2015 @04:44AM (#50595241)
Here's some that are QUITE contrary to yours from /. users + experts in the field:
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
"I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)
&
"his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)
---
* Let's see - a TOP antimalware company hosts AND RECOMMENDS my ware, & real users here like it - you're outnumbered, outthought, & OUTSMARTED, easily as usual, by "yours truly"...
APK
P.S.=> To top all THAT off? Better people that a "ne'er-do-well" MORON troll who's never accomplished a thing of good note in computing in yourself AGREE with me hosts are good security:
Quote of Aryeh Goretsky of NOD32/ESET doing so in fact -> http://it.slashdot.org/comment...
You UTTER blowhard do nothing "ne'er-do-well" troll... "eat your words" & tell us:
HOW DID THEY TASTE?
Flavored with the "bitter taste of SELF-defeat" since your mouth wrote checks your dimwit brain can't cash? Rammed down YOUR THROAT since you stuck your FOOT IN YOUR MOUTH too?? LMAO...
... apk
As the security gets more complex it creates more points of attack. Future hacker buzz word,"Token Spoofer".
Whether a cellular carrier charges extra to receive an SMS isn't a country-dependent thing. Or even carrier-dependent. It depends on which plan you have purchased.
Whether low-end cellular plans include charges for receiving is certainly country-dependent. They have been commonplace in the United States. In the United States, the tradition has been to offer plans that charge both the sender and the receiver. They have not been commonplace in European countries. In European countries, the tradition has been to offer plans that charge only the sender.
All major providers in the US (and probably all providers, even the minor ones, but I haven't actually looked) offer plans with unlimited SMS
Which then means you have to consider the cost of upgrading from your current plan to a plan with unlimited SMS. These plans cost plenty of extra dollars per month compared to an occasional-use pay-as-you-go plan only for urgent calls. If you use services with 2-factor authentication to make money, then perhaps unlimited SMS is worth $120 per year. And if you don't share a house with someone with a landline, then your landline-replacement plan may already include SMS. But for someone who mostly uses cellular to arrange an occasional ride and currently pays less than $10 per month to begin with, the cost of multiple incoming texts per day, one for each service that uses 2-factor authentication, can add up.
Will they still be using the card number as not all devices and pc's have a smart card reader on them.
They could have solved the whole thing using two factor with magstripe, pin plus second factor - could be an RSA token, Google Authenticator, or what have you. It would make pretty much all card fraud impossible.
The chip-pin setup really secures the credit card industry from all the lawsuits currently, no one can identify who's responsible and the gov't points the finger at the card industry to pick up the loss.
This just clearly helps the card industry by pushing some of the fraudulent claims back to consumers. And I'm sure they get to pass on the new infrastructure costs to consumers and business as well.
Consumer fraud protection in the US means you're not liable if they copy down your details. And the companies seemingly would rather do it this way, it saves money in the end, even though any fraud that happens raises their clearing fees. Remember, there is nothing stopping US restaurants from bringing a portable transactor to your table. Those things read swipe cards and PIN cards just fine. So if they aren't doing it by choice, there could be a good reason.
It does reduce waiter back-and-forths, but is that really the limiting issue? The waiter bringing the reader and waiting while you use it increases waiter time spent which costs money.
If you want to go fast, ask your waiter to do the job fast. Otherwise, the restaurant can save money by having a pile of those little trays/folders and waiters picking up and running 3 at a time.
http://lkml.org/lkml/2005/8/20/95
I completely disagree with the arguments prematurely concluding chip-based credit cards are insecure. For that matter, any system is insecure if you consider a super strong adversary; there will be security problems in any system. Magnetic strip based credit cards should have been replaced a long time ago! And the chip-based cards are better and a step in the right direction even without a user-supplied PIN. Why?
1. To the best of my knowledge, the chips themselves are tamper proof and their internal logic cannot be replicated easily -- very much so compared to magnetic strips. So you can't steal a card without "actually" and physically stealing the only card. This is much better, as it is not hard for one to notice a lost card and immediately report it, making the stolen card invalid and useless. Note that it does not have any information to replicate or steal any identifiable information.
2. The chip's OTP-based token transactions are much better than communicating the account number and password. Much of the burden on the POS system being secure is lifted: any stored transaction information (which could potentially be stolen) is useless, as the information can be used only for one-time use.
And the reference to the Target breach seems to be inaccurate. It is true that a flaw in the backend enabled installing malware on the POS systems, but the attack did rely on magnetic strip based credit cards, and the POS systems had access to all the necessary account credentials for a future cardless transaction.
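The replay argument in point 2 above, as an added example that is not part of the original comment: a simplified model of a chip signing each transaction with a counter, next to a static-data check of the kind a magnetic stripe allows. It is not the EMV algorithm; the HMAC construction, the field layout and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PAN = "4000000000000002"           # constructed test card number
CARD_KEY = secrets.token_bytes(32)  # constructed; shared by chip and issuer only

class Card:
    """Chip model: the key stays inside; only signed transactions come out."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount_cents, nonce):
        self.atc += 1  # transaction counter, never reused
        txn = {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "nonce": nonce}
        txn["mac"] = _mac(self._key, txn)
        return txn

def _mac(key, txn):
    msg = "|".join(str(txn[f]) for f in ("pan", "atc", "amount", "nonce"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan, key):
        self.keys[pan], self.last_atc[pan] = key, 0

    def authorize_static(self, pan):
        # Magstripe-style check: knowing the static data is enough, so replay works.
        return "APPROVE" if pan in self.keys else "DECLINE: unknown card"

    def authorize_chip(self, txn):
        key = self.keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        if not hmac.compare_digest(_mac(key, txn), txn["mac"]):
            return "DECLINE: bad cryptogram"
        if txn["atc"] <= self.last_atc[txn["pan"]]:
            return "DECLINE: replayed counter"
        self.last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

if __name__ == "__main__":
    issuer, card = Issuer(), Card(PAN, CARD_KEY)
    issuer.enroll(PAN, CARD_KEY)
    stored = card.sign(1999, secrets.token_hex(4))  # what a POS might log
    print(issuer.authorize_chip(stored))            # first use
    print(issuer.authorize_chip(stored))            # same record replayed
    print(issuer.authorize_chip(dict(stored, amount=99999, atc=2)))  # edited copy
```

A record stored at the point of sale is accepted once and declined on every later presentation, while the static check accepts the same account data any number of times.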
How does chip and pin work?
If you have to enter the data into the vendor's system, it is not secure. You have to swipe the card. You have to use their equipment at their Point of Sale to enter the PIN. So if they add software that stores the card data and stores the PIN, the card has just been compromised. Perhaps the chip is harder to fake than a strip?
To really make this more secure, you should swipe the card/insert the card to have the chip read, and then receive an instant request from the bank, not the vendor, to approve the expense. This could be done with a phone call, text message, email, or app push notification. Of course the vendor could wait for you to approve before letting you out of the store with their goods.
That way, the pin is never delivered to the vendor.
I am still waiting for photo recognition. If you buy something with a card, it should take a picture of your face and send that in with the transaction request. People will cry privacy, which is a silly argument. If you want privacy, pay with cash.
"it patently clear no-one else agrees with your position" - by dave420 (699308) on Friday September 25, 2015 @04:44AM (#50595241)
Here's some that are QUITE contrary to yours from /. users + experts in the field:
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
"I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)
&
"his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)
---
* Let's see - a TOP antimalware company hosts AND RECOMMENDS my ware, & real users here like it - you're outnumbered, outthought, & OUTSMARTED, easily as usual, by "yours truly"...
APK
P.S.=> To top all THAT off? Better people than a "ne'er-do-well" MORON troll who's never accomplished a thing of good note in computing in yourself AGREE with me hosts are good security:
Quote of Aryeh Goretsky of NOD32/ESET doing so in fact -> http://it.slashdot.org/comment...
You UTTER blowhard do nothing "ne'er-do-well" troll... "eat your words" & tell us:
HOW DID THEY TASTE?
Flavored with the "bitter taste of SELF-defeat" since your mouth wrote checks your dimwit brain can't cash? Rammed down YOUR THROAT since you stuck your FOOT IN YOUR MOUTH too?? LMAO...
... apk