Slashdot Mirror

← Back to Stories (view on slashdot.org)

To Secure ATM Transactions: Ditch the Card (securityledger.com)

Posted by timothy on from the step-zero-have-no-money dept.

chicksdaddy writes: Security Ledger has a piece that looks at the efforts of a string of startups to secure ATM transactions from skimmers and malware-based attacks. Step 1: get rid of the ATM card. The article profiles a couple different companies. One, Trusona, has technology that can uniquely identify standard issue ATM cards by analyzing the unique distribution of Barium Ferrite particles on their magnetic strips and using it to connect the card to the customer. The company combines that with card swipe biometrics to thwart malware-based replay attacks. The article also mentions upgrades that will allow banking customers in the U.S. to use a mobile application to withdraw cash from ATMs without a card or PIN, and a prototype from Diebold that combines proximity based sensing (via NFC) with iris scans to authenticate customers and authorize transactions. Cool as it sounds, its worth remembering that most ATM attacks are decidedly "low tech." A survey by the ATM Industry Association in 2015 listed "physical attacks" and those using "explosives" as the second and third most common type of ATM attack after card skimming.

133 of 184 comments (clear)

  1. actually it is really easy by Anonymous Coward · · Score: 1

    You just have to choose. You can have any 2 of these 3:
    Secure
    Convenient
    Cheap

    You just have to make up your mind.

    1. Re:actually it is really easy by Anonymous Coward · · Score: 1, Insightful

      Ditch the card. Bitcoins.

    2. Re:actually it is really easy by Z00L00K · · Score: 2, Funny

      Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:actually it is really easy by dissy · · Score: 5, Insightful

      Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.

      If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
      No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.

    4. Re:actually it is really easy by Anonymous Coward · · Score: 1

      Who cares anymore? Those 'holes are tagging everybody and anybody these days anyways. If you live in fear of them all of the time, you live as a slave.

    5. Re:actually it is really easy by Cajun+Hell · · Score: 1

      In a world where everyone is tagged, is there a downside to being tagged?

      --
      "Believe me!" -- Donald Trump
    6. Re:actually it is really easy by BarbaraHudson · · Score: 1

      People are still using cards with a mag strip?

      What 3rd world country is this?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    7. Re:actually it is really easy by Z00L00K · · Score: 1

      Well, you get tagged on a scale, so you may get a higher priority on your tags if you stand out using bitcoins.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    8. Re:actually it is really easy by Cro+Magnon · · Score: 4, Funny

      If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
      No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.

      I don't believe that's true. I'm pretty sure that even if you ARE working for the authorities, you're under suspicion by our beloved government.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    9. Re:actually it is really easy by Darinbob · · Score: 1

      Use a bitcoin and contribute to criminal agencies and support its pyramid scheme. Bitcoin was not designed to be an independent secure alternative to cash or it would have been designed differently.

    10. Re:actually it is really easy by Darinbob · · Score: 1

      I used a mag strip ATM card in Europe quite easily.

  2. Who is still using mag stripes on ATM cards? by Anonymous Coward · · Score: 3, Insightful

    You can't skim a chip. Well, not with something that you can disguise on an ATM.

    1. Re:Who is still using mag stripes on ATM cards? by fraxinus-tree · · Score: 4, Informative

      You are from Europe, right? US still use mostly the strip. And while the chip is good, it only offers protection from skimming. Other vectors (theft, burglary and likes) still exist.

    2. Re:Who is still using mag stripes on ATM cards? by dwsobw · · Score: 1

      Not sure how theft, burglary, etc are a problem if you do not write down your pin? Sure robberies are different but I rather lose my money/pin then my eyes ...

    3. Re:Who is still using mag stripes on ATM cards? by slashping · · Score: 5, Insightful

      US still use mostly the strip

      But the article is talking about upgrading the ATM to do a barium analysis on the cards. That seems idiotic if you can also upgrade it with a chip reader which is standard, and much more reliable.

    4. Re:Who is still using mag stripes on ATM cards? by CanadianMacFan · · Score: 2

      Canada has had chips on the bank cards for quite a while too. Not as long as Europe but probably around a decade.

    5. Re:Who is still using mag stripes on ATM cards? by Alwin+Henseler · · Score: 5, Informative

      Not sure how theft, burglary, etc are a problem if you do not write down your pin?

      Common method is to look over victims' shoulder when the PIN is used in a legitimate transaction. Often at supermarkets: just think about how 'hard' it is to see what PIN a customer in front of you enters on the keypad.
      Then card is stolen / pickpocketed to be used immediately with the just-obtained PIN. Happens regularly, especially with elderly people as victims. But normally unless customer is clearly to blame, card issuer will compensate the damage (well okay... somehow spread out over all customers, that is).

      But overall incidence is not that high. So in terms of cost to the average user, chip + PIN is a pretty good system. As a bonus, often the perps are caught on cam when they (try to) use the card at an ATM, retail store etc.

      In some European countries (like mine) processing this type of payment has become so efficient, that (per transaction) it's as cheap if not cheaper than exchanging a few coins & bills. And of course store owners love it as it makes for less cash in house & thus less incentive for robbers.

      Recently they've introduced the option of PIN-less payments for low-amount transactions (so there's less need to use your PIN 'everywhere'). And/or combined with some kind of electronic wallet that holds a limited amount (up to ~150 Eur or thereabouts). We'll see how that goes.

    6. Re:Who is still using mag stripes on ATM cards? by slashping · · Score: 1

      A suitably strong encryption would be enough to prevent skimming attacks, even assuming that the perps could insert a man in the middle.

    7. Re:Who is still using mag stripes on ATM cards? by TheRaven64 · · Score: 2

      You might want to take a look at some of the known attacks against EMV.

      --
      I am TheRaven on Soylent News
    8. Re:Who is still using mag stripes on ATM cards? by fraxinus-tree · · Score: 1

      Canada is european in lot of senses, anyway.

    9. Re:Who is still using mag stripes on ATM cards? by Anonymous Coward · · Score: 1

      In what way? That they aren't US?
      The US is the odd kid in the Americas. To consider Canada to be European requires a very US-centric world view.

    10. Re:Who is still using mag stripes on ATM cards? by Z00L00K · · Score: 1

      You can skim them, but it's a lot harder than the magnetic strip.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    11. Re:Who is still using mag stripes on ATM cards? by IamTheRealMike · · Score: 1

      EMV isn't a European thing, even though that's where deployment first started. EMV is an "everywhere but the USA" thing.

      The bizarre insistence of American financial providers on trying everything except just rolling out EMV is really amazing. At some point I start to wonder if it's a subtle form of protectionism.

    12. Re:Who is still using mag stripes on ATM cards? by wardrich86 · · Score: 1

      God damn USA! Get with the times. Still using Imperial, still using mag stripes... Your neighbours to the north are disappointed in you. You guys are better than this!

    13. Re:Who is still using mag stripes on ATM cards? by gmack · · Score: 1

      In Spain, I had to show ID with every card based purchase in a store even if it was chip and pin. I can only imagine it reduced a lot of thefts like this.

    14. Re:Who is still using mag stripes on ATM cards? by gmack · · Score: 1

      American cards have chips but it's chip + signature and they don't use it. Last summer my friend came to visit me in Canada and I had to explain to him how to use the chip portion of his card,

    15. Re:Who is still using mag stripes on ATM cards? by houghi · · Score: 1

      You could also look at the US being the UK of the Americas. I propose a trade: The UK goes to North America and Europe gets Canada. Everybody wins. (Sort of)

      --
      Don't fight for your country, if your country does not fight for you.
    16. Re:Who is still using mag stripes on ATM cards? by houghi · · Score: 1

      being in Belgium, I was amazed when I had to walk to the counter in Amsterdam to do my payment. In Belgium all restaurants that I know of have a cardreader they take to the table. You put in your card. You put in your code. The thing beeps. You take out your card and that way the card never leaves your sight and you do not need to walk to the counter to do the payment.

      In the US I was confused by the number of papers I got. First the bill, then several papers with the same amount on it. You need to sign it and write the tip on it and put it away and the rest in your wallet.

      As I never saw a waiter after they left the bill, I noticed when I came home that I had several papers with signature and tip on it. So not only did they not get a tip, they never even came by to verify the signature or if there WAS a signature.

      And sorry for the not tipping. I do think that it is a stupid custom, but that is NOT the reason they did not get a tip. Others where I left the correct papers, I tipped.

      Another thing is that it is so much harder to verify. In Europe the money I said OK to will be billed and I can follow it electronically. With the tips, I need to write it twice and then verify if they did not add some amount or if the writing was clear or not.

      It is an ancient system and the sole reason they kept it so long is, I think, investing 25USD now in a machine that is able to do it is not interesting, even if the gain over a period is great.
      Also: we have pre-paid cards that do not even have a strip and several banks have blocked credit cards for use in the US by default. If you go there, you must ask to activate it. All because the security is non-exitend.

      --
      Don't fight for your country, if your country does not fight for you.
    17. Re:Who is still using mag stripes on ATM cards? by Anonymous Coward · · Score: 3, Insightful

      So are Botswana, Mozambique, Zambia, and Uganda. You don't see many people suggesting they act like European countries because of it, though.

      Having spent a lot of time in the UK, the only resemblances to it that Canada has that I can think of are we still have a Queen (though she can no longer make laws here), kept some British spellings, and that's pretty much it. Canadian grocery stores (that aren't bottom tier) bag stuff for you, we mostly have intersections with lights (not roundabouts), police carry guns and are not considered friendly neighbours, most British language and British slang is either not understood or is just plain odd (nobody calls it a lift, being pissed means angry, chips are thin round crunchy discs, and you don't have flats not let them). If you want classic British cuisine you'll have to seek out the rare British pub and they will do a very bad impression of it. Pickup trucks are still the best selling vehicles and Canadian cars are closer to US size. Homes are some of the largest in the world here. Taxes are closer to US level than UK level. Canada is 12th on the gun ownership list, the UK is at 82.

      Canada is neither the US nor Europe nor Britain. However, between all those, Canada is closest to the US, physically and by attitudes/preferences as well. Now, if you focus on Quebec, things change a bit, but for the odd rather than closer to Europe (France is not fond of Quebec). Quebec is far away from being similar to the US and yet also very far away from being similar to anything European.

      Actually, suggesting Canada is like other countries in the Americas might possibly be the most interesting comparison I've heard. The problem is the rest of the Americas outside of Canada and the US are doing poorly economically. I wonder if those other countries would end up similar to Canada given a solid economy and lower corruption levels?

    18. Re:Who is still using mag stripes on ATM cards? by dwsobw · · Score: 1

      Thanks! Fair points.

      Also our pin readers usually have a screen to prevent to easy spying. Something at least like this which is usually sufficient.

    19. Re:Who is still using mag stripes on ATM cards? by dwsobw · · Score: 1

      In Germany we used to have a "moduliertes Merkmal" which is essentially a dielectric code that the machine could verify with a capacitive sensor. So even with a strip there was never a problem inside Germany. All the fakes had to use a ATM outside Germany that did not check the dielectric code ...

    20. Re:Who is still using mag stripes on ATM cards? by dwsobw · · Score: 1

      Thanks that looks interesting, but apparently only effects some (Visa-style?) EMV standards.
      The German SECCOS EMV standard (used for debitcards) seems to require the verifications (since before 2005) that were/are missing in the British standard.

    21. Re:Who is still using mag stripes on ATM cards? by Outta_the_way_peck! · · Score: 2

      Chips have been rolling out pretty aggressively in the USA over the past few months from all institutions, major banks to local credit unions. Stores may still be using the mag stripe to authorize, but it means they are accepting the liability for fraudulent transactions.

    22. Re:Who is still using mag stripes on ATM cards? by ShanghaiBill · · Score: 1

      Canada has had chips on the bank cards for quite a while too.

      America has also had them for quite a while, we just don't actually use them. When we do use them, we do chip+signature instead of chip+PIN, so we get all the hassle of using a chip, with none of the benefits!!!

    23. Re:Who is still using mag stripes on ATM cards? by Salgak1 · · Score: 1
      I've only recently started getting Chipped cards, and in any case not all merchants have enabled their readers to use chip-based cards.

      Reports I've seen combined blaming the Christmas shopping season (i.e. don't slow down the cash flow), engineering issues, and MasterCard and Visa reportedly being late in publishing at least SOME of the documentation.

      http://www.nbcnews.com/busines...

    24. Re:Who is still using mag stripes on ATM cards? by Woldscum · · Score: 1

      They do now. Walmart started Jan 1st. No more swipe or signature for credit cards. Just stick the chip end of your card in the reader. Debit cards are chip + pin. Sometime this year all stores are going to be 100% responsible for fraud if they do not use the new chip readers.

    25. Re:Who is still using mag stripes on ATM cards? by BarbaraHudson · · Score: 1

      Canada moved to chip and pin long ago. Last I looked, we're not in Europe. And without the pin, it can't be used. 3 wrong tries and it's killed.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    26. Re:Who is still using mag stripes on ATM cards? by BarbaraHudson · · Score: 1

      It's more polite to leave the tip in cash, unless you're tipping at least 25%.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    27. Re:Who is still using mag stripes on ATM cards? by BarbaraHudson · · Score: 1

      God damn USA! Get with the times. Still using Imperial, still using mag stripes... Your neighbours to the north are disappointed in you. You guys are better than this!

      Apparently not. Kind of embarrassing when the only other countries that don't use metric are Liberia and Myanmar.

      It's a form of protectionism, since things like 4 liters of milk are not the same as a gallon, so exporting to the US requires different, non-standard sizes.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    28. Re:Who is still using mag stripes on ATM cards? by I-am-a-Banana · · Score: 1

      Sorry to say but I have been contacted by my bank 3 times because there was a potential my chip card was skimmed. They cancelled the card and I had to get a new one each time.

    29. Re:Who is still using mag stripes on ATM cards? by Anonymous Coward · · Score: 1

      I had my chip skimmed once in SA, Johanesburg. The waitress at the Hard Rock Cafe used a fake "credit card machine" to get the chip data and pin.

    30. Re:Who is still using mag stripes on ATM cards? by Applehu+Akbar · · Score: 1

      Our credit cards have the EMV chip now, but most of the stores whose POS terminals have an EMV slot are not using it. It's an even more confusing maze than before.

    31. Re:Who is still using mag stripes on ATM cards? by swb · · Score: 1

      Who does this? The reason I pay a $250 dinner tab with a credit card is so I don't have to carry much cash with me, a $50 tip is nearly as bad from a carrying cash perspective.

      The whole social construct of tipping aside, I always wonder about tip fraud. It's just too easy to cheat on tips when they get manually entered into the credit processing system. You'd have to be supremely detail oriented to track the meal cost + tip as it shows up on your credit card. I think amex might detail it, but it's not hard to see how this could get gamed by a few percentage points without anyone ever detecting it.

    32. Re:Who is still using mag stripes on ATM cards? by ewibble · · Score: 1

      For the purpose of this discussion Canada could be considered more European because the don't seem to be as opposed to change as the US. (Although I have never been to Canada). They use the metric system, (although not really European but every other country in the world except (Burma, Liberia, USA)). They have dropped their 1 cent coin, they their 1 and 2 dollar note a coin. When I visited the US, it amazed me how may places seemed not to accept EFTPOS, for what considered the most technologically advanced country in the world. Where Europe did not have this problem.

      Let me be clear I have never been to Canada and this is only my opinion, gathered from media, not personal experience.

    33. Re:Who is still using mag stripes on ATM cards? by wardrich86 · · Score: 1

      We should just ship things th the US in same size as everywhere else, but with ugly sizes printed on the container.

    34. Re:Who is still using mag stripes on ATM cards? by gmack · · Score: 1

      This is why I prefer the chip and pin terminals that ask you to input the tip. Some of the newer ones allow you an enter an amount or a percentage.

    35. Re:Who is still using mag stripes on ATM cards? by swb · · Score: 1

      I have a hard time seeing this being adopted in the US, so long as we don't use the pin.

      I seem to remember eating at a restaurant where the servers used iPads for order taking and they had Square-style card readers to do the charges, but it was a pretty casual, small place so far all I know it WAS Square they were using.

    36. Re:Who is still using mag stripes on ATM cards? by Viewsonic · · Score: 1

      In the US, the new chip thing that rolled out has been met with..issues. I've been declined at least three times now, they had to manually put my card in. One place it hung the entire system, and they had to call their payment vendor who rebooted it, and told them to swipe until told otherwise. That is about after 12 times of having to slide it in. The chip also looks like it's halfway worn off the card already. It simply takes too long to use as well, you can't just stick the card in and out and be on your way. You have to stick it in and wait for her to finish. Then pull it out.

      I have a feeling this chip thing will be gone by next year and we will be back to swiping.

    37. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      The chip and pin system can and has been hacked. Use cash when you can.

    38. Re:Who is still using mag stripes on ATM cards? by nukenerd · · Score: 1

      Who does this [tip in cash]? ............ a $50 tip is nearly as bad from a carrying cash perspective.

      You give $50 tips? Must be a very wealthy man.

      The reason for tipping in cash is so that the particular waiter gets it. If you tip with a credit card, you don't know that the restaurant owner might get it. Is it really that hard to carry some coins for a tip? (Oh, forgot, the USA does not have any coin worth more than a peanut).

    39. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      Chip and pin suffers from a flawed assumption common in many systems. The assumption that breaking it is too costly for the average person and that any remaining losses will be handled as a cost of business.

      For the mag strip credit cards the banks actually do assume a percentage of loss rather than fix the flaws. For chip and pin they assume that hacking it is too difficult for the average corner shop or quickie mart, except that once someone figures out how that information is easily spread and replicated. Start with a reader with a poor design, figure out its schematics and software, find the hole, and exploit it (some have been hacked unobstrusively by drilling through the potting material from the to reach test points which is not detectable by the customer). Chip and pin systems also rely on an approach used by a lot of smart cards in where they assume it is better to provide absolute physical security rather than improve the cryptography, so you can get buggy algorithms at the same time that there are features to thwart physical tampering.

    40. Re:Who is still using mag stripes on ATM cards? by swb · · Score: 1

      $50 is 20% on a $250 tab.

      Since there's no rule book on tipping, I kind of follow my own.

      In any low-end table service place, I figure the person working there isn't making much money to begin with, so if the service was good, I tip 20%.

      At a higher end place, I will adjust the percentage down closer to 15% by default unless the server provided extraordinary service, especially if there are only two people being served because there's just not enough service taking place to warrant that much add on. In larger groups with attentive service, I think more is warranted.

      At a lot of high end places, they have dedicated staff for delivering the food, clearing the plates, sometimes even for delivering cocktails from the bar, which complicates the tip as a "reward".

      I do assume that most of these places the tips are pooled and divided among all the service staff, which complicates your rationale for ensuring the staff gets the money. It'd be easy for the server to skim the cash tips for themselves.

      I don't worry about the owner withholding tips, at least not in my town. Attracting competent wait staff is difficult, and most people I know will avoid a place with good food and shitty service. Owners who withhold tips from servers will not attract any but the worst wait staff and basically slit their own throats.

    41. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 2

      But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked? And yes, this situation has happened.

      Consider the example of the Target stores. The machines were hacked to intercept customer information. The machines did use mag stripes and have since become slightly more secure (Target today does not use the chip reader even though the reason my card was exchanged to have a chip was because of Target!). However the core cause of the breach was not the machines themselves or the magnetic strips but the transfer of the data from end point to back office and on to the credit card company. Customers are given false assurances that they've "fixed" things because they see new machines and have been issued new cards.

      Good security is damned expensive. So businesses only want to deal with "good enough for now" security. The losses due to poor security are smaller than the cost of implementing proper security. The two problems with this thinking is that encourages criminals and when a flaw is discovered it be exploited on a large scale, and the ability to steal from the system become much easier over time as technology changes (mag stripe readers used to be extremely expensive but now are quite affordable).

    42. Re:Who is still using mag stripes on ATM cards? by slashping · · Score: 1

      LOL. I have a chip card for a few years now, and never had problems. In fact, the only time there's an issue is when a vending machine doesn't accept the chip and tries to read the magstrip (which is severly damaged on my card) instead. In your case, I don't think you'd have better luck if the ATM was trying to do a finely tuned analysis of the barium signature in the magstrip.

    43. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      Part of the US bag groceries for you, and much of Europe will not bag groceries and think you're some sort of elitist by wanting such service. There are some European countries with high gun ownership. The stop light and stop sign are extremely common in mainland Europe.

      I think there's a disconnect in assuming that teh UK is a typical European country.

    44. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      The signature is supposed to be important. It makes the transaction somewhat legal and a way to detect fraud or mistakes (find a mistake on your monthly bill you can complain to the restaurant and ask them to find your signature, though these days it's easier to just dispute charges with the credit card issuer).

      Personally I have little problem with cash. People hate it because they want everything to be electronic, thus it's more cool.

    45. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      I don't even know what my PIN is with my card. It was assigned to me a couple decades ago and I've never needed it on a credit card. I got a reissued card a couple years with a chip but it did not come with any separate mail telling me what my PIN was...

    46. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      I've only done it once, and it was at my optometrist and only a few months ago. No where else did it, not even Target which was the damn store with the break in (unrelated to magnetic stripes) that encouraged banks to start re-issuing cards with chips.

    47. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      Technically we're still supposed to be migrating to metric, as I think that law is still on the books. The snag is that Reagan stopped funding some of the programs. Everyone learns metric in school though, all science here is done in metric, even the UK (technically a part of Europe if you squint) still uses miles, etc. We are not ignorant troglodytes even though it's the current elitist fashion in Europe to laugh at everything in America.

      (seriously, they're going to put up a wall Europe to keep out immigrants before the US does, all the while claiming that the US is full of bigots :-)

    48. Re:Who is still using mag stripes on ATM cards? by gmack · · Score: 1

      Considering I met a consultant who had to deal with Target.. They didn't even bother with any security let alone "good enough for now" security but that's beside the point..

      In most of the rest of the world, if they skim the card info from the payment system they can't just throw it onto a new card since chip and pin cards are much more difficult to duplicate. In the one successful replay attack I've managed to find out about the stolen info could only be used on hacked chip and pin terminals making the thief pretty easy for the banks to find after.

      Mag stripes on the other hand, can be duplicated using less than $5 worth of equipment, in fact I had a friend in high school duplicate his ATM card onto his library card because he was bored.

    49. Re: Who is still using mag stripes on ATM cards? by fraxinus-tree · · Score: 1

      errr,... cash has much longer history of vulnerabilities

    50. Re:Who is still using mag stripes on ATM cards? by david_thornley · · Score: 1

      Tips are usually based on the food price, so they go way up in really expensive restaurants. There's a lot of social and legal structure in the US built around the tip as a percentage of the bill. Also, if I can afford an occasional $250 restaurant bill, I can afford a slightly more occasional $300 one, despite not being "very wealthy" (I'm well-off, but not wealthy).

      There are differences between tipping in cash and putting it on the card, and I don't see one as necessarily superior to the other. If I tip cash, the server need not report it. It does get to the server, but not necessarily anywhere else, and it helps the server cheat on income taxes. If I put it on the card, it doesn't go directly to the server, which may be good or bad, and it's more likely to be recorded income. In some restaurants, the tips should all go to the server, and in some they should be pooled in some fashion. I don't know what any individual restaurant does about tips, and it's really not any of my business.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    51. Re:Who is still using mag stripes on ATM cards? by Kjella · · Score: 1

      But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked? And yes, this situation has happened.

      At least here in Norway, if the customer is not at fault for losing either the card or the PIN then it's the card company/merchant's problem. The consumer authorities have made it quite clear that the individual customer has no power to introduce extra security measures, so if they're insufficient it's the card company's loss and the card company's choice whether or not to improve security. One of the ways they've ensured big roll-outs is to shift blame to the merchant if they stay on old technology, like for example offline terminals. If the merchant doesn't have an online terminal, it has to cover any fraud themselves. So it's almost hopeless to exploit stolen cards here, almost always they try using them abroad. Which is why the cards typically have regional blocks, try "using" my card outside Scandinavia and it's going to get blocked and flagged immidiately. I can of course go in my online bank and turn regions back on if I'm travelling.

      --
      Live today, because you never know what tomorrow brings
    52. Re: Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      Right but I can't hand over $20 in cash and then when my bill comes find out that $40 are withdrawn from my account. Cash is vulnerable to physical security, but so are chip and pin cards (because you can't keep that PIN secret if you're entering it in public). I can worry about some thug taking my money, but I generally don't have to worry about the money secretly vanishing while inside a store and wondering where it went. There is a limit to the amount of cash I can lose also, only what I have in my wallet at the time.

      And the smart card makers in the past have not necessarily spent the proper amount of time to ensure it is really secure given how easy some of the hacks have been. It's slightly better thean feel-good security though but it's not great security.

    53. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      The skimming systems are added as extra transactions to the store in the cases I've read about. Thus the store gets paid back by the banks for more than the customer wanted to pay. It's not a third party that is skimming, but the actual store itself.

    54. Re:Who is still using mag stripes on ATM cards? by BarbaraHudson · · Score: 1
      Many restaurants tack on all sorts of "fees" before they pay the staff the tips they earned. Some even keep the entire "service charge" for themselves.

      Another restaurant chain in London, Gaucho, which serves steak dishes that cost up to £99, takes 16% of staff tips and puts part of this towards 'staff incentives and competitions'. It also takes a further 2.3% each month from sales generated by each waiter, which is shared among non-waiting staff.

      A Gaucho employee told the Observer that in one month they earned close to £500 in tips but, because of a combination of the two deductions, more than £400 of that was retained by the company.

      Last week a further tipping scandal came to light when the London Evening Standard reported that a French restaurant chain, Côte, retains the entire 12.5% service charge that it adds to customers’ bills rather than giving it to their staff .

      Tipping in cash is a good way for the wait staff to remember you the next time that the manager wants them to push the fish, so they'll tell you "avoid the fish."

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    55. Re:Who is still using mag stripes on ATM cards? by BarbaraHudson · · Score: 1

      That would just give them more of an excuse to add to the "contents may settle during shipping" for all those half-full boxes of cereal.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    56. Re:Who is still using mag stripes on ATM cards? by fraxinus-tree · · Score: 1

      As an european, I would sign right now.

    57. Re:Who is still using mag stripes on ATM cards? by peawormsworth · · Score: 1

      But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked?

      The chip on your card cannot be read from a skimmer. The shop keeper does not gather enough information to repeat a transaction or request a new payment. Each transaction requires the chip which is embedded in the card. The shop keeper would require your PIN and also to steal your physical card.

      Good security is damned expensive.

      I think bad security is more expensive. And no... this form of security it is not expensive. It only becomes expensive when security has been ignored for a long time while it should have been slowly upgraded, as was done in the rest of the world. But now, the US is in poor shape for in personal digital payment technology and yes, it will be very expensive to update what has been neglected for so long.

    58. Re:Who is still using mag stripes on ATM cards? by Darinbob · · Score: 1

      But the cards can be skimmed, and they have been! Getting the PIN is extremely simple, so don't even count on that as security. So it's just a matter of intercepting the data going to the bank as a man-in-the-middle, replicating even temporarily a card, predicting the upcoming "random" number, and so forth.

      I'm not saying chip and pin is worse than mag stripe, but they are not so completely secure as the marketing would have you believe. Don't trust the banks or others when they say the cards "cannot be read". They have the same sorts of vulnerabilities as ATM in many cases; relying on cheap manufacturers who don't follow best practices on security, over confidence of the security, assuming a PIN is private, or willingness to accept a certain level of loss.

      https://en.wikipedia.org/wiki/...
      https://people.csail.mit.edu/r...
      http://www.theregister.co.uk/2...
      http://arstechnica.co.uk/tech-...
      http://krebsonsecurity.com/201...
      http://phys.org/news/2015-03-b...
      http://www.thisismoney.co.uk/m...

  3. kiss the cook by Anonymous Coward · · Score: 1

    plenty of countries/companies provide ways of getting cash from an ATM without a card already.

  4. chip ? by slashping · · Score: 4, Interesting

    Why not use a chip card instead ?

    1. Re:chip ? by Alumoi · · Score: 4, Funny

      I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head.
      Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited.
      No more muggins as it's quite hard to carry 2-3 severed head with you.

    2. Re:chip ? by slashping · · Score: 1

      You don't think the tattoo is easily duplicated ?

    3. Re:chip ? by thegarbz · · Score: 1

      Because you can't use fancy sounding science to scam investors who don't realise Chip+Pin is the solution to replay attacks.

    4. Re: chip ? by Anonymous Coward · · Score: 1

      Because it's America, they try everything before doing the right thing.

    5. Re:chip ? by Alumoi · · Score: 1

      Note the AND between tatoo and chip. You must have tem both in order to work. It's not called 2 factor authentication for nothing.

    6. Re:chip ? by AmiMoJo · · Score: 1

      Chips aren't all that great for security... Better than mag strips, but far from perfect as anyone living in a country with the chip+PIN system will tell you. In fact in some ways it's worse, because when first introduced in the UK the banks tried to blame all fraud on the customer because the system was supposed to be immune to fraud.

      Phone is a pretty good option. You need the phone and you need a way to unlock it (fingerprint, PIN or 97 character password if you prefer). That's already at least as good as a chip, and potentially better since the current crop of fingerprint readers are much harder to fool with copies. You can have a >4 digit PIN too.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:chip ? by slashping · · Score: 1

      anyone living in a country with the chip+PIN system will tell you

      I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect, but at least they can be made to prevent skimming, which is what the article is about. And it's a much better solution than chemical analysis of the mag strip.

      Phone is a pretty good option. You need the phone and you need a way to unlock it

      Except that not everybody has a (smart) phone. Also, it's easy to see what PIN people use when you sit next to them, or guess it from the fingerprints they've left on the touch screen. Or you can just wait for them to unlock the phone and then grab it out of their hands. Phones can also be infected with malware much easier than ATMs or chip cards.

    8. Re:chip ? by bev_tech_rob · · Score: 1

      That would never fly in 'Merica, because the bible belt folks would then bray about the mark of the beast and the Book of Revelation.

      --
      You're messin' with my Zen Thing, man.....
    9. Re:chip ? by AmiMoJo · · Score: 1

      far from perfect as anyone living in a country with the chip+PIN system will tell you

      I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect

      Uh...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:chip ? by Nyder · · Score: 3, Interesting

      I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head.
      Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited.
      No more muggins as it's quite hard to carry 2-3 severed head with you.

      Pretty sure the xians will say this is the Mark of the Beast. But if it will bother them, then I am down.

      --
      Be seeing you...
    11. Re:chip ? by slashping · · Score: 1

      Why even respond if you can only grunt ? The chip+pin cards are a lot better than the magstripe cards, and the remaining problems can be solved without having to introduce radical new technology. They just need an upgrade to the protocol to remove the flaws.

    12. Re:chip ? by AmiMoJo · · Score: 1

      far from perfect as anyone living in a country with the chip+PIN system will tell you

      I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect

      Uh...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:chip ? by drinkypoo · · Score: 1

      Phone is a pretty good option. You need the phone and you need a way to unlock it

      And you need a power bank in case it gets run down and you need a backup phone in case it fails. What is needed is an end to the race to the bottom, so that employers are hiring people smart and scrupulous enough to check for credit card fraud instead of engaging in it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:chip ? by operagost · · Score: 2

      Well, they'd be correct, wouldn't they? "And he causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name."

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    15. Re:chip ? by Anonymous Coward · · Score: 1

      The solution to skimming is to not use the card as proof of identity.

      The card identifies the account you want to charge, it's essentially a user name. What you need to authenticate is either a password or a combination of password authenticator artifact or biometrics.

      A solution that ditches the card altogether and just requires you identify the account (card) number to let the merchant know what account to request, then the bank contacts you with a one time code to validate the transaction would be better by far that trying to make the card harder to duplicate. This could be done with a card and phone (they SMS you the code) but would be better managed by a a smartphone app, which can require you to log in with a comparatively strong password. If your phone has strong security built in you can make it more convenient with things like using a fingerprint to authorize the phone to use your stored password to log into the app or having a weaker PIN for the phone and relying on the retry limit to brick the device in a brute force attack.

    16. Re:chip ? by AmiMoJo · · Score: 1

      Millions of people use their phones for payment already, not bothering to carry backup phones/cards/batteries etc. It's been working well for over a decade. Maybe your problem is you buy crap phones where the battery doesn't last three days on a charge.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:chip ? by BarbaraHudson · · Score: 2

      I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head. Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited. No more muggins as it's quite hard to carry 2-3 severed head with you.

      Joe Pesci would like a word with you. "Only 3? What a piker. Try 8."

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    18. Re:chip ? by BarbaraHudson · · Score: 1

      So you're in a large store and you don't have reception - no purchase for YOU!

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    19. Re: chip ? by nehumanuscrede · · Score: 1

      Yet, they all willingly carry a cell phone.

      The " Mark of the Beast " is easily the Mac address or ipv6 address of your phone. :|

    20. Re:chip ? by rowls66 · · Score: 1

      The phone is also a really bad option in other ways. It is a multi-function device running all kinds of software from many sources. Some of that software could be malicious. Securing a phone is potentially very difficult. A card is a single function device devoted to authenticating the card hold for financial transactions. I think that from a security standpoint, a chip card is a better option. For convenience, the phone might win.

    21. Re: chip ? by aristotle-dude · · Score: 1

      Yet, they all willingly carry a cell phone.

      The " Mark of the Beast " is easily the Mac address or ipv6 address of your phone. :|

      Sorry but I am not seeing the connection. You do not have to have a cellphone and it is not required to buy or sell things. It is a tool of for communication and not identification. The IP or MAC address is tied to the device, not you.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    22. Re:chip ? by aristotle-dude · · Score: 1

      I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head. Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited. No more muggins as it's quite hard to carry 2-3 severed head with you.

      Pretty sure the xians will say this is the Mark of the Beast. But if it will bother them, then I am down.

      A couple of points. 1. What is an xian? If you are going to talk about a group, try to use the correct terminology. 2. Why do you have such a low self worth that you would want to be branded as a slave because you think it might piss some other people off? Have some self respect. You are a human being not cattle.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    23. Re:chip ? by Darinbob · · Score: 1

      Because it's not a perfect solution either. Chips are feel good solutions though, let the customer think that they have security.

    24. Re:chip ? by Darinbob · · Score: 1

      The mark of the beast, but with a CRC at the end!

    25. Re:chip ? by Darinbob · · Score: 1

      "X" has been a shortcut symbol for "Christ" for a thousand years. So saying "Xmas" is not an attack on Christmas like some want to claim.

    26. Re: chip ? by qbast · · Score: 1

      No sell for the store you mean.

    27. Re: chip ? by david_thornley · · Score: 1

      The " Mark of the Beast " is easily the Mac address or ipv666 address of your phone. :|

      FTFY.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    28. Re:chip ? by vandamme · · Score: 1

      That's a Greek letter Chi, first letter in Christ.

  5. Diebold by Anonymous Coward · · Score: 1

    The same guys who did the awesome voting machines? I'd trust my cash in their hands no questions asked! Or really not.

    1. Re:Diebold by Z00L00K · · Score: 1

      I agree there - as soon as I saw Diebold and NFC I realized that this is going to be really bad.

      Not that magnetic strips are good either, they should have been killed a decade ago. All cards I have are chip cards, and any point of sale here in Sweden have a chip reader.

      For Iris scan, just watch this scene from the movie Demolition Man.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Diebold by tetraverse · · Score: 1

      @Zoolook: "Not that magnetic strips are good either"

      The original idea of using credit card numbers embedded in a magnetic strip for online financial transaction - the dumbest dumb idea ever. No doubt, done this way to save on money. Greed is good !

      As for biometrics and iris scan, once these are hacked you're in an even worse situation. As you can't get re-issued new irises or fingerprints. ref

  6. Sigh. by Erik+Hensema · · Score: 1

    You guys at that side of the pond still use magnetic strips?

    Just use standard PKI. It's secure, it's easy and it's standard.

    Create a key pair for each customer. The private key is protected by a pass phrase (also known as a PIN code). Distribute the key pairs along with the bank's public key on a chip which does the encryption/signing.

    Now go the the ATM or POS. Enter the card with the chip. Unlock the private key with the PIN. Let the card encrypt a message to the bank using the bank's public key and signed by the customers private key.

    It's not rocket science. And to the end user it works exactly the same as before. It's cheap too.

    --

    This is your sig. There are thousands more, but this one is yours.

    1. Re:Sigh. by wardrich86 · · Score: 1

      Canadian here - we've been using Chip since at least 2008/2009. USA is still stuck in their old ways. I assume they'll start using chip when they start using the metric system.

    2. Re:Sigh. by slashping · · Score: 1

      At the same time, maybe they'll do electronic bank transfers and git rid of personal cheques.

    3. Re:Sigh. by LMariachi · · Score: 1

      We're in the midst of transitioning right now.

    4. Re: Sigh. by illogict · · Score: 1

      That’s because cards delivered in the USA are set to prefer chip + signature instead of chip + PIN.

  7. Stuff biometrics by TractorBarry · · Score: 1

    There is no way in hell I'm having biometric identification for anything. I'm not about to have my fingers cut off or eyeball pulled out so some some crook can make off with my stuff.

    http://www.theregister.co.uk/2...

    Damn fool idea and probably being pushed more for the use of such data to build a huge database by ye olde 3 letter agencies than for any "security" reasons..

    --
    Sky subscribers are morons. They pay to be advertised at !
    1. Re:Stuff biometrics by david_thornley · · Score: 1

      Not to mention that you can't revoke more than two retinas in the key repository, or that you can't get your money when you desperately need to pay for retinal detachment surgery.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  8. DIEBOLD ??? by rickyslashdot · · Score: 1

    ummmm, I seem to remember something about this company's decidedly insecure attempt to make voting machines.

    --
    redneck geek
  9. Yesterday tech coming real soon... by Macfox · · Score: 2
    All this is pretty much available today outside the USA. Mobile or web App generates code. Anyone with the code and the value can visit the participating ATM and withdraw the cash within a few hours. The app even gives you the option to SMS the code. Same apps even support NFC, so the phone acts as the card.

    The majority of the big banks in Australia have been offering these facilities or similar for 2+ years

    Given the popularity of the Magstripe in the US, even after all these years, any advancement seems revolutionary I guess. One would think a possible reduction in fraud would drive even modest initiatives, like Chip+PIN adoption.

    --
    Area51 - We are watching...
    1. Re:Yesterday tech coming real soon... by Nidi62 · · Score: 1

      It's been a common problem in Atlanta where crooks follow someone with a nice car home, then jump them and kidnap them in their driveway, take them to an ATM and empty their account.

      Things like that have been happening here for years. I remember about 8 years or so ago they arrested a bunch of kids right before school in the parking lot of the high school I used to go to. They would watch people at ATMs withdraw money then follow them and hold them up (believe they were using a BB gun though) and rob them. This wasn't even in Atlanta, it was in East Cobb (admittedly I went to school on the border of East Cobb so we had plenty of rougher, poorer areas in our district too).

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:Yesterday tech coming real soon... by Darinbob · · Score: 1

      I would not trust a phone to handle anything to do with money, ever. When I see a vendor with an iPad with a credit card reader, I pull out cash instead and use that.

    3. Re:Yesterday tech coming real soon... by Darinbob · · Score: 1

      Chip+pin doens't reduce fraud claims because it doesn't reduce fraud.

  10. Nice try... by shellster_dude · · Score: 1

    It'll be a cold day in hell before I willingly give my biometrics to my bank, my government, or a private agency. For one thing, I can't change them if they get stolen.

    Secure payments is a very solve-able problem. The only reason it hasn't been solved yet is the reliance on old technology and infrastructure. The two primary problems are a lack of instance validation, and static card information.

    Here's one answer:

    Bank issues card with a chip. The chip has the bank's public key and a unique private key that the bank installs on the card, then keeps the associated public key. Encrypt the chip key with a 4 digit pin, or a real password. Now the payment process is a public / private key asymmetric encryption process. The card chip encrypts the transaction details, and a nonce that the bank sends (encrypted). If you need to support offline card use, then every time the card is plugged in to an online system, have the bank send down 50 or so nonces that are encrypted and have the card chip store them encrypted locally. That way, if the terminal doesn't have direct network access, the card just uses and burns the next stored nonce. If the terminal needs to store information, it can wrap the card's encrypted information in it's own public/private key encryption that it passes to the banks.

    The biggest remaining issue is key exchange, but in the case of the end user, that only needs to happen when they request a new card. For the the merchants, this can happen in the same process that handles reconciliation with the banks. They can exchange a list of merchant public-private keys as an extension of those protocols.

    1. Re:Nice try... by Darinbob · · Score: 1

      As you say the network is often down or not present. The nonces don't help because the stores themselves are not to be trusted. Stores have hacked the chip+pin systems and skimmed from customers. So nothing has really changed here: in the past the banks have accepted as certain percentage of loss from fraud credit cards, and today the banks accept a certain percentage of loss from chip+pin. You're also assuming, possibly naively, that the crypto systems are written to the highest level of security possible, that the machines are designed to the highest standards with respect to security, and so forth. In practice that is too expensive so short cuts are taken as long as the marketing claims otherwise.

  11. In Soviet Russia ... by maestroX · · Score: 1

    You give money to ATM.

    1. Re:In Soviet Russia ... by BarbaraHudson · · Score: 1

      TD Bank, basic chequing account, $3.95 a month, if you have a $1,500 balance the fee is waived. 4 cheques and 10 debit / atm transactions included at no extra charge (or no charge w. the $1,500 balance). If you need more transactions, just carry around cash - it's still accepted pretty much everywhere.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  12. Chip by Nukenbar · · Score: 1

    While chips have been standard in Europe for some time, I'm starting to see more and more US businesses starting to use the chip in cards over the past 6 months, especially drug stores.

    It is interesting though that many people do not have a PIN associated with these chip cards in the US, so it is still "authenticated" with a signature.

  13. Stupidest idea I've heard all week! by kheldan · · Score: 1

    Get rid of the card

    What if I don't have and don't want a smartphone?

    Also, hasn't it occurred to anyone that this will actually make a 'cyber'-based attack easier?

    Here's a better idea: How about you train banking personnel to be proficient at inspecting automatic teller machines for card skimmers and other physical exploits, and have them do it every time they service or reload the machine? In other words: How about better security? Also, how about multi-factor authentication at ATM machines?

    Come on, people; every other day I read about some new exploit or security vulnerability on any type of smartphone you care to name, and now they want us to entrust access to the cash in our bank accounts to them? Really? Seriously?

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  14. Riiiight by s.petry · · Score: 2

    The only reason people could possibly disagree with Electronic voting machines is because "Luddite", and not because there has been a long history of corruption made-easy by these devices.

    Since this is the 2nd article in as many days on the same subject, basic math shows that there is no benefit in safety using a Phone vs. an ATM card. Both are a single point of failure, protected by a simple PIN (and last I checked Phones don't require PIN numbers). TFA hints at it: The majority of theft from ATM is by physical attack. It is not easy to install skimmers in reputable places, but it's pretty easy to stick a gun in someone's back and tell them to make a cash withdrawal. You won't hear much about the robbery stuff, small does not generate ratings or help the narrative along.

    You increase security by distributing the attack surface and minimizing exposure. Using a phone to generate/receive a timed PIN for your ATM card would be more secure.

    I would rather not tie bio metric data to the verification, and, it can not be checked effectively (consider how your body changes every time you eat something different, or use a different soap, etc..etc..). Too many things can go wrong with that, and again you are only changing the surface not extending the surface. "I have, I know" simply becomes "I have, I am".

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  15. Trust by nehumanuscrede · · Score: 1

    I trust my debit card far more than I trust a mobile software application to interface with my financial accounts.

    Under no circumstances will I use a mobile platform ( regardless of vendor, MS / Google, Apple ) to access my bank accounts.

    Financial transaction alerts are pushed to the phone based on triggers I have setup, but I would never use a smartphone platform to log into nor perform a financial transaction.

  16. Ditch the Diebold by dcw3 · · Score: 1

    Great idea, but not with that company.

    --
    Just another day in Paradise
  17. Re:chip/signature by ShanghaiBill · · Score: 1

    The reason for chip/signature is that it is believed customers will not remember their PIN and won't be able to use
    a chip/pin card.

    That is silly. People use PINs all the time with debit cards. An interim solution would be to allow individuals to enable/disable PINs on their account. I would certainly enable it, for the extra security. My PIN is my wife's birthday, so I have plenty of incentive to not forget it.

  18. Re:chip/signature by nukenerd · · Score: 1

    That is silly. People use PINs all the time with debit cards.... My PIN is my wife's birthday, so I have plenty of incentive to not forget it.

    It certainly is silly; so silly that I wonder if you are not allowed in the US to change the PIN to something easier to remember. The date idea, being four digits, is a good one. I might use dates of battles; a pickpocket, or even someone who knows me, is hardly likely to derive it because (1) He won't know that I use dates of battles and (2) Even if he did he won't know which battle.

    So my HSBC card might be the Battle of Blenheim, and my Lloyds card the Battle of Borodino. Actually, they are not.

  19. Cheap is not so much a factor by OrangeTide · · Score: 1

    A card sized microprocessor that does two factor authentication is a relatively reasonable cost. Interfacing them to existing machines could be done through the mag reader as an interface, or through a new interface. The problem with a new interface is replacing all the terminals to support the new interface, this is the problem that the chip based credit cards are facing.
    Today the cards themselves are replaced so infrequently that I can't imagine cost being the driving force.

    What we already know is that the chip based cards are really slow to authorize. There are other ways to design the architecture so that it can be secure without requiring a constant connection to a central database. For example if banks were to sign my credentials and public key that is present on my card, and the microprocessor internally holds my private key used to challenge and authenticate transactions, then the system would only need to refresh a database of all of the public keys for all of the banks it needs. Realistically that's less than 10,000 banks, and would easily fit in the storage available in a modern card reader.

    (sorry for the armchair architect post - I originally intended to only show that there are many ways to solve a problem)

    --
    “Common sense is not so common.” — Voltaire
    1. Re:Cheap is not so much a factor by peawormsworth · · Score: 1

      ...could be done through the mag reader as an interface, or through a new interface...

      No new standard is required. Many exist. There are standards used throughout the world. Most involve a chip and a pin pad entry. Your bank or banking group simply picks one if it does not already have a proprietary solution.

      ..we already know is that the chip based cards are really slow to authorize.

      That is not my experience at all. Please provide a link to the data you are referencing. Because I think maybe you are just expressing your personal experiences. Perhaps your bank or merchant has installed slow products or uses slow network connections.

      I am guessing that maybe you are from the United States. It is my experience that consumer banking technology in that country is easily 10 years behind the others. I don't know why that is, but I speculate that either the banking cartels in the US are too competitive to come to a single standard that they are have access to, or more likely, the banking system depends on fraud in order to profit from the consumers and businesses who are forced to insurance against it.

      In my personal experience, credit/bank card with chip is the faster than a cash payment. The new swipe technology is fastest. Your suggestion that it is slow or requires new technology is incorrect and I would be suspicious of the source of your information.

  20. Re:Get rid of the card by OrangeTide · · Score: 1

    What I would like to see is a banking app that would run on a phone or on a durable card sized device.
    I'm really not comfortable tying everything to my phone, which is easily hacked or frequently runs out of power on extended trips.

    NOTE: some contactless payment technologies today can be skimmed without contact, using a radio antenna designed for the purpose. (ex: EMV)

    --
    “Common sense is not so common.” — Voltaire
  21. Re:How Bout No by Darinbob · · Score: 1

    But, but... using smart phones is cool! You can pay your bill and update your Instagram at the same time! I can hardly believe how uncool old people are.

  22. Easy ATM opening by etudiant · · Score: 1

    Card skimming is much too piecemeal an approach.
    The preferred technique (well over 100 uses in 2015) in Germany is to hook the ATM to a cylinder of ethylene, add a spark, collect the cash and scram.
    This takes about 2 minutes and produces about 10,000E per application, with about 100,000E collateral damage.
    Best of all, it is not vulnerable to changes in the card technology

  23. Re:chip/signature by Larry+Lightbulb · · Score: 1

    It is silly, but it's also the line that many of the US card issuers are saying publicly - that it's a bonus because it's not yet another PIN to remember.

  24. Re:chip/signature by ShanghaiBill · · Score: 1

    that it's a bonus because it's not yet another PIN to remember.

    I just use the same PIN for all my cards. This might be trivially less secure, but I don't have to write anything down.