Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Chip Card Transition In the US Has Been a Disaster (qz.com)

Posted by msmash on from the ramification dept.

Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new one with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.

11 of 675 comments (clear)

  1. What's the big problem? by Anrego · · Score: 5, Insightful

    As a Canadian I really don't get this. We've had chip and pin here for awhile, and while the initial adoption was a bit rough, it generally works fine.

    Confusing

    Reader says "insert chip in the bottom".
    You insert chip in the bottom.
    Reader says "enter pin".
    You enter pin.

    Painstakingly slow

    I've noticed some readers are slow, but this probably has nothing to do with the chip, the merchant just has a shitty system. If you're talking about the process being slower, ok yeah, by about 10 to 15 seconds or so.

    Less secure than the alternatives

    What alternatives? Getting a signature that no teller ever verifies or checking the name against your ID (which again, never actually happens)?

    Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".

    1. Re:What's the big problem? by Z00L00K · · Score: 4, Insightful

      Which is really seriously stupid since almost anyone can fake a signature.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:What's the big problem? by slimjim8094 · · Score: 2, Insightful

      This is an interesting point. The signature in the US isn't considered an authenticator, it's actually considered agreeing to a contract. If you look at your receipt it probably says "I agree to pay the above amount according to the terms of the cardholder agreement" or something. The idea is (in theory) they could take you to court and say "but you signed a contract saying you'd pay!". If they have someone other than the cardholder in court over that transaction, it's not because of a broken contract - it's fraud.

      In Europe, it is considered to be an authenticator, which really slows things down. They do check the signature vs the one on the card. I guess chip-and-signature at least means that someone can't clone your card and use their signature, at least not trivially. They'd have to get your card and then match whatever was on the card, or erase the signature somehow.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:What's the big problem? by Anonymous Coward · · Score: 2, Insightful

      Nobody checks the signature at time of purchase but if you report a fraudulent transaction and they guy was stupid enough to sign your name, that's forgery which is a felony in most states.. A guy got two years for buying $50 worth of booze with a stolen credit card of mine because he signed it with my name.

  2. This disaster is entirely of your own making by Nemyst · · Score: 5, Insightful

    First of all, "But reading the chip seems to take much longer than just swiping." Big fucking whoop? That's the time it takes for the card to obtain authentication from the bank server instead of the terminal just blindly accepting the transaction. That's already more secure, so stop whining.

    But more importantly, chip and PIN is known to be more secure than swipe and sign. That's not up for debate, it's a fact. Unfortunately, the US, in their wise ways, decided to bastardize the system into chip and sign, removing the vast majority of the additional security for no real benefit. Oh, you can't remember a 4-digit PIN? Tough fucking luck. Instead, you'll probably have to switch to chip and PIN at some point in the future, causing another confusing transition.

    Furthermore, the partial transition, various fuckups and all have largely been isolated to the US. Sure, Europe, Canada and others have also had a few hiccups when moving to the new system, but they had clear, strict deadlines that all providers followed. The US basically let the monkeys run the show, and so it's been a mess of delays.

    You guys fucked up, now you get to live with the consequences. This isn't a failing of the chip system, it's a failing of the US thinking they could half-adopt it. That entire article sounds like entitled whining.

  3. Nope by fireylord · · Score: 5, Insightful

    The whole article just smacks of fear of change frankly. We in the 21st century part of the Western hemisphere have long since done this, and reaped the fraud prevention benefits (read: no significant retail chip and pin fraud, fraudsters forced to try Cardholder not Present fraud, to which there are also pretty effective countermeasures).
        I suspect those retailers still asking for magswipe will be transitioned to chip usage by their card service provider as the fraudsters will increasingly target those that still insist on swipe. The money will talk in this case, however the idea of chip and sign is a bit silly in that it will only stop coounterfeit cards, not stolen cards.

    1. Re: Nope by Anonymous Coward · · Score: 5, Insightful

      Yeah, there are places in the world where "disaster" means something more than just a few seconds of inconvenience at the supermarket.

    2. Re:Nope by west · · Score: 3, Insightful

      Even at the weakest level, EMV adds one important security factor. You can't simply skim a chip card and make a new working chip card.

      Without PIN, chip cards won't prevent the card from being individually stolen and used, but that's not where the industrial level losses were occurring. It had reached the point of being a major business for organized crime, and this will put a serious crimp in it. (When I was more involved in bank security a few years ago, you could find franchising skimmer opportunities on YouTube that were renewed every few minutes as they got taken down.)

      As well, as one wealthy hold-out to chip, the US was attracting the attention of the world's high tech criminals. Since crime migrates to the weakest link, you don't want to be the slowest deer in the herd, which the US was rapidly becoming. (The US punitive legal system had kept the US from being a favored target when other countries had left their doors unlocked, but once there weren't any other wealthy countries with low hanging fruit, cyber crime was going exponential.

      There'll be other forms of crime (crime migrates to different types of crime as well), but few that worked so well on the an industrial scale.

    3. Re:Nope by Dahan · · Score: 5, Insightful

      With no PIN, there is really no major advantage. Steal a card, forge a signature.

      The advantage is that you now have to steal a card, rather than just skimming the magstripe of one. The idea is that the chip ensures that you have the actual card, and the PIN (mostly) ensures that you are an authorized user of the card. In the US, with chip and signature, we don't have that second assurance, but having the first is better than nothing.

  4. The fault lies.... by Lumpy · · Score: 5, Insightful

    Completely at the feet of the banks. They needed to get off their asses and spend a tiny bit of their immense profits to fucking switch over. The banks could send every retailler a new chip reader for every register for free and STILL make record profits every quarter.

    So blame the Banks and the Greedy assholes that run those banks.

    I'm for bringing back all the heavy handed bank regulation from before 1980. Fuck the bankers.

    --
    Do not look at laser with remaining good eye.
  5. What the hell?! by silviuc · · Score: 3, Insightful
    From the article:

    "But, for the less digitally inclined, plastic cards and those tiny metal chips will probably still be pretty cumbersome for the foreseeable future."

    My mom has 70+ years and can shop the any local store with her card just fine. We use chip & pin over here. She can remember her card pin just fine. She's also not digitally or technically inclined. The whole thing takes a few seconds until the transaction is authorized by the bank.

    What exactly is your excuse there, over the pond?

    Banks have been issuing new cards (or replacing older ones) with NFC versions for at least a year. Just bonk and pay.