Ask Slashdot: How Do You Keep Your Credit Card Secure?

It's easy to pontificate about the best security practices -- but the real test is what we do with our own money. Long-time Slashdot reader Keybounce writes: So, like most of you, I recently got a new credit card with a chip in it. I was not worried about that -- I know the chips are harder to copy and counterfeit. But I recently discovered that the card is also a radio card -- swiping it near the screen caused an message to show up on the reader. In this case, it told me to use the chip reader instead, but this means it has an active radio signal, and could be "hacked" -- stolen by someone with the right device.

How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?
At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PIN numbers altogether and now validate with only an electronic signature). Is the answer to just use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?

So leave your own answer in the the comments. How are you keeping your own credit card secure?

Shielding, jamming

[stevel]

Currently I use an envelope that claims to be RFID shielding. No idea if it works or not.

I have backed on Kickstarter an interesting "jamming" solution, Vaultcard, which looks promising.

The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.

Re:Shielding, jamming

I use this: https://www.amazon.com/Alpine-Swiss-Blocking-Capacity-Trifold/dp/B00XQG5F6Y?ie=UTF8&tag=slatmaga-20
If they're honest with their video, you should be in good shape.

Re:Shielding, jamming

[ls671]

I am already using Vaultcard but since I carry the cards close to my genitals, I decided to add a layer of protective gearing constituted of a lead casing. It ended up requiring an additional belt that I wear under my clothes so it is not apparent. It is a little heavy and uncomfortable but in the end I feel safe in all regards and proud to be using the latest technologies.

Re:Shielding, jamming

[cheater512]

https://www.youtube.com/watch?...
https://www.youtube.com/watch?...

Re:Shielding, jamming

[AHuxley]

+1 for shielding. Keep an eye on any outgoing account activity. Find a real bank that has services to protect its customers rather than wait for its consumers to report issues.
Use cash for a lot of smaller transactions.

Re:Shielding, jamming

[swd99999999]

I got a similar style Aplpine-Swiss about a year ago. It's a good wallet but takes several months for the smell to go away. I bought it for RFID shielding but none of my new chip cards have RFID as far as I can tell. I think RFID cards are a stupid idea and should be eliminated. You might want to check your cards first before investing in RFID protection.

Re: Shielding, jamming

Easier still: closed all my bank accounts years ago, reload a pre paid card every few months with a few hundred dollars pay for github, domain registration, etc. I have Fridays off every week and I drive to my local ISP, PUD, and bank to pay mortgage.

Re:Shielding, jamming

[ArmoredDragon]

I wouldn't even fret over it at all, and indeed those little sleeves are a total waste of money.

Current credit card laws limit your liability for fraudulent transactions to $50. But that's not all: Every bank that isn't shitty takes that a step further by making you liable for nothing at all. Really, I haven't even seen a credit card offer that has a non-zero liability clause. I'm sure they exist, but you'd have to have downright awful credit to have one of them as your only option.

That said, a much bigger risk (indeed by far the biggest risk) of getting your credit card information stolen is when you use it to buy something on the internet and the merchant's PCI database is compromised. This has happened numerous times to me, by the way, and you know what it has cost me in my entire lifetime? Not a single red cent.

Typically it goes like this: My bank calls me and notifies me that somebody all the way on the other side of the country in a state that I've never been to tried to buy something expensive on my card within minutes of me buying chips from a vending machine. Obviously something wrong there, so they call me and list the most recent 5 or so transactions and ask me if I made any of them. If the answer is yes, then there's no problem. If the answer is no, they deactivate my card and send me a new one, and have me fill out a form telling them which transactions showed up on my bill that are ones I didn't make. I just tell them which ones aren't mine, and they simply remove them from my statement.

That's it, no problems. The only inconvenience is that I'm out of a credit card for a few days, but that's ok because in addition to my mastercard that I use practically everywhere, I also have an Amex card that I occasionally use for its occasional incentives, and I can continue using it until my new mastercard arrives in the mail.

No need to waste money on a sleeve, and no need to have to pull it in and out of the sleeve when I need to use it.

Re:Shielding, jamming

[ls671]

Just watching the first video and enjoying it for the vulgarization style. It's basically spot on.

What I don't understand is the bozos that implemented this in the first place. The only thing I can think of right now to make it properly is RSA like digital keys, signatures and yes maybe CAs with revocation lists of course and thigh control over the fricking CAs cause it would be hard for customers to allow host key signatures (point of sale) manually.

Of course, that would likely raise the cost of distributing supposedly touch-less cards to customers.

I am getting to the tinfoil part of the video by now. You would be amazed how efficient it is. Back in the Sony Beta video tape recorder era, I had a friend of mine living a few hundred feet from a VHF TV station antenna and the reading heads of his 2000$ (1985) Beta would get impacted by the RF from the antenna screwing up video display.

Wrap the Beta video recorder/player in tinfoil and connect the cage to ground and the problem was gone.

Re:Shielding, jamming

[cheater512]

The chip does mostly use public/private key methods, however the NFC aspect does transmit the magnetic stripe data.
Why? Cause it means they can just use modified PoS machines rather than making new ones from scratch - the existing system needs that data so they made it less secure by keeping it pretty backwards compatible.

Re:Shielding, jamming

[Barny]

Tip, all of these RFID systems (paywave, etc) use a magnetic field to power the device. Simply placing a sheet of tinfoil in the lining of whatever you have the card in (the slot in your wallet/purse) and that field will be suitably disrupted to make them impossible to read.

https://youtu.be/kp63MZ6RudE

The commercial jamming solutions usually use a woven pouch with metal in it. There are also active jammers (see the video) that trigger on the magnetic field presence and then jam the spectrum the cards use.

It isn't quite a tinfoil hat, but in this case it works...

Re:Shielding, jamming

[AmiMoJo]

Do you really think that the banks would have added a feature that makes fraud as easy as pointing an antenna at people walking past? Where are the crime waves of people draining accounts with concealed card readers? How come it's been in use for over a decade in some parts of the world and they haven't noticed this massive flaw in their security?

Unless US banks are uniquely incompetent with their card design I think this is just paranoia, whipped up by click-bait articles.

Re:Shielding, jamming

I decided to add a layer of protective gearing constituted of a lead casing.

How often does it need to be said?

Lead for radioactive shielding, copper or aluminum for RF shielding.

Re: Shielding, jamming

I also have an Amex I occasionally use because it's occasionally accepted.

Re: Shielding, jamming

[nxtr]

Where he lives, contactless card transactions take place through Pocket LINAC technology.

Re:Shielding, jamming

[AmiMoJo]

Bravo sir, I can't tell if this is a joke or not. Of course, the cards don't have a power source so never transmit anything unless introduced to the EM field of the card reader, so your reproductive organs are safe.

Re:Shielding, jamming

[coofercat]

Indeed - all that fraud just gets passed on to the vendor/retailer. Unfortunately, those retailers have absolutely no way to measure the 'fraudiness' of a card transaction, so can't decide to decline something on their own - they have to ask the Bank to make that choice for them. When the bank makes the wrong choice, the retailer pays.

In the UK we have some (relatively new) financial industry rules that include 'treating the customer fairly'. I wonder how long it will be before some credit card banks get held to account on that basis, but until then, banks control everything and pay for nothing.

Re: Shielding, jamming

You don't need a power source. Just a reader. The power from the reader powers the chip. THats the magic of the system. In about 2k, a professor in Oregon/Washington area wrote the first paper on hacking RFD. He had to use a briefcase size device, and could read cards from up to 60 foot away. Much has changed. Now it's a program on an Android phone and a hundred foot away.
Safer? Line your wallet with tinfoil, keep the pins side against the foil. Want really paranoid, there is a foil lined sticker sucker, to place over the connectors. Really really paranoid? Use cash.

Re:Shielding, jamming

"Every bank that isn't shitty takes that a step further by making you liable for nothing at all"

So how many banks does that represent?

Re:Shielding, jamming

[stevel]

Do you really think that the banks would have added a feature that makes fraud as easy as pointing an antenna at people walking past? Where are the crime waves of people draining accounts with concealed card readers?

Why yes, I do. It has been demonstrated numerous times, and is easy to reproduce on your own with inexpensive equipment. The specs are public (have you read them? I have.) Even EMV chips send your card information in plaintext - any encryption needs to be added by the terminal. You may not have read much about it as RFID cards are still uncommon in the US, but that is changing. The specs for this and EMV are more than a decade old and were designed for the banks' convenience, not your protection.

US banks have shown a singular unwillingness to invest in technology that helps their customers. In the US they fall back on "zero liability" terms that mostly shield customers from direct financial losses but then pass on the cost of billions of dollars of fraud to all consumers and merchants.

Re:Shielding, jamming

[stevel]

The chip creates a digital signature for the transaction, but the data is cleartext. EMV makes card cloning much more difficult, but it doesn't protect the data against interception.

Re: Shielding, jamming

[stevel]

The EMV chip contacts have nothing to do with RFID capability.

Re:Shielding, jamming

[stevel]

But consider what happened to me last year on the first day of a two-week international vacation. I got a notice from my primary card bank (Chase) that my card had been compromised and that they would cancel it and send a new one. The problem was that I was depending on this card (which has no foreign transaction fees) and I would be moving around every two days meaning that it would be difficult to get a new card to me quickly. They did offer a compromise - disable any card-not-present transactions and had me list which countries I would be in, until I could return home. I had several online purchases outstanding so I had to scramble to fix those, and even then I missed one of the countries I would be in and had my card declined twice before I figured out the problem.

I am sure this case was a leak from a merchant that stored card data insecurely, or maybe a skimmer somewhere. That card did not have RFID. We really do need to move quicker to a tokenized system. Even so, it was more than a minor annoyance to me.

Re:Shielding, jamming

[kilodelta]

Yep and those protections may or may not exist on debit cards. Mine has that feature of almost zero liability. I like that very much.

Re: Shielding, jamming

That's the dumbest idea ever. Lose your prepaid card and you lose everything.

Re: Shielding, jamming

I also have Fridays off, and I use it to relax and enjoy myself. Your solution sounds absolutely awful.

Re:Shielding, jamming

You are right about this, at least in Canada. Canada's laws require the credit provider to assume all risks, except for that first 50$. That's why banks try to look nice and offer the zero liability clause. 50$ or 0, it's the same for them. In Canada, to protect the card is to protect the bank, not yourself.

Similar regulation may exists in other countries.

Re:Shielding, jamming

[jafiwam]

Disable "card not present" should be available to end user as a check box in their online account settings.

That, and single use numbers for online transactions.

Of course, the banks don't give a shit about security so don't offer that stuff (for the most part.)

I fail to see why _I_ should care if some retailer gets fucked. Maybe the retailer should be pressuring the banks to fix it.

Re:Shielding, jamming

[dattaway]

An easy way to check if the RFID "shielding envelope works is to slide your car's FOB or some other small RFID device in it and test it. NFC devices can be checked with most new phones.

Re:Shielding, jamming

[MercTech]

I'm of a different opinion. I'm not comfortable with someone walking by reading my information. Yes, you can read rfid chips on the fly. Not only credit cards but many driver's licenses and your passport has rfid built in.
    I have a shielding pocket portfolio I use when I travel to keep ID and cards in. If you check the statistics; it is during crowded travel and at popular tourist destinations that the majority of identity theft occurs.

    Now, if you want to shield on the cheap; make your own shield. Aluminum foil works great. There is a certain cachet of using a duct tape and aluminum foil wallet. (Worry if you want a matching hat as a fashion statement) I have a friend with a paranoia streak that glued aluminum foil inside of his wallet. It does shield the contents from an rfid reader.

Re:Shielding, jamming

[AmiMoJo]

So in the US you have vast amounts of walk-by contactless card fraud? How come it doesn't get reported?

Re: Shielding, jamming

[ArmoredDragon]

There are certain things that vendors are supposed to do to protect against fraud, hence they're liable for it in most cases.

This can range from looking at the last four digits of the card to make sure they match what was swiped (prevent somebody from changing the magnetic stripe on a real card to have the numbers of a stolen one instead) to checking ID.

Also in card not present transactions, the 3 digit number on the back of the card should be asked for, because it's not encoded on the magnetic stripe nor on the RFID tag, which means that card skimming (or drive by RFID scanning) should be useless for fraudulent online transactions.

So assuming the vendor does their due diligence, the only way fraud should occur is with a fake ID or if they're an online vendor and somebody else had their PCI database hacked. The latter can be avoided with some common sense (I.e Dell receives a big purchase to a Ukraine address with a US credit card.)

Re:Shielding, jamming

[Lorens]

I can request a non-RFID card. I haven't, I'm thinking of using an RFID shield, but my RFID payments are limited to 20€ anyway.

More worrying is someone reading my card number (snooping camera during a transaction) and using it to buy things on the Internet. Even though there is an SMS verification, it's not always, and my card might get stolen with my phone (which shows text of incoming SMS without having to be unlocked). Theft of card is otherwise not a major problem since you need the PIN. A poor man's solution is to erase the CCV on the back. A better solution is provided by my bank: my card doesn't work on the Internet. Any request made without the card physically present is refused. This could probably be negated by a corrupted payment processor, but it's good enough. For Internet use I use one-time cards provided by my bank website.

Re:Shielding, jamming

[Black+LED]

I have one of these

I keep my passport card in the RFID Safe transparent sleeve and my credit card is in the RFID blocking paper sleeve that the passport card came in, which in turn is in one of the card slots.

Re:Shielding, jamming

what about his precious bodily fluids?

Re:Shielding, jamming

Correct observation, IMHO. New researchers always get surprised by this attitude of the financial institutions.

Re:Shielding, jamming

[stephows]

My Australian bank allows me to tell them online which countries I will be visiting in the near future.
Countries on the list are okay to use the card.
Countries not on the list trigger warnings when the card is used there.
This is done online, so I can update the list when my travel plans change.

Re:Shielding, jamming

[ls671]

The construction actually involves a sandwich type design made of layers of gold and silver + lead. Just to make sure my genitals are safe.

But then again, what if any neutrino or Higgs boson type particle that I am not aware of were involved?

Re:Shielding, jamming

[NotAPK]

It's tricky to shield from ionizing radiation, and unfortunately your layers of gold and lead are not terribly effective at neutron shielding. For example Pb is transparent to neutrons below 0.57 MeV. In addition to poor attenuation, when heavy shielding for neutrons does work, it often does so by becoming radioactive itself, over time creating a gamma emitter right next to your junk!

For ultimate protection, you will find lighter H-rich materials to be much better at attenuating neutrons. I think you should make a wax cast over your genitals (keep the Pb shielding there) or wrap the entire area in many layers of duct tape.

Good luck brave sir!!

Re: Shielding, jamming

[piojo]

I have Fridays off every week and I drive to my local ISP, PUD, and bank to pay mortgage.

That's a pretty high price to pay for what is essentially insurance.

Re:Shielding, jamming

[stevel]

Many banks, including mine, do this as well. But that doesn't help with card-not-present transactions.

Re:Shielding, jamming

The #1 source of credit card theft is when you buy gas and two thieves use phone cameras to snap a picture of both sides of your card when you insert it into the pump.

The truth is that 99% of thieves are not that smart... Only in the movies do thieves have all kinds of high tech equipment.

Re:Shielding, jamming

I worked for a company that sold RFID readers. I sat my wallet on one of the readers and it read all of the chip-enabled cards in my wallet (3 of them). Now, I use tin foil sleeves for all of my cards (much cheaper than the $50 wallet with the foil embedded in it), and try to use cash when possible for purchases.

Re:Shielding, jamming

People probably just report it as fraud not walk-by contactless card fraud. People don't know how their info was stolen, they only see the end result.

Re:Shielding, jamming

So in the US you have vast amounts of walk-by contactless card fraud? How come it doesn't get reported?

Maybe because you can't tell where or how a credit card number is stolen? That should be pretty obvious.

Seriously, it's very easy to build a device if you want. You can buy one pre-made in the right circles for $150 that can grab 15 cards a minute. Just because you don't know about them doesn't make them fake.

Tinfoil

[dimethylxanthine]

Tinfoil around the inside of the wallet. And don't forget the hat!

Re:Tinfoil

I've tested this with mixed results.

I first used a thick piece of foil to wrap my phone, and tried calling it and sending SMS to it. It was pretty much dead. Then I figured that, if it can stop the phone reception, it can definitely protect my wireless credit card inside my wallet. I was wrong. In some cases it does offer protection, but keep in mind that some readers are quite powerful and will pierce through the foil. I'm not certain that the metro station RFID reader I have in mind would actually get anything useful out of it, but it did get a response from the card, and that indicates that tinfoil is not shielding it 100%.

Re:Tinfoil

I've just put all those RFID-card together in the same pocket. The collisions then make them unreadable.
Another option which I have verified to work is a thin sheet of aluminium foil in the outsides of the card-segment of my wallet. Place it such that it's V-shaped and all the cards end up between the legs of the V.

Re:Tinfoil

[Shortguy881]

I use titanium. The wallet is sexy as hell, garners a lot of attention, and doesn't come on a spool in my kitchen.

Re:Tinfoil

Having to use your wallet to garner attention speaks volumes about your level of douchiness.

Turn it off

[Mikkeles]

We just asked our bank to have it deactivated and they did.

Re:Turn it off

[stevel]

That does very little good. The info that can be obtained with a reader is still usable for making charges to your account.

Re:Turn it off

[Wrath0fb0b]

Not even remotely true. The information that can be obtained with a reader does not contain the actual keys (!) that would be used to sign a transaction.

You could actually read about EMV, the specification is public. It's fairly clear you haven't.

Re:Turn it off

I've deactivated it by cutting antenna.
Some cards will reveal it over bright light. With others - you might need to check the net for x-ray of your bank's cards.
Knowing where antenna is, just gently cut through wire(s) far from the chip. No cut through is necessary - just cut one side deep enough to cut wire.
In case of my card, 1mm long cut was enough. Well placed - near the magnetic strip - it is nearly invisible, so little risk of "overdoing salesperson stopped my card saying it is damaged".
Of course there is a trade-off. You lose ability to pay by paywave/paypass. No problem for me - as I use chip&pin card for many years; but those allergic to remembering and entering pin should re-consider.

Re:Turn it off

[mjwx]

Not even remotely true. The information that can be obtained with a reader does not contain the actual keys (!) that would be used to sign a transaction.

You could actually read about EMV, the specification is public. It's fairly clear you haven't.

Actually, it contains your card number, name and expiry date.

Everything you need to start making transactions online.

I have to wonder why people still think that card cloning is a credible threat these days... Card fraud moved online years ago, far better return on effort.

Re:Turn it off

[Malc]

When I discovered about five years ago that my contactless card interfered with my Oyster card, and just asked the bank to replace it with an non-contactless one. I hate fiddling around trying to find my Oyster card and prefer to just tap my wallet as I zip through the gates on the Tube or getting on a bus.

The other thing to do to keep your card secure is to minimise your usage. I stick to cash as much as possible which reduces the chances of it being copied and makes it easier to review transactions for something dodgy. The added benefit is better control of my money (I don't seem to spend as much), and as I've never got used to contactless I don't feel like I'm missing out on anything.

Re:Turn it off

It doesn't include the CVV2 that will be requested even by very low risk online retailers. You might be thinking, "But this field right here is labelled CVV" and it is, but there are like four CVVs for a modern card, and that's the wrong one. The one you need online is CVV2, which is the one written on the back of the card but not stored on the card itself.

This happened because cards _used_ to have just one CVV, baked into the magstripe, so you could tell you had a "real" magstripe read, not one based on just reading the digits off the card, but if people got the CVV elsewhere they'd fake that out. So the "fix" was to have a different value for CVV in each place, and check you got the right one. So there's a CVV for EMV chip transactions, a CVV for the magstripe and one written on the card for online.

Re:Turn it off

You MUST read your statements because any VISA retailer, anywhere in the world, can tell VISA "Oh, this 16 digit card was used in my store, and I want $100" and they will just add that to your statement and bill you unless you protest. VISA does not give a shit whether there is even the slightest evidence the charge is legitimate _unless_ you say you didn't do it.

Credit Cards have two separate processes. Authorization is the first, it's the one with chips and PINs, and CVVs and checking your address matches, and a typical retailer wants nothing to do with you unless they can successfully complete Authorization. This step exists _purely_ for the retailer to obtain proof you authorized the transaction, the VISA network doesn't need it, doesn't care about it, unless you dispute.

Settlement is the second step, it has no security whatsoever, it's purely on the word of the acquirer and it's the step where your money is taken. All they need to provide are the card numbers and the amounts they want to get paid. If there's Authorization but no Settlement, you don't pay a penny in the end. But if there's Settlement but no Authorization, your money is GONE unless you say "Hey! I never agreed to pay that".

For a huge fraction of transactions nobody has any actual proof. Even if it's a legit transaction where you presented your card, often they screwed up and threw away the proof, or they typed in the wrong amount and then later "fixed" it and billed you a different amount. And because Settlement has no security, they get their money anyway. UNLESS you say you didn't agree to pay, and then VISA sighs and says "Hey, where's the proof?" and the retailer says "Oh, whoops, we don't have it" and you pay NOTHING.

So, that's the only thing you need to know about Credit Cards, READ every statement, DISPUTE anything you're concerned about.

Re:Turn it off

[stevel]

Pretty much every week I place online orders with merchants that don't ask for CVV2. While it is true that the RFID data doesn't include CVV2 (it has a digital signature code created by the EMV chip), what is sent is MORE than enough to commit wide-scale fraud.

Re:Turn it off

wrong.
Track data can be easily retrieved.
No need to sign anything. Same goes for expiration date.

Then all you need to do is to burn a magnetic card with that info, or worst, online purchase .

Re:Turn it off

While the info from the rf chip cannot be used for an emv transaction, it can be used for unline transactions or manually keyed transactions, or to create a fake card and do mag strip transactions.

Re:Turn it off

[The-Ixian]

so little risk of "overdoing salesperson stopped my card saying it is damaged".

FWIW, I have been using a mag stripe AMEX card for years (and the exp is still over 4 years in the future) that is damaged pretty badly and is being held together by cellophane tape and super glue. On top of that, the bag stripe itself has a few big gouges in it and the signature area is all but worn off so you can't make out a signature any longer. Yet I still use it almost daily and nobody has even batted an eye at it.

Re:Turn it off

If you don't like the chip, then you definitely should be worried about the magnetic strip. Swiping is not secure, a 3rd party can sneak a sensor into the swipe area and read your card number. A counterfeit card can easily be made using a kit like the kind hotels use to make room cards. The thief or thief's customer can then use your card at self-checkout lanes or kiosks. Happened to me a few weeks ago, wasn't liable for any of the charges, but still annoying getting your card frozen and switching over all your auto-pay accounts to the new one.

Re:Turn it off

I thought that one gets penalized for not submitting the CVV (I believe it is $0.09 per transaction) but the transaction sails through if other pertinent data are correct. There are many fraud checks at the various hops along the way but it all depends on what the various hops signal along the way. Sometimes sales/marketing folks get upset when an online order is not accepted and thereby unwittingly contribute to fraud by being a little careless about the workflow.

Re: Turn it off

[jofas]

No, that is not how RFID transactions work at all. There's a one-time token system which makes man in middle hijacking very very difficult. Your skimming machine would have to be effectively able scan your card and use your token before you complete the transaction yourself. Tokens also expire very quickly, so the likelihood of your card getting skimmed by RFID is very very low. I'm not sure why Americans are so honed in on the security of RFID when the internet is literally rampant with PCI compliance problems and exploit fraud. RFID transactions can also be disabled by the card issuer, it's part of the spec. Any carrier who says they can't is lying. RFID transactions work well and are optional.

Re: Turn it off

[stevel]

You misunderstand the threat. It is not that an attacker uses MITM to relay the data, though that has been demonstrated. The threat is due to the cardholder data (name, account number and expiration date) being readable in plaintext from hundreds of meters away using readily available and inexpensive equipment. This data can then be used to perform offline transactions or other identity fraud ("what are the last four digits of your credit card number..." sort of "verification" questions.)

Even just knowing the name of a cardholder passing by could be a security risk (ask in nearby hotel for the room of Jane Doe, etc.)

Re:Turn it off

Apple doesn't require ccv2. Steal some credentials and go load up at the apple store.

Pay Cash for everything!

Pay cash and stay anonymous!
 
// Dammit! They can track the serial numbers. Doh!

Re:Pay Cash for everything!

Pennies don't have serial numbers...

Actually, after getting screwed at a gas station, (Somehow I managed to fill up the tank on two cars at the same time...), I cut up my Credit Cards inside my issuing Bank in 1994, and I've gone Cash ever since. They've known me as a customer since 1976, and I go to the same Teller since 1991; she lent me her scissors.
Oh, that doesn't mean that I haven't been scammed; Amazon actually has a few times- I send the packages back followed with an email reminder that I'm record as not being a customer of theirs, and don't let this happen again.
I make _all_ purchases in Cash, and the motto that Cash Is King in purchasing is quite true. (I still pay Utilities, Taxes, and a Marina Bill where I keep my Megayacht, that I bought with cash, by check. I'm not a believer in Autopay either.)
Occasionally, I have to make a large purchase; a couple of weeks ago it was for $4200. It pays to be cautious- the Bank recorded all of the serial numbers, and so did I. I knew the Seller; we've done business before. But it's as much for their protection as mine. They may be the one that gets mugged.

There are those that say that I'm suspicious and old-fashioned. That's not really true. I in my lifetime have _created_ the State-Of-The-Art in several fields. Suspicious I am, Mom being dead had not much say in the creation of new Credit Cards that looted her Estate. (Inside Job at a distant Branch.) But perhaps the greatest charge against me is that I enable Crime. That is, Inside Crime, the kind that sees $20 bills escaping Cash Registers, to which I reply, "That's not my problem." There is also the Underground Economy; within two or three transactions, cash may make possible the purchase of naughty goods. "Again, not my problem. Oh, want to look over those Serial Numbers once more?"

But I also look at it this way; if I spend say $50K a year in cash, that's what, $2000 that doesn't go into the Credit Industry profits? And that's not my problem either.

Re: Pay Cash for everything!

[Fwipp]

Get a load of this guy.

Re:Pay Cash for everything!

Whoa, whoa, whoa! You haven't been taking your meds for a few days, have you?

Cash is King!

[RodyMcAmp]

Cancel and cut up all credit cards and use cash.

Don't care, not my card, card issuer's problems.

I could care less. If I see fraudulent transactions I call AmEx and I get a replacement card next morning. No need for me to go out of my way to keep a card that provides access to someone else's money secure.

I don't

[Pulzar]

It's really not my job to go the extra distance to improve their security. The card is the way it is, and if it's good enough for the banks, it's good enough for me.

I've had the card cloned a couple of time in the last five years, and it was never more than a minor inconvenience. Call the number in the back, tell them that I didn't spend $2000 on a strip club in Mexico, and they send me a new one.

Re:I don't

[OzPeter]

I've had the card cloned a couple of time in the last five years, and it was never more than a minor inconvenience. Call the number in the back, tell them that I didn't spend $2000 on a strip club in Mexico, and they send me a new one.

Or in my case, get an email from Amex basically telling me, "we didn't think you spent $2000 on a strip club in Mexico, so we have blocked that transaction for you. We'll be sending you a new card".

Re:I don't

[JoeMerchant]

Same here, I secure my card by handing it to waiters in restaurants who disappear with it, using it in retail stores where employee turnover is atrocious, and shopping on the internet. About once every 4 years (on average) we get a charge we didn't make on the bill, we tell the company ASAP and it gets reversed and we get a new card number.

We were included in the recent Target and Home Depot attacks, nothing happened until about a month ago, then we got a $900 charge from COSTCO - impressive since we don't have a membership.

Re:I don't

Maybe you have a CostCo membership now.

Re:I don't

This was my thought too. Just look over the monthly statement. If something is on there you didn't actually buy, call the bank and file a report. They'll send you a replacement card. I have had to make a few fraud reports (none of them with a chipped card) and they were all sorted out in a few minutes.

Re:I don't

Or in my case, go to a strip club in Mexico and then call the number on the back telling them I didn't visit a strip club in Mexico and have them send me a new card.

Re:I don't

[jbmartin6]

I great illustration of how risk management is the best security strategy. No risk to you, and there's no need for security. Of course, that only applies to you, not the bank.

Re:I don't

[guruevi]

There is no risk to the bank either, only the merchants get to eat the fraud.

Re:I don't

I've had the card cloned a couple of time in the last five years, and it was never more than a minor inconvenience. Call the number in the back, tell them that I didn't spend $2000 on a strip club in Mexico, and they send me a new one.

Or in my case, get an email from Amex basically telling me, "we didn't think you spent $2000 on a strip club in Mexico, so we have blocked that transaction for you. We'll be sending you a new card".

Uh-huh. And if the charge was legit, you now have some 'splainin' to do to some large and unfriendly bouncers. And are in Mexico with a deactivated card.

Re:I don't

[ShanghaiBill]

Don't they kick you out when the transaction is denied?

If you are paying $2000 in Mexico, you are going to the wrong strip clubs. Try walking more than 1 block from the border.

Re:I don't

[bigdavex]

I've had the card cloned a couple of time in the last five years, and it was never more than a minor inconvenience. Call the number in the back, tell them that I didn't spend $2000 on a strip club in Mexico, and they send me a new one.

They might not buy it a third time.

Re:I don't

[uncqual]

Just make sure to remember to put your plane ticket to Mexico on another card!

Re:I don't

[apoc.famine]

That's the way I secure it, with one addition: I have a local credit union that prints cards on demand. I see a fraudulent charge, wander down on my lunch break, sign a form, they print a new card, shred my old one, and their website even notes things that look like reoccurring charges and nudges me to update my card for those places whenever the number changes. Hard pressed to beat service like that!

Re:I don't

[jhecht]

You're pretty damn lucky. For the past few years we typically have had 2-3 cards hacked a year, with those from Bank of America most likely. No chip cards hacked yet, but I suspect that's only a matter of time. We were caught in Target, Hannaford and Home Depot hacks, among others.

Re:I don't

[JoeMerchant]

Well, if you've got a bad taste from BoA, why not try switching? We've been happy with PNC, and similarly happy with the GM Card through Household bank before that (until we realized that we are likely NEVER going to buy another new car again, and if we do it probably won't be a GM, so that $5K perk balance was actually worthless.)

Re:I don't

Call the number in the back, tell them that I didn't spend $2000 on a strip club in Mexico, and they send me a new one.

The best part is you got $2000 in hookers for free. Gotta love credit cards. If you have no conscience, they're the best thing that could happen to you. Max them out, buy property, declare bankruptcy, and you legally just made $80,000-200,000. depending on your credit rating. Easy money.

Re:I don't

[dbIII]

I think it's a guess for a quick theoretical example.
My guess is they wouldn't take anything that could be blocked but I don't really know either.

To paraphrase a comic I roughly remember:
"You'd even give the vote to soiled doves?"
"It would help with economic policy. Cerberus has never met a whore who would abide credit."

Re:I don't

[Hank+the+Lion]

And, as a result, the merchant will need to increase their prices to stay profitable.
In The Netherlands, most people I know don't have a credit card, but a debit card with chip and pin.
Guess how many fraudulent charges most of us get per year (or even in our lifetime): none!
Most people here act as if credit card fraud is a given, but only a minor nuisance.
They ignore that in the end they will bear the cost nevertheless, and that it is preventable.

Re:Easy

[Lord+Crc]

If you cannot afford to buy something with cash, then you can do without it.

There have been serious suggestions here in Norway to forbid cash payments for various things. This includes buying tickets from bus drivers, paying at restaurants and for purchases above some threshold (think 2000 USD and such).

The bus drivers don't want to have cash because of robberies, the tax administration wants to make it harder for restaurant owners to cheat, and the police wants to make it harder to launder money.

We're not there yet, but I'd say it's coming soon.

Re: Easy

Sorry you're poor. Are you at the library right now using their internet?

Random

A few companies let you create a new credit card on every purchase. The number is good for 1 purchase.

Re:Random

Which ones?
I've been wanting this feature for ages--seems like it would perfectly solve the issue--at least for the consumer. For the providers they would have to deal with churning through numbers a lot faster--but sounds like a problem they only have to solve once.

Both single-transaction numbers and/or single-merchant numbers would be great.

Re: Random

I have a BoA card that has this option. It's a holdover from when BoA bought out MBNA. I don't know if it's a regular deal on their accounts.

It is really nice to get a 1-time number with a set limit when buying online, or over the phone. Just this summer I got a notice when a contractor tried to put through a 2nd charge on the number I'd given them over the phone.

Re:Random

[uncqual]

Both my Citibank and Bank of America cards have this feature. Set the limit and the expiration date. Only the merchant who initiates the first charge can charge to it again (I don't think either one offers "allow only one charge" though). You can close the number at any time.

Hole punch

[NiteMair]

When I last had a card like this, I just took a hole punch and punched out the RFID chip. they're pretty easy to locate (small square divot, usually right near the RFID symbol printed on the back of the card). You can also pry them out easily with a razor blade if you don't want a hole all the way through the card.

Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.

Re:Hole punch

[stevel]

Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.

You are mistaken - the RFID chip is connected to the EMV chip - may even be the same chip nowadays. This wasn't always the case, but is now. The RFID data includes an EMV-derived authentication code like the CVV.

This had all been theoretical for me until Costco replaced my Amex card with a Visa that had PayWave (RFID). I did a LOT of reading then!

Re:Hole punch

[lucm]

PayWave is awesome. You just tap the card on the terminal (or near it) to pay, no pin, no signature.

Of course some people will freak out, just like they freaked out when chips came out ("what the devilry is this!"), but it's hugely convenient. Credit cards companies already have very customer-friendly policies for fraud and scams, this is just making things even easier with no risk for the card holders.

I've learned from past experience to have 3 credit cards: 2 in my wallet, 1 at home, that way if one gets compromised I have options until I get a new card. That's a minor price to pay for the convenience.

Re:Hole punch

[stevel]

PayWave is awesome. You just tap the card on the terminal (or near it) to pay, no pin, no signature.

That it is - I have used it once so far, at a Walgreens, and it was very speedy. Not too surprising as it's effectively the same as swiping - there's no challenge-response sequence as there is with a chip-based transaction. Indeed, Visa's specs for PayWave require a response in half a second.

That said, I very much prefer tokenization systems such as Apple Pay and I find that is almost as fast as PayWave. (PayWave is Visa's brand name for RFID transactions - other card issuers use different names, but the underlying technology is the same.)

Re:Hole punch

[AK+Marc]

My EMV chip is broken, probably from flex of the area of the card with it. The Pay Wave still works fine.

Re:Hole punch

[FrankHaynes]

That ease of PayWave sounds like it makes an ideal target for the attacks listed upthread. What's to stop someone with a hand-held RFID reader designed to lift data or even run fraudulent transactions as they pass you in a crowded store or subway or whatnot? You might even get a free grope if you keep your wallet in your back pocket.

Re:Hole punch

[dbIII]

PayWave is awesome. ... I've learned from past experience to have 3 credit cards: 2 in my wallet, 1 at home, that way if one gets compromised I have options until I get a new card

Not exactly selling the idea well there.

Re:Hole punch

Welcome, America, to the rest of the world, 2005. We've had RFID and tap-to-pay for a very long time and it's significantly more secure that a ludicrous magnetic strip, circa 1950. CC theft, directly off chips is almost 0. Car skimming of magnetic strips is only still a thing because the US still uses them.

Re:Hole punch

[locofungus]

I think with modern cards there is only one chip.

But cutting the aerial is enough to disable the RFID features:

http://www.woodall.me.uk/barcl...

Re:Hole punch

So You are 3x 1diot. Where do You live?
You misunderstood what others are telling You. If You live with caws on the field, don't worry, no one will stole Your money. If You live in a busy town with public transport then You have to reconsider...

Re:Hole punch

[TheRaven64]

If it works anything like the contactless system in the UK, then the thing that's stopping it is that this kind of attack is basically the same as stealing a card and replacing it in someone's wallet with a piece of paper containing your name and address. The number that's generated is valid for a single transaction of a specified amount with a single merchant, as part of a challenge-response protocol. If the transaction goes through, then the bank will record the recipient of the money. If a lot of people notice fraudulent transactions going to you then you're likely to get a visit from the police. Oh, and you won't even get to keep the money, because there's a delay between people spotting the transactions and your being able to get at the money.

Re:Hole punch

The EMV chip processes 2 way dynamic information. The RFID chip sends static data that is stored on the chip. The chips are physically located on different parts of the card, do not send the same data, and are in no way connected to each other by anything other than plastic.

Re:Hole punch

[Keybounce]

Funny; guess WHICH card it was that prompted me to write in to Slashdot about this :-)

Re:Don't care, not my card, card issuer's problems

[mattwarden]

Exactly. Why is this my problem? I am not liable for fraudulent charges.

I find it easier to mitigate the damage.

[Nyall]

I've watched my friends get hacked countless times. In the end everything gets taken care of, but for those few days while everything is cancelled or locked down they're broke. Which makes it hard to buy diapers. But fortunately they've got family in town. (I keep lecturing them about using cards at gas stations...)

I've been the victim of credit card fraud once. But I've had cards preemptively cancelled multiple times because they were used at companies that got hacked (target, home depot, etc) I've also had cards cancelled because the issuer (usaa) was switching from mastercard to visa. Sometimes you get notice. Sometimes you don't

So my solution is to keep multiple credit cards and multiple ATM cards. Two of which are normally left at home. Or if I'm travelling the backup cards are deep inside my backpack. If I get hacked or lose my wallet I still have options to pay for things.

Re:I find it easier to mitigate the damage.

[jedidiah]

Well, you simply need to be prepared for disasters. That's all there is to it. Your entire bank can get shut down. You need a plan for when this sort of thing happens. Don't keep your eggs all in one basket and keep some cash around.

Why?

[AK+Marc]

I don't bother. The number of attacks in the wild is still essentially zero, and I'm indemnified against all loss. It might be inconvenient, but it's not a loss. So it's not worth my time and trouble guarding against.

I might worry about it if I were to go to the Olympics or something else with lots of international tourists, the best ones to skim, but for regular everyday use, the chance of you being skimmed rounds to zero, and if it does happen, you are blameless.

Re:Why?

[fustakrakich]

And the fees/interest? Are they essentially zero?

Re:Why?

[apoc.famine]

For me, yes. Local credit union. 1% cash back on everything, no annual fee, low interest on the card. I make $50-$100 a year from using my credit card. The wedding year we broke $200. My cards have been compromised a number of times in the last year or two, and it seems to be a mixture of local skimmers plus Russian gangs brute-forcing card numbers. I had a brand new card used to buy $35 of McDonalds in St. Petersburg before I had used it more than 2-3 times locally, which leads me to believe that there's some brute-forcing going on.
 
They print on demand, so I walk down at lunch, fill out the fraud form, they shred my card, print a new one, and I'm on my way 15 minutes later. That night their website notes that my card number changed and some reoccurring charges are possibly tied to it, and nudges me to update my card anywhere it's used.
 
I haven't used a bank in almost two decades, and I don't see myself using one anytime in the near future. Until they offer service and rates that beat my credit union, no reason to bother with them.

Re:Why?

[AK+Marc]

Interest is zero (when paid off every month). Fees are zero, unless you are getting cash back/out (not counting merchant fees, paid even if you pay cash, in most places). $0 to fight a bad charge, usually reversed when first noted, and in limbo until settled.

Where are you paying money for your cards/accounts?

Re:Why?

[mjwx]

For me, yes. Local credit union. 1% cash back on everything, no annual fee, low interest on the card. I make $50-$100 a year from using my credit card.

LoL...

You actually believe the bank is giving you free money? Where do you think this cash "back" coming from?

No, I can already tell that you have no clue. So let me hit you with the clue by four.

The cash "back" actually comes from you. You see the banks figured out long ago that they can charge you as many fees as they like as long as you don't know you're paying them. They know if they charge you for using it, you wont use the card so instead they charge the merchant for accepting the card. Then they put these little "incentives" to encorage you to use it and make you get angry at merchants who dont accept cards.

You see the thing is that the merchant pays 2-6% for accepting the card which, by the terms of his agreement with the banks, he has to build into his prices. So you're getting 1% back of the up to 6% you're spending to use the card.

And the best part, the sheer Machiavellian brilliance of it is that you'll sit there and defend it until you're blue in the face because you've never been a merchant and have no idea how bad the fees are.

When I ran a business, accepting credit cards dwarfed my staffing costs.

Re:Why?

When I ran a business, accepting credit cards dwarfed my staffing costs.

That's nice to know. And did you incentivize your customers to pay cash by giving them a lower cash price?

Re:Why?

[Dr_Barnowl]

You know businesses pay a percentage to handle cash as well, right?

Here in the UK you can get a business account that provides free handling of automated transactions if you have a slightly elevated cash handling rate. The rate for a normal "cash handling" business is 4.8-6.2%

Now, I get that you can avoid some of that by paying your suppliers in cash, etc. But it's a myth that cash payments are inherently advantageous to all merchants.

Re:Why?

[apoc.famine]

You actually believe the bank is giving you free money?

Credit union.

The cash "back" actually comes from you....they can charge you as many fees as they like...

Yeah, but no. I pay $0 a year to have my accounts with my local credit union. $0 in fees. $0 in interest on the credit card because I pay it off monthly. $0 for them to print and mail a check to anyone for any amount I specify, and $0 to even schedule reoccurring payments this way. $0 to transfer money to anyone else in the credit union. $0 for a credit report. The only money I have ever given this credit union is $5 to open each account I have with them. And $10 for a cashier's check once. They cover their costs with their piddly interest rates, which aren't any better than any other banks in the area due to the federal rate being so low.
 
I just don't get how the world is happy with predatory banks who do the sort of crap you're ranting about. You don't even seem to understand that other types of financial organizations exist.

You see the thing is that the merchant pays 2-6% for accepting the card which, by the terms of his agreement with the banks, he has to build into his prices. So you're getting 1% back of the up to 6% you're spending to use the card.

And here is where you turn out to be a fucking dumbass. Because unless the merchant is giving a 2%-6% discount for using cash, which none are that I run into with any frequency, it doesn't matter what form of payment I use.

When I ran a business, accepting credit cards dwarfed my staffing costs.

Your clear lack of Econ 101 might be the reason you no longer run a business, if you ever did. No business takes their operating costs, pads a percent for profit, and then adjusts that price when things like merchant fees change. You charge what the market will bear. That's absolutely basic, day one, economy and statistics stuff. Is the merchant fee a negative hit on your profit for goods and services? Sure as hell is. Might it make the cost of what you're offering more than the market will bear? It might, in a competitive market. But to claim that it's somehow something that drives the final price is a basic misunderstanding of economics. And that's ignoring the fact that a sizable percentage of people don't carry cash, so if you don't accept cards, you aren't selling your goods and services to a percent of the population.
 
In summary, I think you're a hater.

Don't live in the US

So have been living with the benefit of chip & pin for 20 years. A few years ago, Australia backed away from signature verification for most cards - its still possible in limited circumstances, but for 99% of the population its tap and go for purchases under 100 AUD, and chip and pin or tap and pin for purchases over. Add in an RFID wallet and you are gold.

The US situation is bizarre, as its almost the opposite of established best practice internationally.

In the US case, Apple Pay and other EMV 3 standard systems are probably the only reasonable option for consumers.

I don't worry

I use CowboyNeal's credit card.

but this means ... or does it?

[frovingslosh]

...swiping it near the screen caused an message to show up on the reader. .... but this means it has an active radio signal

Maybe you are not presenting your experience with proper English, but if you swiped the card and were then told to use the chip reader, that does not imply that the card has any RFID capability. It simply means that the swipe passed along enough information that the reader learned that there was also a chip. I've seen this on multiple credit cards and have confirmed that the card has no RFID. Maybe you shouldn't have used the word swipe and only mean to say that you were told to use the chip when you got the card near the card reader, but if you actually swiped it then you know nothing about if RFID is present. It does not seem to be as common as many fear mongering commercials for cheap crappy wallets would have you believe.

As to what to do if your card really does have RFID, I suggest doing the same thing that I do with my card without RFID, keep a close eye on your charges and alert the issuing bank if there are any discrepancies. Beyond that, don't worry. It is the problem of the idiots who put RFID chips in the cards if their cards get sniffed, and it is the problem of the issuing bank if they accept bogus charges on your card. Your only issue is to not be completely stupid and pay the credit card bill without checking it for accuracy (and there are certainly some people who do).

Re:but this means ... or does it?

Some banks, at least the Royal Bank here in Canada, sends you an SMS *every* time there is a transaction made against your card (well, you set a dollar value to be notified of, but it allows you to set $1.00, so that is effectively every transaction). When I use my card, the phone chirps at me within a few seconds of the transaction being made with the notification, which also includes the vendor name.

Re:but this means ... or does it?

No he's talking about paywave. Once you guys finally get the hang of inserting your cards you will be presented with the option for paywave. I guess until then you have been deemed too paranoid to bother about it.

Re:but this means ... or does it?

[Keybounce]

...swiping it near the screen caused an message to show up on the reader. .... but this means it has an active radio signal

Maybe you are not presenting your experience with proper English, but if you swiped the card and were then told to use the chip reader, that does not imply that the card has any RFID capability. It simply means that the swipe passed along enough information that the reader learned that there was also a chip.

No, I mean I passed the card in front of the screen, not inside the card reader.

The card does have those three nested arcs that look like it might be a radio signal, a wifi indicator, or some sort of transmission thingie.

Ask bank, processor, whatever

To implement SMS, push to cell phone, email for every trx so you know when someone use it. Even they can make app to allow yourself to block the card (avoiding a storm of fraudulent trx once you detect the first.

Re: Ask bank, processor, whatever

People can jack your phone number without even being on the same continent as you. That's why they are trying to ban SMS for 2FA.

Card security

I don't - Credit card fraud is not my problem. As a cardholder I am completely protected. Security is their issue.

Easy

I NEVER USE MY OWN!

I use YOURS!

Cat got your tongue?

Like don't have one for start, basic and simple.

Get a credit card which notifies on each charge

[glomph]

The 16-digit system is ridiculous. If you're going to use your card online, or in restaurants, etc. your card number is quasi-public.

Two of my cards have an option which sends email and/or SMS and/or app-notifications upon every transaction, accepted or denied.

I caught a bogus attempted charge last month - this saved a lot of exposure & aggravation. It also informed me last week when my personal activity caused my card to be suspended ( several international charges, different countries in the same hour). CapitalOne, Discover, & Chase offer this, and I assume some other competitors do so as well.

Re:Get a credit card which notifies on each charge

[guruevi]

The problem with chips (EMV or RFID) is that the banks are pretending they're "secure" so any charge done by EMV/RFID is actually yours unless you can prove otherwise. Sure, the merchant will still eat the charges but it's a heck of a lot harder to dispute than a swipe.

Re:Get a credit card which notifies on each charge

[lucm]

Mint.com does that across all your banking options (cc, debit, checking, etc), they also email you when you pay an unusual bank fee. All free.

It's an amazing service. I love getting that weekly "can you guess on what you've spent the most money this week?", it makes me realize when I go on spending benders.

Re:Get a credit card which notifies on each charge

[AK+Marc]

None of my banks do that. Is that your experience? Or just your irrational fear you are trying to pass as fact?

Re:Get a credit card which notifies on each charge

[ADRA]

This won't happen. Cards get stolen all the time. The only time I see problems with a CC vendor is when
1. They have the card
2. They used a PIN (we have pins here)

Since these two pieces are essentially never together illegitimately, there's never problem. A hacked pin pad can get you #2, but you still have your physical card. Stealing can get you #1, but the pin isn't on the card (challenged against online). Pretty much the only way it happens without specific permission is if your card is stolen after using a skimmed pad while working in collusion. Certainly a police report and a swift cancellation will leave no personal liability for you.

Its a little worse in the US, because you stupidly chose chip-and-sign, which essentially buys you that the card wasn't skimmed but is just as exposed to theft and abuse, and online abuse since they have the CVC (still not solved in Canada / others either unless you issue an online-only card and have online purchases diabled, etc..).

Re:Get a credit card which notifies on each charge

[InterGuru]

Two of my cards have an option which sends email and/or SMS and/or app-notifications upon every transaction, accepted or denied.

You said it first. I do the same thing.

Re:Get a credit card which notifies on each charge

[guruevi]

Krebs recently posted a picture of an EMV skimmer found at Walmart capable of skimming the PINs. The skimmers retail for ~$200-300. There are hundreds of stories out there from people that have had their "chip-and-pin" stolen and not getting reimbursed by the bank because it's "impossible".

Attacks on EMV have been proven possible for several years now by researchers, after researchers heard of stories about cloned pin-and-chips being refused for reimbursement. You really think criminals haven't gotten any better in half a decade?

Re:Get a credit card which notifies on each charge

[Chrondeath]

I thought the point of the chip was to do some challenge-and-response thing, so that even if the skimmer watched the response it wouldn't give them enough to respond correctly to a subsequent challenge. Am I misunderstanding how the chip works?

Re:Get a credit card which notifies on each charge

Try to imagine the most disappointing way that the chip could satisfy your expectation. It's probably doing it that way.

Re:Get a credit card which notifies on each charge

[mjwx]

The 16-digit system is ridiculous. If you're going to use your card online, or in restaurants, etc. your card number is quasi-public.

That is what PCI-DSS is for. Only six digits are required to be censored for a card number to be secure. Hell, the first six digits of your number is just identifying information.

Re:Get a credit card which notifies on each charge

[TheRaven64]

You understand how the chip is supposed to work. There are a few attacks that work. For example, it turns out that a lot of terminals use a very predictable 'unpredictable number', so if you temporarily have the card then you can generate a response for a challenge that you predict will happen from a buggy PoS (in both senses) machine, then you can use a fake card to issue that response when you get the challenge.

Re:Get a credit card which notifies on each charge

[houghi]

In Belgium it is becoming standard. This is enforced by Visa and MasterCard. This also means that if you don't have a cellphone, you can't buy things online.
Not all websited use this, but then the risk is with the merchant.

Re:Get a credit card which notifies on each charge

Here in the UK you just use a static PIN with a chipped card.

Re:Get a credit card which notifies on each charge

[guruevi]

There are various attacks being brought up. These chips and terminals have really weak PRNGs with poor entropy, we're talking about embedded chips barely 1sq.cm. that were "cheap" 15 years ago. They have the processing capacity of a SIM card (if you remember those).

One way is to downgrade the crypto to "acceptable" levels. You intercept the negotiation between the chip and the bank and the first number of authentications will be at higher levels of crypto (think 128 bit), your "fake" terminal instead sends a response that the crypto is unavailable; the card-bank then downgrade levels until you get to 56 bits or something you can easily crack.

Additionally it's possible to do a pre-play attack. You basically challenge the chip with a number of fake queries during a real transaction (eg challenge the chip for a $1000 payment from another place and record the response) and then just replay the response the card gave you from a cloned card when you make a "real" $1000 payment.

Re:Get a credit card which notifies on each charge

pretty much the law in europe.

My own testing

[luckytroll]

I have a chip and RFID enabled card, and of course the first thing I did when I got it was to test what could be pulled from the card with tools available.
Interestingly enough, the thing you can pull from both the chip and the wireless are general details of the last 10 transactions placed on the card. This in and of itself is only a small part of what you would need to get access to funds - I think you would need keys and application access (in RFID parlance) to access that part - but having the last 10 things you did open and in the clear for any reader is pretty alarming when you consider that any vendor that does an authorization or tap on the card can also collect this information and add it to their database on you as a customer.

Of course, Visa or Mastercard have that and a lot more - but having it handed to the vendor too is a bit disturbing. Handing it to the guy with a reader concealed and giving him an idea of how much cash you took out an hour ago might also be scary.

Note - I live in Canada, so US folks with their less than secure (no PIN) methods might be worse off.

Guns

Lots of guns.

check your bill

[phantomfive]

Check your bill every month, if you see anything weird, let your credit card company know that it wasn't you. Numbers can be stolen by waiters, or over the internet......in numerous ways. So it's not really worth worrying about.

Re:check your bill

[AK+Marc]

Outside the US, the practice of handing out your card to a stranger (waiter) isn't common. That seems to be a US-centric issue, Traveling through Europe, and you'd go to the bar to pay for your meal. Swipe/insert the card yourself. Never letting anyone else touch it. If you insist they come to your table to settle the bill, they'll come out with a wireless PIN pad and you can pay at your table.

Vigilance, that's how

[ClickOnThis]

Criminals have committed fraud with credit cards for a long time. They will continue to do so, no matter what technologies we use to protect our cards. And we will continue to use credit cards despite this, because they're convenient.

Check your statement every month, and report fraudulent charges. I have never had a problem getting fraudulent charges reversed. Also, credit-card companies have an interest in avoiding fraudulent charges, so many employ analytic algorithms to detect suspicious charges, and contact you about them.

The EMV chip cannot be read wirelessly. It must make contact with electrodes in the card reader. It is not the same as an RFID chip, which some cards have also. So, EMV chips may be vulnerable to a fake reader (as magnetic stripes are to a skimmer) but you'd have to insert your card into one in order to be compromised. So, don't be promiscuous. Think before you use your card with a machine that looks suspicious.

And let's not forget that it has always been possible to read credit cards wirelessly -- with human eyes. Keep it concealed unless you're using it.

Fuck it

You aren't responsible for any fraudulent charges as long as you don't do anything grossly negligent. Therefore, you don't need to worry about it.

Citibank does ok.

[minstrelmike]

I let Citibank manage it.
It ain't perfect but they have about as much interest in it that I do, on a statistacial basis. In a very personal perspecitve, it may seem like they don't give a shit. But thinkg about it. It ain't worth spending 1% of your money to stop thieves from stealing 0.5% of your money, just like it ain't worth crawling under a car for a dime or quarter or dollar you dropped in the parking lot (depending on circumstances).

Problem with perspective is that the folks stealing from citibank aren't stealing 0.5 % from each customer, which would be "allowed" or ignored at least, they are stealing everything (identity theft and all bank accounts) from 118 specific people--who are really pissed off for excellent reasons.

Re:Don't care, not my card, card issuer's problems

[ShanghaiBill]

I am not liable for fraudulent charges.

Sometimes you are. I was fraudulently charged $19/month for several months by Travelocity. I disputed the charges through Bank of America, and BOA told me that Travelocity was their "marketing partner" so the fraudulent transactions could not be reversed. I cancelled the credit card, closed all my BOA accounts, and switched to Wells Fargo (the only other bank within bicycle distance of my house). I also never again used Travelocity for anything. I periodically go into the local BOA branch and steal their ink pens.

You can't...

A major department store, where I've never shopped, transposed the numbers of a check that was converted to an electronic transaction resulting in my savings account (which has no checks and is not connected to a checking account) being deducted $25. The bank refunded the money, but both the bank and the department store were unable to explain who, what, or why this happened. The bank did say this can happen again, all someone needs to do is guess an account number. I assume credit cards are no different, and will not generate an alert if it's a small amount that doesn't require a signature or I.D.

Has it ever happened?

[TokyoJimu]

Although in theory someone could walk by my wallet and scan my RFID credit card and buy something*, can anyone cite a case of this actually happening?

*Actually, this can't happen because I have too many RFID cards in my wallet and they all garble each other. Some people can just touch their wallet to board a bus, for example, but I can't due to having multiple RFID cards in there.

Identity Theft Victim Here with My Insight

[Proudrooster]

Here is how to stay out of trouble.

1. DO NOT USE YOUR ATM CARD ANYWHERE, EXCEPT AT THE BANK THAT ISSUED IT IN THE LOBBY.
2. Feel free to use your credit card anywhere, AS LONG AS YOU CHECK THE MONTHLY STATEMENT AND DISPUTE ANY CHARGES.
3. Anywhere especially seedy, PAY CASH or use a Green Dot Card from Walmart money card loaded with the exact amount.
4. Only use checks for re-occuring variable bills like phone, gas, electric so an error can no clean out your bank account. Some phone cable and phone companies occasionally have problems with sending customers erroneous $1000 monthly bills.
5. Do not use online banking. Make sure you have it turned off.
6. Make sure you have an ATM only card that can not be used as a debit card. This means it only works at ATM machines.
7. Setup all fixed cost bills, mortgage, car, insurance, student loan for auto pay so you don't need to use online banking or write a check.
8. Do not let money pile up in your PayPal account. Paypal is not a real financial institution and can play games with your money and you have very little protection.
9. Bank with a real bank, an 800 lb. gorilla like Chase that has 24-hour fraud people.
10. Keep a copy or scan of all documents/cards in your wallet. If you wallet gets stolen you can quickly cancel everything, instead of trying to figure out what was in your wallet.
11. Pay your credit card off EVERY MONTH, no exceptions. 20% interest is for suckers. If you can't control yourself, set you limit for what you are able to pay. NEVER carry credit card debt. NEVER.

The safest forms of payment are:
1. CASH / Walmart Green Dot Money Card
2. Credit Card
3. Check
4. ATM Card

Why do I make these recommendations?

1. Cash can't be hacked.
2. VISA provides you with protections to dispute charges. That means if you get hit with a charge, you can dispute it and during the dispute period you aren't out any money, unlike bank fraud. If a vendor is getting a lot of chargebacks from VISA, they will figure out they have a hole in their system and fix it or go out of business.
3. Your ATM card connects directly to real money. If you have Autopay setup and someone hacks your ATM/Debit card, you could be in a world of hurt because your account might get emptied out and there would not be any funds available to pay your bills. This is a bad, expensive situation.
4. Your checks have a magnetic toner on the bottom with your bank routing number and bank account number. With these numbers, someone could possibly access your account. Only use checks for variable payments like phone, gas, electric.
5. If you need to buy something that you don't want associated with you directly, get a Walmart Green Dot Card. This is great in case you are in need of a burner phone or other untraceable payment. By law you are supposed to register these cards but Green Dot will still allow you to use it but will deny you a personalized card. Many illegal/undocumented immigrants use these cards. These cards can be sketchy and prone to fraud, so buy it, load it, and spend it as soon as possible.

If you have any questions, let me know and I will check this thread again. Be smart. Guard your privacy, credit score, and your hard earned money.

Re:Identity Theft Victim Here with My Insight

[Dan+East]

Sheesh. Apparently you omitted the part where you hire an armed security force and an assistant who carries your cash in a briefcase handcuffed to his wrist.

No way I would live that way. Keep most of your money in an account separate from the one you pay stuff out of day to day. That should do it.

Re:Identity Theft Victim Here with My Insight

[jedidiah]

Much of this isn't terribly bothersome and some of it actually ends up being more convenient. Some of it's a little paranoid but not much. Mostly just be mindful of the risks of using each type payment.

You can sum up most of it with "Credit card risk is very limited and anything tied to your bank account is terribly dangerous".

Re:Identity Theft Victim Here with My Insight

Here's what I do. I don't even have to get WalMart involved!

1) Use online banking. (This is actually pretty critical.)

2) Use a bank that makes it trivial to move money between accounts at a moment's notice.

3) Keep at least four accounts: One for paychecks going in, one for bills going out, and two others that each have _debit_ cards tied to them.

4) Keep walking-around money in one of those debit card accounts... enough that you can make most impulse buys you're gonna make, but not so much that you're hurting if someone drains the account.

5) Keep the other debit card account as empty as your bank will permit. Transfer money to it only when you need to make big-ticket purchases, or when you do online shopping.

6) If you need to buy something that you don't want associated with you directly, use cash. Green Dot Bank must abide by the Know Your Financial Customer laws just like every other bank in the US.

Because the bill paying account isn't the same account as your paycheck account, your creditors can't accidentally draw more money from you than you expect them to.

Because the walking-around-money debit card account has a fairly low balance and the big-ticket debit card account only ever has just enough money in it to cover the purchase you're going to be making in a few minutes, it's very, very difficult for someone to siphon off enough money to impact your finances.

If you have any questions, I won't be around to answer them because I'm an AC, and -frankly- this stuff is pretty self-explanatory if you sit down and think about it for fifteen minutes. :-)

Re:Identity Theft Victim Here with My Insight

[apoc.famine]

Yeah, you're a paranoid fuckwit. Bank with a non-abusive company and don't be a dumbass.
 
If you're using a bank, you're using an institution that is probably trying to fuck you. Don't do that. Pick a local credit union instead. Better service, better rates, less ass-fucking. My wife and I both push a monthly amount to a joint account which is tied to our bills and debit cards. I noticed fraud on that account recently. Went to the credit union at lunch, told them that I didn't know what card it was on, they figured it out, (mine) put the money back, shredded the card, printed me a new one, and I walked out of there 15 minutes later.
 
Their online banking is the shit. We do our banking through their portal most of the time. And that includes their free, scheduled, repeating if necessary bill payments where they format a check with your account number on it and mail it out. And do electronic transfers with some companies. "Only use checks" lol, how quaint. We have our payees set up in the web portal. Log in, click "Utilities", enter the amount, click send. Done. Check is in the mail the next morning. Same with mortgage, student loans, cell phone, etc.
 
I used to use big banks, but they spammed me, fucked me, and generally treated me like shit. I moved to a local friendly place, and they treat me like a king. It's amazing that you recommend using fucking Walmart and pre-paid cards and cash. Those can be lost and stolen. And if they are, you're SOL. And pre-paid cards have overhead.

If you have any questions, let me know

If anyone does, it's going to be why you aren't taking your meds. The fuck is wrong with you? How did your world get so broken?

Re: Identity Theft Victim Here with My Insight

Yup.

Second checking account designated as a bill pay account. Only keep enough in there to cover a month, maybe two then transfer funds to it as needed.

Someone gets into it, it doesn't cause a major issue like it would if they got into your primary account.

Re:Identity Theft Victim Here with My Insight

[fox171171]

Sheesh. Apparently you omitted the part where you hire an armed security force and an assistant who carries your cash in a briefcase handcuffed to his wrist.

And here is the briefcase to use: https://www.youtube.com/watch?...

Re:Identity Theft Victim Here with My Insight

The fuck is wrong with you? How did your world get so broken?

Can't you read? He is an identity theft victim... apparently it was pretty bad, too.

Re:Identity Theft Victim Here with My Insight

Even better than #11, pay off the card every week. You can easily check the balance and go through the transactions online once a week when you pay your bills. This helps prevent a big surprise at the end of the month and let's you detect suspicious activity more quickly.

Re:Identity Theft Victim Here with My Insight

I have been banking with Chase bank for over twenty years for my primary checking account. With direct deposit set up the only fee I ever paid was the time 18 years ago when I bounced a check.

I have had two auto loans through AmeriCU (a credit union). Had no problems with them. I did have to pay a $5 membership fee to get it going. No other fees though.

So in terms of fess, both the bank and the credit union were excellent but the edge goes to the bank. As I said, this is simply my experience.

In terms of online banking, what you have described for your credit union is pretty typical (except that most transactions are done electronically and I suspect that is true for your credit union as well). Chase was doing it in the late 90s although it wasn't a web site at that point, it was a Windows application you needed to install. (This was fine in the late 90s, nobody expected that kind of thing to be on the web like we do now.) Eventually they transitioned to the web and I started using Linux but never had a problem with their site.

Re:Identity Theft Victim Here with My Insight

You forgot the part where you disable DNS and use a manually curated hosts file so you never ever ever land on a malicious page ever again.

Re: Identity Theft Victim Here with My Insight

[Proudrooster]

Except all of the Insufficient Fund Fees and late fees when legitimate entities request a withdraw.
But fear not, the bank will give you OVERDRAFT protection, which means another account could be compromised.

This may protect your main account, but you could have a large tangle that needs straightening out with multiple entities (banks and creditors).

Re:Identity Theft Victim Here with My Insight

[Proudrooster]

DNS is set to 8.8.8.8 and 4.4.4.4

Re:Identity Theft Victim Here with My Insight

Some people don't have a lot of money / enough to maintain multiple accounts with $2500 minimum to avoid monthly fees / etc

Re:Identity Theft Victim Here with My Insight

[ebvwfbw]

A lot of companies also offer the service that when your card is used, you get an e-mail. I found that the e-mail is generally on my phone in less than 15 seconds. This is really great. Shows right up on my phone within seconds. I call the number, cancel the card, they are cut off cold!

Re: Identity Theft Victim Here with My Insight

That's precisely why I love my credit union. Day one, I told them, "No overdraft protection, please. I want any ISF to straight up deny the transaction." I get no fees on my checking or savings accounts, cashback if I use it more often, and if I somehow get close to being broke, I can't accidentally overdraft. I refused saving-to-checking overdraft protection as well. If I'm getting a rejected transaction, then either 1) somebody's stolen my shit because I'm on top of my money, or 2) I'm an idiot and forgot a transaction.

I tested it when I was out of work for a while and had little in my account. It rejected the transaction as I expected. I don't know why anyone would go through a big bank. They have a vested interest in continuing to charge you for stupid shit. Credit unions still have to pay the bills, so they have interest on loans and likely invest the money people trust them with, but since I have an actual voting share in the company (and can buy more if I want), credit unions have a much stronger tie to their communities and are more accountable.

Re:The PNOs are clueless

[ShanghaiBill]

Honestly, the best you can do is to use a system (like Apple Pay) that uses a device specific PAN for your transactions.

Or you could use a PIN, with is how chip+pin was designed to be used, and how it is used in other countries that have far less CC fraud than America.

Correction to the summary

this means it has an active radio signal

No, it doesn't. It's almost certainly a passive RFID tag, which doesn't transmit on its own; it's read and powered by interrogating radio waves.

There's still a potential security leak there, since malicious readers can easily power it, but it's not transmitting an active radio signal.

Re:Correction to the summary

There's a nuclear battery chip in the card that powers it. Hold a flashlight up to it while looking at the other side with a scanning electron microscope and you'll see it. The RF blocking wallets, or a strip if foil in your wallet will also keep your private parts from being irradiated and falling off.

Re:Easy

Bus passes, tickets or tokens have always worked just fine for me. Buy them at the lottery counter or the drug store. There certainly is no need for credit card processing on the bus. Like the driver has time to manage that. They don't sell tickets or passes on our buses here, exact change, pass or tickets only. They're bus drivers, not cashiers.

If a restaurant will only take credit cards. that's their loss. I won't eat there, and they'll be paying higher transaction fees than if they took cash or debit.

There simply is no need for credit cards. The liability is just too high a risk. Not to mention that the interest rates are usury.

(P.S. when I say cash, I also mean bank/debit card with "tap-to-pay" disabled on the account, you'll need to make solid electrical connection with the gold contacts on my bank card to perform any transaction, and you'll also require my 8 digit pin.)

Re: Easy

You didn't answer the question. Are you paying for internet, and if so, how does that make you more free than owning a car?

Attack dogs

[Kohath]

I got 3 attack dogs to guard it. I keep my wallet in my right back pocket and one of the attack dogs in each of the remaining 3 pockets.

Seriously, you must have a really problem-free life if this is what you spend your time on. If you're really, sincerely worried about your RFID credit card getting hacked, I'd suggest a talking to a psychiatrist. There are medications to help you so you don't always have to worry about everything all the time.

Re: Easy

So you are at the library then. Sad!

Why do you need to?

[gweihir]

Serious question from an European viewpoint: If I have bookings on my statement that I do not recognize, I request the original receipt. If that does not show up, my card is not billed. If it does show up bit does not have a signature or a fake one, my card is not billed unless the merchant can actually prove it was me making the purchase. In case of fraud, he obviously cannot. As long as I do not cancel bookings fraudulently, my card or credit-rating is not in any danger. I did have my card replaced a few times free of charge though, because of some fraud patterns. I never had my card not working.

From what I read here, things are different in the US. This is pretty surprising as credit cards are an American invention (AFAIK) and hence I would expect them to work well in the US. Seems they work a lot better in Europe.

Re:Why do you need to?

[jedidiah]

If you see a charge you don't recognize, you tell the bank immediately and it gets sorted. Your total risk is limited. It doesn't impact your credit rating.

If the CC company is good enough, they will overnight you a replacement card.

Although as others have said... if your card issuer is really diligent they will recognize a strange pattern themselves and tell you first.

Re:Why do you need to?

[gweihir]

Thanks for the info, that is what I would expect. So what is the problem here? People that do not read or do not understand their credit card statement?

Re:Why do you need to?

Thanks for the info, that is what I would expect. So what is the problem here? People that do not read or do not understand their credit card statement?

Some people do not have real credit cards. They have debit cards (a fake credit card that works more like a check), so the law doesn't protect them nearly as well as with a credit card.

Re: Why do you need to?

Also, with a debit card, your money is locked up until the fraud investigation completes. This can be bad if you were, say, planning on using it to pay rent or anything else where it is unlikely for them to accept credit cards.

Re: Why do you need to?

[gweihir]

I see. That would be a real problem.

Re:Why do you need to?

[thinkwaitfast]

The one time my cc# was stolen (pretty sure by my druggie roommate) they covered the loss and sent me a new card, but for some reason did not cancel the old compromised card and wound up costing them an extra $1000.

As a nerd aside, I found out about the loss when my card was denied while trying to buy windows NT, the very first version, I think 3.1, on the first day it became available.

Re:Don't care, not my card, card issuer's problems

[fustakrakich]

I am not liable for fraudulent charges.

You still pay for them. It's just another pretext to raise fees and interest. You are paying a very high tax to use your money, or even if you don't use it. Convenience at any price, I guess.

Highly secure location.

[fahrbot-bot]

I keep my CC right next to my penis. No one has gone near that in years. :-) [ My wife died in 2006 ... :-( ]

Works fine for me

I really don't understand how the introduction of chip cards could have been a disaster in the US, the home of can-do technology. Here in Australia it went smoothly and I cannot recall hearing any complaints apart from a few scare stories at the time which proved to have no foundation. I have used the cards in Australia, Singapore, Germany, Ireland and the UK, all without problems.

According to http://www.apca.com.au/payment-statistics/fraud-statistics/2015-financial-year in 2015 we had a transaction fraud rate for Australian issued cards of 0.0272%, but if you look at the fraud rate for PIN usage compared to no PIN usage, it's a ratio of 64:1, in other words you are a lot safer without a PIN. PINs are really bad passwords and if you use an ATM it is very difficult to hide them completely. I feel much safer now the chip and Pay-Wave allows me to go completely cash-free. I have a far lower chance of being mugged for cash because I carry very little. I have a far lower chance of being mugged at an ATM because I don't use them. If they take my card, good luck to them becasue at under $100 a time, I can get the card cancelled before they can get much, and the bank will cover what they get anyway. But I stay out of places I'm likely to get mugged anyway, so the risk is low.

I rate the probability of the card being skimmed as pretty darn low because they have to get a skimmer very close to the target to be able to skim the target's cards. In practive few people bother trying to use it because the alternative methods are far easier - get credit card numbers from web sites. Far easier to make a living that way.

Normal security measures apply. Provided you keep an eye on your statements and query fraudulent transactions then in my opinion the risks have been reduced, not increased.

Re:Works fine for me

[jedidiah]

I don't see it as a disaster. I didn't see the old state of things as a disaster either. I think that media outlets just need to manufacture excitement in order to sell ads.

I'm not sure what this lot has to steal really...

Re:Don't care, not my card, card issuer's problems

[murdocj]

You pay fees and interest on your credit card? You are doing it wrong.

Review your statement

[holophrastic]

not responsible for fraudulent charges. review your monthly statement; contest unknown activity.

Re:Don't care, not my card, card issuer's problems

[whoever57]

I disputed the charges through Bank of America, and BOA told me that Travelocity was their "marketing partner" so the fraudulent transactions could not be reversed.

What that a debit card or a credit card? Had you given the card number to Travelocity?

Re:NO SUCH THING.

If you learn these things too late, the world's oldest profession is still prostitution. Especially during times of war.

Re:The PNOs are clueless

[fustakrakich]

CC fraud in the US is more likely an inside job. We should be very suspicious of all these stories about hacks and breaches into their systems and so-called "stolen" money, such things make very effective electronic "drop points". They leave the door open and tell the cops someone came and stole all your shit. Every little glitch, "Oops, so sorry, your balance has been corrected. By the way, we are raising our fees a bit to cover our new 'anti-fraud' features." We know the nature of their business.

It's time for the Post Office to get back into it..

I don't get it...

[mark-t]

The USâ(TM)s transition to chip cards has been an utter disaster. Theyâ(TM)re confusing to use, painstakingly slow, less secure than the alternatives, and arenâ(TM)t even the best solution for consumers.

How are they confusing? You insert the card and enter your pin. How are they slow? You wait 5 seconds or so and then you're done. How are they insecure? While only ten thousand pin combinations is not much for a computer to crack, more than a few invalid attempts locks out a card from being used without making a phone call to one's bank and talking to a live human being, and getting them to reactivate the card.

Re:I don't get it...

[jedidiah]

> You wait 5 seconds or so and then you're done.

5 seconds is an eternity for a computing device.

I find it certainly conspicuous. Although it doesn't quite raise to the level of annoying.

Re:I don't get it...

[apoc.famine]

Half the companies decided that PINs are too hard, so they went with signature instead. So instead of swiping and then signing, you insert, wait, wait, it beeps. You push a button. You sign. It asks if you want cash back. You say fuck off. You pull the card out, it beeps saying that you ruined the transaction and that you need to do all that shit again.
 
You see, we largely didn't implement chip-and-pin. We replaced the quick swipe and sign with an insert of the chip card, and then layered a bunch of other mandatory, slow, stupid shit on top of it, any step of which could cancel the transaction and require you to start over. And different merchants and different card vendors do it differently. So you might have multiple ways it now needs to be done depending on what's in your wallet and where you're shopping.
 
We also weren't smart enough to design a system where you can insert and PIN first, then wait for the transaction to finish, like you could with swipe&sign. Most of the places I've seen with pin&chip now force you to wait until you're done until you do the payment process.
 
It's seriously like we wanted this to be a failure.

Re:I don't get it...

[mark-t]

I seriously don't get that... in the country I live in, direct payment is ubiquitous... You insert your card, enter your pin, wait a few seconds for the approval message, then take your card and your good to go. There's also a mode for doing pinless transactions if the transaction amount is under a certain limit (typically $15 or so, depending on the customer and the host bank) which just requires you to tap your card to the pin entry machine.

Re:I don't get it...

How are they confusing?

The equipment used in the US has had both the swipe and the insert capability for a long time. But up until recently, you were only asked to swipe. Now you swipe and sometimes the it works (because the vendor does not support chip) and sometimes it doesn't. You can't tell by looking which one you are expected to do.

How are they slow? You wait 5 seconds or so and then you're done.

It's slower than swiping. Some of this might just be perception because the chip process requires you to leave the card in the reader while with swiping the card doesn't leave your hand. Based on my unscientific experience I think it takes longer than 5 seconds, more like 10-15.

How are they insecure? While only ten thousand pin combinations is not much for a computer to crack, more than a few invalid attempts locks out a card from being used without making a phone call to one's bank and talking to a live human being, and getting them to reactivate the card.

Most of the issuers in the US have chosen to use chip-and-signature instead of chip-and-pin. So it is less secure than chip-and-pin. However it is not less secure than swiping.

Re:I don't get it...

[mark-t]

How is chip and pin any less secure than swiping and PIN? The magnetic strip is copyable. Making forgeries of the chip, however, is not so inexpensive.

Re:Don't care, not my card, card issuer's problems

[dohzer]

Do they still use the number generation scheme where anyone can predict the next number of your card, thereby making it easy to continue the fraud?

Aluminium foil 4 layers thick

I put aluminium foil in my wallet where the notes go, about 4 layers thick. I have about 5 RFID cards and the readers kept complaining "multiple cards detected". So my transport card sits on the outside so I can scan it without opening, and credit cards on the inside for added security - I have to open the wallet up to scan them for purchases.

In Australia, there's a $100 limit with RFID/"PayWave" purchases before a PIN is also required.
Otherwise it's very convenient not having to remove the card to scan it.

Re:Don't care, not my card, card issuer's problems

It seems to me like you should obtain a notary, return with him to the branch office which was giving you the problem, then ask for a signed statement stating whether or not they will reverse the fraudulent charges and reimburse you, and if not, then why they refuse to do so.

Re:Easy

No credit card, no cellphone, no car. Still function just fine in modern society.

Good luck with the "no car" part in small towns with no bus service.

Re:Don't care, not my card, card issuer's problems

[fred911]

BoA (previously Bank of Italy) are Big Assholes well know for their abuses of customers. Never ever do business with them.

Been using contactless payment in Aus for years

So from someone who's banking system is not stuck in 1982, let me give my perspective on contactless payment.

I love it. And I'd say a fair proportion of Australia loves it since so many people use it. We've had NFC payment widely available for the better part of 5 years now. It's only for changes under $100 (over that you still need to insert), it's fast (no PIN/sig needed or card to insert/swipe) and so far I've never had a fraudulent charge, nor has anyone I've known. Additionally, I haven't heard of any news stories of people using readers in public places to skim cards or anything like that.

Mole hills and mountains. NFC is a really quick and in my experience secure payment method. I love it.

Oh and checks? Really? You guys still use those? I'm 35 and I've used checks twice. Once to buy a car and once to put a deposit on a home. Both were bank checks. I've never had a personal check account.

Re: Easy

[jedidiah]

You could also just be a minor.

There are so many trivial economic transactions that suddenly become bothersome the moment you force a middle man into it.

Also, there's no reason to belittle or exclude the poor.

easy

[bloodhawk]

thankfully other countries haven't taken the brain dead approach the US has taken. most have pin not electronic sign. But regardless I keep a couple of different credit cards just in case, the only time I have had my card cloned and used is the US but even then it is just a call and the charges are reversed and new card issued. The solution is US banks need to stop being retards and ditch sign and go to pin.

Re:Don't care, not my card, card issuer's problems

[fustakrakich]

No, I don't have one. I remember reading that a lot of people were complaining about them. Are you telling me you pay none at all? All your bank sheets only indicate the amount of the transaction, with no "miscellaneous" anything? Well, if the vendor is paying them, then it's in the price.

Security by Obscurity

[originalGMC]

no money no problems.

Check out this one weird tip; fraudsters hate him!

[santiago]

I keep my credit card secure by posting the number online and linking to it as the article in my Slashdot submissions, thereby ensuring no one will ever read it.

Re:Easy

[ls671]

Not going to work in all cases. Some people would revert back to things like gold or some digital currency for trading. As long as you can bribe people to launder the profits for you, it keeps on going. A better approach could be to fix the system and the people keeping it in its current version.

Re:Easy

I can't pay my internet bill with cash. They require some kind of electronic transaction.

Don't have or need a credit card

[Nyder]

I live without a credit card. I do have a debit card though. I keep it secure by keeping it on me. If you can get it from me, then I guess you earned it.

Re:Don't have or need a credit card

[whoever57]

I live without a credit card. I do have a debit card though.

So you choose to use a card that provides less legal protections to you?

Re:Don't have or need a credit card

[Pinkbunnyman]

It gives protection of "you can't spend more than you have" which a credit card doesn't, it also (stupidly) doesn't allow you to build your credit rating though..

Re:Don't have or need a credit card

[whoever57]

It gives protection of "you can't spend more than you have" which a credit card doesn't,

If you have such poor self control, you probably should not have a debit card.

I have, frankly, lots of cash available to me; I exercise self-control in not spending this cash.

SignalVault

[gbr]

This. Tested and works. http://www.signal-vault.com/

Re:The PNOs are clueless

Except for the fact that Chip & PIN was broken, from the onset.
https://www.youtube.com/watch?v=JABJlvrZWbY

Re:The PNOs are clueless

[sumdumass]

Keeping it secret is difficult. A customer decided to add credit card transactions to the booking and reservation program when their service contract was up. Shouldn't be a problem i thought but I was told about it only 4 hours after implications. Their software couldn't negotiate the proxy properly so I went on site. After double checking settings with no luck, I decided to sniff the packets to see if there was a clue there. Immediately I noticed they were sending the CC information in clear text. They acted like I was hacking their program until I finally got them to ask one of their developers about it. I had to threaten to disclose their noncompliance with pci standards for them to even do that.

Now they had one of their developers dealing with me on the inability to negotiate a simple proxy. Never could get it to work and ended up having to install a second gateway for the one computer that processed the cc payment basically bypassing the IDS and real time virus/malware scanning. There was a package they built for a test system that worked but the company (management not the developer) refused to implement it live because of some expensive testing. I called bullshit because their supposed previous testing allowed them to fail encryption of the information.

Next year - they didn't renew the contract and went with another setup altogether that was mainly web based. That created another issue of redundant internet in a remote location but was easier to implement than the CC issue.

Re:Don't care, not my card, card issuer's problems

[ShanghaiBill]

What that a debit card or a credit card? Had you given the card number to Travelocity?

It was a credit card. Yes, I had been a previous customer of Travelocity, and they had my CC info. They did NOT have my permission to sign me up to any paid marketing subscription for $19/month (which is what they did).

Re: Easy

It's fine being poor. It's sad when you're poor and play it off like you chose to be poor and not have things.

party pooper much

[lucm]

Money made it easier to trade, but I'm sure back then someone like you complained that it would be easy to steal. Then checks, and bank wires, and credit cards, and ATM. Always the birds of ill omen came out and spewed their "they gonna steal it" mantra.

With credit cards we've finally reached a point where for the most part the risk is not on the small guy's side of the equation. But instead of rejoicing and embracing the convenience of technological progress and the risk-free high speed transaction mechanisms now available, you keep the FUD going.

At least you're not gonna stop progress since all you do is sit and whine, but still, party poopers suck.

Re:party pooper much

[dbIII]

If it's "risk-free" why your post above about multiple cards to mitigate the risk?

Re:party pooper much

Either it is a pretty rare process because they've already covered most of their security bases or I'm paying it one way or the other. Most likely through transaction fees that get passed to the retailer which in turn are reflected in my purchase prices.

Re:party pooper much

[lucm]

I don't think you understand the economics of credit cards. There's no transaction fees for the cardholder. They make money on idiots who only pay the minimum amount each month and who end up racking up gigantic fees over time. That's why there's an incentive for them to make it as easy as possible for the customers to make transactions. Pay your entire bill in time every month and you're essentially enjoying a convenient payment method with no risk, for free.

When it comes to ATM cards, though, that's another story. There's fees up the wazoo and far less incentives dor the banks to make it easy. I have no idea why people use debit cards to pay for stuff, credit cards are best in every way (convenience, reward programs, insurance programs, etc). Unless you're unable to manage your own spending.

Re: Don't care, not my card, card issuer's problem

YES, that is correct. I go to Walmart/Kroger/Amazon/Publix/CVS/Chickfila/etc. I pay X by cash or credit, same price either way.

That's all I see and that's all I pay on the statements. It's basically a 45 day interest free load.

Re:Don't care, not my card, card issuer's problems

[LuniticusTheSane]

Never bank with Bank of America, there is only one bank with worse customer service in the US, unfortunately for you, it's Wells Fargo. Try and find a credit union with really good online banking, that way you don't ever have to go to the actual branch.

Re:Easy

I don't have one. There is no need. If you cannot afford to buy something with cash, then you can do without it.

No credit card, no cellphone, no car. Still function just fine in modern society. The freedom is well worth doing without these things.

I have one. I spend on my card all month and then pay it off in full at the end of the month. Credit cards are more widely accepted than EFTPOS (direct debit from your savings account) and I earn points on my transactions. Bought the Mrs a new fridge recently on points, and a dozen bottles of wine. Got them for free as the vast majority of credit card transactions I make don't have a surcharge either...

Re:The PNOs are clueless

[plover]

The PIN doesn't make any difference between easy-to-skim/hard-to-skim. The chip makes it virtually impossible to clone a card issued by a bank that properly authenticates its cards, meaning skimming is worthless for creating cloned chip cards. The US will continue to have problems with skimming until online/card-not-present security can be solved, and that doesn't matter if the card technology uses PINs or signatures.

Other countries no longer have cloning problems, but they all have had massive increases in online fraud problems.

The only security difference between signature and PIN is that PIN protects your card from being used by muggers, and the banks don't give a shit if you get mugged or not.

Re:Don't care, not my card, card issuer's problems

You probably didn't try hard enough (or maybe have enough money in your account ;) Similar thing happened to me, they claimed they couldn't reverse, it, I told them a half a dozen times I never signed up for it and was happy to sue over it, and they reversed it. The customer care people at banks (or their supervisors, at least) have a surprisingly wide leeway on these things, but they also are not going to give up $$ if you aren't willing to call their bluff...

Re: Don't care, not my card, card issuer's problem

[raftpeople]

Poster you responded to doesn't seem to understand how the system works. Everyone, including the people paying cash pay for the credit card users because the 2% to 3% the store pays to CC company gets included in the prices to everyone, even the cash customers. I'm like you, free cash for X days, I pay the whole thing off before I incur interest, lather, rinse, repeat.

Re:Don't care, not my card, card issuer's problems

[Dahamma]

Then why are you trying to explain how they work?

A responsible credit card user pays their bills at the end of the month and doesn't rack up interest of fees. And, no, they do not raise the fees to the vendor, in fact they have recently lowered them since they have had their ass reamed in lawsuits for overcharging.

Yes, VISA, etc charges a small fee for transactions, they make a (sometimes too healthy) profit, but fraud protection is one of the major FEATURES of using a credit card. Go pay cash to a shady person for something and then try to get your money back later when you got screwed. Use a credit card? If it was the vendor's fault you will get your money back.

Re:Don't care, not my card, card issuer's problems

Why didn't you sue?

Whether you win or not it would cost them millions to defend -- and your odds of winning are very high.

Re:Don't care, not my card, card issuer's problems

[Dahamma]

This is the dumbest (or maybe just trolliest?) statement of the day...

Please explain how *anyone* can predict someone's next CC number. If you can't explain it exactly, it's bullshit, since I assume you are included in "anyone"...

How do I keep my stuff secure?

[RightwingNutjob]

Nice try. I'm not telling.

Re:How do I keep my stuff secure?

Obligatory xkcd

Re:The PNOs are clueless

[Dahamma]

Flawed is relative.

It has flaws, but what doesn't? Cash is flawed, it can be counterfeited. And you have NO resource if you take counterfeit cash.

The credit card system includes fraud in their business model. As long as their profits exceed their losses, they are fine with it. Yes, it's often a pain in the ass for the customer to clean up, but if your CC is stolen you are not responsible for the charges in the end.

Re:Don't care, not my card, card issuer's problems

[guises]

It still has all of the privacy implications associated with carrying around an RFID chip. Regardless of who might pay for fraudulent charges, this is not something that you want to have in your wallet unshielded.

Re:Don't care, not my card, card issuer's problems

because most likely he did inadvertently sign up to something and was just pissed he could not get out of it easily. though there have been a few dodgy SMS providers and other marketing stuff that has auto signed people up I have not ever heard that Travelocity was one of them.

Re:Don't care, not my card, card issuer's problems

[bloodhawk]

I have not paid fees or interest on my credit card in over a decade. if you choose the right card and are using it correctly there is no need to ever be hit with any fees or charges. yes most places charge fractionally more to everyone to cover fees but that is the same for cash and card users. Credit cards when managed correctly are a great convenience and can actually reward you quite well with flyer points, or cash back deals so that you end up paying less than those that use cash.

My credit card company dropped it.

[SeaFox]

My Chase card was an RFID card when I first got it, and I used it that way a couple times, but generally ignored the feature.
I guess I wasn't the only one because the next time a new card got issued to me it did not have that functionality.

They do make RFID-blocking wallets. I would suggest the OP look for one if they are worried about radio skimming.

Why does it matter? You aren't liable

[RubberDogBone]

Why do so many people worry about credit cards? You aren't liable if the card or number is stolen or misused. Keep an eye on your accounts and just file the charge backs, change the card number, and go on with life. Worst case, all you have is a maxed out card until the chargeback process is completed. All your actual money is still in your pocket/bank account. Ideally you'd ONLY use a real credit card for purchases just to reduce liability.

I wonder if the banks laugh at how people freak out about leaked credit card numbers when the customers don't usually bear any liability for them. We worry about something that is the bank's problem. It's backwards.

Now, a debit card which directly draws against the cash in your bank account is another matter. THAT one you need to protect. Still not liable if the card is stolen but the hassle of getting your own money back and dealing with other things bouncing is a mess.

That said, my bank has issued a new debit card with the chip and roughly 80% of the places I use that card do make me use the chip reader AND my pin so it achieves Chip and Pin just as in Europe. Although it seems they don't always ask for the pin if it is below a certain dollar value. Some sort of calculated risk on that. But at least requiring the chip protects against fake cloned cards.

Fun tip: all this worry about card numbers is fine but look at your checkbook: a paper check has printed right on it all the info anyone would need to do horrible damage to your account. And if you still use checks at all, every single one of them you write or mail off is really a financial weapon that can be used against you, yet you put the thing in the mail or hand it to a store clerk and you have NO idea what happens to that check next or who sees and copies it completely out of your control. And unlike a credit card or even a debit card, checks have very minimal protections and it can be a gigantic mess trying to recover from it. Meanwhile the cops treat stolen checks that fail as if you wrote the bad checks yourself and they WILL come and arrest you and throw you in jail.

Checks are an absolute disaster in the wrong hands. Yet people freely write them for stupid crap like groceries or bills and think nothing of it, while they obsess about credit cards which carry zero risk. We worry about the wrong damn things. We need to look at a paper check like it's a loaded gun pointed at our finances. The credit card doesn't even rate in terms of threat.

Re: Don't care, not my card, card issuer's problem

[fustakrakich]

Ah, so even without using a card, I am subsidizing the business. Another question, does the bank require you to keep a certain minimum amount of cash in your account? Used to be that way when I had one, is it still so? If not, maybe I can see the advantage.

hmm I don't have these problems BitCoin

[chris2net23]

I find it hilarious that people don't just utilize BitCoin more. If you ask for it more merchants will adopt it. We've got a growing selection of stores in Keene, New Hampshire. More than anywhere else in fact. All because people here are asking merchants to accept it. Unlike credit cards neither merchant nor consumer have to worry about fraud. It's like paying with cash.

Re:Don't care, not my card, card issuer's problems

I could care less.

Could you, now?

Re: Easy

What s sock puppet modding up his own retarded post with multiple socks.

Couldn't be easier... just carry TWO cards

The protocols that drive these cards do not have any collision detection or avoidance mechanisms. If you have two or more of these devices in your pocket they you're safe - as they will talk over the top of each other and the reader will be unable to make sense of it.

I've tested this many times on vending / parking machines with PayPass / PayWave (as it's called in Australia). With two cards in my hand, it errors every time.

It's still our problem; just well hidden

[Flexagon]

Yes indeed, exactly. And short of not using a card at all, there's really no alternative anyway. As someone else referenced here, the switch to chip cards has been a disaster in the US. Most stores I visit still don't accept chip cards; exactly one restaurant I've visited accepted chip cards, and the process was quite painful. I keep reading about new POS terminal updates designed to try to shorten/simplify the process, so it's far from stablized. And none of the stores I visit accepts a smartphone payment method yet. So even with a tinfoil wallet, my card's vulnerable to hacked or dishonest merchants anyway. Online, I could probably use a 1-time number, but why add to the transaction grief since my card's so exposed anyway? Credit card terms require the banks to limit my exposure to $50 if I report in a timely manner (a federal regulation), and most banks waive that too on a timely report (and I've exercised this more than once). And this limitation of liability with credit cards is one main reason why I've never had a debit card; it was many years before some banks provided similar coverage for them (but there are other reasons too).

Presumably, though, the banks have successfully offloaded the risk to merchants that have not switched to chip cards yet. And that risk is probably rather significant to those merchants, many of them small. The cost has to be paid, and eventually winds back to consumers like me as higher prices, but that's so indirect and invisible that nobody notices, so nobody complains.

But it's that hidden cost, plus the additional hidden (to me) cost of the basic transaction itself (that presumably no longer needs to include the bank's risk for this particular example) that leads me to pay cash for anything less than $10-20. It's the same reason that many small merchants want cash below a similar threshold (or charge a higher price for credit cards) even if the credit card companies' terms to them have forbidden that. But for purchases larger than that, cash is at least as impractical and risky. And the risk with credit cards is certainly nothing new (which shows that the banks didn't care from the get-go, and still don't).

Re:It's still our problem; just well hidden

[mattwarden]

I will never understand the purpose of debit cards. I have asked debit card users to explain why they use them over credit cards. The only reason I have ever heard is a comfort level from the money physically leaving their bank account immediately after their purchase, so they don't accidentally double spend it. Yikes.

Even if you can't get a credit card due to bad credit, you should be using s secured credit card to fix your credit. Not a debit card.

Re:It's still our problem; just well hidden

[Flexagon]

Years ago, my bank at the time sent a letter announcing a wonderful, new capability: they'd enabled my credit card to also be usable as a debit card; no change to the credit card number. Needless to say, I demanded that they remove this unrequested capability. They did, but the only way they could was by issuing a new credit-only card with a new number; a completely unnecessary inconvenience.

Re:It's still our problem; just well hidden

I bank with a credit union. The money's protected under FDIC up to $250k. The main reason I use debit is I can deposit my money (or have it deposited automatically) to an account and access it from the card. It's a SPOF, but even a legitimate transaction's been caught by my credit union and my last credit union reversed multiple fraudulent charges, no questions asked. I also refuse to have a checking account that allows over-drafting. So if I'm getting low on cash in the account, I don't incur a $35+ fee for going broke AND being broke at the same time. Transferring from savings does not make me comfortable because the entire point of savings is to have it separate from your checking so you can't easily dip into it without manually transferring.

All these "conveniences" and "benefits" to credit I see as deficiencies.

Re:It's still our problem; just well hidden

[mattwarden]

I think you basically validated what I said; you just worded it differently. You don't want to spend more than you have, so you want a debit card. You don't want to track your credit balance compared to your cash balance, so you have a debit card. These things do not suggest to me that the credit card is the problem.

Canadian vs. USA

[jetole]

I'm a dual citizen and about 3 years ago I moved from Miami to Toronto. Canada has had the chip 'n' pin cards and NFC cards longer since, when I moved here, everyone had them and I don't remember seeing them in the states but 6 months after I moved here a friend in Miami told me he had one. I was cautious about the NFC too when I first got my card until I talked to my Financial Adviser at my bank as well learning some details through experience. The Canadian NFC cards are limited to $100 in Canada so if someone steals or clones your card, that is the most they can purchase via NFC. Furthermore, my bank, and from what I understand, all banks in Canada, will instantly cover any reported fraud cases on the NFC purchases. Ask a Financial Adviser at your bank what kind of protection you have against fraudulent NFC charges because if it is anything like it is in Canada than you are very safe against fraudulent use.

Re:Easy

[godel_56]

If you cannot afford to buy something with cash, then you can do without it.

There have been serious suggestions here in Norway to forbid cash payments for various things. This includes buying tickets from bus drivers, paying at restaurants and for purchases above some threshold (think 2000 USD and such).

The bus drivers don't want to have cash because of robberies, the tax administration wants to make it harder for restaurant owners to cheat, and the police wants to make it harder to launder money.

We're not there yet, but I'd say it's coming soon.

A card-only system is the perfect surveillance solution. Not only does it reveal everything that you've purchased and from whom, but the time and location as well.

Presidents Putin and Erdogan recommend them!

Re: Easy

The corrupt police cannot use my internet account, which I pay for at the bank, against me like they can a car. Cars are used to control people. you don't see it until you stop and get out for good. Then you see the rest of the world too.

better worry about something else

[Eugene]

I'd be more worry about handing your card to waitress at the restaurant than worrying about your contactless card being read remotely.

obtaining the data contactlessly is not enough to create a duplicate of your credit card(assuming proper card implementation), and certainly not enough to create a "card not present" transaction such as internet, mail, or phone purchase. (only exception is probably using pre-play attack, and this requires some elaborated setup)

A properly implemented contactless card don't even have your name in the contactless interface.

seriously, your credit card company is worrying more on the fraudulant transaction then you, and so there are fairly good measurements deployed to ensure contactless duping can't be done.

Re: Easy

[slashrio]

The moment the cashless society is a fact you will regret that you didn't fight it.

My card leaks visible spectrum radio signal also!

[vortex2.71]

I recently found out that my card was leaking radio waves in the visible spectrum! This is really nefarious because the radio waves do not actually originate from the card itself. When a store, hacker, or other third party sends radio waves in the visible spectrum towards my credit card, the card returns the signal back to a wide range of locations with the user's name, the credit card number, and even the cvv code on the back!

The worst part is that there are even visible spectrum enhancers on the market, which turn the radio signal, which is usually only decipherable at 2-3 ft, into a signal that can be deciphered from 30-100 ft. I can't even believe that these things are legal, or that the card returns these radio waves in the visible spectrum!

The world is going to hell in a handbag!

Re:Easy

[slashrio]

I know towns (being there regularly) where there is no local bus service. The buses that do operate, do so to the next towns (40 or more km away) and cost about $1.50 to do so.

You get one of these

[bytesex]

https://www.secrid.com/en/

Made in my home town - hooray!

Re:Don't care, not my card, card issuer's problems

[dbIII]

Those fraudulent charges can max out the card and prevent you using it or getting a new one until you have managed to convince the bank they are fraudulent charges. Apparently quickly dealt with by some banks but weeks with others.

Re:Easy

[Aighearach]

Here in the US, for many decades, since long before I was born, buses have had 1-way locked cash boxes and require exact change. A thief can't get at the money. And long distance buses simply don't sell tickets from the bus. Remote sales are handled on the telephone.

A business doesn't have to take cash if they don't want to, but banning it so nobody can? I'm sure glad that wouldn't happen here.

With the banks pushing the chip reader, and since using the chip puts more security liability on the user, I'm rarely using my card anymore and now I'm mostly using cash again. I don't care what the experts say is more or less secure, I don't trust the "most secure option" to be perfect, and I don't want the liability. If it was so good, why would they want me to be the one liable if it turns out to have unanticipated holes? Maybe there are new RFID holes that they already know they don't want to be on the hook for?

Re:Don't care, not my card, card issuer's problems

[Aighearach]

You think this because you don't understand how things change with the chip. I used to agree; fraud was visa's problem, in my case. But check the liability changes attached to chip use.

Re: Don't care, not my card, card issuer's problem

[murdocj]

Yep. My cc charges are for the amounts of my purchases. Period. Cost to me is exactly the same as if I paid cash for my purchases.

Re:Easy

That is exactly where it works best. When I lived in a small town, everything in town was in walking distance. In the city I often have to resort to using the bus because of time constraints.

Man evolved to walk long distances. Like stupidly long distances. It is healthy and natural for us, it is what we are built to do.

Re:Don't care, not my card, card issuer's problems

Yeah, same thing here. I notified Bank of Montreal Mastercard about a bad charge and they told me that I don't get to decide what is a fraud charge on the card, only they get to decide. I cancelled the card and never paid them the amount of the fraud. Eventually they quit sending me bills.

Was a customer in good standing for over 25 years. Fuck 'em. I had no problem getting a another charge card and it even has more available credit.

Re:Don't care, not my card, card issuer's problems

He's fucked anyway; Wells Fargo is the only other bank "within biking distance".

Re:Don't care, not my card, card issuer's problems

Next number in the sequence, not next number you'll be assigned, genius.

Shielding, jamming... Nope, try disabling.

[mjwx]

The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.

Forget track 2 data, the card gives out your name, card number and expiry date wirelessly to anything that asks. That's enough for anyone to start making transactions.

The first thing I do when I get an NFC enabled card is disable the wireless. I do this using a Stanley knife. If you look at your card over a bright light, you can see the induction loop, It then becomes a simple matter of making a small incision into the card to sever the induction loop. No loop, no wireless, card still behaves nicely with Chip and Pin terminals.

I've tested this with an app on my Android phone (here but it hasn't been updated in a while and doesn't work with my Nexus 5x). Its also been tested many times by vendors who don't seem to get that yes, it's disabled now stick it in the machine so I can press savings.

Personally I wouldn't bother with trying to shield or jam it as malicious devices are most likely to be placed on terminals, ATM's and other places where you'll have your card unshielded. If you don't want your card to be exposed, disable it completely.

My wallet seems to block RFID readers

[millertym]

My work badge has an RFID component to it for opening certain high security doors within the building I work in. I have a metal wallet, and when I have my badge within that wallet the RFID badge readers won't detect my badge. I have to remove it first. So I would guess this also means it makes my cards less susceptible to RFID scammers.

This is a link to model of wallet I currently use if you want to see what it looks like.

http://www.trayvax.com/collect...

Re:Don't care, not my card, card issuer's problems

http://www.scmagazine.com/samy...

Re: Easy

[smallfries]

Doubt it. Sweden has been a defacto cashless society for years. I can't remember the last time I used cash. No downside that I can see.

Re:Don't care, not my card, card issuer's problems

AMEX really is the best. Sady I am forced to use inferior cards a most of the time and with them (MC,VISA, etc) I am guilty until proven innocent. I have to PROVE that I did not make the charge.

Simple: don't.

[vikingpower]

I don't use a credit card, as I don't see what it brings me. Buying something with a credit card is buying something with money you don't have. That is against all rules of dealing with money responsibly. Credit is something one should only use for the acquisition of capital goods or for investments, e.g. in one's own business. (A mortgage is a form of credit BTW.) I can still use Amazon: the German site offers the option of direct debit from one's bank account. Many, if not most of my transactions I perform with cash.

The only thing that not having a credit card complicates for me, is travel to the USA. One can lead an entirely fulfilling life, however, without visiting Trumpistan.

Re:Don't care, not my card, card issuer's problems

I could care less.

Are you sure about that?

Some options

[raynet]

I didn't get RFID enabled creditcard, instead I got app from the bank that enables the RFID payment with my phone after I enter my pin and click 'pay with RFID'. Another thing I do is to use only Visa Electron and keep minimal amount of funds on my account the card is linked to. Same with payments online, I have another Visa Electron with account that usually has balance of 0-5 euro and move funds there as needed. Also on sites that require to store my CC number, I usually switch that to one of the test CC numbers that are meant for testing online payment processing. They check as valid, accept any kind of payment and are not actually charged anywhere.

Re:Easy

It is already like that in Sweden. Many forms of transportation only allows card payment or you have to pre-pay with cash at some other place (like a 7-eleven etc.). Some restaurants are also cash-free (accepting payment through credit/debit card or by phone. Direct transfer of funds for via phone number is easy to set up in Sweden and free for private users, it's kinda like paypal but with your phone number instead of email address)

Simple

Keep it maxed out.

Re:Don't care, not my card, card issuer's problems

[rastos1]

This is something I don't understand (probably because I live in entirely different part of the world) - what stops me from making a big purchase and then claiming that it was fraudulent. I get to keep the stuff and merchant is left holding the bag. Appeal to my honesty? With every fifth American being below poverty line, that's not going to work. Right, if it becomes a pattern then the credit card company will notice, but from what I'm reading here it seems that even then they do not give a fuck and the merchant just has to eat the losses.

On the other hand, if I make a purchase on the internet, then I provide to the merchant all information required to pull money from my account. What stops him to do that again and again? Or selling that info? Just that I can notice an unauthorized withdrawal and ask the CC company to cancel that? That sounds stupid.

What works reasonably over here is that the checkout on the web shop redirects to the internet-banking web page of my bank, gives it some token and after I transfer the money on the bank's site, the bank signs the token and redirects back to the merchant. The only trouble is, that it may not scale well for big number of banks.

Don't panic

[Gumbercules!!]

Reading through the comments below, I see a lot of people worrying about this. Can I say, as someone from the "rest of the world" (not America), i.e. a place that's had chip based credit cards for several years, they are far more secure and far less likely to be stolen than magnetic strips. Card skimmers still claim many victims, each day off mag strips, but essentially 0 people get skimmed of a chip. Firstly, you need to be basically on top of the card - the card does not have active power, so the range is very small. Secondly, you can only purchase up to $99 without a PIN and thirdly, the code changes after every use - so even if someone did skim your card with an RFID scanner, they could only use it once - and only for $99. Unlike a mag stipe credit card, which can be used with the same info, over and over.

Since moving to a chip only system, credit card theft of this kind (not including online sales at places that don't require a CCV) has dropped to basically zero. I am sure someone will eventually get good at ripping them off again, but at the moment, card fraud is very low.

Why bother?

[bizitch]

Use a bank that will text you everytime the card gets used. As soon as you see an unauthorized charge, call the bank and cancel the card. They typically cancek the fraud charges out and send you a new card. Best security is simple information

Re:Don't care, not my card, card issuer's problems

Agree with this wholeheartedly.

The ONLY caveat on this is that this applies only to true credit cards _not_ debits cards, as federal liability limits only apply to credit cards and not to debit cards.

IMHO, you're an idiot and an asshole to use a debit card instead of a credit card to pay for anything. In paying with a debit card, should that card number be compromised, you're exposing the funds in your bank account to theft. Just pay the damned card off every month, and you're golden.

If your credit card is compromised, the worst thing that happens is it's a bit of a pain in the ass and you're on the hook for as much as $50. I'll take that any day of the prospect of trying to claw money back from the bank into my checking or savings accounts.

Re:Easy

[Anne+Thwacks]

You do know there are countries outside the USA?

Here in London, England, buses don't take cash, and in most shops, restaurants, etc paying with a debit card is faster than cash (mostly cos the checkout staff can't actually count).

just requested to disable that feature

1) went to my bank and requested to disable that feature.
2) inserted card to ATM machine to update card chip. and done.
3) just in case I have also cut antena circut on the card. now it is very near range.

use debit card w/no overdraft

[thinkwaitfast]

put money into account immediately prior to use

Re:My card leaks visible spectrum radio signal als

[smallfries]

You're overreacting. The technology to block that portion of the spectrum has been integrated into wallets for centuries. It's quite neat tech - google for leather.

Re:Don't care, not my card, card issuer's problems

American Express had their generation scheme cracked years ago, if you have the original card's information all subsequent card numbers are derivative of it. Everything but the security code can be known before you or a thief ever has the card in hand.

Don't use credit cards

[kosmosik]

I don't use credit cards. I live in Poland and actually credit cards are not a good deal here. It is much better to use a card which is attached to your account and is only billable by the amount you have on your account.

As a security measure (minimising risk) I have my cards attached to separate subaccount that I only load with operational cash (no the account I use for savings). I have daily payment limits set up.

Also I have no problem with using wireless payment swiping. It is great and very convinient. In Poland you can only do transactions up to 50z (about $12) without submitting a PIN. And transactions with wireless payment can't be cached (issued off line). So it makes thing pretty secure and convinient.

Also I have my card insured as standard bonus with my account. I think card insurance is somewhat mandatory. So when somebody cheats me I will get my money back.

In my opinion using cards is much safer than carrying cash, doing bank transfers or using something like Paypal.

Ask your Bank to change it

I had one of these send to me when my card was renewed, but I called up my bank and asked them if I could have a non-contactless card instead and they send one out and marked my preference as not wanting a contactless card.

The other option is to cut the antenna that runs around the outside of the card with a hole punch or a small cut with scissors which will pretty much render it inoperable.

I suppose it could be convenient, but the fact that there is no authentication checks when the contactless thing is done (You don't even have to enter your PIN!) trips my paranoia; The other problem is it was interfering with the other contacless cards I have - I was effectively being double-charged on the bus because I'd just tap my wallet on the terminal and it would read my credit card and charge that instead of using the season ticket on my travelcard!Again, with no checks or confirmation!

Re: Easy

[stealth_finger]

Cars are used to control people. you don't see it until you stop and get out for good. Then you see the rest of the world too.

Yeah, you see the rest of world in a very small radius.

Re:Don't care, not my card, card issuer's problems

[stealth_finger]

What that a debit card or a credit card? Had you given the card number to Travelocity?

They did NOT have my permission to sign me up to any paid marketing subscription for $19/month (which is what they did).

Wait, they want to charge you $19 for the privilege of advertising to you?

US banking moves into the 90s

That would probably go some way towards solving it. It's hilarious how archaic some things are in the US compared to the rest of the world

Re: Easy

Use a gift card :-)

Re: Don't care, not my card, card issuer's problem

You evil evil git!
They may never recover from the rapid fire ink pen loss

Disable antennae (antennas)

Hi everybody

The RFID bank card contamination is on its way for years now. I was surprised with my new MasterCard - paypass was mandatory. I complained, then become angry and then disabled it by myself.

The technology differs, with USA behind Europe, as there are not PIN-chips. The solution I propose is 100 % working on European cards fitted with large RFID antennae. My card was issued 2014 and it works so far using PIN-chip and magnetic stripe. I pay all around the world - Vegas, London, Paris..

I spent time researching and there are some good You Tube suggestions, but mine solution is simpler and doesn't leave much evidence on disabling RFID:

So, antenna goes all around the card's border. Go to dark room, closet, wardrobe or whatever. Take your "magic" light torch and do some X-Ray to see if there is antenna wired along the card border and more important - if it goes below the chip. If You cut the antenna then RFID won't work. That's what I did.
Take a sharp knife, razor or cutter. Cut wire just next the chip and try reading card's RFID using your smartphone - download some NFC reader and try. If disabled phone won't detect RFID. I did cut also another end on the other side of the chip.

There are new chips, AFAK version 2.0 which are more complicated and that do not have antenna. I still didn't find solution as I suppose my bank will stay with older technology... If someone has a solution will be nice to share.

Re:Disable antennae (antennas)

...or bind Your card in aluminum foil. every kitchen has many of this... people say it works. tried with Samsung phone and worked.

Easy Solution

Just ask your bank for a card without NFC. They'll happily give you one (at least, every bank in the UK will - I assume US banks are at least as accommodating).

Still super hackable.

I remember an article talking about these new chip + RFID cards, Problem is if they get the signal they still need to verify by the chip.. And thats where this article comes in.. So basically some hackers hacked the chip by interfacing their own chip on top of it to bypass it and make it pass valid. Thus making the chip nulled, so again fucked.

RFID blocking wallets/holders

[jonwil]

There are plenty of gadgets out there (including wallets and sleeves for individual cards) that will store your credit cards and prevent them being read remotely. If you are concerned about your RFID card being stolen, just get one of those blockers.

The problem with paying with cash...

[Pinkbunnyman]

The problem I have with paying with cash (and the only reason I have a card) is credit rating, if I need a loan 10 years down the line and I've always paid with cash, I have a crap credit rating. The only safe way at the moment is to ask your bank for a non-RFID card, or smash the transmitter (which I accidentally did in another card and the chip and pin still worked.)

SecurID

[zmooc]

I use a SecrID wallet. It's awesome, though it does still expose the mythical RFID chips in paper money, which is kept outside of the faraday cage.

Re:Easy

[TheRaven64]

What has being able to afford it got to do with anything? I buy pretty much everything with a credit card that's paid off automatically by direct debit. I get 1% of everything I spend directly as cashback, I get 15-45 days of interest-free loan so that the money that I've earned can be sitting in an interest-earning account for longer, and I get various forms of consumer protection (the card company will reverse transactions if the seller doesn't comply with various regulations regarding after-sale support, for example). I can afford to buy everything that I buy with my card in cash, but I'd end up with less money if I did.

Oh, and the way the banking system is set up, having a credit card and paying it off every month helps build credit rating. When we applied for a mortgage recently on a new house the bank was willing to lend us about double what we wanted to borrow.

Re:Easy

[TheRaven64]

paying with a debit card is faster than cash (mostly cos the checkout staff can't actually count).

I think you have that back to front. The reason that paying with cash is faster in the USA is that many retailers have no expectation of basic numeracy of their checkout staff and so have the tills count the money and produce the change.

RFID can be disabled on my card, said my bank.

Though I wouldn't trust that disabling RFIC would prevent anything RFID mechanism to work ON the card, my bank did tell me that they could arrange for my new bank card to have RFID to be disabled before issuing it to me.

Instead of doing that, I went with RFID shielding, that hopefully will shield the card from more distant scanners.

Having said that, even though it is pointed out by testers, that the RFID signal is at a fixed frequency, it would not surprise me if law enforcement or spy agencies have arranged for "pinging" a credit card from a distance in some way. I might ofc be wrong about that.

Re:Don't care, not my card, card issuer's problems

[TheRaven64]

I've never had a credit card that charge fees. Most have very high interest rates, but they don't charge interest between the purchase time and the date that the statement is due (14 days from the statement date, so you get an interest-free loan for 14-45 days, depending on when in the month you make the purchase). Any reputable card lets you pay by direct debit, so the money goes out of your account on the due date each month for the previous month's spending so the interest rates are totally irrelevant because you never actually hit them. You get to keep the money in an interest-earning account (you can put one month more spending into a savings account if you have a credit card than if you don't). Most cards also have some kind of reward scheme - mine gives me 1% of all purchases back.

Credit card companies like two kinds of customers. The first are people who spend a lot and pay it back every time. They like these people because they're low risk and the company makes 2-3% of everything that they spend. The other people are ones that go into debt quickly. They like these people because they can get a judgement against them that forces them into effectively perpetual repayment. If you think you might be in the second category, then don't get a credit card.

Oh, and it's worth remembering that it isn't free for a merchant to take cash either. They have to keep tills balanced, they have to trust their checkout staff more, they have to keep tills stocked with change, they have higher insurance premiums if they have a lot of cash in the store, they have to arrange to have their takings moved securely to the bank, and so on. Cash is only cheaper for very small retailers - the point at which it's cheaper to have the majority of transactions from cards is lower than you might think.

Metal cardholder

[Tukz]

I've got all my cards in a metal cardholder. I don't have a wallet, so this cardholder contains my every day cards and identification.

Use it as infrequently as possible

[moeinvt]

Unfortunately, a CC is practically a necessity, but you don't need to use one for everything.

Rental cars, hotels and airline tickets usually require a credit card. The company that delivers my propane also demands a CC# but only as a backup mechanism. Shopping online obviously requires a CC. You don't have to give your consent for online merchants to keep your card # "on file" and a lot of places accept PayPal.
I don't give my CC# or bank account info to other companies who want to keep it for "auto-billing" purposes. I certainly don't use credit cards at every random restaurant, gas station and convenience store I happen to visit(the place I buy gas gives a cash discount) nor do I ever use a card for face-to-face transactions. I can't believe these people who need a f***ing card to pay for small retail purchases. If you're shopping at a local small business, they have to pay a GD fee for the "privilege" of taking the card. Better to use cash at those places.

Re:Don't care, not my card, card issuer's problems

[fustakrakich]

Then why are you trying to explain how they work?

I was relaying other peoples' complaints about the costs.

But now I am finding out that cash or credit, we all subsidize the industry. Turns out that simple credit card theft is very profitable for more people than just the thief. You may think you aren't paying for it, but just the opposite is happening, we all are. Ask yourself why the banks are dragging their feet in securing the system.

Re:Easy

[Drethon]

I don't have one. There is no need. If you cannot afford to buy something with cash, then you can do without it.

No credit card, no cellphone, no car. Still function just fine in modern society. The freedom is well worth doing without these things.

Cash's cash back policy is lousy so I use a nice cash back credit card and pay it off weekly.

Re:Don't care, not my card, card issuer's problems

[cdrudge]

what stops me from making a big purchase and then claiming that it was fraudulent.

The bank contacts the merchant to provide verification of the purchase. Is there a signature? Was the item shipped/delivered/what was the address? Was verification information provided (address/zip/phone/"Verified by Visa/etc).

If they can provide that, then it may just be written off, or the bank doesn't reverse the charges if they think it's fraud. Or the charge gets reversed and the merchant is left without the product and without the money.

If the card holder is living below the poverty line, they likely have a low credit card limit and/or very high fees. Fraudulent activity is limited by the card limit, and it's paid for by the high fees by the honest card holders.

On the other hand, if I make a purchase on the internet, then I provide to the merchant all information required to pull money from my account. What stops him to do that again and again? Or selling that info? Just that I can notice an unauthorized withdrawal and ask the CC company to cancel that? That sounds stupid.

Technically nothing other than the vetting process of the merchant account provider. But if you started running fraudulent bank transactions by the time that you started getting funds into your account they likely would be detected, and accounts/funds locked.

Re: Easy

Do you need to own a car to buy a plane ticket where you live? Not so here. I can fly anywhere in the world I want to go - no car needed!

Re:Don't care, not my card, card issuer's problems

[coinreturn]

I am not liable for fraudulent charges.

Sometimes you are. I was fraudulently charged $19/month for several months by Travelocity. I disputed the charges through Bank of America, and BOA told me that Travelocity was their "marketing partner" so the fraudulent transactions could not be reversed. I cancelled the credit card, closed all my BOA accounts, and switched to Wells Fargo (the only other bank within bicycle distance of my house). I also never again used Travelocity for anything. I periodically go into the local BOA branch and steal their ink pens.

Stealing their pens is a great form of retribution! I need to do that to the BofA that stole some of my money. If this was a credit card, I hope you never paid the fraudulent charges. Fuckwads!

Re: Don't care, not my card, card issuer's problem

[grqb]

Exactly! I see all of these concerns about credit cards. WHO CARES! You'll never be responsible for paying a fraudulent charge. The hardest thing you have to do is read over your bill at the end of the month and most times your card company will notify you of sketchy activity.

IMHO credit cards are more secure than cash. It's easier to keep track of spending, if you lose your card you get a new one, if somebody steals it you get a new one. Same is not true for cash.

Welcome to the 21st Century!

[Gonoff]

It can be funny to watch people in the USA have "new" concepts forced upon them that the developed world has been using for over a decade.

Smart cards, that is what they are called, are unpowered. They do not do anything unless they are brought close to a reader. Perhaps you have heard of NFC? The N stands for near. When this unpowered card is sitting in your wallet, it is not irradiating your favourite body part. If you keep them in your wallet they will not work because a reader won't be able to make sense of multiple replies at once.

I think I have 5 smart cards on me. A debit card, a credit card and a debit card that is linked to my Vodafone account and 2 work ones hanging round my neck.This is neither new or particularly advanced. I know that I could get them onto my phone so that I didn't need to carry them but they are secure and convenient enough at present. My phone is powered and so might be readable at a greater distance. That is not something I currently need.

As for the people who got rid of all their plastic and unwanted signs of modernity, consider the fact that the CIA, NSA, FBI or whatever other criminal groups you are shying away from could satellite track you. GPS bugs are pretty small and easy to hide nowadays. Or perhaps you are of no interest to them and you have opted for an unnecessarily less easy lifestyle - or is your first name Theodore?

Re:Welcome to the 21st Century!

[ledow]

Smart cards are just NFC / RFID cards. You can activate them by inducing any kind of magnetic field and you can do that from across the street.

I'm actually suspicious now that the shoplifting arches at stores are capable of powering them up.

Then they broadcast radio signals on known frequencies.

Yes, tagging them against a mobile with NFC will activate them and read data. So will your passport (there are apps for getting your photo off your passport!).

The problem here is not the activation (that can be done from across the streets, demos all over the web), not the broadcast radio (that can be picked up from miles away once activated, again demos all over the web). It's not even that an app can read the data from the card (that's it's purpose and you'll see that the chip in the card is indeed "smart" and requires authentication and setting up an encrypted session to a bank to actually DO anything that includes private data) - it's that the smartcard has pushed liability to you. If the above goes wrong, on Chip & PIN, you are liable if they think you authorised the transaction.

Now think about the box you enter your PIN into or that you swipe over. Who supplies that? How do you know? What kind of authentication does your CARD do on that device? None. You're typing your PIN into a generic looking box or tagging your card on a generic looking reader that could happily be relaying that stuff to a genuine, bank-supplied box under the counter (thus authorising the immediate transaction) while capturing enough to be able to put in more transactions later when you're not there.

And you'd be liable if you tapped your PIN on some Raspberry-Pi homebrew box that just stored and relayed the number you typed into the real bank card reader.

Smart cards are another step up - the card DOES authenticate to the bank somehow over a communications channel considered insecure (no different to Diffie-Hellman over the Internet) - but the liability is still with you.

And as you say - you have 5 smart cards on you. Any of them could be picked up when you authenticate. London Underground is full of warnings about "card clash" where people are charged on their credit card by mistake when they wave their wallet with their Oyster card over the reader.

The US is behind here and has picked up THE worst technology available, much like we all did. Smart cards and NFC can be secure, in theory. Chip & PIN and mag-stripe can't. Hence why C&P made almost zero dent in card fraud.

However, much more interesting? My bank app now turns my phone into an NFC credit card, as does Android Pay / Apple Pay. Then you're given a whole new virtual credit card on your phone. Now you're completely out of the loop of what happens on that card and can only hope to dispute transactions that might appear on it.

And it's unlikely that people will turn all NFC off until they make a purchase and then turn it back on, so it can be "sniffed" at any time. Chances are slim of that encryption being broken, but we're now just moving to client certificates stored on a passcoded device running a general purpose operating system for security, and broadcasting over open frequencies on activation.

It's not exactly how I'd design a secure payment system.

Re:The PNOs are clueless

[stdarg]

Of course the banks care, you aren't liable for fraudulent charges (which includes a mugger taking your card and making unauthorized charges).

Actually your point reminds me of the cases where a person is kidnapped and taken to an ATM and forced to withdraw money. It usually doesn't end well.

Re: Don't care, not my card, card issuer's proble

[grqb]

It's not even necessary to have a bank account with the same company that you have a credit card with. So your bank account is not linked to your credit card. You still need a convenient way to pay off your credit card, like electronic payments from your account to your credit card or whatever works for you.

* at least this is how it works in Canada, but for whatever reason we seem to be ahead of the US in terms of credit card technology based on what I've been reading (no pin? no tap payments? You still need signatures? Wtf?)

Re:The PNOs are clueless

Chip cards can now be cloned. It is a more complicated process than cloning a mag strip card, but it has been done and has been abused by thieves already.

Re:Easy

Sorry your time is worthless to you.

Re:Don't care, not my card, card issuer's problems

[jafiwam]

This is the dumbest (or maybe just trolliest?) statement of the day...

Please explain how *anyone* can predict someone's next CC number. If you can't explain it exactly, it's bullshit, since I assume you are included in "anyone"...

An article with exactly that in it appeared here on Slashdot months (or a year or two) ago.

There was no fix at the time.

"Did they fix it yet?" is an entirely valid question.

Scratch the security code off

After 3 credit card info thefts in 2 years (CC# and Security Code but not the physical card) I started scratching off the security code from the back of the card. The Burger King near me was responsible for 2 of the card information thefts (in both instances the cashier got promptly fired) and the 3rd time the info was stolen by a Chipotle cashier. The stolen info ended up being used for purchases in Florida and England which were promptly caught by my bank since I live in Illinois and don't travel at all. Ever since scratching the security code info off I have not had a single incident with stolen info.

Credit cards - That's Visa's problem.

[netsavior]

I don't work particularly hard to keep my card secure. I mean, I don't post photos of it on instagram or anything, but I don't need to go all cloak and dagger either.
I keep my credit card secure by not linking it to my bank account, and by checking it often for fraudulent charges.

If Sony or Target leak my credit card(both of which happened) I get a new one.

If someone gets a hold of it and charges 500 dollars at Walmart in Alabama (which happened, after a breech) then I tell the credit card company and they take care of it. And send me a new card at their expense.

Now if I fell into some kind of trick, like setting up auto-pay, so that it is actually my problem when someone else breeches my info, well that would just be silly,

Visa is a vast profit center built around making it easy to spend money. They are fully aware of how to make cards more secure, they don't want to, so neither do I.

Re:Easy

>A card-only system is the perfect surveillance solution. Not only does it reveal everything that you've purchased and from whom, but the time and location as well.

so the surveillance cameras magically turn off when you make a cash transaction? the serial numbers magically erase from the items you purchase? the memories of the cashier are erased?

Re:Don't care, not my card, card issuer's problems

Exactly. Why is this my problem? I am not liable for fraudulent charges.

You have to discover the fraudulent charges and report them in a timely matter. I don't want to bother checking for fraudulent use of my card all the time, so I want something more secure. Fortunately, I can get that in Europe.

Re:Don't care, not my card, card issuer's problems

"so the fraudulent transactions could not be reversed"

I'm gonna say no. You agreed to them, somehow. Fraud is fraud. You missed a checkbox and got charged. Being a 'marketing partner' is not free reign to commit credit card fraud.

Re:Don't care, not my card, card issuer's problems

[freeze128]

So don't buy shit from shady vendors. Problem solved!

Re:Don't care, not my card, card issuer's problems

[grahamsz]

Spot on. I'm long past giving a fuck. It's a minor inconvenience when my card numbers get stolen and I try to not use a debit card ever since getting that stolen would be a lot worse.

Re:Don't care, not my card, card issuer's problems

AMEX for business accounts issues cards to your employees with each card only differing by 1 incremental number. Thieves have stolen 1 card and then simply added or subtracted 1 to get another employee's number and rack up fraud charges on multiple cards.

Re:My card leaks visible spectrum radio signal als

It's the part where you take it out of the protective environment that's the problem here.

Re:The PNOs are clueless

When PINs first came out the banks and CC companies tried to pin fraud charges back onto the holder of the CC. Your pin was used so it can't be a fraud charge, you have to pay.

Went to court and after a few years ruling when in CC holders' favor. Since it is possible to steal someone's pin so a pin could not prove the CC holder made the charge.

Whereas Signature based gives them a chance to verify whether the CC holder made the charge or not.

So Signatures benefit the bank/CC company and allow better fraud detection (like when CC holder lies and made a charge they said was fraud).

Re:Easy

They don't show what you've purchased. They just show where you've been spending your money. If you have a loyalty card... now then the store knows what you've bought. Also, that's what your email full of order confirmations is for.

In Australia, our Bank Apps are amazing

I just go into the CBA app and click two buttons to get a new card sent to me and dispute the charges.

Who even cares if credit card information gets stolen. Anything through RFID is completely indemnified anyway. If you travel to another state and make too many PayWave transactions within an hour you'll get an email telling you to call the bank OR a call directly.

It's all pretty cool.

"Radio"? or "Nearfield"?

[Ungrounded+Lightning]

If the card is using a "radio" chip, it is dependent on an antenna. This won't work (unless you find and cut off the antenna wires near the chip).

If it is using a "nearfield" chip, it is dependent on a several-turn loop of wire for the short-rage connection. Cutting that with a razor blade, utility knife, or box knife should disable it adequately. (You can test whether that worked by going back to the terminal and seeing if it no longer responds.)

I'm not aware of whether these dual-mode (padded chip and radio or nearfield) use a single or multiple chips.

A couple seconds in a microwave oven should fry any chip in the card - including the one connected to the pads - and maybe also screw up the mag stripe. So that probably isn't what you want to try.

CVV2

[Khashishi]

CCV2. Isn't that the number you give to EVERY MERCHANT you buy from, along with number, name, and expiration date? How in the world are thieves ever going to get a hold of that VERY SECRET number?

RFID-blocking wallet!

[D00MSlayer]

I found a leather wallet on Groupon that is lined with RFID-blocking materials. https://www.groupon.com/deals/...

Re:Don't care, not my card, card issuer's problems

[Enigma2175]

Credit card companies like two kinds of customers. The first are people who spend a lot and pay it back every time.

Credit card companies don't really like this type of customer, internally they call them deadbeats.

OBAT TUMOR PAYUDARA

Anda Butuh OBAT TUMOR PAYUDARA ?Hub.Bu LIA WA-LINE 0813 1472 8217.
SOLUSI CEPAT DAN AMAN TANPA OPERASI.100% Herbal tanpa BKO (Bahan Kimia Obat).harga Rp.325000,-
Pro-K dan Teh Hitam adalah solusi Obat herbal untuk penyembuhan penyakit tumor dan kanker payudara stadium satu, dua, tiga dan empat.
Anda sakit TUMOR PAYUDARA MINUMLAH PRO-K & TEH HITAM
Insya Allah dengan minum rutin Pro-K dan Teh Hitam serta ikuti petunjuk anjuran dan pantangan yang ada di dalam brosur, TUMOR PAYUDARA ANDA & segala keluhan akan ber angsur2 membaik dan kembali normal, sehingga sehat seperti semula.
Obat sudah resmi di BPOM dan tersedia di apotek 2 agen kami, informasi pemesanan hubungi 081314728217(bisa COD jabodetabek, Bandung, Surabaya)
informasi lengkap kunjungi www.tumorkanker.net

The Radio Chip

[lsatenstein]

Our banks have been providing the chip cards for almost 10 years. Now with the Radio Chip card, there is a deal with the store, me the client, and the card company.

Purchases of under $100.00 are allowed with a proximity read. Above that amount requires the card to be inserted into the handheld and to present an authorization pin.

If your bank does not protect you, ask for a card that does not have the radio chip.

Re:Don't care, not my card, card issuer's problems

You...COULD care less? Less than you care now?

OK, so you DO care to some extent. Which seems to negate your point.

I think you meant "I couldn't care less." FTFY

Alternatives

[Shadow+IT+Ninja]

I am increasingly using plain old cash or gift cards in person, in physical stores. I am increasingly using Bitcoin and gift cards for online purchases. This is both for security and privacy reasons and there are even reasons besides privacy and security to use gift cards. There are various sites which will sell you gift cards at a discount from their actual value. There is also GL Scrip. They provide a fund raising method for various charities. The idea is that the charity works with them to sell gift cards and receive a percentage of the purchase price. The donation actually comes from the merchant who the gift card is for and they all give different percentages. Since I am associated with one such charity, I regularly write them checks for gift cards for places where I shop regularly. I have been remarkably free from physical junk mail and get less spam email than most people I know. My consistent efforts to protect my privacy both online and off is certainly a major part of that. When I mention privacy concerns to people, the knee jerk reaction is to think that I am worried about the government but really corporations are a significant concern as well. It's not just junk mail. I think that there is also a danger, particularly on the web, of the content you see being biased by what sites know about you. That could include news stories, political messages and even the prices you see for goods.

Re:The PNOs are clueless

The only security difference between signature and PIN is that PIN protects your card from being used by muggers, and the banks don't give a shit if you get mugged or not.

PIN protects your card from muggers until the muggers get a clue and keep assaulting you until you give up the PIN number, and/or kidnap you and hold you until they confirm you gave them the right PIN.

It doesn't protect anything, just ups the ante severely as to how much violence will be used against you to compromise it.

I don't

[nealric]

Simple answer: I don't, I probably can't and it probably doesn't matter. I suppose I'm a bit fatalistic about it at this point, but my credit/debit cards have been subject to fraud on pretty much an annual basis for the last decade. The card company indemnifies me, and all that I lose is half an hour of my time calling in the fraud.

The problem with chips...

[bigchrissd]

I've heard stories here and there that banks are trying to make card holders liable for suspected fraudulent charges because the transaction was supposedly done using the chip and thus the bank says the card must have been present at the point of sale. However, there are many web sites and videos that describe how the chip system has been hacked, but the banks seem to be "officially oblivious" to this fact. I suspect the whole chip thing wasn't a security feature that the banks wanted to help protect their customers, but a way to pass liability for fraudulent charges back to the card holders and vendors instead of covering those charges themselves.

Re:Easy

[idji]

The Russian embassy in Vienna refuses all cash payments - only electronic are allowed. I suppose this is to reduce embassy-level corruption, so i presume the corruption happens centrally in Moscow.

Re:Don't care, not my card, card issuer's problems

Many years ago, my apartment-mate at the time paid some random $49 fee for like 8 months before she caught it. Who doesn't look at their CC bill each month? I felt bad for her, that was $400, and she was so upset. But ... pay attention to your bills!!

Re:Don't care, not my card, card issuer's problems

[david_thornley]

I don't pay fees. I wouldn't accept a credit card with an annual fee, having a high enough credit score to pick and choose. I don't pay interest, because I pay the entire amount off each month. I get the equivalent of 1% back. I get an average of a free 45-day loan (although since I usually pay off the card shortly after I get the statement it's more like 30 days). I'm not paying much to use my money.

If you're referring to the fact that prices have to be high enough to cover credit card overhead, that's nothing anything I say or do or think affects. I pay the same amount when using cash (and handling cash isn't completely free and no hassle for the merchant either).

Use money instead

I keep my credit card secure by storing it safe and using real proper money instead :)

Re:The PNOs are clueless

[raarts]

> The only security difference between signature and PIN is that PIN protects your card from being used by muggers

Absolutely not true. It totally protects my online banking. All banks I know of in the EU provide their customers with what is called an e.dentifier ABN AMRO example here (PDF). Even if my PC gets hacked, they will not be able to access my online banking, because the device requires my card AND my PIN, and generates a login token. This has been in use for many years, and is much more secure than anything I've seen in the US.

Re:Don't care, not my card, card issuer's problems

Should have contacted your local AG, the banking commission, and the FBI. This was out and out fraud and the bank refusing to cancel the charges for any reason or prevent their recurrence after being notified was illegal and would have gotten them in a lot of trouble.

Re:Don't care, not my card, card issuer's problems

[CanadianMacFan]

Well, with the RFID you are limited in the amount of your purchase, at least in Canada. Usually it's around $100 to $200. If you start claiming that a bunch of stores around town have fraudulent purchases on your card and you haven't reported it as stolen then it's going to look suspicious. And if you try it a second time the credit card company is going to become suspicious of you.

The fraud detection systems that the credit card companies have are quite sophisticated. If a merchant starts repeating a transaction then the company will find out and get their money back along with additional fees and probably get the police involved. They certainly won't work with them anymore. It's in the merchants best interests to be honest.

Re:Don't care, not my card, card issuer's problems

[mattwarden]

No I don't. Not in any meaningful way that should affect how I view this situation.

I don't pay fees or interest; never have and never will. The only way I am paying for these things is via the transaction fees that the merchants pay, much of which gets passed on to the customer in the price. You pay for them in the same way I pay for them, even when you pay cash.

I'm not saying we should be reckless with exposing ourselves to fraud. I'm saying that the issue is the one incentivized to figure out this problem. I take the customer copy of the receipt at restaurants, and I don't leave my card out with numbers exposed to passers by. But I'm not wearing tin foil hats. It's irrational for me to care that much.

Re:Don't care, not my card, card issuer's problems

[mattwarden]

Walk me through this logic, Bernie Bro. Visa is intentionally not securing its system so that criminals will steal my credit card number and run up charges I don't ever have to pay, which hopefully eventually gets caught by their massively expensive fraud detection system and teams, after which they immediately call me asking me to verify the suspicious transactions, and once I tell them they are fraudulent, they cancel my card, reverse the transactions, and then overnight me a new card where ever the hell in the country I am at the time so they don't lose out on a couple days of transaction fees... in some massive conspiracy to profit?

Oh, and I forgot recently paying to replace everyone's cards with chip cards, in an act of pure show to throw us off on their cash cow conspiracy. Those banksters!

Re:Don't care, not my card, card issuer's problems

[mattwarden]

Credit card companies like all kinds of customers. They like deadbeats too. Otherwise they wouldn't issue them cards. Like any business, different products are targeted to different market segments. Deadbeats make the company money on transaction fees and generally get large credit limits because they represent little credit risk and the company wants to encourage you to buy your next car on your credit card, enjoying the 45 day float until you pay it off in full in cash. This is easy money for the credit card company.

Re:NO SUCH THING.

No private citizen modded this down. Everything stated is fact.

Re:Don't care, not my card, card issuer's problems

[TheRaven64]

I've heard that claim, but it doesn't really ring true. I spend about £10-20K on my credit card a year (a lot of it is business expenses) and pay it off every month. My card issuer seems to care a lot about customer retention - every time I've had a minor issue with them, I've had a written apology, credit of £20 to my account, and someone call me to check if I'm happy with the outcome. Which makes sense, when you consider that they're making a few hundred pounds from me every year with no risk.

I forgot to mention the ones that they like the most, which is people like me except who occasionally miss a month of payment, then pay it back the following month. These people are very low risk but are even higher return. Like everything else in finance, it's about maintaining a broad portfolio of risk/reward. Credit card companies need to have a lot of low-risk transactors to create enough demand in shops for credit cards and to reduce the overall risk of their business. Without them, the ones that didn't pay back would be too high risk.

logic fail

swiping it near the screen caused an message to show up on the reader. In this case, it told me to use the chip reader instead, but this means it has an active radio signal, and could be "hacked"

Or most likely, the mag stripe contains a flag telling the reader it that the card has a chip, so the reader puts up that message.

Re: Easy

[slashrio]

Sorry, I wasn't clear enough. With 'cashless society' I mean the whole society, not only Sweden.
Of course during the current introductory phase of cashless, it should be presented as something nice and handy. "Oh look mama! I can pay without money!".
Or just convenient. But the downside is that you will have no real control over your own money anymore, the banks do. And if you do things they, or the governments under their control don't like, your money will be switched off. Look at how it starts with wikileaks, arm factories and stores, porn shops and sites in the US.
Someone doesn't break any law, yet the banks (in my examples it were mainly credit card companies, but the same thing: access switched off) don't like what he does and block his account. You can't buy food anymore, drive no car. Within a month or two you will be an outcast, living on the streets. Thanks to the 'cashless convenience'.
Oh, and negative interest rates will be introduced of course, because they can. And there's no way you can change it back anymore.

Re:The PNOs are clueless

[plover]

True, the DIGIPASS readers would make online purchasing completely secure.

Except for the part where *zero* banks in America are even talking about distributing them. They'd rather push Chip and Signature because the convenience factors make them much more money, and they want companies like Square, Apple, and PayPal to duke it out in the marketplace to push crappy credit solutions out so they can collect more vigorish from the increase in transaction volume.

Not difficult.

[RockDoctor]

(1) take money out at bank.

(2) Pay for goods with money.

What's the problem?

Re:Don't care, not my card, card issuer's problems

[Dahamma]

I was relaying other peoples' complaints about the costs.

Yeah, but why would anyone find it useful for someone who doesn't use credit cards to explain credit cards second hand to a bunch of people who do? :)

But now I am finding out that cash or credit, we all subsidize the industry. Turns out that simple credit card theft is very profitable for more people than just the thief. You may think you aren't paying for it, but just the opposite is happening, we all are.

No, it's not profit, it's a risk that the banks take into account. Actual theft costs them money and the customers time. Now, you could argue fear of theft makes them more profitable... but not the actual theft. Same with any type of insurance.

Ask yourself why the banks are dragging their feet in securing the system.

Because it will cost them $$$ to do a REAL upgrade, and the results will make it more cumbersome for customers to use their product. It's absolutely not that they make money from theft. It's that they want people to feel safe while minimizing their costs of upgrade.

Don't get me wrong - not a fan of VISA, etc, the CC companies only care about themselves. That's why chip and signature security that is rolling out in the US really ONLY protects the banks from credit card counterfeiting, it does almost nothing to protect customers from the horrible inconvenience of having their CC# stolen. Chip and pin (which Europe, etc, uses) would have solved most of the consumer problems but the banks were too worried that the extra friction of entering a pin would discourage use and therefore hurt their revenue... fuckers.

Re:Don't care, not my card, card issuer's problems

[Dahamma]

Oh, and I forgot recently paying to replace everyone's cards with chip cards, in an act of pure show to throw us off on their cash cow conspiracy. Those banksters!

Actually, that's the one part where (while the GP post didn't know this aspect) the banks are completely acting in their own interest and NOT their customers. They spent a bunch of money to replace everyone's cards with chip AND SIGNATURE system cards, which do make it harder for large scale counterfeiting, but do very little to protect their customers when they get their cards stolen.

If they had adopted chip and pin like Europe did it would have made customer issues with CC loss/theft almost nonexistent. But that would have also required that customers remember and enter pins whenever they use it, and that extra friction scared VISA, et al so they didn't use it.

Re:Don't care, not my card, card issuer's problems

[Dahamma]

As the only non-AC replying, I'll reply to you...

Anyway, I stand corrected! Pretty amazing that they just don't care. I guess the loss is small enough to them (no matter the inconvenience to some customers) that it's not worth fixing. In the end, credit cards are one of the purest forms of making profit off of convenience and nothing else...

Re:Don't care, not my card, card issuer's problems

[fustakrakich]

No, it's not profit, it's a risk that the banks take into account.

If you remember what happened in 2008, you would understand that the banks take no risks.

It's absolutely not that they make money from theft.

Kinda strange to hear that from a person that tells me about "second hand information" :-) 4.5 trillion in "excess reserves" isn't exactly chump change.

Re:Don't care, not my card, card issuer's problems

[Dahamma]

If you remember what happened in 2008, you would understand that the banks take no risks.

Really? Well, these 400+ banks would disagree. https://en.wikipedia.org/wiki/...–present)
The biggest few that were savable did get bailed out, but MANY smaller ones (or a couple of the big ones like Lehman that were so fucked there was no hope) failed.

But anyway, this whole discussion was about CREDIT CARDS, not shady subprime mortgages. I don't think there are many people (other than bankers) who are particularly happy with the shitshow that is the US banking system, but in the specific context of credit cards it's moronic to suggest the banks WANT people to commit credit card theft.

RFID Security

If you are worried specifically about the RFID or NFC components of the card, don't bother. I too used to worry about these features. It's a near total waste of time.

It turns out that in the wild, RFID or NFC hacks are rare. As in, really rare. Tech demonstrations, oh sure, those are a dime a dozen! But actual fraud by criminals? Rare as hens' teeth.

Now why? I mean, criminals can get your CC data, it's a goldmine! No, no it isn't.

A real criminal can get your CC data already, today, on the internet. Not you specifically, but then real criminals don't care about you specifically. They just want the money, and not to get caught. And there's the rub.

Internet crime allows criminals access to millions of CC data, with floods of new CC sets every single day. Furthermore internet crime often goes unpunished, which the criminals really like.

Now think about what it takes to engineer an RFID exploit. The criminal has to go outside and hang around his targets, with a reader. Let's say he hides the reader though. However the criminal is still exposed, visible to his victims and any security guards, not to mention the cops. Let's say he's willing to risk it anyway. What are his potential rewards? A single CC number. But wait, he's persistent and spends a whole day at it. Let's say he gets 100 CC numbers.

This is peanuts. He can literally get 1000x more CC accounts from the internet, and he can to it in minutes, and he's not exposed himself to much risk.

Oh but you say, this is a master thief. He puts his RFID reader in a planter right in downtown, at the height of mid-day traffic. Let's say he gets 1,000 CC numbers.

It's still peanuts. He can still get 1000x more CC accounts from the internet, he can still do it in minutes, and there's no incriminating hardware sitting in that planter, waiting to be discovered and traced back to the thief. Internet crime is better in every way that the criminal cares about.

http://www.infoworld.com/article/3023422/security/why-you-dont-need-an-rfid-blocking-wallet.html

The special wallets, blocking sleeves, tinfoil wrappers and Faraday cages? I suppose they make a tiny improvement. Just don't expect that you go from 100% exposed to 100% secure by using one.

Re:Don't care, not my card, card issuer's problems

[mattwarden]

Cash or credit pays the same. This is just not a problem any cardholder needs to worry about.

While you call me dumb, you appear unable to differentiation between me saying this is not MY problem and me saying this is not A problem. It's a problem. And the issuers are the ones with skin in the game. They handle it pretty well and will continue to get better.

Re:Don't care, not my card, card issuer's problems

[mattwarden]

Again, I'm sorry, but I just don't follow the logic here. It's not my problem if a thief charges fraudulent charges on my card. It's the issuer's problem. So why is it acting in their interest and against mine that they decided not to add a PIN for my convenience's sake?

Sounds exactly backwards. It's in my interest to have no PIN, because it will annoy the shit out of me. It's in their interest to have a PIN, because they are on the hook for charges of stolen cards.

The only way no PIN is in their interest is because I will be annoyed as shit and might switch cards

Meanwhile, the same issuers have debit cards with a PIN. It's annoying as shit, but because the customer is on the hook for fraudulent charges, they insist on a PIN anyway. So, I don't follow how you end up with your viewpoint on this.

Re:Don't care, not my card, card issuer's problems

[mattwarden]

I've never been the one to find the fraud. The company calls me within hours of the event. This appears to be believed to be an issue only by people who have no idea what they're talking about.

Re:Don't care, not my card, card issuer's problems

[Dahamma]

Again, I'm sorry, but I just don't follow the logic here. It's not my problem if a thief charges fraudulent charges on my card. It's the issuer's problem. So why is it acting in their interest and against mine that they decided not to add a PIN for my convenience's sake?

Have you ever had your CC stolen? I assume not. If you have, you'd understand that while you may not be out any literal money in the end, you could potentially be out countless hours of dealing with customer care or

Have you even been out of the US in the last 5 years? Again, I assume not. If you had, you'd have seen in all of Europe they have managed to adapt to chip+pin just fine. Yes, it's a bit more expense for cafes to bring you a mobile reader to enter your pin, but honestly I used my CC 20+ times last time I was in Europe and not ONCE did it take longer than the last few times I used the damn US chip+signature in the US. The industry fucked it up so badly that their fears of adding friction with chip+pin were moot.

Meanwhile, the same issuers have debit cards with a PIN. It's annoying as shit, but because the customer is on the hook for fraudulent charges, they insist on a PIN anyway. So, I don't follow how you end up with your viewpoint on this.

This is mostly untrue in theory, and almost totally untrue in practice. The Electronic Fund Transfer Act equated liability for Debit cards to the same as credit cards - max $50 if you report it within 2 days of discovering the fraud. And, like CC case, most banks waive that since it's not worth losing a potential long term customer over $50.

Sounds exactly backwards. It's in my interest to have no PIN, because it will annoy the shit out of me. It's in their interest to have a PIN, because they are on the hook for charges of stolen cards.

Yeah, you clearly have never had you CC stolen. You just don't get it - plus, you are probably a responsible CC user and pay your balance every month. But many people aren't - and the big worry was the friction would cause people not to use CC's, and that would be larger than the loss from fraud. They don't care about your inconvenience, just your potential revenue.

Summary is, you really don't know the laws and practice of CC and Debit cards in the US. Making inaccurate comments on /. notwithstanding, you may want to actually learn the real laws since I assume you are a user of these services...

Re:Don't care, not my card, card issuer's problems

[mattwarden]

As I have said elsewhere in this discussion, I have had fraudulent charges on my card many times. Does that mean my card was "stolen"? Not sure and don't care. I travel all the time and yes, it is inconvenient to be out a credit card for a day, especially as I use different cards to keep my expenses segregated. But in every case the company called me before I knew anything had happened, asked me to verify the charges, and overnighted a new card to me.

You're right that I am what you defined as a responsible CC user, and I hadn't thought about how that might affect my experience. The CC company makes money off of me in transaction fees, so perhaps they are more motivated to keep a card in my hand than someone who makes them money on an existing balance that continues accruing interest no matter whether they have an active card in hand. But until I see some hard evidence to the contrary, I'm going to continue assuming people whining about fraudulent CC charges have no idea what they are talking about.

Why secure your credit card?

[mi2]

Why would you keep your credit card off limits to those hungry enough to try to use it? It is very selfish of you.

If you've ever supported taxing a fellow citizen to provide sustenance to the poor, it is rather hypocritical of you to guard your own account(s).