Slashdot Mirror
Visa Claims Chip Cards Reduced Fraud By 70% (arstechnica.com)
An anonymous reader quotes Ars Technica:
Although only 59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade, according to Visa.
There are a few ways to interpret those numbers. First, it seems like two years has resulted in staggeringly little progress in encouraging storefronts to shift from magnetic stripe to chip-embedded cards, given that in early 2016, 37 percent of US storefronts were able to process chip cards. On the other hand, fraud dropping 70 percent for retailers who install chip cards seems great. Chip-embedded cards aren't un-hackable, but they do make it harder to steal card numbers en masse as we saw in the Target's 2013 breach.
There are a few ways to interpret those numbers. First, it seems like two years has resulted in staggeringly little progress in encouraging storefronts to shift from magnetic stripe to chip-embedded cards, given that in early 2016, 37 percent of US storefronts were able to process chip cards. On the other hand, fraud dropping 70 percent for retailers who install chip cards seems great. Chip-embedded cards aren't un-hackable, but they do make it harder to steal card numbers en masse as we saw in the Target's 2013 breach.
Seems I heard that Oct the Chip Readers were mandatory. Seems not yet - can anyone fill in these blanks?
Now we have one great place left for skimmers to set up: gas pumps. I have yet to see one that is NFC capable or that included a chip reader.
And in the past three years, I've had my card skimmed twice -- it's become annoying enough that I ended up relegating a single card to gas station use, so that when it gets skimmed again I won't need to cancel any sort of auto-pay setup against it.
It's crazy to me that credit companies don't get stricter with gas station owners.
Seems I heard that Oct the Chip Readers were mandatory. Seems not yet - can anyone fill in these blanks?
They've been "mandatory" for a while now. But many of them don't work.
A group of retailers filed a lawsuit over it but I don't think it has gone anywhere.
When they first deployed the chip cards, I had mine for all of two weeks before it was compromised by the wait staff at one of the restaurants I frequent :|
So the wait staff managed to duplicate the chip in your card? Where do you eat?
Sig ?
They aren't mandatory but they do charge higher fees to process the transaction if you don't use the chip. Online card purchases still act like swipe cards since all you have is the basic info so it's not like they can just force all transactions to work like using the chip.
So you handed them your pin, and it's their fault? You understand how this works right? You plug your card into the terminal, then enter your pin. If it was compromised, then it was a plain old skim because the business hadn't rolled over to chip & pin and were exempt from requiring *you* from entering it.
Om, nomnomnom...
"Martha? Would you ring up Woodrow 2-4-2 and ask the president of the bank to wire $10,000 to Sparky up in Reno out of my account? It's 5-4-7-9. Thanks!
Oh? And what kind of illicit business is that?
They are not mandatory. BUT the retailer is now on the hook for fraud. Not the CC co. or the processor. The retailer also must buy the new equipment. If the CC co.s really wanted to stop fraud. They would provide the readers themselves. Payback would be less than a year.
For years credit card companies allowed people to be defrauded because it was cheaper for them.
Actually, for years the major credit card companies have had zero-liability policies for fraud. Do you own/use a credit card?
But they DON'T want to prevent fraud, they want to prevent liability, which they they have.
In the US typically it is chip only, no PIN. Plus the card could have just been swiped. As pointed out in the article, 41% of storefronts don't have chipreaders.
Can I please have it this way instead? "Visa caused 70% of fraud by not implementing decades old system earlier than they did."
The glass can be half empty.
In the US, very few chip cards come with chip PIN's (these are distinct from credit card ATM PIN's for cash advances); most have you sign something or nothing at all.
Most USA issued CC's are chip and signature. No PIN is required.
So the US is still 10-15 years behind Canada then is what you're saying. Up here if you don't enter a pin, you can't complete the transaction. I also mentioned the cloning bit in my comment, which makes the original posters point about "omg chip & pin is a failure, it was all their fault" again worthless. Chip & pin didn't fail in that case which is what they were trying to make as a point.
Om, nomnomnom...
In the US, very few chip cards come with chip PIN's (these are distinct from credit card ATM PIN's for cash advances); most have you sign something or nothing at all.
Here's how it works up here. Bank card + pin = direct withdrawal from your bank account(see Interac system). CC, again requires a pin. CC+Pin = billing directly to your CC. You don't sign for things up here unless there's a widespread terminal failure and the company still has an old fashioned carbon-copy style credit device available.
Om, nomnomnom...
"Please- if you want to get rid of your crypto spend it at my business!"
>wants people to spend their crypto at their business
>doesn't reveal what that business might be
Sounds more like you're the fraud.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Why would a thief bother duplicating the chip, when they can do all the online purchases they'd like with just the name, number, expiry and CVV?
This space intentionally left blank
Fraud with Card-not-present (e.g., buying things online) is going up.
They don't care about that because in any disputed CNP transaction they can just screw the merchant with a chargeback.
It costs Visa/MC nothing, and the merchant has no recourse.
Chip and signature in the USA was designed to combat card skimming and cloning of mag stripes - it can't stop other kinds of fraud. Yes, it can help prevent fraud of stored data as chip data is different then mag stripe data - but the root of the fraud is cloned mag stripe data - often from skimmers.
If no terminals accept mag stripe, then cloned cards won't work. Someone can still copy the data off the front and back of card visually, and they can still clone the mag stripe. But then the fraud is reduced to Card not present (that won't change with internet and phone orders) and mag strip fraud will go away if all terminals require chip.
Chip and PIN is used to combat card theft, but that is only a tiny part of fraud. The credit card companies are going after what makes the most sense. And in the USA most people have multiple cards, so they have to figure out how to give all those cards PINs - not an easy problem to solve.
The chips are nearly impossible to duplicate. If you had technology to clone one secretly in a minute or two you could probably make far more money by selling that than you could steal from credit cards.
Of course the chip is absolutely not needed to run up huge fraudulent charges on a credit card, so the whole thing is kind of silly.
The technology exists to read the credit card chip over the internet, but maybe they think the cost of tens of millions of card readers would be more than the cost of fraud for as far into the future as investors care about?
If you didn't realize, Visa is part of the group that rolled out chip cards (EMV - Europay, MasterCard, and Visa) in the first place. They are still trying to convince the merchants and processors that are dragging their heels, because that's what people here always seem to do. Everyone is still in denial that chip cards are an important transition, let alone adding a pin.
For the bank info, the problem is that account numbers are treated as the sacred piece of info. You pull money with a routing and account number and protect those numbers like a credit card number. Everywhere else, banking works on a push basis where the account number is merely a destination. It's all about legacy systems and backward compatibility.
why the fuck haven't fees gone down?
You don't even need to do online purchases. After 2 years, the chips on 2 of my cards are so flaky that they often don't work. It works every now an then, but usually it ends up telling me to reinsert the card, then after the 3rd failed chip read it tells me just to swipe it. Never once has a cashier given it a second though and asked to see the card or ID. They just act like it's routine (which wouldn't surprise me if it were). So really all they need to do is clone your card onto a card with an intentionally defective chip and they're back in business as usual
That’s why restaurants use portable card terminals. The card never leaves your sight.
...si hoc legere nimium eruditionis habes...
Why would your card ever be out of sight at a restaurant (or anywhere)? The chip processor is a handheld wireless device about 1.5 x 3 x 6 inches. The card slides into the bottom and you take the whole device to privately enter your pin.
Shift the risk. Make merchants with no chip capability liable for fraud.
cards are starting to get old now
I use Android Pay. As far as the terminal is concerned, my phone is a Visa Paywave card.
While all the terminals in New Zealand support NFC, a lot of merchants don't have the option enabled as the transaction fees are lightly higher. Some don't accept credit cards at all, as debit cards have no transaction fees.
Meaning in Canada, we've had cards with chips in them for more than 10 years already and pretty much every single stores have a chip reader and very few actually accept magnetic cards anymore.
I never had a problem with my magnetic US credit card in BC or Quebec.
credit cards and crypto exclusively
you have a weird understanding of the word exclusively
"Old man yells at systemd"
to the exclusion of others; only; solely.
By defining a group of payment methods that they accept "exclusively," they are simultaneously defining the group of payment methods that they do NOT accept (i.e. everything else).
"Mandatory" is a very flexible term. Merchants can, in theory, still imprint cards with a knuckle buster and deposit those in the bank like checks.
The actual rule is that if you don't use a chip card reader, and there's a dispute, the merchant pretty much automatically loses. For merchants who don't have problems with fraud to begin with, it's an expense they can easily do without.
That's why the 59% that have adopted the new technology have produced such a disproportionate reduction in fraud: They're the ones who have the most fraud to begin with.
I've never seen a chip reader that didn't also have a mag strip reader as well. When I was in Iceland a year and a half ago, the card I used for nearly everything didn't have a chip. The only place I had trouble with it was buying fuel, and that wasn't because it didn't have a chip, but because it didn't have a PIN (which it could have, if I'd known to set it up in advance).
An increasing number of stores are refusing to swipe when the chip isn't working. (My employer does.)
The reason is that thieves will deliberately damage the chip and reprogram the mag strip with a different number than is on the card (if there is one, these days), which is the old fashioned form of credit card fraud all over again.
You really need to call your bank and tell them to replace the card. Otherwise, eventually, you won't be able to use it at all.
I mean with 70% less fraud, surely they can reduce merchant fees from 3% to 2%?
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
For somebody who uses a non-Apple device in order to run applications that have no close substitute on iOS, is it worthwhile to buy and carry an iPad mini just for Apple Pay?
I returned from a 10-year stint in Australia, where I stopped carrying cash, wrote only two checks, and for purchases under an amount set by the merchant -- $30 in some cases, $100 more typical -- simply tap the card, faster than cash. I looked into it here and the friction apparently was the cost of the chip. Apparently not. Anyone know what the heck is keeping tap-pay from becoming a thing if the chips are already on the cards?
As to card details being compromised for online purchases, hate PayPal all you want but with it (and 2fa) I finally got cancelled cards under control and some peace of mind.
Same thing in Europe - chip cards rules since at least 10 years now.
Just minor problems that are easy to resolve by cleaning the chip contacts against the shirt whenever there's a problem.
This seems to be pretty much a symptom where the US is - way behind on a lot of things these days compared to 50 years ago when the US was the leader in technology.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
There is a Bulgarian startup that offers users the ability to use only the EMV chip and bypass the magnetic strip. I have officially aksed all banks on their opinion of this product, and received emails from maybe 1 or 2 banks only, that were sketchy. My main question was if my card has both an EMV chip and a magnetic stripe - if i block the stripe with SkimProt does this invalidate my card in some way, could it cause issues with ATMs etc. Nobody bothered to answer me, so i simply went and got a card with ONLY an EMV chip and no mag stripe. But you have to ask for it. In the USA most retailers cant yet read EMVs though, kinda backwards.
with the rollout of contactless pickpocketing.
This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
You don't sign for things up here unless there's a widespread terminal failure and the company still has an old fashioned carbon-copy style credit device available.
You only need a carbon-copy device if the power is out or all your terminals are broken and if the power is out there's no lights so most likely the store will close. It's far more common that the Internet connection is down, then it goes into offline mode where instead of the regular receipt it spits out a bill that I sign on, at least that's the way it works here in Norway. I'm not sure if they send it electronically later when it reconnects and the signatures are just for disputes or if the store needs to deliver the paper bills to the bank, but cards eventually get charged and usually everybody is happy.
When that happens the store is on the hook for fraud as you could potentially use a debit card with no money or a credit card in excess of the limit. I'm not sure if they have offline blacklists for blocked cards, so potentially stolen cards too. But unless you're running around with wire cutters that's not something a fraudster can plan for and it's up to the store to get it fixed in a timely manner or invest in redundant connections or simply refuse large/all transactions. Tough in practice I've never been refused in ages, except when the office cafeteria's single terminal was broken. But they took IOUs on a piece of paper...
Live today, because you never know what tomorrow brings
What the fraud rate would have been if we'd done what we should have done and gone to Chip&Pin?
Even though I have PINs on all my cards, only Target uses it. Even in Europe and India my cards comes up "signature", not PIN.
But if the fraud rate is low now, that probably only means that the crims haven't figured out how to defraud it – yet.
P.S. I'm still waiting for restaurants to get the portable readers that the wait staff bring to my table and my card never leaves my sight.
You need to get out of Poland more often.
Americans like me haven't written checks (or cheques) in years. And several of my cards have contactless, and I use it.
I suspect that I am not alone in this respect.
A fucking citation is needed. There were phone payments long before {Apple|Google} Pay. From dumbphone SMS to RFID on SIMs released a year before the iphone ( https://en.wikipedia.org/wiki/Mobile_Suica ). Sure you are right if you want to narrowly define smartphones to something released since the iphone.
Sometimes the cure is worse than the disease.
No, you can't have it that way. Visa and MasterCard were the ones who created that decades-old system in the first place and they've been pushing very hard (and overall very successfully) to get it accepted throughout the world ever since. It's pretty much just the USA that has been refusing to allow the chips despite MasterCard/Visa's efforts.
The real question is, why is the USA so backwards on these things ?
Your life sounds a lot like mine. The real question is why are so many people outside the US so ignorant about how things work in the US? And why do so many of you keep trying to tell us how backward we are when it's clear you don't even have a clue?
Yes, there are still plenty of dinosaurs writing checks. In a country of 340M where probably at least 80M are over 60 years old there's bound to be a few. I dare say you've got a few over there too, where ever over there is.
Although it's true we still print these silly $1 notes, even when we've got a perfectly good $1 coin and a $2 note. It's nearly as bad as India, with their R10, R20, and R50 notes (worth about 6, 12, and 30 cents respectively. And silly /. will handle £ and € but not the cent sign. 1980 called, it wants ASCII back.)
I can't seem to understand how the US can be so behind the curve on some really important issues. One of them regarding financial/banking issues is the matter of the freaking chip&pin cards (or more the lack of proper use of them). Never ever have I seen any US store require chip&pin authentication, they always just read the chip and make you sign, which is crazy a**stupid. I thought they saw finally the light when chip cards were getting introduced - very, very, really late vs. everyone else -, but introducing such a half a**ed solution is idiotic, and nothing seems to change.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Plus it seems if a reader can't read the chip after 3 attempts, it will let it go through as a mag strip tranaction.
It's far more common that the Internet connection is down, then it goes into offline mode where instead of the regular receipt it spits out a bill that I sign on, at least that's the way it works here in Norway
Here, in my part of Canada, if the retailer/restaurant’s internet connection goes down, the hand-held terminals just flip over to 3G or GPRS wireless, and conduct the transaction through the cellular network.
...si hoc legere nimium eruditionis habes...
Meaning in Canada, we've had cards with chips in them for more than 10 years already and pretty much every single stores have a chip reader and very few actually accept magnetic cards anymore.
I never had a problem with my magnetic US credit card in BC or Quebec.
You wouldn't. Liability in this case is at your own bank (the issuer)
The way I understand it, if the acquiring bank supports chip and the merchant doesn't, then the merchant is liable for fraud. If the acquirer (in this case Canadian bank) doesn't support chip, then the acquirer is liable.
If both the acquirer and the merchant support chip, the issuer (your bank) is liable. So they have no problem with you using a magstripe. In case of fraud, your bank is liable.
---
Moving to chips had nothing to do with fraud, It had to do with liability. If a store uses chip + pin and there is fraud the bank eats the loss, If they use chip with no pin or swipe then the vendor eats the cost on fraud. Some low cost per transition sites still swipe because they are willing to eat the cost in favor of speed. Other locations where product value is high or % of fraud is high have gone chip. With checks pretty much going to way of the Dodo birds and even for the few that accept them, they technically dont accept checks but do an ACH from your account. (ever get your check back at the register, guess what ACH).
i still don't get the point of the chip when half the websites don't even need the ccv number from the back. and once i paid my time warner bill using the wrong expire date.
We don't. But out standard cards have been just fine accepting mobile phone NFC payments long before Apple claimed to invent the idea. Hell I rarely use my card.
As for plastic technology ... who developed NFC? The Japanese working with the Dutch. You're welcome.
If you ave a decent card issuer, using your card without the ccv should raise a fraud alert
My first smartphone was an i-mate SP2 in 2004.
i-mate is an Irish company. It was built by HTC, a Taiwanese company.
Nokia, Philips and Sony invented NFC, none of which are American companies. One Finnish, one Dutch and one Japanese.
ARM is a UK company, which powers pretty much every smartphone ever.
Where is 'Murica in all this innovation?
Funny when Americans think that wirelessly powered computers used for strong crypto embedded in plastic cards are "just plastic cards".
It's not the ancient plastic cards that are technology, it's the computer embedded into them, and the crypto, NFC, wireless power and other things used around them that make them technology. Is it just because the US is the last in the world to start supporting this that it's "backwards"?
Learn to love Alaska
I don't see how. I bought a game online, and my transaction was refused and the card deactivated. And that's usual behavior for me.
Learn to love Alaska
oh.. and first smartphone NFC trial was by Innovision (at the time, a UK company), using a Nokia 6131 in the UK in 2007
Apple's first NFC equipt product, the iPhone 6 came out in 2014
First Android phone with NFC was the Nexus S in 2010
A fraudulent charge isn't a "chargeback". A chargeback is when the merchant lies about sending the item, demands full payment for nothing sent, and whinges for decades about chargebacks ending their fullproof plan for profit. An unauthorized charge is *never* a chargeback, even if the merchant still loses money on the deal.
Learn to love Alaska
No, the limit for "card use after reported stolen" is $50/$0. But unauthorized card use with card in hand was unlimited liability for the cardholder. Live in a dorm? Got your details stolen by a roommate and they bought stuff and shipped it to your address? You didn't report it stolen, and you didn't keep it safe. Your fault. Also it was literally shipped to you so they begin an investigation into you for fraud. I've seen it happen.
Your negligence, real or asserted, removes all limits. You are free to sue if you think their assessment was unfair, but you'll never win.
Learn to love Alaska
In Europe, where the chip cards have been around for a while, you don't give away your card. You keep it in your hand to pay. You handed your card to a stranger who went into the back room with it. And you don't see any problem with that?
Learn to love Alaska
You don't need to clone the chip, all you need to do is damage it.
If a terminal fails to read the chip, it will accept a mag strip.
You'll probably have to swipe it - and be prompted to insert it, insert it - and be prompted to swipe due to read failure, then swipe it again
It may ask you to insert it multiple times before allowing a swipe.
How do you find the convience of $20 tranaction fees and 10+ minutes transaction confirmation times?
Or you're not using bitcoin, but some other crypto "currency" that's about to fail?
Outside the US, your bank account is effectively public. Without checks, having an account will let you deposit, but not withdrawal. In the US, if you find someone's bank account, you can presume it has checks, and you can forge a check with those numbers, and have a 90% chance of making a payment (though it could be stopped later). The rest of the world does something e-check-like at the point of sale that doesn't use account numbers. You give out your account numbers freely, and people do "wire transfers" for free. Daily.
Even the "I don't use checks" generation uses checks. If you don't set up direct debit with your utility, you almost have to pay by check. They save money by not taking CC. I even went to a utility once with an ATM in the lobby. If you don't have cash, use the ATM, because they don't take CC. Oh, and if you don't want to wait in line for 3 hours between 10 and noon, you have to pay by check in the drop box.
The rest of the world uses free wire transfers like Americans use(d) checks.
The US is still 20 years behind. Deliberately, because it locks money into banks, where you can't use it.
Learn to love Alaska
Or maybe a refurbished iphone SE? I think that would be cheaper, and a smaller form factor
Yeah I wanna tap muh card - but all of my local retailers have the slide-type only. Half of them are bolted in a fixed position that you can't rotate, and they usually have a riser shelf, or some display mounted right next to the slide! Someone here earlier referred to these as "knucklebusters" - sounds like an apt name.
All I can say is that this "stupid idea" has been working for years over here in Europe.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
See Ross Anderson's "Light Blue Touchpaper" for a timeline, https://www.lightbluetouchpape...
As other writers noted, Visa has 70% less fraud because they can now disclaim responsibility for all the fraudulent charges on the older, more popular equipment. There might be a small decrease in fraud overall, but the "70% less" is really "70% the merchant has to eat, as we're not accepting fraud reports from their equipment".
davecb@spamcop.net
You should try visiting France sometime!
The reason for poor uptake is an argument between the merchants, acquiring banks, CC networks, and issuers. Basically, most of the merchants lease the equipment from the acquirers, and the the acquirers are the only ones who didn't actually suffer from fraud because the liability largely fell on the Network or Issuer. However, the Acquirers own all the equipment and don't want to pay for an update. There is a double cost for them there as they both have to update hardware (the terminals themselves) and the software (as their systems must be EMV enabled). The Merchants were not being impacted at the same levels as the network or issuers so there was no pressure on the acquirers to change.
The liability shift that occurred last year basically put the loss on the merchant if they don't support Chip, in the hopes that they would pressure the acquirers. It's happening, but slowly. Large organizations that own their own POS stuff have mostly switched over to chip and signature. This has largely cut out Card Present fraud where it's used because it is basically impossible to clone a chip card. Stolen cards can still be used however, until they're cancelled. PIN would largely eliminate this also.
EMV doesn't really address Card Not Present (such as internet) fraud and won't until everyone has a chip reader attached to their computer.
Rational thought is the only true freedom
The degree of caution that card issuers call for depends on the site. Online bill payment is a low fraud situation. People just don't seem to use stolen credit cards to pay their electric and cable bills, perhaps because the ongoing relationship with the provider would make it too easy for them to punish you later for fraud.
once i paid my time warner bill using the wrong expire date.
My bank issued me a new credit card number as a "security precaution".
I logged into Paypal to update my number and it already had the new number. . .
"...although only 59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade... it seems like two years has resulted in staggeringly little progress in encouraging storefronts to shift from magnetic stripe to chip-embedded cards, given that in early 2016, 37 percent of US storefronts were able to process chip cards."
There are still many storefronts that cannot process chip cards, but this statistic ignores the matter of the size and volume of the stores. In general, the big stores that do the most transactions have converted; smaller stores lag behind, as do gas stations. (I have not yet encountered a chip reader at a gas pump.) So the percentage of transactions that are chip-enabled is likely higher.
Another variable: the number of customers who are actually using the chip readers. In early 2016, some stores had the readers but they didn't work yet, or if they did the customers were not yet being encouraged to use them. Many stores now have their readers programmed to refuse swipe transactions if your card has a chip.
I'm amazed that so few storefronts are actually using the chip readers. Most large retailers have had them since the Target hack, but then there are some places like Mariano's who still don't have them. I'm kind of surprised they're willing to eat the losses from fraud.
Can I please have it this way instead? "Visa caused 70% of fraud by not implementing decades old system earlier than they did."
The glass can be half empty.
Presumeably, with less fraud, the fees paid by merchant and by consumer should drop, or am I joking?
Leslie Satenstein Montreal Quebec Canada
Maybe it's a north/south thing but I can't count the number of times I've stood in a supermarket checkout line at Leclerc or Carrefour while someone pulls out a chequebook. The checkout clerk sometimes even has a printer which fills in the amount automatically. There are cheques for everything here - restaurants, vacations, school, you name it. Sure, they like cards as well (though to be fair these are more like charge cards than US credit cards) and they are chip/PIN or contactless.