The Long, Slow Demise of Credit Card Signatures Starts Today (cnet.com)
Last year, all four major U.S. payment providers -- Mastercard, Visa, American Express and Discover -- announced plans to remove the requirement that merchants collect signatures for card transactions. Those plans officially go into effect today, or Saturday in the case of Visa. CNET reports: [D]on't despair if you actually like writing your signature at retail stores, because their ultimate demise will likely take a while. The change is only optional, with merchants, not customers, given the new power to decide whether to get rid of signatures. So, if asked to sign, please don't insist to your next cashier that you no longer need to -- it won't work. Also, plenty of retailers will likely want to keep signatures, particularly if their workers are paid based on a lot of tips, or they sell pricey items. Still, the change marks a clear awareness from payment providers that the signature doesn't really work as a strong protector against fraud.
The change is being handled a little differently by each payment provider. For instance, Mastercard, Discover and American Express said they'll let retailers make every kind of card payment optional for a signature, regardless of whether you've got a new chip card or you still swipe. Visa, meanwhile, isn't changing its requirements for payments using a swipe card, but it did relax its policy for chip card and contactless payments like Apple Pay. Visa noted that over 75 percent of face-to-face transactions using its cards in North America already don't require a signature, thanks to lower-value transactions.
... welcome to the year 2000!
By the time the rest of us are authorizing credit purchases with telepathy, you'll probably *JUST* be introducing the "tap & go" LOL what a fucking backwater...
I prefer cash without the gov't/corporate tracking. And no signature required, just basic math skills.
wned. Nobody has asked me about it either.
Just doing their part in making sure the fraud prevention duties get transferred exclusively to the retailers, I guess.
These signing terminals have been a thing for a good 15-20 years now, yet I've never signed one. I sign either Foo Bar or Mickey Mouse, depending on my mood. All have gone through with 0 hassle.
In fact, I bought groceries from Von's today, signed Foo Bar with no issues
Then again, their Just 4 U program ties my phone # to my credit card so there's that.
It was silly for the card networks and banks to chicken out on implementing Chip + PIN. People will have to face the (relatively small) pain of learning how to use it at some time, and better to just rip the bandaid off all at once.
All of Europe, rest of world can deal with using a PIN. What's so special about the US? Just do it, save us all from having to subsidize fraud.
>> Chip + PIN. People will have to face the (relatively small) pain of learning how to use it at some time
I disagree. Americans will never learn a PIN number, and they'll be forced to just deal with the identity theft that occurs because of it. The credit card companies will say there's nothing they can do about it because it's the criminals' fault, and we need to be tougher on crime!
All of my recent debit cards have chips. Merchants don't want to buy new machines and the credit card companies don't care because they pass most of the cost of fraud to the merchants. It's seriously sickening how these payment providers make money on both ends without that much liability.
Then explain the merchants with the chip/contactless compatible terminals with signs saying “swipe only”. Card issuers are interested in limiting fraud... Chase called my wife today about fraudulent MSFT/XBox charges. They want to keep the consumers happy and feeling secure, and... not sure what they want to do with the merchants.
So can we stop teaching cursive in elementary school now? I hated writing the same-sized letters in the notebook with all the lines.
>> I disagree. Americans will never learn a PIN number, and they'll be forced to just deal with the identity theft that occurs because of it.
What identity theft? Modern chip cards that are essentially impossible to clone will solve that issue almost entirely - fraud is already down dramatically because of chip cards, and many of them still support the old insecure mag stripe mode.
Europe has lower card usage, PIN adds more inconvenience than security. You have a couple of people looking at you type it in and who knows how many cameras, what is the point?
>> Then explain the merchants with the chip/contactless compatible terminals with signs saying “swipe only”
I'm not sure about this, but that could be due to older POS software that doesn't grok the new reader features.
We rejected PIN because the processors believe it is more powerful than it really is. Falling back on "you must have shared your pin" for unexplained cases is not acceptable here.
I'm perfectly happy using chip-only and stopping the pointless signatures. But, I shall retain the right to view my statement and dispute a fraudulent charge. I refuse to use a PIN when the banks try to bundle that with a shift in liability and a presumption that their little toys are invulnerable to fraud.
Also, I will never accept a system where I am forced to enter my supposedly sensitive, never-share-with-anyone PIN into random devices maintained by shopkeepers. A proper end-to-end secure transaction should consider the point of sale device to be adversarial.
>> Modern chip cards that are essentially impossible to clone will solve that issue almost entirely
Spoken like a true American! We don't need no PIN numbers, it's good enough without them!!
(Sarcasm.)
Since 2017 all cards issued/replaced are chip & PIN cards, as govt mandated. But the majority of people skipped the card phase and have gone to mobile payment using the govt-supported UPI (Uniform Payment Interface) implemented by various apps. UPI does not require a merchant machine, just a paper printout of a QR code stuck at the counter, which roadside hawkers have nowadays on their push carts and cabs. I routinely make UPI payments to sellers whose turnover is less than 50$ per day.
Except of course that cards are used so frequently in Europe that people are talking about a cash less future...
We should just skip the whole chip card thing, which Europe has been doing for like the last 20 something years, and move to contactless payments. Granted not everyone will have a smartphone capable of NFC payments, but surely we could figure out SOMETHING. Japan was letting people pay at vending machines back before there was such a thing as a smartphone. It can be done.
Why on earth is it okay to share the chip with the card reader, but not the PIN?
Australia has been using chip-and-pin credit cards for years now, as has Europe and many other places. What is it about the US that makes card companies (Visa, MasterCard etc), banks and merchants so reluctant to introduce chip-and-pin in the US?
1. The fraud will happen anyway.
2. Better to have them steal an identifier than an authentication secret.
The signature is meaningless. It's just an identifier. You can literally put a big X on the pad and it, plus the cashier in most places, will happily take it.
The PIN on the other hand is also used as an authentication secret to gain access to the cardholder's bank account. Most people in the US will have a card tied to their bank account that can also be used as a credit card, because that's what the banks in the US are selling you. A credit line.
Ever notice how somehow despite it being a "bank" account, you can somehow have it wind up in the negative digits? Most of these scams are called "over-draft protection" or "courtesy pay" by the banks. These schemes allow the bank to charge you to pay more than you have in your account to someone. Instead of failing and returning "insufficient funds" when the transaction was made. Depending on the bank, this may also allow them to hide screwing around with the order of your transactions in an attempt to hit you with more fees. Particularly, if you don't keep a close eye on the account statements.
Knowing that PIN could easily cause some people to drop into the red simply due to someone else using it. Worse, some banks also use the PIN for customer service and online services, amongst other things.
Wanna know how easy it can be to hack the reader to send out the PIN to a phone somewhere? Or how about the old camera above the keypad trick? The US is about to find out.
Are you suggesting that Americans will continue to use the signature strip on the back of their card the same way they have always used it -put a copy of the thing that authorizes them as the valid user of that card there for all to see?
The truly obnoxious thing is that without the PIN, the chip itself is worthless, but was forced on us anyway. So we got the slowdown at the registers for no reason. With a PIN, at least if I lose my card or my wallet is stolen, the card would be useless to the thief barring unbelievable luck in guessing. But with only the chip in play, the only place a thief couldn't use my card is the gas station, which was already the case with the stripe.
Pointless. Security. Theater.
Imagine all the people...
The chip signs a transaction to report "card present". The device does not get a copy of the keys held inside the chip.
The PIN is purported to indicate "user is present and accepts transaction". But a rogue device could capture it and then reuse it later if they happen to acquire the card again. That defeats the purpose of having a supposed second factor.
Once you recognize that large merchant chains have been hacked and will be hacked again, you should assume that there is a malicious network of point of sale devices out there, waiting for victims. A malicious device could generate fraudulent charges while my card is present. And I can dispute them with the current rules here in the US for a chip-only transaction. The PIN does not guarantee that I am approving this particular transaction, when it might be a replay attack using a stored PIN value obtained on a previous encounter with my card. It doesn't add security, and we shouldn't entertain the security theater nor allow the finance companies to shift liability to users when this useless extra ceremony is performed.
Only in a handful of countries. Southern Europe, Germany, and Eastern/Central Europe are basically cash economies.
you have a direct link to your bank account in your wallet, that if lost or stolen anybody can use? No pin, no nothing. Man.. I guess you really are the land of the brave..
>> Pointless. Security. Theater.
Otherwise known as the American Way.
and more to do with getting businesses to buy all the hardware and software needed to do it. Chip + Sig was cheaper and easier to implement. As for what's different about America, we are positively _loath_ to spend on infrastructure of any kind (except private airports for the ultra rich, but I digress).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The point is that the ones who see you type in the pin don't have the chip and the guy that steals your chip hasn't seen you put in the pin.
I can't write anything that looks like my signature on those silly tablets anyway, and a lot of people just make a wavy line..... how about some actual security instead? a pin? connect the dots on a grid in a pattern?
signatures always were silly, a thief can practice the one they make you put on the back of your card
>> Also, I will never accept a system where I am forced to enter my supposedly sensitive, never-share-with-anyone PIN into random devices maintained by shopkeepers. A proper end-to-end secure transaction should consider the point of sale device to be adversarial.
Why? The PIN is useless without the attached card. As long as you can retain possession of the card immediately after you enter the PIN there is no possibility of fraud. You'll see the authorized amounts on the device.
You DO keep your receipts so you can correlate with what your issuer said happened right?
As many others have said, works for Europe just fine...
>> when it might be a replay attack using a stored PIN value obtained on a previous encounter with my card
Except your card is no longer present for that replay attack to work. It is my understanding that there is some sort of handshake between the card company and the chip to authenticate. There isn't a simple mag stripe account number that they can save and replay with your PIN.
>> nor allow the finance companies to shift liability to users when this useless extra ceremony is performed.
This is the root of the problem. Consumers have become too accustomed to the ease of reversing fraudulent charges, based on the ease of signature forgery. Losing a PIN implies some carelessness on the part of the consumer, so they end up accepting more liability.
I'd like to see a system where the banks issue two types of card accounts. One with a chip only and one with a chip and pin. The fees charged against each type of card to cover fraud losses would be spread among the holders of each type. Let the free market decide.
Have gnu, will travel.
Canada has been doing this for more than 25 years...today? Are you joking??
Most credit card fraud is based upon writing bogus data (data for the victim's card) to the magnetic strip, so the chip does at least provide security against someone getting hold of your number and creating a fake credit card using it.
But yes, it does nothing for you without a PIN if the card leaves your possession.
You are not alone. This is not normal. None of this is normal.
Posting as AC because it's somewhat embarrassing.
Nearly 30 years ago I let a woman use my credit card and of course she abused it and the stated agreement between us was that she would pay me back.
You can guess how that turned out. Capital One ended up reversing every charge that didn't have a signature which was mostly to fill her gas tank but didn't cover most of the other purchases.
Of course her name didn't match the credit card at all but apparently no one challenged her on it. Lesson learned. I sued in small claims court and won, but of course it was a judgement I could never collect on. ....
Nowadays I merely "make my mark" rather than signing my name. Like many people, I just scribble as little as possible and it has no resemblance to what my signature would look like on a document I considered important like my mortgage.
Was it not just last week we had reports of new chip cards being intercepted in the mail, having their chip pulled off and replaced with the chip from a dummy card, the real chip put onto the dummy card, and then the modified card placed back in the mail, so that the customer receives their card and activates it, thus enabling the thieves to use their dummy card with the real chip on it, leaving the customer up a creek with their useless card, and charges they did not make?
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
I don't know when the last time I signed my name in one of those esig boxes was. I randomly scribble something and the cashier just pushes a button, my receipt's printed, and out the store I go with my goods. And people wonder why it's so easy for someone to use someone else's credit card.
--- Keep the choice with the user..
More transactions were done on card than in cash in the UK. A lot of people in the UK, myself included, go months without touching cash.
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
The PIN doesn’t give access to your bank account. It is used to authenticate you to the card, which signs the transaction. It is useless without the card and the card is useless without the PIN. You need both to complete the transaction that is displayed on the screen. Replay wouldn’t work either since the transaction challenge contains a pseudo random number that is signed by the card along with payment information. The number is different for each transaction.
>> It was silly for the card networks and banks to chicken out on implementing Chip + PIN.
This. The USA is only 20 years behind on tech
aaaaaaa
>> ....having their chip pulled off and replaced with the chip from a dummy card, ....., so that the customer receives their card and activates it
That happens only in the broken US system.
In the EU you typically can only activate your card with the right PIN, and only on an ATM which checks the chip.
aaaaaaa
Over here in Europe I get sent the PIN by registered mail or (now more common) electric secure mail (RSA dongle required). And activating the card requires going to the bank's ATM and entering the PIN. Until then the card is blocked from any purchase...
Chase has not provided me with a pin for my Chase Sapphire Preferred credit card. I have to sign.
There really isn't an excuse for not requiring pin authentication for a card present PoS credit card transaction.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
>> It is my understanding that there is some sort of handshake between the card company and the chip to authenticate
This is half true. The EMV protocol allows the bank to authenticate the card, but doesn't allow the card to authenticate the bank. This makes some forms of attack possible if you MITM the connection.
I am TheRaven on Soylent News
>> I'm perfectly happy using chip-only and stopping the pointless signatures. But, I shall retain the right to view my statement and dispute a fraudulent charge. I refuse to use a PIN when the banks try to bundle that with a shift in liability and a presumption that their little toys are invulnerable to fraud.
That's not how the liability shift worked, in the UK at least. If you use a contactless payment (which is limited in amount) or if you use a PIN, it's the bank's liability if it's fraudulent. If you use a signature, it's the merchant's liability. It's never the cardholder's liability (at least on paper - there have been a couple of cases where banks have tried to pretend it's impossible for the fraud to take place. Fortunately, those of my colleagues involved in demonstrating weaknesses in the EMV protocol were happy to turn up as expert witnesses and inform the court that the banks were full of shit).
I am TheRaven on Soylent News
>> Replay wouldn’t work either since the transaction challenge contains a pseudo random number that is signed by the card along with payment information. The number is different for each transaction.
The second half of that is true. The first half is what the spec says, but a significant number of uses use an incrementing counter, so if you do two transactions in a shop you can predict the value. Oh, and I seem to remember that it's only a 16-bit value, so if you can trick the card into doing a bunch of retries (which isn't too difficult, because the protocol doesn't allow the card to authenticate the bank, only the bank to authenticate the card) then you can just get the card to generate all possible signatures for a transaction and present the one that the bank asks for.
Note that although most of the EMV attacks were demonstrated several years ago, we've not seen any evidence that they are in widespread use, because the equipment required to do them is fairly complex. If you're going to that much effort, then there are ways of stealing much more money with the same probability of being caught.
I am TheRaven on Soylent News
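An added example, not part of any comment in this thread: the replay discussion above turns on whether the per-transaction number the card signs is actually unpredictable, so this sketch audits terminal logs for values that step like a counter. The log format, terminal IDs, 32-bit width and thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample log: "terminal_id,nonce_hex", one line per transaction,
# in time order. T-COUNTER models a terminal that increments its challenge;
# T-RANDOM models one that draws it from a proper random source.
SAMPLE_LOG = """\
T-COUNTER,00001A2F
T-RANDOM,9F3C21B7
T-COUNTER,00001A30
T-RANDOM,04D1E6A2
T-COUNTER,00001A31
T-RANDOM,C87A55F0
T-COUNTER,00001A32
T-RANDOM,3B09D44E
T-COUNTER,00001A33
T-RANDOM,E2516C93
T-COUNTER,00001A34
T-RANDOM,71AF0B28
T-COUNTER,00001A35
T-RANDOM,5D88F3C1
T-COUNTER,00001A36
T-RANDOM,A6427E0D
"""


def parse_log(text):
    """Group nonces by terminal, preserving the order they were logged in."""
    by_terminal = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            terminal, nonce_hex = line.split(",")
            by_terminal[terminal].append(int(nonce_hex, 16))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: expected 'terminal,hex'") from exc
    return dict(by_terminal)


def nonce_findings(nonces, bits=32, max_step_share=0.5):
    """Return finding codes for one terminal's time-ordered nonces.

    bits and max_step_share are assumptions of this sketch, not protocol values.
    """
    if len(nonces) < 3:
        return ["too_few_samples"]
    findings = []
    if len(set(nonces)) < len(nonces):
        findings.append("repeated_value")
    # Differences are taken modulo 2**bits so a counter that wraps is still caught.
    mod = 1 << bits
    steps = Counter((b - a) % mod for a, b in zip(nonces, nonces[1:]))
    _, count = steps.most_common(1)[0]
    if count / (len(nonces) - 1) >= max_step_share:
        findings.append("constant_step")
    # A value whose upper half never moves has far less entropy than its width.
    if len({n >> (bits // 2) for n in nonces}) == 1:
        findings.append("static_upper_half")
    return findings


def audit(text):
    """Map each terminal in the log to its list of findings."""
    return {t: nonce_findings(n) for t, n in parse_log(text).items()}


if __name__ == "__main__":
    for terminal, findings in sorted(audit(SAMPLE_LOG).items()):
        print(terminal, findings or "no findings")
```

An empty list only means these cheap checks passed; it is not evidence that a terminal's generator is cryptographically sound.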
"Americans will never learn a PIN number"
Americans use PINs for debit cards reasonably well.
My most recent card doesn't have that at all. But, in general that box is about agreeing to the cc terms and nothing else.
It's a target card, so it might just be because it's not on the usual network.
If you don't have to sign your name much anymore as it has become with me, your signature will become little more than a scribble (like mine). Writing is kind of like being fitted with braces. You have to wear a retainer at night the rest of your life or your teeth will revert to crooked again.
>> It was silly for the card networks and banks to chicken out on implementing Chip + PIN.
>> All of Europe, rest of world can deal with using a PIN. What's so special about the US?
The US is a scammer's safe-haven, moreso than Nigeria.
Requiring a signature was insisted upon by customers, not vendors. People require a way to prove that they didn't authorize a charge, especially in the UK where the card vendors claimed that a PIN was "unbreakable" and there was no fraud. The courts eventually caught on, and now require the vendors to prove that the customer authorized the charge.
davecb@spamcop.net
When it was proposed in the US years ago, the tone was very much "this is unbreakable" and the cardholder would be on the hook (based on a presumption that they shared their PIN if a transaction went through). There was massive backlash against this and I think that left us where we are and also poisoned the well for future changes. Maybe they will try again when all the older folks die out and the memory fades.
Historically, many cardholders in the US experienced this sort of bias for debit/ATM cards versus credit cards. We can contest a credit charge without paying it. Debit would go through and it was a much harder uphill battle to ever get payments reversed. For folks with those memories, a PIN goes with a debit card and we are much less promiscuous about where we will use those cards. To this day, I consider my debit card as just my ATM card. I would never use it with a merchant as I would never type my PIN into anything other than my own bank's teller machines.
I don't think US cardholders see any upside to adopting PINs for credit card transactions. The card-only transaction will be quicker, the current liability protections are what we expect, and we don't care about the effects on merchants or processors. We know (cynically) that any potential reduction in fraud rates will line the pockets of bankers, not us.
I wish there would be a card-reader option for web browsers so we could have card-present transactions for online purchases and stop the frequent sharing of card numbers and CV codes. I'd be happy for it to be impossible for merchants to perform recurring charges after one encounter with a card, as well as stopping all the fraud that can happen when card numbers are stolen out of merchant systems.
>> I wish there would be a card-reader option for web browsers so we could have card-present transactions for online purchases and stop the frequent sharing of card numbers and CV codes. I'd be happy for it to be impossible for merchants to perform recurring charges after one encounter with a card, as well as stopping all the fraud that can happen when card numbers are stolen out of merchant systems.
About seven or eight years ago, a company produced credit cards that had a button on them that would generate a one-time code displayed on a small LCD on the card. The battery was good for a couple of years of normal use and the code could be used as the CVV for CNP payments - each generated code is good for one transaction and is then not generated again for at least a few hundred transactions. It was trialled in, as I recall, Singapore, but at the end of the trial banks decided that the more expensive cards would cost them more than just eating the fraud as part of the cost of doing business.
The closest thing today for online payments is Apple Pay. When you buy something online using Apple Pay from an iOS device, it runs the full EMV protocol with your endpoint being a software implementation running in the Secure Element. The Secure Element is also responsible for verifying fingerprints, so the entire process can be locked using your fingerprint. In theory, no code running on the application processor (i.e. iOS and iOS processes) is able to interfere (other than to attempt to MITM the connection between the secure element and the remote site) and the private key never leaves the secure element. Some Android phones implement Google Pay using a similar mechanism with TrustZone protecting the EMV endpoint. It would have been nice if the TPM spec had included a mechanism for running an EMV endpoint for standard x86 machines.
I am TheRaven on Soylent News
Here in americastan you just dial a phone number that's on a sticker on the card, give the computer a few identifying pieces of information about yourself and your card, and it activates. PIN being optional because we're twits.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
Yeah, our phone activation system is extremely convenient for both the customers and the thieves.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
Chip on its own makes card cloning harder. WAY harder. It is downright trivial with mag stripe only.
If by long you mean short, and slow you mean fast. Also by today you mean many years ago.
Early 1980s already had chip cards, mostly used for phone booth (remember, back in the dinosaur era when your phone couldn't fit in your pocket and you needed to call from public ones).
Wikipedia mentions, in French, the "Télécarte" in France in 1983 as a first massive deployment beyond local tests.
The patent itself dates back from 1974.
The first chip payment system is the "Carte Bleue" in France, 1986 according to Wikipedia (and by 1992 there was nothing else but chip cards)
Germany also had GeldKarte as a local older chip payment system.
But yeah, the EMV standard came much later, in the 1990s. So lots of payment systems were still magstripe.
But in 1980s there were already chips. Just not as widespread.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
that you USAsians live in.