Slashdot Mirror


The Long, Slow Demise of Credit Card Signatures Starts Today (cnet.com)

Last year, all four major U.S. payment providers -- Mastercard, Visa, American Express and Discover -- announced plans to remove the requirement that merchants collect signatures for card transactions. Those plans officially go into effect today, or Saturday in the case of Visa. CNET reports: [D]on't despair if you actually like writing your signature at retail stores, because their ultimate demise will likely take a while. The change is only optional, with merchants, not customers, given the new power to decide whether to get rid of signatures. So, if asked to sign, please don't insist to your next cashier that you no longer need to -- it won't work. Also, plenty of retailers will likely want to keep signatures, particularly if their workers are paid based on a lot of tips, or they sell pricey items. Still, the change marks a clear awareness from payment providers that the signature doesn't really work as a strong protector against fraud.

The change is being handled a little differently by each payment provider. For instance, Mastercard, Discover and American Express said they'll let retailers make every kind of card payment optional for a signature, regardless of whether you've got a new chip card or you still swipe. Visa, meanwhile, isn't changing its requirements for payments using a swipe card, but it did relax its policy for chip card and contactless payments like Apple Pay. Visa noted that over 75 percent of face-to-face transactions using its cards in North America already don't require a signature, thanks to lower-value transactions.

70 of 114 comments

  1. Hey USians! by JoeDuncan · · Score: 3, Informative

    ... welcome to the year 2000!

    By the time the rest of us are authorizing credit purchases with telepathy, you'll probably *JUST* be introducing the "tap & go" LOL what a fucking backwater...

    1. Re:Hey USians! by AlanBDee · · Score: 2

      You're just wrong. We have the best internet, highest quality healthcare (and cheapest), and the best educational system ever.

      Some people are so stupid they just don't know it.

    2. Re:Hey USians! by aaarrrgggh · · Score: 1

      Yes, but we effectively have zero consumer liability for fraud. Pick your poison; not sure I want EU-styled consumer liability based on a PIN code alone.

    3. Re:Hey USians! by jrumney · · Score: 1

      Hey Europeans, welcome to the year 1985, when EFT pinpads were first introduced in your far flung colonies. Signatures are from the distant era of carbon paper imprints.

    4. Re:Hey USians! by jrumney · · Score: 1

      Your name doesn't seem very Korean to me...but plastic surgery isn't all there is to healthcare.

    5. Re:Hey USians! by ShanghaiBill · · Score: 2

      Yes, but we effectively have zero consumer liability for fraud.

      That means little in reality. Plenty of fraud is for small amounts that slip by without the consumer bothering to inquire about an $8 charge on their card. For big charges involving identity theft, the burden is on YOU to prove the transactions were fraudulent, and even if you are successful, you may spend hundreds of hours, and have your credit ruined for years.

      Pick your poison; not sure I want EU-styled consumer liability based on a PIN code alone.

      So here are the choices:
      1. Security based on a PIN that is under my full control, and can be changed if compromised.
      2. The American way: Security based on my SSN and DOB, which are unchangeable, and have already been compromised a dozen times.

      Golly, that is a tough decision.

    6. Re:Hey USians! by grim4593 · · Score: 1

      I've had fraudulent activity on my card twice. I hit a button on the credit card app to turn the card off, press another button to call to report fraud, and my new card was in the mail that day. No follow up activity was needed.

    7. Re:Hey USians! by DNS-and-BIND · · Score: 1

      That's why it's so wrong that we meddle so often in other countries' military affairs and have this gigantic trading empire. We need to stop these ridiculous outdated projects like NATO and withdraw our troops home, so that we can pay for these badly needed improvements to our society. Being considered a backwater by the rest of the world stings badly, and there's a lot of things we need to stop doing. If we cut the US Navy down to half the number of ships, we can afford to improve ourselves. Other countries will of course support this, as who wants to be the ally of a backwater shithole like the USA?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    8. Re:Hey USians! by Computershack · · Score: 2

      ; not sure I want EU-styled consumer liability based on a PIN code alone.

      It would have been easier to say "I get my information about the EU from Fox News."

      --
      I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
    9. Re:Hey USians! by quenda · · Score: 1

      You think signatures are bad?
      Americans still use cheques - sorry, checks, and they actually get physically moved around between banks, and eventually returned to the writer.

      Another thing: Americans still have pennies in circulation. Worth less than a Euro-cent! It's insane.
      Something costs 99c, you hand over a dollar (in paper money I tell you! not a coin), the clerk then says you need another ten cents because the 99c did not include tax, so you find a dime (almost worthless) and then get a penny in change. Which you drop in a tray. The country's payment system is incomprehensible.

      On the plus side, because their banking system is so awful, they did invent the credit card. And sometimes the countries who invent things get stuck with a bad beta version, like NTSC colour TV.

    10. Re:Hey USians! by Jahta · · Score: 1

      Yes, but we effectively have zero consumer liability for fraud.

      That means little in reality. Plenty of fraud is for small amounts that slip by without the consumer bothering to inquire about an $8 charge on their card. For big charges involving identity theft, the burden is on YOU to prove the transactions were fraudulent, and even if you are successful, you may spend hundreds of hours, and have your credit ruined for years.

      Pick your poison; not sure I want EU-styled consumer liability based on a PIN code alone.

      So here are the choices: 1. Security based on a PIN that is under my full control, and can be changed if compromised. 2. The American way: Security based on my SSN and DOB, which are unchangeable, and have already been compromised a dozen times.

      Golly, that is a tough decision.

      And in Europe all cards are Chip-and-PIN, and therefore cannot be skimmed. So a fraudster would have to have your actual card as well as your PIN.

    11. Re:Hey USians! by TheRaven64 · · Score: 1

      Chip and pin systems were introduced in France at around that time, but the system was patented. Most of the non-French banks didn't want to license the patent and so waited until it expired before rolling it out across the continent. I guess your country either didn't sign the relevant IP treaties or was happy paying royalties to France for every transaction.

      --
      I am TheRaven on Soylent News
    12. Re:Hey USians! by Megane · · Score: 1

      Americans still use cheques - sorry, checks, and they actually get physically moved around between banks, and eventually returned to the writer.

      That hasn't been true for over 15 years. Once it was allowed to pass around just the image of the check (back in 2001 or so), they got scanned and shredded early in the clearing process, and the monthly statement includes a few pages of the images of the front of the checks. The rear side (signatures and a lot of rubber stamping) is no longer available to mortals.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    13. Re:Hey USians! by MoarSauce123 · · Score: 1

      I am still waiting for a large number of merchants to get chip readers ...yea, chip only, not chip and pin. Makes the chip only marginally more difficult to intercept. If the chip reader rollout is any indication, the no signature rollout will take until 2178....still 10 years before the new airport in Berlin opens.

    14. Re:Hey USians! by jrumney · · Score: 1

      The 1980s cards were magstripe and PIN, chips came later.

    15. Re:Hey USians! by torkus · · Score: 2

      My bad, I thought this was /. where people knew at least a tiny bit about the tech...

      It's harder, but by no means impossible, to read and duplicate a chip card. You do also need the PIN but there are plenty of examples of that being compromised with cameras primarily but also with hacked keypads and other means.

      It's significantly harder to skim a chip-and-pin vs mag stripe (mag stripes were never secure, only slightly obscure ... for a while) but it can, has, and will still be done fairly regularly.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  2. Ta hell with all four ... by b0s0z0ku · · Score: 1

    I prefer cash without the gov't/corporate tracking. And no signature required, just basic math skills.

  3. Who signs their real name? by Snotnose · · Score: 3, Interesting

    These signing terminals have been a thing for a good 15-20 years now, yet I've never signed one. I sign either Foo Bar or Mickey Mouse, depending on my mood. All have gone through with 0 hassle.

    In fact, I bought groceries from Von's today, signed Foo Bar with no issues

    Then again, their Just 4 U program ties my phone # to my credit card so there's that.

    1. Re:Who signs their real name? by glenebob · · Score: 1

      These signing terminals have been a thing for a good 15-20 years now, yet I've never signed one. I sign either Foo Bar or Mickey Mouse, depending on my mood. All have gone through with 0 hassle.

      There's one store near me that rejected my actual signature on two occasions (many years ago). In both instances, a block printed "BOB" fixed the issue.

    2. Re:Who signs their real name? by Art+Challenor · · Score: 1

      Getting a little more creative.... https://www.reddit.com/r/funny...

    3. Re:Who signs their real name? by torkus · · Score: 1

      Macy's was doing this at one point about two years ago. I ran into it while Christmas shopping. Unless the first letter of my signature was comprehensible as the first letter of my name it would reject the signature. I made several purchases one day there and kind of ... got to play with it. A block letter followed by a squiggle was fine. Anything that resembled my actual signature not so much.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  4. partial security / insecurity -- what's the point by supernova87a · · Score: 5, Interesting

    It was silly for the card networks and banks to chicken out on implementing Chip + PIN. People will have to face the (relatively small) pain of learning how to use it at some time, and better to just rip the bandaid off all at once.

    All of Europe, rest of world can deal with using a PIN. What's so special about the US? Just do it, save us all from having to subsidize fraud.

  5. Re:partial security / insecurity -- what's the poi by AlanBDee · · Score: 1

    All of my recent debit cards have chips. Merchants don't want to buy new machines and the credit card companies don't care because they pass most of the cost of fraud to the merchants. It's seriously sickening how these payment providers make money on both ends without that much liability.

  6. Re:partial security / insecurity -- what's the poi by aaarrrgggh · · Score: 1

    Then explain the merchants with the chip/contactless compatible terminals with signs saying “swipe only”. Card issuers are interested in limiting fraud... Chase called my wife today about fraudulent MSFT/XBox charges. They want to keep the consumers happy and feeling secure, and... not sure what they want to do with the merchants.

  7. Re:partial security / insecurity -- what's the poi by glenebob · · Score: 1

    I disagree. Americans will never learn a PIN number, and they'll be forced to just deal with the identity theft that occurs because of it.

    What identity theft? Modern chip cards that are essentially impossible to clone will solve that issue almost entirely - fraud is already down dramatically because of chip cards, and many of them still support the old insecure mag stripe mode.

  8. Re:partial security / insecurity -- what's the poi by misexistentialist · · Score: 1

    Europe has lower card usage, PIN adds more inconvenience than security. You have a couple of people looking at you type it in and who knows how many cameras, what is the point?

  9. Re:partial security / insecurity -- what's the poi by glenebob · · Score: 1

    Then explain the merchants with the chip/contactless compatible terminals with signs saying “swipe only”

    I'm not sure about this, but that could be due to older POS software that doesn't grok the new reader features.

  10. Re: partial security / insecurity -- what's the po by Anonymous Coward · · Score: 1

    Except of course that cards are used so frequently in Europe that people are talking about a cashless future...

  11. Why not chip-and-pin? by jonwil · · Score: 3, Interesting

    Australia has been using chip-and-pin credit cards for years now, as has Europe and many other places. What is it about the US that makes card companies (Visa, MasterCard etc), banks and merchants so reluctant to introduce chip-and-pin in the US?

    1. Re:Why not chip-and-pin? by thegarbz · · Score: 1

      You missed a far more interesting part of that: Australia has *mandated* pin for all transactions on Australian cards for the past 4 years. When you swipe a card in an Australian terminal it will identify Australian credit and debit cards and force a chip+PIN authorisation.

    2. Re: Why not chip-and-pin? by DNS-and-BIND · · Score: 1

      It costs money to change over. You think bankers got rich by spending money? Hell no. We must all suffer so they can make a few more coppers. That's how sociopaths work.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Why not chip-and-pin? by Local+ID10T · · Score: 1

      We have chip-and-pin.

      Every merchant supports it for debit transactions. It uses the same piece of hardware (card reader) whether you use pin or signature. It makes no difference to the merchant whether you punch in a pin, or scribble on the receipt, or wave your phone at the reader -we just want to get paid.

      So, why don't we use chip-and-pin for credit transactions?

      Because the card issuers/payment processors don't want us to.

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
  12. Re:partial security / insecurity -- what's the poi by jrumney · · Score: 1

    Are you suggesting that Americans will continue to use the signature strip on the back of their card the same way they have always used it -put a copy of the thing that authorizes them as the valid user of that card there for all to see?

  13. Re:partial security / insecurity -- what's the poi by SvnLyrBrto · · Score: 4, Insightful

    The truly obnoxious thing is that without the PIN, the chip itself is worthless, but was forced on us anyway. So we got the slowdown at the registers for no reason. With a PIN, at least if I lose my card or my wallet is stolen, the card would be useless to the thief barring unbelievable luck in guessing. But with only the chip in play, the only place a thief couldn't use my card is the gas station, which was already the case with the stripe.

    Pointless. Security. Theater.

    --
    Imagine all the people...
  14. Re:partial security / insecurity -- what's the poi by Anonymous Coward · · Score: 1

    The chip signs a transaction to report "card present". The device does not get a copy of the keys held inside the chip.

    The PIN is purported to indicate "user is present and accepts transaction". But a rogue device could capture it and then reuse it later if they happen to acquire the card again. That defeats the purpose of having a supposed second factor.

    Once you recognize that large merchant chains have been hacked and will be hacked again, you should assume that there is a malicious network of point of sale devices out there, waiting for victims. A malicious device could generate fraudulent charges while my card is present. And I can dispute them with the current rules here in the US for a chip-only transaction. The PIN does not guarantee that I am approving this particular transaction, when it might be a replay attack using a stored PIN value obtained on a previous encounter with my card. It doesn't add security, and we shouldn't entertain the security theater nor allow the finance companies to shift liability to users when this useless extra ceremony is performed.

  15. Re: partial security / insecurity -- what's the po by b0s0z0ku · · Score: 1

    Only in a handful of countries. Southern Europe, Germany, and Eastern/Central Europe are basically cash economies.

  16. Wait, let me get this straight. by CptLoRes · · Score: 1

    you have a direct link to your bank account in your wallet, that if lost or stolen anybody can use? No pin, no nothing. Man.. I guess you really are the land of the brave..

    1. Re:Wait, let me get this straight. by iggymanz · · Score: 1

      actually, no, there are limits on liability.

      so not brave, just insured

    2. Re:Wait, let me get this straight. by PPH · · Score: 1

      direct link to your bank account

      Credit card. Issued by an entirely different bank.

      But yeah. Why no PIN? Merchants around the rest of the world love PINs. Less deniability over credit charges.

      --
      Have gnu, will travel.
  17. Re:partial security / insecurity -- what's the poi by pete6677 · · Score: 1

    Pointless. Security. Theater.

    Otherwise known as the American Way.

  18. It had less to do with learning to do it by rsilvergun · · Score: 1

    and more to do with getting businesses to buy all the hardware and software needed to do it. Chip + Sig was cheaper and easier to implement. As for what's different about America, we are positively _loath_ to spend on infrastructure of any kind (except private airports for the ultra rich, but I digress).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:It had less to do with learning to do it by PPH · · Score: 1

      getting businesses to buy all the hardware and software needed to do it

      The chip hardware is here already. Adding a PIN just uses the (included) keyboard and some more software (which has a development cost but zero marginal cost to distribute).

      --
      Have gnu, will travel.
    2. Re:It had less to do with learning to do it by thegarbz · · Score: 1

      You think that a chip+pin terminal was more expensive than the over sized complex terminals with large displays and touch / stylus which were implemented for chip+signature?

      That is truly incredible.

  19. signatures served no purpose by iggymanz · · Score: 2

    I can't write anything that looks like my signature on those silly tablets anyway, and a lot of people just make a wavy line..... how about some actual security instead? a pin? connect the dots on a grid in a pattern?

    signatures always were silly, a thief can practice the one they make you put on the back of your card

  20. Re:India has moved ahead..mobile payment by PPH · · Score: 2

    just a phone QR code paper printout stuck at counter

    I don't understand how this works. The shop has the QR code. The customer scans it with his phone. 'Beep', the payment has been made. What stops someone from writing a 'Beep' app?

    --
    Have gnu, will travel.
  21. Re:partial security / insecurity -- what's the poi by Bobberly · · Score: 1

    Also, I will never accept a system where I am forced to enter my supposedly sensitive, never-share-with-anyone PIN into random devices maintained by shopkeepers. A proper end-to-end secure transaction should consider the point of sale device to be adversarial.

    Why? The PIN is useless without the attached card. As long as you can retain possession of the card immediately after you enter the PIN there is no possibility of fraud. You'll see the authorized amounts on the device.

    You DO keep your receipts so you can correlate with what your issuer said happened right?

    As many others have said, works for Europe just fine...

  22. Re:partial security / insecurity -- what's the poi by PPH · · Score: 1

    when it might be a replay attack using a stored PIN value obtained on a previous encounter with my card

    Except your card is no longer present for that replay attack to work. It is my understanding that there is some sort of handshake between the card company and the chip to authenticate. There isn't a simple mag stripe account number that they can save and replay with your PIN.

    nor allow the finance companies to shift liability to users when this useless extra ceremony is performed.

    This is the root of the problem. Consumers have become too accustomed to the ease of reversing fraudulent charges, based on the ease of signature forgery. Losing a PIN implies some carelessness on the part of the consumer, so they end up accepting more liability.

    I'd like to see a system where the banks issue two types of card accounts. One with a chip only and one with a chip and pin. The fees charged against each type of card to cover fraud losses would be spread among the holders of each type. Let the free market decide.

    --
    Have gnu, will travel.
  23. Re:partial security / insecurity -- what's the poi by squiggleslash · · Score: 3, Informative

    Most credit card fraud is based upon writing bogus data (data for the victim's card) to the magnetic strip, so the chip does at least provide security against someone getting hold of your number and creating a fake credit card using it.

    But yes, it does nothing for you without a PIN if the card leaves your possession.

    --
    You are not alone. This is not normal. None of this is normal.
  24. Re:partial security / insecurity -- what's the poi by Jarik+C-Bol · · Score: 2

    Was it not just last week we had reports of new chip cards being intercepted in the mail, having their chip pulled off and replaced with the chip from a dummy card, the real chip put onto the dummy card, and then the modified card placed back in the mail, so that the customer receives their card and activates it, thus enabling the thieves to use their dummy card with the real chip on it, leaving the customer up a creek with their useless card, and charges they did not make?

    --
    I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
  25. Pretty useless anyway. by bjwest · · Score: 1

    I don't know when the last time I signed my name in one of those esig boxes. I randomly scribble something and the cashier just pushes a button, my receipt's printed, and out the store I go with my goods. And people wonder why it's so easy for someone to use someone else's credit card.

    --

    --- Keep the choice with the user..
    1. Re:Pretty useless anyway. by stooo · · Score: 1

      Caught by a video ?
      That will not happen.
      You cannot be identified among 270 million other people (or 7 billion).

      --
      aaaaaaa
    2. Re:Pretty useless anyway. by bjwest · · Score: 1

      You mean that video usually shot from the ceiling that's easily foiled by a simple baseball cap?

      --

      --- Keep the choice with the user..
  26. Re: partial security / insecurity -- what's the po by Computershack · · Score: 1

    More transactions were done on card than in cash in the UK. A lot of people in the UK, myself included, go months without touching cash.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  27. USA is 20 years behind on tech by stooo · · Score: 1

    >> It was silly for the card networks and banks to chicken out on implementing Chip + PIN.
    This. The USA is only 20 years behind on tech

    --
    aaaaaaa
  28. Re:partial security / insecurity -- what's the poi by stooo · · Score: 1

    >> ....having their chip pulled off and replaced with the chip from a dummy card, ....., so that the customer receives their card and activates it
    That happens only in the broken US system.
    In EU you typically can only activate your card with the right PIN, and only on an ATM which checks the chip.

    --
    aaaaaaa
  29. Whither Chase? by TechyImmigrant · · Score: 1

    Chase has not provided me with a pin for my Chase Sapphire Preferred credit card. I have to sign.

    There really isn't an excuse for not requiring pin authentication for a card present PoS credit card transaction.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  30. Re:partial security / insecurity -- what's the poi by TheRaven64 · · Score: 1

    It is my understanding that there is some sort of handshake between the card company and the chip to authenticate

    This is half true. The EMV protocol allows the bank to authenticate the card, but doesn't allow the card to authenticate the bank. This makes some forms of attack possible if you MITM the connection.

    --
    I am TheRaven on Soylent News
  31. Re:partial security / insecurity -- what's the poi by TheRaven64 · · Score: 1

    I'm perfectly happy using chip-only and stopping the pointless signatures. But, I shall retain the right to view my statement and dispute a fraudulent charge. I refuse to use a PIN when the banks try to bundle that with a shift in liability and a presumption that their little toys are invulnerable to fraud.

    That's not how the liability shift worked, in the UK at least. If you use a contactless payment (which is limited in amount) or if you use a PIN, it's the bank's liability if it's fraudulent. If you use a signature, it's the merchant's liability. It's never the cardholder's liability (at least on paper - there have been a couple of cases where banks have tried to pretend it's impossible for the fraud to take place. Fortunately, those of my colleagues involved in demonstrating weaknesses in the EMV protocol were happy to turn up as expert witnesses and inform the court that the banks were full of shit).

    --
    I am TheRaven on Soylent News
  32. Re:partial security / insecurity -- what's the poi by TheRaven64 · · Score: 1

    Replay wouldn’t work either since the transaction challenge contains a pseudo random number that is signed by the card along with payment information. The number is different for each transaction.

    The second half of that is true. The first half is what the spec says, but a significant number of uses use an incrementing counter, so if you do two transactions in a shop you can predict the value. Oh, and I seem to remember that it's only a 16-bit value, so if you can trick the card into doing a bunch of retries (which isn't too difficult, because the protocol doesn't allow the card to authenticate the bank, only the bank to authenticate the card) then you can just get the card to generate all possible signatures for a transaction and present the one that the bank asks for.

    Note that although most of the EMV attacks were demonstrated several years ago, we've not seen any evidence that they are in widespread use, because the equipment required to do them is fairly complex. If you're going to that much effort, then there are ways of stealing much more money with the same probability of being caught.

    --
    I am TheRaven on Soylent News
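
Added example, not part of the thread: a defender-side check for the weakness the comment above describes, where the per-transaction challenge a terminal sends to the card is really an incrementing counter. It runs over constructed log records (the terminal IDs, record layout and all values are made up for illustration) and flags terminals whose challenge values repeat or advance by a constant step.

```python
from collections import Counter, defaultdict

MIN_SAMPLES = 5          # fewer observations than this say nothing either way
STEP_SHARE_LIMIT = 0.6   # share of identical successive differences treated as suspicious

# Constructed sample records: (terminal_id, transaction sequence, challenge as hex).
# Deliberately out of order, as merged logs often are.
SAMPLE_LOG = [
    ("T-COUNTER", 3, "FFFFFFFF"), ("T-COUNTER", 1, "FFFFFFFD"),
    ("T-COUNTER", 2, "FFFFFFFE"), ("T-COUNTER", 4, "00000000"),
    ("T-COUNTER", 5, "00000001"), ("T-COUNTER", 6, "00000002"),
    ("T-RANDOM", 1, "9C41E07B"), ("T-RANDOM", 2, "13D6A2F0"),
    ("T-RANDOM", 3, "E58B0C34"), ("T-RANDOM", 4, "4A7F91D2"),
    ("T-RANDOM", 5, "B0263E59"), ("T-RANDOM", 6, "71C8D4A6"),
    ("T-STUCK", 1, "5F3A0001"), ("T-STUCK", 2, "5F3A0001"),
    ("T-STUCK", 3, "5F3A0002"), ("T-STUCK", 4, "5F3A0002"),
    ("T-STUCK", 5, "5F3A0003"),
    ("T-NEW", 1, "0BADF00D"), ("T-NEW", 2, "C0FFEE11"),
]


def parse_challenge(hex_text):
    """Return (value, modulus) for a hex-encoded challenge field."""
    hex_text = hex_text.strip()
    if not hex_text or len(hex_text) % 2:
        raise ValueError(f"malformed challenge field: {hex_text!r}")
    return int(hex_text, 16), 1 << (4 * len(hex_text))


def assess(challenges):
    """Classify one terminal's challenge values, given in transaction order."""
    parsed = [parse_challenge(c) for c in challenges]
    if len(parsed) < MIN_SAMPLES:
        return {"verdict": "insufficient-data", "samples": len(parsed)}
    values = [value for value, _ in parsed]
    modulus = max(mod for _, mod in parsed)
    repeats = len(values) - len(set(values))
    # Differences are taken modulo the field size so a counter that wraps is still caught.
    deltas = Counter((b - a) % modulus for a, b in zip(values, values[1:]))
    step, hits = deltas.most_common(1)[0]
    share = hits / (len(values) - 1)
    if repeats:
        verdict = "repeating"          # the same challenge was issued more than once
    elif share >= STEP_SHARE_LIMIT:
        verdict = "counter-like"       # successive challenges differ by a fixed step
    else:
        verdict = "no-pattern-found"   # not proof of randomness, only absence of these two patterns
    return {"verdict": verdict, "samples": len(values), "repeats": repeats,
            "dominant_step": step, "step_share": round(share, 2)}


def audit(records):
    """Group records by terminal, order them by sequence, and assess each terminal."""
    by_terminal = defaultdict(list)
    for terminal_id, sequence, challenge in records:
        by_terminal[terminal_id].append((sequence, challenge))
    return {tid: assess([c for _, c in sorted(rows)])
            for tid, rows in by_terminal.items()}


if __name__ == "__main__":
    for terminal_id, result in sorted(audit(SAMPLE_LOG).items()):
        print(terminal_id, result)
```
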
  33. Re:India has moved ahead..mobile payment by TheRaven64 · · Score: 1

    There was a paper published last week showing a whole raft of trivial attacks on this system, and that's ignoring the fact that it runs on phones that are likely to have at least one remotely exploitable security vulnerability. It basically works because most of the users don't have enough money to be interesting targets for theft.

    --
    I am TheRaven on Soylent News
  34. Re:partial security / insecurity -- what's the poi by radarskiy · · Score: 1

    "Americans will never learn a PIN number"

    Americans use PINs for debit cards reasonably well.

  35. Chip and pin was broken in 2007 by davecb · · Score: 1

    Requiring a signature was insisted upon by customers, not vendors. People require a way to prove that they didn't authorize a charge, especially in the UK where the card vendors claimed that a PIN was "unbreakable" and there was no fraud. The courts eventually caught on, and now require the vendors to prove that the customer authorized the charge.

    --
    davecb@spamcop.net
  36. Re:partial security / insecurity -- what's the poi by TheRaven64 · · Score: 1

    I wish there would be a card-reader option for web browsers so we could have card-present transactions for online purchases and stop the frequent sharing of card numbers and CV codes. I'd be happy for it to be impossible for merchants to perform recurring charges after one encounter with a card, as well as stopping all the fraud that can happen when card numbers are stolen out of merchant systems.

    About seven or eight years ago, a company produced credit cards that had a button on them that would generate a one-time code displayed on a small LCD on the card. The battery was good for a couple of years of normal use and the code could be used as the CVV for CNP payments - each generated code is good for one transaction and is then not generated again for at least a few hundred transactions. It was trialled in, as I recall, Singapore, but at the end of the trial banks decided that the more expensive cards would cost them more than just eating the fraud as part of the cost of doing business.

    The closest thing today for online payments is Apple Pay. When you buy something online using Apple Pay from an iOS device, it runs the full EMV protocol with your endpoint being a software implementation running in the Secure Element. The Secure Element is also responsible for verifying fingerprints, so the entire process can be locked using your fingerprint. In theory, no code running on the application processor (i.e. iOS and iOS processes) is able to interfere (other than to attempt to MITM the connection between the secure element and the remote site) and the private key never leaves the secure element. Some Android phones implement Google Pay using a similar mechanism with TrustZone protecting the EMV endpoint. It would have been nice if the TPM spec had included a mechanism for running an EMV endpoint for standard x86 machines.

    --
    I am TheRaven on Soylent News
  37. Re: partial security / insecurity -- what's the po by Jarik+C-Bol · · Score: 1

    Here in americastan you just dial a phone number that's on a sticker on the card, give the computer a few identifying pieces of information about yourself and your card, and it activates. PIN being optional because we're twits.

    --
    I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
  38. Re:partial security / insecurity -- what's the poi by Jarik+C-Bol · · Score: 1

    Yeah, our phone activation system is extremely convenient for both the customers and the thieves.

    --
    I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
  39. What about the rest of the world? by CaffeinatedBacon · · Score: 1

    If by long you mean short, and slow you mean fast. Also by today you mean many years ago.

  40. Re:India has moved ahead..mobile payment by denbesten · · Score: 1

    Walmart pay does this. The trick is that a unique QR code is displayed on the credit card reader for your transaction. When you scan the code with the Walmart app on your phone, it links you to the transaction and uses a stored credit card to make the payment. It also downloads a copy of the receipt into your Walmart app.

    Apparently, they implemented it to avoid fees charged by Apple, Google, Samsung and other mobile payment services.

  41. Re: Anecdote regarding signatures by dave420 · · Score: 1

    We've all been ripped off by people, in different ways.

  42. Chip cards by DrYak · · Score: 1

    Early 1980s already had chip cards, mostly used for phone booths (remember, back in the dinosaur era when your phone couldn't fit in your pocket and you needed to call from public ones).
    Wikipedia mentions in French the "Télécarte" in France in 1983 as a first massive deployment beyond local tests.
    The patent itself dates back from 1974.

    The first chip payment system is the "Carte Bleue" in France, 1986 according to Wikipedia (and by 1992 there was nothing else but chip cards)
    Germany also had GeldKarte as a local older chip payment system.

    But yeah, the EMV standard came much later, in the 1990s. So lots of payment systems were still magstripe.
    But in 1980s there were already chips. Just not as widespread.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  43. What a strange world by rbpOne · · Score: 1

    that you USAsians live in.