Slashdot Mirror


Credit Card Chips Have Failed to Halt Fraud (So Far) (fortune.com)

An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.

The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.

229 comments

  1. It Wuz Haxx0rz! by Anonymous Coward · · Score: 0

    Well, no winning against the bogeyman in your cyberspaces, eh.

    1. Re: It Wuz Haxx0rz! by saloomy · · Score: 0

      If every merchant would support contactless payments, this wouldn't be an issue. Your phone is something you have and something you are, and something you know (phone, face, pin to unlock).

      You don't authenticate to your credit card. That's always going to be a problem.

    2. Re: It Wuz Haxx0rz! by Anonymous Coward · · Score: 0

      not just no, but HELL NO!!!

    3. Re: It Wuz Haxx0rz! by Anonymous Coward · · Score: 1

      Unfortunately Face ID is basically garbage. The Touch ID worked fine, was fast and typically was easy to use. Face ID I end up having to use the phone PIN 50% of the time, thus exposing it every time it fails a Face ID check for a payment.

    4. Re: It Wuz Haxx0rz! by Sigma+7 · · Score: 1

      > If every merchant would support contactless payments,

      It means the credit card can be used at least once without having to enter the pin.

      As for the phone - it was very often a source of surprise $8000 bill because ITunes didn't authenticate each individual purchase. The child purchases something with stored credentials, and doesn't know that it has an impact until a few weeks later. It's also the reason a game for cats company had to come up with a custom authentication method to prevent animals from accidentally making a purchase as well.

      This may have recently improved, but still doesn't change the fact that it was worse security than classic credit cards.

        > You don't authenticate to your credit card.

      You authenticate to the credit card (or at least the payment processor) if you enter a pin.

  2. Of course by Anonymous Coward · · Score: 0

    All this fraud is online where the chips aren't used.

    1. Re: Of course by Anonymous Coward · · Score: 5, Informative

      The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

    2. Re: Of course by Anonymous Coward · · Score: 3, Interesting

      And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in local country. So we get our cards cloned, and then used in the US!

    3. Re: Of course by Anonymous Coward · · Score: 0

      A lot of fraud comes from Poland too.

    4. Re: Of course by Bert64 · · Score: 3, Informative

      Checking signatures is worthless anyway, real people's signatures never look exactly the same whereas a criminal can easily copy what he sees on the back of the card, or in the case of cloning the cards he can just sign the cloned card himself and that's what the merchant will compare against.

      At least with a pin, the pin is either correct or not, and not displayed on the card itself.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re: Of course by Anonymous Coward · · Score: 2, Insightful

      The summary talks about merchant system misconfiguration.
      That would imply that the chip simply isn't used.
      Well, who would have thought that a purely decorative chip that is never used actually has no effect!
      Obviously we all expected the gold shininess to make fraudsters run away...

    6. Re: Of course by GrandCow · · Score: 1

      Assuming you're in the US, when was the last time anyone actually even pretended to look at the back of your credit card to compare signatures?

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
    7. Re: Of course by Anonymous Coward · · Score: 0

      A lot of sausage comes from Poland, what is a lot and what is your point?

    8. Re: Of course by Anonymous Coward · · Score: 0

      The MAGA is not strong with you. We're making corruption great again. Get with the program man. /s

    9. Re: Of course by Waccoon · · Score: 1

      Since I got my chipped card, not once have I been asked to insert a PIN. In fact, I almost never even have to sign on the reader display.

      People still think I'm crazy for carrying cash!

    10. Re: Of course by Kjella · · Score: 5, Interesting

      And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in local country. So we get our cards cloned, and then used in the US!

      Here in Norway they've fixed this quite easily because around 2010 most of the banks introduced regional blocks, the defaults vary a little but my bank's card by default only works in Norway. To expand the coverage you must log in to the online bank and enable it. You can permanently enable it for our neighboring countries in Scandinavia, but for the other regions (rest of Europe, North America, South America, Africa, Asia) you can only enable it for three months at a time. That has pretty much stopped international scams dead in their tracks, even if it is enabled the crooks don't know until they try and while the occasional tourist will forget and enable it after being declined it will stand out as a sore thumb.

      Combined with 2FA using the cell phone/one time codes for online purchases fraud here is extremely low. I found a page that said total credit/debit card fraud in Norway is around 150 MNOK/year, that's $17 million. Divided by 2.4 million households that's about $7, the average household income is about $51k so 0.013% is lost to fraud. Basically that's noise level, people lose more money on grocery prices due to shoplifting than that. I don't think these numbers include robbery where you're forced to enter/hand over the PIN though, just shoulder surfing and such.

      --
      Live today, because you never know what tomorrow brings
    11. Re: Of course by jittles · · Score: 3, Informative

      The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

      You can't clone the cards and use them in online transactions. They are skimming the cards and using them for online transactions, most likely. Though the chip does generate a new CVV when used with the chip. If you run the magnetic stripe through, you get the real CVV which can be used online. Also there are tons of restaurants, fast food joints, gas stations, and banks that still use the magnetic stripe instead of the chip.

    12. Re: Of course by AsylumWraith · · Score: 2

      Believe it or not, yesterday.

      I'm not saying that's the norm, though.

    13. Re: Of course by Anonymous Coward · · Score: 0

      And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in local country. So we get our cards cloned, and then used in the US!

      Here in Norway they've fixed this quite easily because around 2010 most of the banks introduced regional blocks, the defaults vary a little but my bank's card by default only works in Norway. To expand the coverage you must log in to the online bank and enable it. You can permanently enable it for our neighboring countries in Scandinavia, but for the other regions (rest of Europe, North America, South America, Africa, Asia) you can only enable it for three months at a time. That has pretty much stopped international scams dead in their tracks, even if it is enabled the crooks don't know until they try and while the occasional tourist will forget and enable it after being declined it will stand out as a sore thumb.

      Combined with 2FA using the cell phone/one time codes for online purchases fraud here is extremely low. I found a page that said total credit/debit card fraud in Norway is around 150 MNOK/year, that's $17 million. Divided by 2.4 million households that's about $7, the average household income is about $51k so 0.013% is lost to fraud. Basically that's noise level, people lose more money on grocery prices due to shoplifting than that. I don't think these numbers include robbery where you're forced to enter/hand over the PIN though, just shoulder surfing and such.

      I live in NL and here we have similar practice. The CC can be used anywhere, but if it used in non standard place (read used not in NL or neighboring countries), you need to do 2FA to authorize the transaction. End result is the same, without the extra authorization from 2FA you cannot steal my money.

      To get money from my CC you need to know my CC details, CC pin, my phone, password for the phone and password for the CC app to get the 2FA.

      Good luck.

    14. Re: Of course by Anonymous Coward · · Score: 1

      Every time I make a "large" purchase.

      I also never sign my cards. I always write "Please check id" in the signature strip.

    15. Re: Of course by Anonymous Coward · · Score: 0

      Assuming you're in the US, when was the last time anyone actually even pretended to look at the back of your credit card to compare signatures?

      My son for years signed his CC slips "Osama Bin Laden" and it was never challenged.
      A friend was challenged once - but only because he hadn't signed the back of his CC. He was forced to sign the back of his CC and guess what? The slip and CC signatures matched!

    16. Re: Of course by azrael29a · · Score: 2

      A lot of fraud comes from Poland too.

      Citation needed.

      Here in Poland we have EMV and 99% of cards issued by banks operating in Poland have magstripe and chip, and all transactions are authorized by a PIN. The only popular scam I've heard of here was to record the magstripe & PIN using a rigged ATM (with skimmer and camera over the pinpad), send the magstripe & PIN data to some other country (ie. in South America), and then try to grab cash using a cloned card there. The only time I have ever had to sign my card payment was when using my employer-issued lunch card, that had no chip and was magstripe&signature-only.

      Banking technology in Poland is way ahead of the one in US because we have skipped a lot of now-dead technologies, like cheques, pagers, etc. Also, nowadays most points of sales accept contactless card payments, which, while they have their own problems (easy low-value PIN-less transactions after stealing the card, limited to some low numbers), at least are safe from skimmers, because the card doesn't need to touch the point of sale.

    17. Re: Of course by Anonymous Coward · · Score: 0

      I've lived in US for 10 years and never signed any of my cards

    18. Re: Of course by TheRealMindChild · · Score: 1

      It doesn't matter anyway because the signature isn't there to verify the user. It is there to signify you accept the card holder agreement

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    19. Re: Of course by TRRosen · · Score: 1

      Well, since you apparently never buy anything more than $10 I don't think it matters. The only time I don't have to enter a pin is when buying a $5 meal at a fast food joint or at places that don't support chip transactions yet. Those are disappearing as that makes them liable for fraud.

    20. Re: Of course by Anonymous Coward · · Score: 0

      Because not many people can grasp the size of the retail industry of America. It's the largest in the world.

    21. Re: Of course by guruevi · · Score: 2

      Chip+PIN is not invincible either. In the Netherlands there are gangs operating right now that can skim the information from Chip+PIN and the banks aren't willing or at least giving a really hard time to reimburse the fraud because "fraud is impossible". Moreover chip implementations in the EU are rampantly being abused especially across public transportation where people are cloning chips to get onto trains and busses.

      The truth about EMV (and I've seen and implemented EMV systems across both US and EU) is that it was an 'old' standard by the time it came out. There were no less than 2 papers that discussed exploits in the EMV system prior to the chip implementations in the EU (and the EU went all out implementing chips for health care, public transportation, drivers licenses, passports and ID cards).

      You can, right now, read plain text all the 'important' information from a chip (card number etc) simply by querying its offline capabilities which is one of the primary ways fraud is happening - thieves implement a skimmer and do an offline authorization against the chip (basically: Hey, our Internet broke, here's a transaction for you to sign) and then a few days or even weeks later (some banks allow up to 6 weeks) they "finish" the transaction elsewhere.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    22. Re: Of course by BobPaul · · Score: 2

      Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

      Some notes on this... Merchant agreements PROHIBIT merchants from asking for ID and DO NOT REQUIRE that merchants check signatures. In fact Visa et al actually essentially PUNISH vendors who do. Famously, Wal-Mart used to have a policy to check signatures and VISA successfully argued that they should not be on the hook to cover fraudulent purchases that Wal-Mart should have caught via signature checks (ie, they said Wal-Mart's employees were inconsistent). So over 10 years ago Wal-Mart changed their corporate policy and cashiers are instructed to NOT check signatures. The same amount of fraud happens, but VISA et al are now on the hook and can't blame Wal-Mart employees.

      In Europe, the card vendors were forced by law into Chip+Pin. VISA has more profit than the GDP of many countries and they don't even loan out money. They don't care about a little fraud. Their concern in the USA was users might periodically forget their PINs and pay with cash instead. So they lobbied to keep signatures, and of course our congress persons don't listen to security experts if corporate interests disagree.

    23. Re: Of course by BobPaul · · Score: 1

      A lot is an article or set of articles for sale at an auction. Both sausage and stolen credit card numbers are often sold via online auctions.

    24. Re: Of course by ErikTheRed · · Score: 3, Informative

      Strictly speaking - not defending this practice, just explaining it - merchants should decline to take your card if you've done this, per their agreement with the card issuers. The signature is there as a promise to pay, not as a means of identification. Yes, this is stupid. A better practice is the banks that allow you to put your picture on the card.

      --

      Help save the critically endangered Blue Iguana
    25. Re: Of course by TechyImmigrant · · Score: 2

      The summary talks about merchant system misconfiguration.
      That would imply that the chip simply isn't used.
      Well, who would have thought that a purely decorative chip that is never used actually has no effect!
      Obviously we all expected the gold shininess to make fraudsters run away...

      In the US, most shop merchants (the kind without IT departments) get their payment terminals from banks or payment processors who offer zero configuration options. All misconfiguration is by the banks.

      What is going on is a scam called PCI-DSS where they demand that you use PCI certified hardware that is so fragile that leaving them on an open network will get them pwned - so they will require you to pay them to 'scan' your website to check it's ok, even if that makes no sense, like you are serving a web site, and then charge you extra for not doing so because you aren't 'compliant'.

      By these scams they have pointed the blame at the merchants who had no hand in designing the whole shitty system.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    26. Re: Of course by Anonymous Coward · · Score: 0

      Also there are tons of restaurants, fast food joints, gas stations, and banks that still use the magnetic stripe instead of the chip.

      Make chip machines mandatory like the rest of the planet.

    27. Re: Of course by Waffle+Iron · · Score: 1

      Assuming you're in the US, when was the last time anyone actually even pretended to look at the back of your credit card to compare signatures?

      In most cases, it would be worthless to compare anyway. The signature made with a real pen on the back of a card rarely looks anything like a signature made with a bulky stylus on a slippery touch screen.

      (Even worse are some delivery services where you "sign" the guy's tablet with nothing but your finger. That usually comes out as little more than a straight line.)

    28. Re: Of course by sjames · · Score: 1

      They rarely do exactly because it's useless.

    29. Re: Of course by sjames · · Score: 1

      Also, PIN would get in the way of their big campaign for just tapping your card to pay.

    30. Re: Of course by Anonymous Coward · · Score: 0

      You can't clone the cards and use them in online transactions. They are skimming the cards and using them for online transactions, most likely. Though the chip does generate a new CVV when used with the chip. If you run the magnetic stripe through, you get the real CVV which can be used online. Also there are tons of restaurants, fast food joints, gas stations, and banks that still use the magnetic stripe instead of the chip.

      The problem is the mag stripe .. every reader still takes both chip and strip and gas stations aren't required to accept chips for another 2 years. So almost every US gas station is a target for skimming as well as every hotel/restaurant/retail chain as they still fall back to mag strip if the chip is dead, plus all the "card not present" transactions by all the websites.

      Until all of those problems are solved and credit cards cease having a mag stripe.. there will be credit card fraud. End of story.

    31. Re: Of course by Anonymous Coward · · Score: 0

      There's no way I can forget my PIN, I get all my cash from using the PIN on a VISA card in ATMs. Been that way for a very long time due to living in the country that invented chip+PIN and deployed in like 1992 or something. There might be about an Atari 2600 worth of smart, minus the sound and graphics generation. I always thought it was about the mainframes and modems and in this case, business side of things.

      I guess I'm a bad customer to VISA lol but if processing all my cash withdrawal transactions isn't good enough there's nothing I can do for them.

    32. Re: Of course by Anonymous Coward · · Score: 0

      I'll ask my bank about how to disable this when it's soon time for card renewal.

    33. Re: Of course by Anonymous Coward · · Score: 0

      I've seen no signature or PIN required on a chipped credit card for around $80 of groceries.

    34. Re: Of course by Anonymous Coward · · Score: 0

      Had chip+PIN debit cards forever, they were very vulnerable to being used online. The numbers and CVV are printed on the card. You can write the numbers in your hand (w/ expiry date) then you've "defeated" it. In modern times, people were taking pictures of cards with smartphones camera or buying numbers on the Internet, so now there's some kind of 2FA which defaults to sending SMS to your phone number.

    35. Re: Of course by Anonymous Coward · · Score: 0

      The sig on the card is not an authorization. It's an agreement to use the card. Nobody is supposed to check the card for anything but it being signed. If it's unsigned then it's probably fake.

    36. Re: Of course by Anonymous Coward · · Score: 0

      a lot is a Polish airline.

    37. Re: Of course by Anonymous Coward · · Score: 0

      That is how Square works most of the time.

      The authorization doesn't work in crowded convention floors and where cell service is rubbish, so the transactions are run offline back at the hotel room.

      Criminals could have a field day with a fan convention by using stolen cards to buy high value items and then fence them at other conventions or on eBay.

    38. Re: Of course by Anonymous Coward · · Score: 0

      The chip is about the size of a grain of sand and about as powerful as an Apple II.

    39. Re: Of course by Anonymous Coward · · Score: 0

      This. As long as the magnetic stripe is still widely used, the chip is irrelevant. You can kill it with a 24V DC applied to the contacts, and most merchant terminals will then fallback on the magstripe. Weakest link.

      I do have to correct your comments about CVV though - oversimplified. An EMV DDA chip card (almost all cards these days) actually hashes various elements of the transaction (price, currency, date etc - up to the card issuer policy), and then signs it with some proprietary cipher (vendor dependent) which generates the ARQC or TC, which is passed in an opaque way back to the issuer. The issuer then computes the same value and is supposedly meant to then approve or deny the transaction.

      For offline cases, asymmetric crypto is used to prove the card was issued by the bank.
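
The cryptogram check described in the comment above, as an added example that is not part of the original thread: the card MACs the transaction fields together with a counter, the issuer recomputes the value and rejects a replay, while static magstripe data replays unchanged. HMAC-SHA256, the field layout and every name, key and card number here are assumptions standing in for the vendor-specific EMV ciphers.

```python
import hashlib
import hmac

# Constructed sample values (a well-known test card number, a made-up key and CVV).
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"constructed-demo-card-key"
SAMPLE_CVV = "123"


def encode_fields(pan, amount_cents, currency, date, nonce, atc):
    # Assumed layout: every field the cryptogram covers, joined unambiguously.
    return "|".join([pan, str(amount_cents), currency, date, nonce, str(atc)]).encode()


def mac(key, message):
    # HMAC-SHA256 truncated to 8 bytes, a stand-in for the card's real cipher.
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Model of a chip card: the key stays inside, a counter advances per use."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter

    def sign(self, amount_cents, currency, date, nonce):
        self.atc += 1
        msg = encode_fields(self.pan, amount_cents, currency, date, nonce, self.atc)
        return {"pan": self.pan, "amount_cents": amount_cents, "currency": currency,
                "date": date, "nonce": nonce, "atc": self.atc,
                "cryptogram": mac(self._key, msg)}


class Issuer:
    """Model of the issuer host that shares a key with each card it issued."""

    def __init__(self, card_keys, magstripe_cvv):
        self.card_keys = dict(card_keys)
        self.magstripe_cvv = dict(magstripe_cvv)
        self.last_atc = {pan: 0 for pan in self.card_keys}

    def authorize_chip(self, tx):
        key = self.card_keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        msg = encode_fields(tx["pan"], tx["amount_cents"], tx["currency"],
                            tx["date"], tx["nonce"], tx["atc"])
        if not hmac.compare_digest(mac(key, msg), tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["atc"] <= self.last_atc[tx["pan"]]:
            return "declined: replayed counter"
        self.last_atc[tx["pan"]] = tx["atc"]
        return "approved"

    def authorize_magstripe(self, track):
        # Static data only: nothing ties the request to one transaction.
        if self.magstripe_cvv.get(track["pan"]) == track["cvv"]:
            return "approved"
        return "declined: bad cvv"


def demo():
    issuer = Issuer({SAMPLE_PAN: SAMPLE_KEY}, {SAMPLE_PAN: SAMPLE_CVV})
    card = ChipCard(SAMPLE_PAN, SAMPLE_KEY)
    results = []

    tx = card.sign(500, "USD", "2018-11-12", "a1b2c3d4")
    results.append(issuer.authorize_chip(tx))        # genuine transaction
    results.append(issuer.authorize_chip(dict(tx)))  # captured copy sent again

    altered = card.sign(500, "USD", "2018-11-12", "e5f6a7b8")
    altered["amount_cents"] = 50000                  # amount changed in transit
    results.append(issuer.authorize_chip(altered))

    track = {"pan": SAMPLE_PAN, "cvv": SAMPLE_CVV}
    results.append(issuer.authorize_magstripe(track))        # genuine swipe
    results.append(issuer.authorize_magstripe(dict(track)))  # copied stripe data
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```
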

    40. Re: Of course by Anonymous Coward · · Score: 0

      The dumbest and the risée. Whereas the rest of the civilized world - way larger than the US - has managed to switch to more secure payment systems, the dumb US retail industry isn't able because of 'reasons' and sticks with an imprint or a magstripe.

    41. Re: Of course by jittles · · Score: 1

      Had chip+PIN debit cards forever, they were very vulnerable to being used online. The numbers and CVV are printed on the card. You can write the numbers in your hand (w/ expiry date) then you've "defeated" it. In modern times, people were taking pictures of cards with smartphones camera or buying numbers on the Internet, so now there's some kind of 2FA which defaults to sending SMS to your phone number.

      Sorry, AC. I meant that they cannot be used in card present online authorized transactions. I was tired when I wrote that. They can be used for card not present e-commerce transactions, yes. That is where they are still vulnerable.

    42. Re: Of course by Megane · · Score: 1

      I think it's at the option of the place you are buying from. Some places I always have to sign for small purchases, and for groceries, where I go the threshold is $50.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    43. Re: Of course by mjwx · · Score: 1

      The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

      This.

      The huge advantage in EMV is that I can travel to most countries and my card simply works. Thailand, Japan, Germany, Colombia, South Africa, France, Turkey, Greece, Brazil... Pretty much everywhere except the United States where a lot of petrol stations refuse to accept foreign cards because they do not support EMV.

      EMV isn't designed to protect against the kind of fraud that is commonplace now, that is the wholesale theft of card details, the number, expiry date and name printed on the front of every card because this is the information that is used in card fraud. This doesn't mean EMV is a failure, EMV is doing what it's meant to and means that anywhere I go, I can simply use my cards as if I were at home... except in the US.

      Most card numbers are stolen online, either through infected PC's or by stealing them wholesale from merchant sites. First step in combating this is to make it illegal for merchants to store card data. The introduction of contactless payments is only accelerating the kind of fraud that is commonplace now as both Visa and Mastercard's implementation simply sends out your card number, name and expiry date in encryption so weak, it may as well be clear text to any device that asks for it. The device asking for it doesn't need to make a transaction immediately, it can simply store the information for later use. Even with a short range of less than 50 cm, imagine how many unique card numbers you'll get walking through a shopping centre or high street on a normal day. Not like anyone is going to pay any attention to some random guy with a handheld device, put a high-visibility jacket on and you are pretty much invisible.

      To stop the kind of fraud that is commonplace now we need to implement 2FA, any form of 2FA as long as we have a second factor of authentication. However this will never happen as it will discourage people from using their credit cards which means the banks will miss out on the percentage they're scraping off every transaction. Right now the cost of fraud pales in comparison to the risk of losing just a portion of that revenue stream. Also we'd need to change contactless to use a rolling code not based on your card number but this means the card has to be an active device which would discourage their use as many people won't be bothered to keep their credit card charged, so again, won't happen.

      So combating card fraud is easy, however because there's more money being made by not doing these things than it currently costs to simply absorb the cost of fraud, we'll continue to have to bear the cost and inconvenience of card fraud.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    44. Re: Of course by mjwx · · Score: 1

      Checking signatures is worthless anyway, real people's signatures never look exactly the same whereas a criminal can easily copy what he sees on the back of the card, or in the case of cloning the cards he can just sign the cloned card himself and that's what the merchant will compare against.

      At least with a pin, the pin is either correct or not, and not displayed on the card itself.

      Pin is safer, but it's all quite academic really. The majority of fraud uses neither the PIN nor a signature. Card cloning has become very rare because it's difficult to do and if you've got the card number, expiry date and name... Utterly redundant.

      The majority of card fraud is done via online purchases which only require the card number, cardholder's name and expiry date (CVC/CVV verification is optional). The dumb criminals try buying big ticket items like TV's, the smart, organised ones simply make $5 purchases to front businesses they own. If you've got 10,000 card details, if only 3% work you've just netted $1,500 from a script that took a few minutes to run. Again, the organised criminals will randomise cards so you're not sending 10,000 transactions to the same bank. $5 is below the fraud detection level so if the cardholder doesn't notice, they can do it again in another month or two.

      To combat this we're relying on banks blacklisting known bad merchants and detect new fraudulent merchants before they make too many transactions. It's not hard to set up a new merchant account, especially in a country where laws are "selectively enforced" (I.E. you can pay the copper to look the other way). As anyone who's managed an email server knows, blacklists suck.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
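
One way to surface the pattern this comment describes, many different cards charged one small amount at a single merchant with most attempts declined, as an added example that is not part of the original thread. The record fields, merchant names and thresholds are assumptions, and the transactions are constructed.

```python
from collections import defaultdict


def flag_card_testing(transactions, min_cards=20, max_amount_cents=1000,
                      min_small_share=0.9, min_decline_rate=0.5):
    """Return per-merchant stats for merchants matching all three signals.

    Signals (thresholds are assumptions to tune on real data):
      * many distinct cards seen at one merchant,
      * almost every charge at or below a small amount,
      * most authorisation attempts declined.
    """
    by_merchant = defaultdict(list)
    for tx in transactions:
        by_merchant[tx["merchant"]].append(tx)

    flagged = []
    for merchant in sorted(by_merchant):
        txs = by_merchant[merchant]
        total = len(txs)
        distinct_cards = len({tx["card_token"] for tx in txs})
        small_share = sum(tx["amount_cents"] <= max_amount_cents for tx in txs) / total
        decline_rate = sum(not tx["approved"] for tx in txs) / total
        if (distinct_cards >= min_cards
                and small_share >= min_small_share
                and decline_rate >= min_decline_rate):
            flagged.append({"merchant": merchant,
                            "distinct_cards": distinct_cards,
                            "small_share": round(small_share, 2),
                            "decline_rate": round(decline_rate, 2)})
    return flagged


def sample_transactions():
    """Constructed records for three hypothetical merchants."""
    txs = []
    # M-FRONT: 40 different cards, $5.00 each, only 1 in 20 approved.
    for i in range(40):
        txs.append({"merchant": "M-FRONT", "card_token": f"tok-{i:04d}",
                    "amount_cents": 500, "approved": i % 20 == 0})
    # M-CAFE: small amounts too, but 12 regular cards and few declines.
    for i in range(30):
        txs.append({"merchant": "M-CAFE", "card_token": f"reg-{i % 12:02d}",
                    "amount_cents": 350 + 25 * (i % 7), "approved": i % 15 != 0})
    # M-ELECTRO: many different cards, large amounts, few declines.
    for i in range(25):
        txs.append({"merchant": "M-ELECTRO", "card_token": f"cust-{i:03d}",
                    "amount_cents": 20000 + 1000 * i, "approved": i % 12 != 0})
    return txs


if __name__ == "__main__":
    for hit in flag_card_testing(sample_transactions()):
        print(hit)
```
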
    45. Re: Of course by racermd · · Score: 1

      I think we need to stop focusing on the cards. Those aren't really the root of the problem. It's the retailers that set up insecure or insufficiently secure networks to transmit this data in the first place.

      Payment processors should take this out of the hands of all retailers and provide direct, secure communication from the payment terminals. That is, a private VPN from each terminal back to the payment processor. The terminal is still technically connected to the customer network but wouldn't be directly accessible. The data that comes back from the terminal to the retailer's POS system is stripped of any full identifying data but with enough info for the retailer to conduct business.

      That would stop all the MITM attacks and the scouring of stored data on the retailers' networks which seems to be the vast majority of the breaches.

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
    46. Re: Of course by Anonymous Coward · · Score: 0

      The Lot , indeed! Means Moose or something.

  3. Well... by Anonymous Coward · · Score: 1

    The chip prevents someone from skimming the information on the magnetic strip, and reusing that to pay for stuff. Of course someone can steal your credit card details, which are conveniently embossed right on the card for anyone to see.

    1. Re:Well... by ChoGGi · · Score: 1

      The EMV chip has nothing to do with the mag stripe, this is just people doing the usual and skimming the mag stripes.

    2. Re: Well... by Anonymous Coward · · Score: 0

      Or they can skim it from the magnetic stripe, which is still there and still holds the same info for backwards compatibility.

    3. Re:Well... by Anonymous Coward · · Score: 0

      sadly the US still has this fucked up system where 90% still require signature.

    4. Re:Well... by Anonymous Coward · · Score: 0

      It only stops them if the point of sale uses a chip reader. Since some places don't, and card-not-present transactions are still allowed, I wouldn't expect it to help much.

      Also, some newer cards are no longer embossed.

    5. Re: Well... by Anonymous Coward · · Score: 1

      That's not how it works. The chip is a cryptographic unit which will apply the holder's digital signature to the receipt, which is then verified by the bank, who in turn responds to the payment terminal that the payment is successful.

    6. Re: Well... by Anonymous Coward · · Score: 1

      No they can still skim the magnetic strip, it's separate from the chip. I had a chip+strip card skimmed, cash was withdrawn from an ATM in a foreign country, chip did nothing to stop the fraudulent withdrawal. The card was in my wallet at the time the transaction notifications came through. The ATM they used didn't require a chip, enabling the fraud.

    7. Re: Well... by Anonymous Coward · · Score: 0

      That is how chip & pin works in Europe, but that is not at all how chip & sign works in US

    8. Re: Well... by Anonymous Coward · · Score: 0

      But it's only countries like the US where that attack works. If you clone the magstripe, you can try to use it online, but I have 2FA protecting that. Cash machines in the EU read the chip, so the only way it's useful is to use it in backwards countries.

  4. ---not by Anonymous Coward · · Score: 1

    ...except, this was not about online purchases.
    Swing and a miss there, Champ.

  5. Chip & PIN by Anonymous Coward · · Score: 4, Interesting

    Without a PIN, and without a chip reader for online purchases the whole exercise has been a waste of time.

  6. chips by Anonymous Coward · · Score: 0

    How much of that 93% stolen was done at retailers who still use the non-chip info? I have a chipped card and had my card skimmed and it was used at a dozen locations that didn't require a PIN. All chipping a card did was shift who pays for the fraud. If it's chipped/pin then the bank eats the fraud, chipped no pin the retailer eats the fraud.

    1. Re:chips by Anonymous Coward · · Score: 0

      The problem might be that for the retailer a pin-transaction costs more than a no-pin transaction, so most retailers will do as my employer does:

      Just eat the fraud until you see the fraud becoming more expensive than the pin-transactions, and only then switch to pin.

  7. Still no use for PIN by Kopp · · Score: 4, Insightful

    So, in 2018, one of the biggest economies, most technologically advanced country in the world still cannot use a 40 year old technology to authenticate a payment? I know it might not be 100% failproof, but still... Even countries in Eastern Europe manage to do that...

    1. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      Do online purchases in Europe require the PIN? If not, I see little useful difference.

    2. Re:Still no use for PIN by FaxeTheCat · · Score: 1

      Quite a number of online purchases require 2FA.

    3. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      For debit card transactions (many people in Europe can not get a credit card since you need a good income to get one), yes chip+pin is required.

    4. Re:Still no use for PIN by blind+biker · · Score: 1

      I see little useful difference.

      You are seriously telling us that you see little difference between requiring a pin when using a CC for purchasing goods, vs. not requiring one, even if "only" for IRL shopping? If that is the case, then you are a moron with an IQ below 80.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    5. Re:Still no use for PIN by xlsior · · Score: 4, Interesting

      The reason that US creditcard companies don't want to force their users to use pin codes is simple: no one wants to be first. In most of the world, people have a single creditcard. The average American has half a dozen or more. Forcing Americans to remember a Pin just means that a not insignificant percentage of users will simply switch to one of their other cards that's 'less inconvenient' - therefore, nothing changes since none of the card companies want to lose their users to the competition.

    6. Re:Still no use for PIN by Solandri · · Score: 4, Informative

      It's because the credit card companies don't want to pay for fraud. Right now they've gamed it so merchants pay for credit card fraud (merchant loses the merchandise, and the payment gets reversed). Chip + PIN basically makes it impossible for the merchant to be at fault in case of fraud, meaning either the cardholder or credit card company has to pay for fraud. So they gimped the chip in the U.S. by making it chip + sign, meaning it's still the merchant's responsibility to check the signature with the one on the card. And if they forget (or in the case of online orders, can't) and it turns out to be a fraudulent charge, the merchant has to pay for it.

      (And if you're one of those people who've been duped into thinking the high interest rates pay for fraud, no they don't. They pay for cardholders who are delinquent on payments.)

    7. Re:Still no use for PIN by JaredOfEuropa · · Score: 1

      For now. The current 2FA method - using a challenge/response that is processed on the actual chip after entering the correct pin on a special card reader - is slowly being replaced by *much* less secure methods like authentication by app, or even by SMS. Apparently many people felt it is too much of an inconvenience to carry the little card reader around (so they can't make that all important purchase on the road or in the workplace); many banks here are moving away from chip-and-pin.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    8. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      Because of tipping US can't lock a payment down. Chip&pin is final - transactions can't be changed, which means / bring the terminal to the table so I can put whatever tip I want and then secure it with pin. But no - now in US you can authorize a 1.99 payment and have Joe Schmoe add 1000 tip on it, just fine.

      Chip and no pin leaves the chip unencrypted, so it is no better than mag stripe

    9. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      Perhaps he's blind?

    10. Re:Still no use for PIN by Anonymous Coward · · Score: 3, Informative

      As a merchant it is even worse. After you have lost your merchandise and the payment is reversed we also need to pay a fine to the credit card company.

    11. Re: Still no use for PIN by Bert64 · · Score: 5, Insightful

      I got this same explanation from a waitress, that they didn't use pin because of tipping... But that's utterly ridiculous, in the rest of the world they bring a wireless payment device to your table and it asks if you'd like to leave a tip, you enter the amount to tip and it calculates the total and then authorises the total using your pin. The payment device then prints out a receipt which shows how much you paid in total.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    12. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      It is. It means at the transaction the fraudster must have had physical access to your card.
      It vastly increases the risk for the fraudster, because it means it is someone you explicitly gave your card to, or they stole it. The former should be far too high risk for most people (esp since it would usually be someone who has a job and thus is not that desperate), the latter should result in a time window of less than a day, reducing the opportunity of using it e.g. in foreign countries. It IS vastly better, even without PIN.

    13. Re:Still no use for PIN by Mortimer82 · · Score: 2

      Your average large merchant doesn't "pay" for the fraud, instead they pass the cost onto their honest customers. Rather than big merchants paying out their profits, they instead charge every honest customer a few cents extra to cover the fraud costs and maintain their same profits.

      The little independent merchants do unfortunately suffer, as they're not the ones with the clout to improve the situation or the market share to have their honest customers cover the cost.

    14. Re:Still no use for PIN by FaxeTheCat · · Score: 1

      In Norway we use authentication by app as an option. The app requires a PIN for every transaction, so no less secure.

    15. Re:Still no use for PIN by DarkOx · · Score: 2

      WAAAAYYY - less secure. You have moved secret handling (the PIN) from a special purpose device with limited network interaction, that runs software that is not easily modified or updated by unauthorized parties; and moved it to a general purpose device.

      A device that is on network all the time, a device where users are likely to add all kinds of software. A device where published security issues in the platform might not get patched at all... The potential for an attacker to either obtain the secrets for use elsewhere or step into the authorization process is much greater

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    16. Re:Still no use for PIN by Anonymous Coward · · Score: 1

      In most of the world, people have a single creditcard

      Do you have a source for that?

      I don't live in America and I have half a dozen, plus several debit cards. A couple of colleagues from different countries in Europe also have multiple - I've travelled with them so have seen them use multiple cards - others I haven't traveled with I've no reason to believe to be any different.

    17. Re: Still no use for PIN by Anonymous Coward · · Score: 1

      the rest of the world they bring a wireless payment device to your table and it asks if you'd like to leave a tip, you enter the amount to tip and it calculates the total and then authorises the total using your pin

      There is also absolutely nothing preventing you from using your card to pay the value of the bill, and then as you leave the table handing a cash tip directly to the waiter. This has always been done where I'm from, even more so since there was a bit of a fuss in the UK when it became widely known that some chains weren't giving the entire tip from card transactions to waiting staff.

    18. Re: Still no use for PIN by Waccoon · · Score: 5, Insightful

      While we're talking about obsolete practices, could we please abolish tipping, too?

    19. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      Yes but it's quite a challenge to efficiently locate and hack the specific phone associated with the card (maybe some retailer databases make this easier, but still). I'm not sure how practical (profitable) it would be for low value targets.

    20. Re: Still no use for PIN by mark_reh · · Score: 2

      Tipping in cash is always preferred by servers.

      Tipping is a two way street. If you tip at the end of the transaction, the server benefits. If you tip at the start of the transaction, such as tipping a bartender when you order your first drink, he/she will treat you well for the rest of the evening. Both sides benefit.

      Of course, if you're a regular and get a reputation for tipping well, you'll be treated well every time you visit the place.

      What became of the legislation that was proposed to allow the restaurant owners to decide how much of the tips go to the servers? IIRC that was proposed as a means to relieve restaurant and bar owners of the burden of having to pay a higher minimum wage...

    21. Re:Still no use for PIN by Anne+Thwacks · · Score: 4, Interesting

      That is not true. Most people in Europe have several cards, and I am quite sure they have to use a PIN.

      I can also confirm that a lot of people in Nigeria have several cards, and they have to use PINs there, and one side effect has been to massively reduce fraud committed by the banks themselves. I assume the reluctance of American banks to force use of the PIN is because a large part of the fraud is committed by the banks themselves.

      Yes it's true: American banks are noticeably less trustworthy than Nigerian banks. (cf Wells Fargo)

      --
      Sent from my ASR33 using ASCII
    22. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      That seems ridiculous - I have several dozen credit cards in the UK and I don't have PIN issues. I know the PINs for the cards I use frequently (probably about 6) and I have the PINs for the others stored securely but available when I need them. The vast majority of payments I do is, in fact, contactless, so even if I don't remember the PIN I can still pay for things with a card. That even includes in restaurants or other places where I have to leave a tip.

      Additionally, here in the UK, there are a couple of products which allow you to link multiple credit cards in a virtual wallet and use one physical card to pay for things. (I'm pretty sure the idea actually originated in the US via a changeable mag stripe). Here, there is a physical MasterCard labelled as a debit card, but when the payment is made the provider takes the charge and immediately recharges it to the 'true' card where the credit exists. I can even change the card I have paid *after the fact* (I assume via a debit and credit recharge) if I want to via the app.

      So I don't buy that credit card companies are holding out because they don't think Americans can't remember or find a way to track multiple PINs. I suspect it is something monetary relating to the relatively lesser security that continuing to permit signatures to pay provides for them.

    23. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      What became of the legislation that was proposed to allow the restaurant owners to decide how much of the tips go to the servers? IIRC that was proposed as a means to relieve restaurant and bar owners of the burden of having to pay a higher minimum wage...

      In the USA? That part of the act appears to have been changed to explicitly prohibit companies from taking tips (second bullet point down).

    24. Re: Still no use for PIN by hazardPPP · · Score: 4, Insightful

      Tipping in cash is always preferred by servers.

      Very true. I've had a waiter (in Canada) thank me for paying in cash, because he now had enough cash in the register to take his tips with him at the end of the day, instead of waiting to get the amount prepared for him at the start of his next shift (which could be in a couple of days). As I understood, it wasn't specifically about tipping in cash, but enough people paying in cash during the day (some of those people could leave $0 tip - the point was there to be cash available).

      Tipping is a two way street. If you tip at the end of the transaction, the server benefits. If you tip at the start of the transaction, such as tipping a bartender when you order your first drink, he/she will treat you well for the rest of the evening. Both sides benefit.

      Of course, if you're a regular and get a reputation for tipping well, you'll be treated well every time you visit the place.

      What became of the legislation that was proposed to allow the restaurant owners to decide how much of the tips go to the servers? IIRC that was proposed as a means to relieve restaurant and bar owners of the burden of having to pay a higher minimum wage...

      Tipping, as implemented in North America (Canada & the US), is pure bullshit. Hospitality workers are basically forced to rely on tips in order to make a livable wage, in many jurisdictions they specifically get shafted (the law specifies a lower minimum wage for restaurant workers than everyone else). As a result, you are culturally "forced" to tip large amounts even just for average/expected service (15%, or whatever is the local custom), because otherwise the people serving you are underpaid. Basically, this means that the prices in the menu are artificially deflated. You are expected to fork over an extra 15% (or whatever), so that's not a "tip" - it's an integral part of the cost you incur.

      Tipping should be an optional activity and a reward for exceptional service, not mercy money that allows workers to eat. Workers should be paid for their work by their employer. Salaries should be in line with employer expectations. If employees go above and beyond that, customers can reward them (if they want) with tips. Tips should not be the employees' financial lifeblood.

      There's plenty of places where it works like this. There's plenty of places where tipping is just rounding up (so on a large bill, something like 1-2% and nowhere near 15%). There are places like Japan where there is no tip (in fact, I was told that tipping is insulting and that the waiter will angrily give you back your money). Guess what, the service is just fine (especially in Japan, where it's excellent).

    25. Re:Still no use for PIN by LostMyAccount · · Score: 1

      I don't know about this specific explanation, but in general it's definitely believable. If you increase the transaction overhead and friction, economists would generally expect fewer transactions. Personally, I think this would just be a temporary dip until people got up to speed on entering a PIN with a purchase and merchants (especially restaurants) altered their transaction workflows to accommodate to allow for chip/pin transactions (eg, tips). The decline in transactions is what scares off the credit card industries as they benefit from transaction fees from every transaction, even fraudulent ones. I'm sure businesses with stored credit card info also fear it, as it makes their payment model less reliable and any transition to a pin based system would basically put a lot of their customers/business relationships up for grabs as these business relationships would need to be renewed. Basically the bottom line is PIN would result in some short-term reduction in transaction volume and create disruption in existing cash flows, and since they can mostly stick merchants for the cost of fraud, these players have no incentive to make transactions more secure.

    26. Re: Still no use for PIN by hazardPPP · · Score: 1

      Because of tipping US can't lock a payment down. Chip&pin is final - transactions can't be changed, which means / bring the terminal to the table so I can put whatever tip I want and then secure it with pin. But no - now in US you can authorize a 1.99 payment and have Joe Schmoe add 1000 tip on it, just fine.

      Canada has the exact same tipping culture (when it comes to restaurants and bars...not really when it comes to everything else, like bus drivers, etc.) as the US. For years, PIN cards are the norm and people leave tips just fine. You get the terminal, and you select the amount of tip to leave (10%, 15%, 20%, custom % or custom exact dollar amount). It works just fine. In fact, it simplifies people's lives since they don't have to calculate how much is 15% of their bill, the terminal does it automatically.

      With the antiquated US system (get a bill with a blank line) you have a lot of chance for fraud. It's happened to people I know, they put a $5 tip but the server didn't think that was enough, so they wrote in a 1 in front to make it $15. The customers only found out 2 weeks later when they looked at their credit card statement.

    27. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      I bet you are also chafed by such onerous social conventions as being expected to say “you're welcome” even to a person who isn't exceptionally thankful.

    28. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      What kind of person hangs on to old restaurant receipts to compare them against CC statements weeks later? The kind who leaves 5% tips, that's what kind.

    29. Re: Still no use for PIN by TRRosen · · Score: 1

      Because of tipping US can't lock a payment down. Chip&pin is final - transactions can't be changed, which means / bring the terminal to the table so I can put whatever tip I want and then secure it with pin. But no - now in US you can authorize a 1.99 payment and have Joe Schmoe add 1000 tip on it, just fine.

      Chip and no pin leaves the chip unencrypted, so it is no better than mag stripe

      Absolutely untrue. Whether a system simply authorizes or authorizes and finalizes a transaction has nothing to do with the card but with the system's programming. Pin or sig or none is decided by the provider according to its contract. Usually all are available but different rates are charged. The chip is always encrypted and always secure. Anyone can clone the magstripe and it usually just holds the information from the front of the card. Cloning the chip is basically impossible due to the level of tech that would be needed. The Chip guarantees that the card was present. PIN or Sig just verifies the owner was.
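
The contrast drawn in the comment above (a magstripe is static data that can be copied, while the chip proves the card was present), as an added example that is not part of the original thread. It is a simplified Python model in which HMAC-SHA256 stands in for the chip's per-transaction cryptogram; the class names, the constructed card number and the message layout are assumptions for illustration, not the EMV specification.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: not a real card number.
SAMPLE_PAN = "0000111122223333"
SAMPLE_TRACK = SAMPLE_PAN + "=2512"  # static magstripe-style data (PAN=expiry)


def _mac(key, pan, amount_cents, nonce, atc):
    """Stand-in cryptogram: a truncated HMAC over the transaction fields."""
    msg = f"{pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Hypothetical chip: holds a key that never leaves it, plus a counter."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # transaction counter, analogous to EMV's ATC

    def sign(self, amount_cents, terminal_nonce):
        # Every call produces a cryptogram bound to amount, nonce and counter.
        self.atc += 1
        return {
            "pan": self.pan,
            "amount": amount_cents,
            "nonce": terminal_nonce,
            "atc": self.atc,
            "cryptogram": _mac(self._key, self.pan, amount_cents,
                               terminal_nonce, self.atc),
        }


class Issuer:
    """Hypothetical issuer that knows each card's key and last counter."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_magstripe(self, track):
        # Static data only: any byte-for-byte copy looks identical.
        pan = track.split("=", 1)[0]
        return pan in self._keys

    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return (False, "unknown card")
        expected = _mac(key, txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return (False, "bad cryptogram")
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return (False, "stale counter (replay)")
        self._last_atc[txn["pan"]] = txn["atc"]
        return (True, "approved")


def demo():
    issuer = Issuer()
    card = issuer.issue_card(SAMPLE_PAN)
    results = {}

    # Magstripe: the genuine swipe and a copied track are indistinguishable.
    results["magstripe_original"] = issuer.authorize_magstripe(SAMPLE_TRACK)
    copied_track = str(SAMPLE_TRACK)
    results["magstripe_clone"] = issuer.authorize_magstripe(copied_track)

    # Chip: a captured transaction cannot be resubmitted or altered.
    txn = card.sign(199, secrets.token_bytes(4))
    results["chip_original"] = issuer.authorize_chip(txn)
    results["chip_replay"] = issuer.authorize_chip(dict(txn))
    fresh = card.sign(199, secrets.token_bytes(4))
    results["chip_tampered"] = issuer.authorize_chip(dict(fresh, amount=100199))
    results["chip_next"] = issuer.authorize_chip(fresh)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```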

    30. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      Tipping in cash is always preferred by servers.

      Very true. I've had a waiter (in Canada) thank me for paying in cash, because he now had enough cash in the register to take his tips with him at the end of the day, instead of waiting to get the amount prepared for him at the start of his next shift (which could be in a couple of days).

      Odd, at least in the U.S. servers prefer cash tips because they're off the books. The server can report a lower tip than you actually gave them so they don't pay as much tax. (Anyone who's worked in a restaurant will have a story about someone who got a paycheck for zero dollars because the entire paycheck was taken as tax on the tips they got.)

      Extra tidbit: It may vary by jurisdiction, but at least some places if a gratuity is automatically added to the check it becomes part of the total that tax is calculated on.

    31. Re: Still no use for PIN by guruevi · · Score: 1

      Tipping is the capitalist way of doing it - a good waiter doing 10 turnovers an hour (which is relatively common) can make $50-150/h - work 30h a week, you make $1000-3000/week - $4000-12,000/month - untaxed on top of your minimum wage.

      Sure it's hard work and nobody actually wants to do it but it's a decent wage.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    32. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      A lot of people don't carry cash anymore in the US.

    33. Re: Still no use for PIN by mark_reh · · Score: 2

      There's a lot of BS in the US. We give tax breaks to big corporations (and rich people) and the public schools and other basic infrastructure suffers. The same corporations don't pay their workers enough to live, so the government gives them food stamps and free medical care. The execs at those corps say they can't find well-educated talent in the US so they want H1B slaves that they can underpay. The US is giving all the money to corporate execs and other rich folks while dumbing down the population to Make America Great Again by having 99.9% of us work dirty, dangerous jobs for next to nothing, while we eat, drink, and breathe every pollutant our factories and power plants can spew.

    34. Re:Still no use for PIN by Anonymous Coward · · Score: 1

      The reason that US creditcard companies don't want to force their users to use pin codes is simple: no one wants to be first.

      The first step is the Payment Card Industry (PCI) mandating that all card readers must accept chips. Magstripe readers stop being accepted in 2025 (or whatever). If you try swiping a card it will simply come back as "declined".

      Once everyone is using chips implement PIN in 2026.

      In most of the world, people have a single creditcard.

      And Americans have about the same, with two-thirds having between zero (30%) and two (33%):

      * https://www.fool.com/credit-cards/2017/08/13/how-many-credit-cards-does-the-average-person-have.aspx

      Some more (+18%) have between 3-4.

      Also remember that some countries also use debit more, but that is also chip-based.

    35. Re:Still no use for PIN by Gavagai80 · · Score: 1

      Companies don't aim for a specific amount of profit and set their prices to achieve that. They aim for maximum profit regardless. If increasing the price of an item would increase profits, they'd have already increased it regardless of fraud.

      Where fraud raises prices is where competition has already driven the price as low as it can profitably go. In such a case, a competitor with less fraud would potentially be able to undercut the others. In every other situation, the fraud eats into profits instead.

      --
      This space intentionally left blank
    36. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      The decline in transactions is what scares off the credit card industries as they benefit from transaction fees from every transaction, even fraudulent ones.

      Sorry, the banks don't make a whole lot on the transactions, the processing networks are the ones taking the fees.

    37. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      Dude, those cows won't tip themselves.

    38. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      Why not set your cards to the same number then?
      If necessary, just with a slight twist related to something on the particular card...?

    39. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      The reason that US creditcard companies don't want to force their users to use pin codes is simple: no one wants to be first. In most of the world, people have a single creditcard. The average American has half a dozen or more. Forcing Americans to remember a Pin just means that a not insignificant percentage of users will simply switch to one of their other cards that's 'less inconvenient' - therefore, nothing changes since none of the card companies want to lose their users to the competition.

      I live in Europe and have several cards. Funnily enough, I have no difficulty remembering several pins.

    40. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      Yes, but they don't typically use a credit card.

    41. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      European here, I have about 5 cards in my wallet at any given time, and I tend not to use cash any more. Every single one of them supports Chip & PIN and Contactless payments.
      The only inconvenience I ever suffer is if a store doesn't accept my "main" card, because it's an Amex, in which case I just use one of the others.

    42. Re:Still no use for PIN by nasor · · Score: 2

      Contrary to the common misconception in the US, the signature was never intended as a security feature. The signature on the back of the card merely indicates that you accept the CC company's terms and conditions; it was never intended to be compared to anything at the point of sale.

    43. Re: Still no use for PIN by hazardPPP · · Score: 3, Insightful

      Tipping is the capitalist way of doing it

      Tipping is the capitalist way of employers screwing their employees, the way it's done in North America.

      If you're paid decently by your employer, and tipping is just icing on the cake, turning a minimum-wage job into a higher-wage job, and that makes you work harder to be extra nice to the customers to earn tips - that's fine. No problem with that.

      If you get a lower minimum wage than everybody else because you get tips, well that's simply being screwed and exploited. Also, if tips are basically mandatory, the restaurant owner is lying to his customers about the price of the food and drinks.

    44. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      No, the signature on the terms and conditions form is to indicate that you accept the terms and conditions. The signature on the card is purely there to compare against a customer's signature at point of sale. It's not great protection against forgers of course - it can help to avoid some amateurish attempts but it's mainly there to stop people from obfuscating their own signatures in case they're planning to later claim that a transaction was made without their knowledge.

      Having said that, a security feature to hinder actual unauthorised transactions is very important, which is why for the last 15 or so years credit cards almost everywhere in the world have required a PIN to use at POS.

    45. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      In Canada, chip and pin is used, but most people use the tap to pay.

      Online however almost nobody uses anything to verify because most online purchases are done with US merchants like Amazon, Steam, Walmart, Disney etc.

    46. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      The most that people can remember is two 4 digit pins or one 6 or 8 digit pin. Though it's less trivial to reverse the pin.

      However banks lock cards after three tries, so having more than three pins means you will be locking your cards frequently.

    47. Re: Still no use for PIN by JaredOfEuropa · · Score: 1

      Dutch banks have you covered there: a couple of them now only require user/pass to log in to your account, with additional 2FA only needed for actual transactions. So an average script kiddie can find the high value targets with ease, after which spear phishing or even more targeted measures become profitable.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    48. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      When I was in the UK. I noticed that most people paying didn't use chip and pin. They used NFC Tap to pay.

    49. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      Here in New Zealand, most people don't carry any cash (nearly all transactions are by card), no one ever tips (that would be demeaning to the staff and imply that they weren't being paid a living wage), shops etc don't like accepting credit cards because of the high fee that the providers charge (EFTPOS cards don't have any such fee), and both EFTPOS and credit cards have always required a PIN.

    50. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      Nope. In many places that PIN is also their ATM PIN. (Or their PIN for opening their voicemail / phone / car door / luggage / etc. OR some combination of their birthday / SSN!!! / phone number / street address / other publicly available info.)

      As such, many don't want to have to type that in too knowing full well that PIN is being used elsewhere and the person behind them may be recording them.

      Or a skimmer may be in place / the clerk is writing them all down somehow / the security cams are being monitored by would be thieves / some other greed induced panic and fear of others taking everything you own in a country famous for doing nothing to actually stop identity fraud.

      Take your pick, in the US greed rules all. Even in this case, it's also the vendors refusing to upgrade to protect consumers due to cost. The only reason the chips are even usable is because Visa and Mastercard said payment processing would be denied or delayed to vendors that refused to implement it. Even then, every vendor in the US only rolled out the absolute minimum required, had no standard for how the UI should work, and in some cases is still non-functional. (I would know. The place I work still only has a magstripe reader.)

      The one thing it isn't is card vendors deciding to not implement it out of fear. They could care less. The whole point was to make it seem like they were doing "something" to combat fraud. As a previous US president would say: "Mission Accomplished." The downside is a lot of people in the US are tech illiterate, and as such they view the only real "protection" as the PIN itself, not the shiny "chip" on the card. If anything they view it as more inconvenience because "it does the same thing as the black bar on the back. Only slower." So as a result that "Mission" backfired, and adoption slowed to a snail's pace as a result of the poor public perception to the "upgrade" giving bean counters the excuse to avoid it at all costs. Even better was the announcement by Visa and MasterCard extending their compliance deadlines. That pretty much set up the playing field for this "story."

      So, how do we fix this? Well getting rid of the "PIN" requirement (as long as the chip is still used) may be one way. Another would be for Visa and MasterCard to demand all card vendors implement it this time without deadline extensions. But to really deal with fraud, the US needs a new identity authentication mechanism. Most USians still believe SSNs are valid authentication tokens. So that will be difficult, but the key aspect is: If they can establish a new identity without physical confirmation, it will be just as good as SSNs. I.e. Worthless. Maybe a national ID backed by a PKI, but that's going to be difficult to implement in a way that people will accept. I.e. Keep the private companies out of it.

    51. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      ... otherwise the people serving you are underpaid.

      US employees must receive $9.25 per hour worked. If tips don't equate to that, the employer is liable. If employees are walking out the door with less money, it's because the government is helping employers to ignore the law. 'Eevil gubbermint' is, alas, very true.

    52. Re:Still no use for PIN by sad_ · · Score: 1

      you know what is more inconvenient than remembering a few pins?

      getting scammed out of your money.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    53. Re:Still no use for PIN by rickb928 · · Score: 2

      Signature has not been required for card-present transactions in the US by American Express since April 13, 2018. This is actually a global policy change for Amex.

      Merchant can, if they wish, require a signature, and some industries tend to. And there may be applicable laws in the US that require a signature for a variety of reasons, though I don't know them well enough to quote or reference here.

      I see many chip (EMV) transactions processed without even a PIN, in the US, a process that uses both fraud analysis, risk shifting, and customer identification to permit many large merchants to dispense with PIN for mostly small transactions. The immense inconvenience of having to enter a PIN for a substantial purchase doesn't seem to be a factor causing unacceptable friction, and fraud is changing in response to the chip introduction in the US, but not necessarily diminishing.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    54. Re:Still no use for PIN by rickb928 · · Score: 1

      'fine'?

      Explain, please.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    55. Re: Still no use for PIN by rickb928 · · Score: 1

      "Chip&pin is final - transactions can't be changed, "

      That's not how it works, or at the gas pump you would have to decide in advance how much to purchase.

      In reality, when you present your card to your server, in a restaurant, they take it back and their POS system requests an approval for the amount of the bill plus an additional percentage, which isn't necessarily standardized. The server returns with receipts, you fill in the desired tip if you care to, the total if you bother, and sign. This signature is useful if there is a dispute over the tip etc, but isn't mandated.

      Usually your tip doesn't exceed that additional amount the approval was requested for, however even if it does, most processors will permit a charge in excess of the approved amount. This may not be permitted for certain merchants or industries, merchants based on past performance, for instance those who incur higher than usual disputes involving excess charges. Industries based on business practices, for instance, Amazon rarely needs to charge you more than calculated at checkout.

      Gas stations regularly request approval for what they expect to be a maximum purchase, which is somewhat dependent on average or prevailing prices, and can range from $50 to $100 today. If gas prices go over $5 per gallon, this can rise to $150 per purchase. These approvals can sometimes cause problems for purchasers, of course.

      But the "transactions can't be changed" claim isn't accurate in many, possibly most, cases.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    56. Re: Still no use for PIN by rickb928 · · Score: 1

      "It's happened to people I know, they put a $5 tip but the server didn't think that was enough, so they wrote in a 1 in front to make it $15. The customers only found out 2 weeks later when they looked at their credit card statement."

      This is more often done by the restaurant owner or management, and is a form of fraud with its own descriptive terminology. Getting caught is an excellent way to be denied payment processing services, which is hard for a restaurant to deal with in the US. Most fail. If an owner denies participation in this fraud, they will be expected to bring charges against staff, and if the business processes are such that proving that is difficult, most payment processors walk away and everyone loses.

      Business owners, factoring and inflation fraud are bad practices, and hurt your employees and customers, if you care... Find another way to cheat, huh? Or go into a business you can succeed at.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    57. Re: Still no use for PIN by Anubis+IV · · Score: 1

      Tipping, as implemented in North America (Canada & the US), is pure bullshit. Hospitality workers are basically forced to rely on tips in order to make a livable wage, in many jurisdictions they specifically get shafted (the law specifies a lower minimum wage for restaurant workers than everyone else). As a result, you are culturally "forced" to tip large amounts even just for average/expected service (15%, or whatever is the local custom), because otherwise the people serving you are underpaid.

      It's even worse than you think, since you've got your facts a little bit wrong, but the way you got them wrong makes your point more strongly. Specifically, while tipped workers can be given a wage below minimum wage, if they don't receive sufficient tips to reach the equivalent of minimum wage, nationwide law requires that their employer supplement their income to reach minimum wage.

      Problem solved, right? We've all been misled about how much of a problem the financial structure around tipping is?

      Well, not quite, because there's something like an 85% non-compliance rate nationwide, with no one really having the means to enforce the law in a meaningful way. Servers who speak up frequently find themselves out of work immediately, whereas an individual enforcement action (as well as a wrongful termination suit, should the server choose to attempt one) can take months or years to reach a resolution, leaving the server high and dry in the meantime.

      As you said, it really is BS.

    58. Re: Still no use for PIN by Anonymous Coward · · Score: 0

      A restaurant manager explained to me that paying tips electronically would attract the right amount of taxes, and that the preferred method of tipping is cash, as restaurants can report fewer tips (as the tax system works on estimates).

    59. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      Well... For someone to successfully attack that they would have to get a copy of a person's card AND have something running on their phone... That would be quite a sophisticated / targeted attack...

    60. Re: Still no use for PIN by aybiss · · Score: 1

      Or, you could just be like the whole rest of the world, where you pump your petrol and then go inside to pay for it.

      --
      It's OK Bender, there's no such thing as 2.
    61. Re:Still no use for PIN by Anonymous Coward · · Score: 0

      Eastern Europe didn't have an entrenched magstripe network, we started from zero and went straight for EMV.

    62. Re: Still no use for PIN by hazardPPP · · Score: 1

      I bet you have no idea what you're talking about.

      I tip, and I criticize people who don't do so in places/contexts it is customary to do so. The same way that I, you know, follow the laws which I think should be changed or stupid, because, well, they're the law.

      Also, comparing saying "you're welcome" to tipping is hardly appropriate in this context.

    63. Re: Still no use for PIN by hazardPPP · · Score: 1

      It's even worse than you think, since you've got your facts a little bit wrong, but the way you got them wrong makes your point more strongly. Specifically, while tipped workers can be given a wage below minimum wage, if they don't receive sufficient tips to reach the equivalent of minimum wage, nationwide law requires that their employer supplement their income to reach minimum wage.

      Problem solved, right? We've all been misled about how much of a problem the financial structure around tipping is?

      I wasn't aware that this was a nationwide law in the US, thanks. Good point.

      What strikes me as the perverse effect of this is that even if there were 100% compliance with this law, it would still be wrong, since tipping would basically improve the restaurant owner's bottom line - you have provided the money the owner would've otherwise had to provide to the employee. In a way, and up to a point (the minimum wage), it's tipping the owner, not the server/cook or whoever the tip is nominally for.

  8. A couple points: by Anonymous Coward · · Score: 2, Interesting

    1. The chip does nothing to crooks from using the card number, type, expiration date and 3 digit code on the back.
    2. Many retailers I use my chip card at don't even use the chip reader functionality in their terminals, taping it off and indicating that the card needs to be swiped instead.
    3. Most retailers never check my sig (even if indicated on the card).
    4. I can run my card as 'credit' and can bypass the pin entry, totally rendering that useless.

  9. Well duh by DrXym · · Score: 2

    The point of chip and pin is that the card's details don't go through the merchant's system at all. Instead the card is authenticated / authorized through a secure device that talks directly to the payment service. All the merchant gets is a token of the transaction. Of course if the merchant stupidly allows cards to be swiped instead then they're just as vulnerable to skimming / hacking / database theft as non chip and pin devices.

    1. Re:Well duh by TheRaven64 · · Score: 3, Interesting

      That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card. This makes it comparatively easy to MITM the transaction. It's a shame that the US waited over 20 years until the EMV protocol had been thoroughly analysed and numerous flaws identified and then deployed it.

      --
      I am TheRaven on Soylent News
    2. Re:Well duh by goose-incarnated · · Score: 2

      That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card.

      That's untrue. The path for the transaction payload is Chip->terminal->merchant->bank->issuer and the payload returns along the same path.

      The chip's payload is encrypted with a key held only by the issuer, and the response is encrypted with the same key. The entities in between (the terminal, the merchant and the bank) have no way of decrypting the chip's payload, nor of encrypting a payload that the chip can decrypt.

      So unless the issuer is compromised there is no MITM attack going on.

      --
      I'm a minority race. Save your vitriol for white people.
    3. Re:Well duh by swillden · · Score: 2

      You're actually both right. EMV isn't a protocol, it's a whole family of protocols, most with their own family of variants. The security of these protocols varies widely.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
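
The disagreement in this sub-thread, whether the issuer authenticates itself back to the card, can be seen in a toy model. This is an added illustration, not code from any poster or from the EMV specifications: HMAC-SHA256 stands in for the cryptogram MAC, and the class names, field names and response codes are assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by card and issuer; not real card data.
CARD_KEY = bytes(range(16))


def mac(key, *parts):
    """8-byte MAC over length-prefixed parts (stand-in for the real MAC)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()[:8]


def request_fields(amount_cents, nonce, atc):
    return (amount_cents.to_bytes(6, "big"), nonce, atc.to_bytes(2, "big"))


class Card:
    def __init__(self, key, verify_issuer):
        self.key = key
        self.verify_issuer = verify_issuer  # the variant under debate
        self.atc = 0                        # transaction counter
        self.last_cryptogram = b""

    def request(self, amount_cents, terminal_nonce):
        self.atc += 1
        fields = request_fields(amount_cents, terminal_nonce, self.atc)
        self.last_cryptogram = mac(self.key, b"REQ", *fields)
        return {"amount": amount_cents, "nonce": terminal_nonce,
                "atc": self.atc, "cryptogram": self.last_cryptogram}

    def accept_response(self, response):
        approved = response["code"] == b"00"
        if not self.verify_issuer:
            return approved  # unidirectional: trusts whatever arrives
        expected = mac(self.key, b"RSP", self.last_cryptogram, response["code"])
        return approved and hmac.compare_digest(expected, response.get("auth", b""))


class Issuer:
    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorize(self, req):
        fields = request_fields(req["amount"], req["nonce"], req["atc"])
        expected = mac(self.key, b"REQ", *fields)
        fresh = req["atc"] > self.last_atc  # rejects replayed requests
        ok = fresh and hmac.compare_digest(expected, req["cryptogram"])
        if ok:
            self.last_atc = req["atc"]
        code = b"00" if ok else b"05"       # assumed codes: approve / decline
        return {"code": code, "auth": mac(self.key, b"RSP", req["cryptogram"], code)}


def inflate_amount(req):
    """Intermediary changes the amount without knowing the key."""
    req["amount"] = 50000
    return req


def forge_approval(_rsp):
    """Intermediary substitutes an approval it cannot authenticate."""
    return {"code": b"00", "auth": bytes(8)}


def run(card_verifies_issuer, tamper_request=None, tamper_response=None):
    """Return (issuer's real decision, whether the card accepts the result)."""
    card = Card(CARD_KEY, card_verifies_issuer)
    issuer = Issuer(CARD_KEY)
    req = card.request(500, os.urandom(4))
    if tamper_request:
        req = tamper_request(dict(req))
    rsp = issuer.authorize(req)
    issuer_code = rsp["code"]
    if tamper_response:
        rsp = tamper_response(dict(rsp))
    return issuer_code, card.accept_response(rsp)


def replay_is_declined():
    card, issuer = Card(CARD_KEY, True), Issuer(CARD_KEY)
    req = card.request(500, os.urandom(4))
    first = issuer.authorize(req)["code"]
    second = issuer.authorize(req)["code"]
    return first == b"00" and second == b"05"


if __name__ == "__main__":
    print("honest:", run(True))
    print("amount altered:", run(True, inflate_amount))
    print("forged approval, card verifies:", run(True, inflate_amount, forge_approval))
    print("forged approval, card does not:", run(False, inflate_amount, forge_approval))
    print("replay declined:", replay_is_declined())
```

In both variants the issuer detects the altered request; only the card that checks the issuer's response MAC also rejects the substituted approval.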
  10. exactly by johnjones · · Score: 1

    all you have to do is exactly what they did in europe and make the retailer liable for the fraud if they swipe

    1. Re:exactly by Rockoon · · Score: 1

      The economics of it is certainly the crux of it, but you are just supporting what the credit card companies want.

      The amount of fraud in dollars is less than the vig the credit card companies are taking. The credit companies are getting several percent of every transaction made with one of their credit cards. Full stop. This is the credit card companies' problem and they would love to have their cake and eat it too. Don't help them. Please stop.

      --
      "His name was James Damore."
    2. Re:exactly by Anonymous Coward · · Score: 0

      Well, his fault was not mentioning the other half of how it was handled in Europe: limiting the transaction fees to 0.5% or below. It's the only reason big retailers in Germany now accept credit cards. Without that, they'd have stuck with money or local bank cards forever.
      Local bank cards because they would only read the bank account number and do a direct debit from the bank account, for free. Only for small amounts as they are 100% liable for any losses themselves AND account holders can reverse transactions with no reason given for at least 6 months.

    3. Re:exactly by DrXym · · Score: 1

      Well certainly some form of carrot and stick stores - use chip & pin / contactless payment and get a meaningful reduction in transaction fees, don't use and get whacked with higher fees and be on the hook for fraud.

    4. Re:exactly by TRRosen · · Score: 1

      They are... That is how it works.

    5. Re:exactly by Anonymous Coward · · Score: 0

      all you have to do is exactly what they did in europe and make the retailer liable for the fraud if they swipe

      They did with the exception of gas stations, they have until 2020 to take chips ..

      If you are a merchant and allow a chipped card to be swiped, you, the merchant are responsible for any fraud. Conversely, if it is a card present transaction using the chip, the bank is still responsible.

    6. Re:exactly by Megane · · Score: 1

      I don't even remember where I was, but I have once encountered a place that had chip-reader gas pumps. Instead of insert/remove, I had to leave the card in for long enough to authorize the transaction, then (I think) remove it before pumping gas. The amount of sale would be determined after you finish pumping, so the chip would just be a less-insecure equivalent of swiping a card to unlock a gas pump with a second transaction to finalize the sale, and not a single transaction.

      It is possible that this was a pilot test site to shake the bugs out of adding chip readers to almost every gas pump in the US. That's going to be a major undertaking, even if it takes "only" five minutes to replace each one.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    7. Re:exactly by rickb928 · · Score: 1

      That's how it works for many processors in the US.

      If a merchant employs EMV terminals they are expected to require customers to dip the card. If the card fails, there is a fallback process. If the merchant doesn't follow that process, they may be held liable for fraudulent transactions due to that failure.

      Fraudsters do try to game the system by convincing cashiers etc to violate that process, in a variety of ways. My debit card was compromised almost 18 months ago at a grocery store, and due to it being keyed in. This should never, ever happen. Defective cards that can't be swiped should be refused, and this was a chip card, a double failure. I never did get a satisfactory explanation, which is really annoying, but I also was not held responsible for the purchase, since my card was used at an impossibly distant store moments before this fraudulent transaction, and my bank covered it. It was shortly after that used at a grocery store in Italy, fraud also. Great stuff.

      Both were failures of process because EMV cards should be dipped. The Italian incident doubly so because it was corporate policy to refuse failed cards.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  11. Pay cash where you can by what+about · · Score: 0

    Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash

    It is safe (no risk of card skimming)

    you are not feeding the bank (2% transaction fee)

    it is private (big brother does not know what you buy)

    Think, big brother loves the plastic card for a reason....

    1. Re:Pay cash where you can by Rockoon · · Score: 1

      plus your drug dealer only accepts cash

      proof by induction

      --
      "His name was James Damore."
    2. Re: Pay cash where you can by iggymanz · · Score: 1

      Nope, thief kills you for your cash, no witness no identification

    3. Re:Pay cash where you can by Bert64 · · Score: 4, Insightful

      Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash

      If a thief knows you have cash he is more likely to rob you, cards are less useful to a thief, especially less organized ones. A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.

      It is safe (no risk of card skimming)

      You instead have the risks of it being lost, stolen or damaged, not to mention forged cash.

      you are not feeding the bank (2% transaction fee)

      Yes you are, businesses pay a lot to banks for the ability to accept cash payments, often more than the transaction fees associated with cards.
      Banks charge businesses fees for processing their cash deposits, which have to be counted by both the bank and the retailer, the cash has to be transported to the bank and will usually require protection while in transit, banks charge retailers for providing large bags of small change, your insurance liability goes up if you have cash on the premises as it's an attractive theft target or could be destroyed in the event of fire or flood etc.

      For the customer, the cost is the same whether paying by cash or card but many cards also offer benefits to the cardholder which they wouldn't get if using cash.

      it is private (big brother does not know what you buy)

      It's private if you're careful, and also don't have explicit surveillance being carried out against you.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Pay cash where you can by DarkOx · · Score: 1

      Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash

      Maybe - I'd love to see some statistics on that. Personally I never carry much cash, and I do carry a pistol. If you try to rob me one or both of us is going to the hospital or the morgue. I am alright with the status quo there.

      It is safe (no risk of card skimming)

      For select definitions of safe. If the attack vector is simple fraud; say they deliberately sell you a broken or defective item and then just disappear you have no recourse. But alright I will grant you this one at least for the case of places with physical buildings, names they want to continue using and printed receipts (although if you lose that and you paid cash; gawd help you).

      you are not feeding the bank (2% transaction fee)

      True but those merchant fees are priced in; retailers would not accept cards unless they had determined by doing so they move product thanks to the ease of transactions and ultimately make more $$$. So when you pay cash you are just padding the big retailer's pockets. I mean maybe you like them better than the banks and that's your call but there is no gain in that for you. In fact it's a loss for you. Unless you have terrible credit and have some card oriented to bad risk people, you almost certainly qualify for "rewards" of some kind even on a no-annual fee card. After all the exclusions and games that can still work out to 1.5% of your purchases back in cash or gift cards etc. Those come out of the merchant fees the banks charge. So when you use cash at a retailer you are basically giving 1% or so to all the people who were smarter than you; used a card, read and understood the rewards programs offered to them.

      it is private (big brother does not know what you buy)

      An argument from twenty years ago.. Now odds are pretty good there are cameras in the parking and your license plate was OCR'ed. If not that then the face recognition has you in the shop. If big brother wants that data they will get it; subpoenas are a thing. If you are concerned about buying things from the inside of some dude's coat on the corner you might have something.

      Think, big brother loves the plastic card for a reason....

      doubtlessly it certainly makes things easier. I think all that talk of a cashless society for a while was driven by that. I don't hear of that (as often); given the other revelations about the NSA, Target corp, etc my conclusion is the PTBs have solved the problem of de-anonymizing cash to the degree they felt it was a problem.

      The reality of 2018 is that most of the concerns about using CCs for pretty much your whole life are concerns you will have with cash too, or simply don't make sense for other reasons given how the world has changed.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Pay cash where you can by DarkOx · · Score: 1

      Another thing I'd like to point out about merchant fees.

      Handling cash is not 'free' from a retailer's perspective either. There is much more possibility for shrink even if it does not involve fraud or theft. Bills stick together etc. If you don't close business out in time to get deposits to the banks; you can lose a day's interest on those deposits. That matters for large operations. You have to pay security people to safely transport cash to the depositing institution; fuel, salary, vehicle maintenance.

      Some businesses are deciding not to accept cash; and there is a reason for that - if they can avoid those associated costs suddenly the CC merchant fees don't look so bad.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:Pay cash where you can by bn-7bc · · Score: 1

      For me handling cash is a hassle (bad eyesight), so I'll take the 2% fee to make my life easier and save time while trying to find the correct amount. (This is mainly due to the fact that both Norway and Sweden, which is where I am 99% of the time, have coins for anything under NOK/SEK 50 (roughly USD 7), so you very quickly end up with lots of loose change.)

    7. Re:Pay cash where you can by bn-7bc · · Score: 1

      Well that might very well be a fact, having no need to deal with drug dealers myself (never needed drugs I can't obtain through legal channels) I can't really comment. But yea if you want to hide illegal activity it seems like a wise policy only to accept cash.

    8. Re: Pay cash where you can by Anonymous Coward · · Score: 0

      I've seen some very small businesses charge a premium for CC purchases, presumably to cover the fees. Not even sure if this is legit, but these are tiny stores who probably don't pay for an armored car or have additional bank fees for handling their deposits.

      But unless a retailer gives you a different price depending on the method of payment, you are paying a price that averages out any extra fees over all sales.

    9. Re: Pay cash where you can by Anonymous Coward · · Score: 0

      Thieves will be even more delighted to steal your gun than the average amount of cash a person carries.

    10. Re:Pay cash where you can by TRRosen · · Score: 1

      Having some cash with you can also save your life if robbed

      Paying with cash will make you a target and get you killed if the robber panics.

    11. Re:Pay cash where you can by TRRosen · · Score: 1

      Handling cash is not 'free' from a retailer's perspective either.

      Actually businesses often have to pay a fee to deposit cash.

    12. Re: Pay cash where you can by what+about · · Score: 1

      Where do you live that an attempted robbery ends up in murder ?

      Yeah, so, a robber ask you politely, do you have any valuable with you ?
      You say no... and magically he just goes away
      You say, here, take this and he kills you

      Always happens

    13. Re:Pay cash where you can by what+about · · Score: 1

      If a thief knows you have cash he is more likely to rob you, cards are less useful to a thief, especially less organized ones. A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.

      What are you imagining, that people go around with cash hanging out of the jacket ?
      Yes, a thief, will check the wallet in your presence and take whatever that is of value.
      If there is nothing to take... he/she may get angry. Happens

      You instead have the risks of it being lost, stolen or damaged, not to mention forged cash.

      You are confused, you use cash to pay, you get it from the bank, it is not forged.

      you are not feeding the bank (2% transaction fee)

      Yes you are, businesses pay a lot to banks for the ability to accept cash payments, often more than the transaction fees associated with cards.
      Banks charge businesses fees for processing their cash deposits, which have to be counted by both the bank and the retailer, the cash has to be transported to the bank and will usually require protection while in transit, banks charge retailers for providing large bags of small change, your insurance liability goes up if you have cash on the premises as it's an attractive theft target or could be destroyed in the event of fire or flood etc.

      For the customer, the cost is the same whether paying by cash or card but many cards also offer benefits to the cardholder which they wouldn't get if using cash.

      You are even more confused, you probably are a shill, paid by the banks.
      All plastic transactions pay to the bank and you will pay even more when cash will be "premium"

      It's private if you're careful, and also don't have explicit surveillance being carried out against you.

      ok, got it, you are just a paid drone.
      It is ok, real people will understand, the others... are just drones

    14. Re: Pay cash where you can by Bert64 · · Score: 1

      Charging extra fees is illegal in some countries, depends where the retailer is based...

      Even if a business isn't taking enough cash to justify an armored car, they still have bank fees and increases risk. The actual reason some small businesses prefer cash is tax evasion, a certain percentage of cash taken by a business will usually just disappear and never make it into the accounting system, but card payments leave a trail which is easily followed by the tax authorities.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:Pay cash where you can by swillden · · Score: 1

      You are even more confused, you probably are a shill, paid by the banks.

      What he said is absolutely true. I once designed a cash management system for a large retailer (a chain of grocery stores), and in the process saw a lot of detail about just what all of this costs. Stores pay banks to have cash delivered to them. Stores pay banks to accept cash deposits. Stores pay employees and managers for a lot of hours that are spent doing nothing but counting and handling cash, including lots of double-checking and oversight to minimize "shrinkage" (the retail term for the rate of theft). And stores lose a lot of money to shrinkage.

      The system I designed used automated counting machines that shrink-wrapped and barcoded blocks of bills, and registered those blocks as a sort of inventory that was tracked. To minimize cash delivery and deposit fees, the retail chain essentially set up its own set of cash "warehouses" and hired their own armored cars to transport cash between them, to make sure that all stores had the cash on hand that they needed to make change and to minimize and centralize deposits. The retailer's finance department was even looking into using the cash inventory as collateral for short-term loans whose proceeds were to be invested to generate a revenue stream from the millions of dollars that were always tied up in cash inventory.

      All of that together was intended to reduce the cost of cash to a level below that of credit card fees, because the aggregate cost of cash handling was actually more costly than credit transaction fees as a percentage of cash/card business, respectively.

      Of course, what the retailer really wanted was to get its customers to switch to using debit cards, which have minuscule transaction fees and none of the cash handling costs. Debit cards are among the worst of all options for consumers, of course, without the anonymity of cash or the liability limitation of credit cards.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    16. Re:Pay cash where you can by Bert64 · · Score: 1

      What are you imagining, that people go around with cash hanging out of the jacket ?

      Thieves can see when you open your wallet to pay for something, they can see if you've received change from a purchase, they can see if you've just used an ATM, they can also stake out the owner of a small business who goes from his store to the bank every day carrying the days takings and coming back with change to hand out in the store.

      Yes, a thief, will check the wallet in your presence and take whatever that is of value.
      If there is nothing to take... he/she may get angry. Happens

      Depends on the crime, many robberies are opportunistic and the thief is looking to get away as quickly as possible (eg pickpockets), they don't have time to check the loot because doing so slows them down and increases the risk of being detected and/or caught.

      You are confused, you use cash to pay, you get it from the bank, it is not forged.

      You usually have to receive change unless you insist on counting out the exact amount every time, or refusing change.

      All plastic transactions pay to the bank and you will pay even more when cash will be "premium"

      If I go into a retailer and buy $10 worth of goods my card is charged $10 or I can pay $10 in cash. The retailer will not let me pay $9 because I used cash, the charge is still $10. Whether the retailer pays a percentage of that $10 to the card processor or the cash handling service is not my concern.

      ok, got it, you are just a paid drone.

      Because I stated that cash is not always private? How does this make me a paid drone?
      Do you always check for CCTV when paying cash? Do you always use different stores where none of the staff will recognise you? do you always avoid using any loyalty schemes? do you always refuse to provide your details for warranties and other services? cash even carries serial numbers on every bill, which can also be tracked...
      Cash is only private if you are extremely careful with your transactions, in many cases there are still ways you can and will be tracked.

      And one further issue which i hadn't thought of before, when travelling i've found the fx rates offered by various cards (especially those geared specifically towards travelling) are much better than you can exchange cash. Also you will typically end up with small change which cannot be exchanged back, and might get a poor rate on any larger bills you have to change back. You're also likely to be unfamiliar with the currency if you've not visited that country both frequently and recently so you are an easy target for fraud (ie fake bills).

      For me to use cash when i travel is usually a lot more expensive than using cards, and far less convenient.

      Yes cards sacrifice some level of privacy for this convenience, but in many cases it's not important and for those few cases where privacy is a concern cash (or crypto) is still an option. If anything, having a stable history the bank can see makes it easier for them to approve loans (which most people need if they ever want to buy any property). Similarly, i couldnt care less if my bank knows i just went to a restaurant, and many people will post such things to facebook telling the whole world about it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    17. Re: Pay cash where you can by iggymanz · · Score: 1

      Chicago

      cooperation irrelevant. people shot or stabbed for money, for car, after rape, etc.

      nice civil world you have there, between your ears

    18. Re: Pay cash where you can by Anonymous Coward · · Score: 0

      Can u tell me which grocery store chain so I can avoid shopping there? I like my data secure thanks.

    19. Re:Pay cash where you can by thegarbz · · Score: 1

      A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.

      I was once casually robbed of my wallet at gunpoint (though I presume finger point but I wasn't prepared for the fight over a few bits of plastic).

      I actually saw that same thief 15 minutes later again and asked if I could have my wallet back and he gave it back and complained to me about the lack of cash in it.

      *Note: This lighthearted story brought to you from the Don't Try This At Home department.

    20. Re: Pay cash where you can by aybiss · · Score: 1

      You should move somewhere (anywhere) else. :-)

      --
      It's OK Bender, there's no such thing as 2.
  12. Meanwhile by Anonymous Coward · · Score: 0

    Meanwhile in the rest of the world, cards with chips have been used for decade(s) and the sky didn't fall there.

  13. Few things by jd · · Score: 1

    First, make the trader liable for problems at their end.

    Second, the U.S. is over a decade behind Europe on this technology, meaning hackers have had ten years to figure out problems. It's the equivalent of running Windows XP or an unpatched Windows 7 on a modern network.

    Third, why the hell is anyone expecting a trader to understand network security? These systems should be proof against even ingenious idiots. Plug it all in and it works, autoconfiguring. No default passwords, no default security holes, just something that works. Are the credit card companies and banks really this incompetent?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Few things by currently_awake · · Score: 1

      Also use a one time challenge response key pair for every single transaction. That makes card skimming worthless. The next level of security is embedding the chip into people to prevent theft.

    2. Re: Few things by Harlequin80 · · Score: 4, Informative

      Only a decade?

      The UK had chip and pin in 2006 when I lived there. Not sure when they rolled it out.

      And in 2014 Australia stopped accepting signatures at all.

      Now though I'm pretty much 100% contactless and done mainly via my phone.

    3. Re: Few things by Anonymous Coward · · Score: 0

      Yeah but that chip and pin has been cracked a couple of times since 2006

    4. Re: Few things by Anonymous Coward · · Score: 0

      EMV has been around since 1996, and Chip and PIN systems have been common since at least 2000 in Germany.
      Even before that, even in the late 80s, Magstripe + PIN was common for ATMs in Germany.

    5. Re:Few things by Anne+Thwacks · · Score: 1
      The next level of security is embedding the chip into people to prevent theft.

      Is people being stolen really a big problem where you live?

      --
      Sent from my ASR33 using ASCII
    6. Re: Few things by Carewolf · · Score: 1

      Only a decade?

      The UK had chip and pin in 2006 when I lived there. Not sure when they rolled it out.

      And in 2014 Australia stopped accepting signatures at all.

      Now though I'm pretty much 100% contactless and done mainly via my phone.

      I got my first chip and pin in 1997 when I turned 18, it had been around for years before then.

    7. Re: Few things by Harlequin80 · · Score: 1

      Magstripe and pin was what I grew up with as a kid in the 80s. We also always had the option of choosing the account at the terminal, CHQ/SAV/CRD are the three options. 3 accounts on 1 card.

    8. Re:Few things by Anonymous Coward · · Score: 0

      APK could solve all of these problems with his hosts file engine. If only the card companies would bow to him and hand him the reins of their entire operations.

      Let APK run things. He will show us all the way.

      ALL HAIL APK!

    9. Re: Few things by thegarbz · · Score: 1

      And in 2014 Australia stopped accepting signatures at all.

      Australia stopped accepting signatures long before then on any card with a pin configured. Australia legally mandated that signatures no longer be accepted in 2014.

    10. Re: Few things by Anonymous Coward · · Score: 0

      France has had chip+pin on cards since 1990 (but it's the country where the chip for cards was developed).
      Since then, the use ramped up until 2003 where it was the first means of payment and still is.
      Two factors help the chip+pin combination here.
      - This technical solution was developed by French people and companies.
      - The banks did not bicker among themselves and adopted a common standard (with "a bit" of political incentive)

      We even had prepaid phone cards on chip (mostly simple EPROM) from the mid-80s.

      And until 200-2005, the USA told everyone that they did not want smart cards because it was ... (whatever excuse) with a good dose of French bashing along the way.
      And after a hostile takeover (with CIA involved)
      http://www.constantinereport.com/gemplus-is-now-gemalto/
      https://steemit.com/macronleaks/@rebelskum/macronleaks-uncensored-the-cia-takeover-of-smart-card-company-gemplus-gemalto

      Smart cards were now the alpha and omega of security (since it was also their technology now #meetoo ^^ ), and no other options would be accepted.

  14. Duh ... by CptJeanLuc · · Score: 3, Informative

    If the majority of the cards have a chip, then the majority of fraud cases will be cards with chip. The point of moving from a magnetic strip to a chip, is that others cannot gain access to your card simply by swiping it. After chip conversion, that vector of attack is mostly gone, and criminals move on to other methods. For which cards with chip are just as good/bad as any other card.

    1. Re:Duh ... by thegarbz · · Score: 1

      The point of moving from a magnetic strip to a chip, is that others cannot gain access to your card simply by swiping it.

      This is something that works well with chip+pin, not so well if you don't actually have any "something you know" method of securing the transaction.

    2. Re:Duh ... by Anonymous Coward · · Score: 0

      While this answer is logical the article states that the magnetic stripe of EMV cards is used fraudulently. If there is such a stupid fallback then there is no reason at all to whine about EMV.

  15. many merchants are failing to properly configure t by Anonymous Coward · · Score: 0

    Well there's your problem.
    If you rely on the merchant you have already lost. That is not the fault of the chip.

  16. If US credit card companies ran IT... by thegarbz · · Score: 1

    Let's apply the same design to securing our IT:

    - Secure Boot enabled, locked down and unable to be changed.
    - Fully encrypted HDDs with decryption tied to user authentication.
    - Tamper proof case, encryption keys destroy themselves if the computer is opened.

    - No password.

    I was mocking the USA when they decided to 40 years late adopt Chip+Pin, a technology which caused credit card fraud to plummet in the rest of the world... and then they only adopted half of the technology.

    1. Re:If US credit card companies ran IT... by Anonymous Coward · · Score: 0

      No password is fine (if you also had remote wipe in case of theft), it means you can rely on physical security.
      The problem is they also have
      - An easily replaceable USB stick that contains a complete unencrypted backup
      (aka magstripe)
      Or in case of NFC-enabled cards
      - A wifi access point that provides a webserver that allows to access your files, protected only by 3 digits that are on the underside of the laptop

  17. EMV & 'contactloos betalen' by anonieuweling · · Score: 1

    As this EMV technology (protocol) is also used by ING bank (and perhaps others) for their implementations of contactless payments ('contactloos betalen') I wonder what implications this article brings to ING's case.
    Anybody who can share their insights here?

  18. Thank God they still demand my "signature" by mark_reh · · Score: 1

    on purchases at most stores! I'd hate to think that my financial security was entrusted solely to a chip in a credit card.

  19. Chip cards aren't meant to prevent breaches by bongk · · Score: 5, Interesting

    There's a lot of misinformation here.

    Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether it's EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.

    Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.

    The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.

    1. Re:Chip cards aren't meant to prevent breaches by Anonymice · · Score: 1

      For card-not-present transactions (online and e-commerce) EMV makes no difference at all.

      Not quite. If I try to pay anything online with one of my UK cards, after passing my card details to the merchant, a token is used to forward me to my bank, where I have to confirm 3 letters of my pin & 4 letters of my online banking password. I then get returned to the merchant once the payment's been authorised.

      Fine, that system's completely independent of my card, however it's only possible because the bank's been able to force me to set two separate passwords for authentication.

    2. Re:Chip cards aren't meant to prevent breaches by Anonymous Coward · · Score: 0

      Chip cards do one thing.

      Chip cards do two things. They also keep people from using your card unless you tell them your password. They also seem a bit more durable and reliable (debatable if card or reader). So now they are doing three things.

    3. Re: Chip cards aren't meant to prevent breaches by ljw1004 · · Score: 1

      I thought the only 'one thing' that chip was meant to do, is provide a smokescreen justification for the credit companies to change their default assumption of blame from "the fraud wasn't your fault" to "the fraud was your fault".

  20. The industry knew it would take time by alphad0g · · Score: 2

    This is really no different than when EMV rolled out elsewhere, except hackers have more access to the interconnectedness of things.

    EMV in EU also rolled out with loose rules to start - merchants want cards to work - so fall back to mag stripe was allowed, and the bad guys figured out they could smash the chip on a stolen or cloned card. When fallback was removed, fraud went away.

    The USA is also a different beast. Besides having to upgrade older infrastructure, the problem of customers with multiple cards having to remember multiple pins has to be solved. But keep in mind, if mag stripe fall back is removed, most of the fraud goes away. No one has yet to clone the chip, and if the EMV data is protected properly, there should not be enough information to use online (card not present).

    PIN protects against card theft. Removing Mag stripe function protects against cloned cards - where most of the fraud is. It took EU time to get everything right, it will take USA time too.

    1. Re:The industry knew it would take time by rl117 · · Score: 2

      Agreed to a point. But they could have gone straight to chip+pin rather than the chip+signature setup which is almost pointless. When the rest of the whole world nearly is using chip+pin for nearly two decades now, it seems a bit odd to not use it. And regarding the magstripe fallback, has a date been set to drop it yet? If it was withdrawn from use and on new cards starting 2020, that would significantly curtail fraud.

    2. Re:The industry knew it would take time by rastos1 · · Score: 1

      the problem of customers with multiple cards having to remember multiple pins has to be solved.

      Don't people use the same password everywhere?

  21. Re:good news for us momless unchosens.. by Applehu+Akbar · · Score: 1

    Hypenosis! Now that's a word that ought to exist.

  22. Chips are a joke by sdinfoserv · · Score: 1

    I've had to have all my cards replaced at least once in the past year due to failed chips. Additionally, all merchants take cards without chips anyway, so what's the point?

    1. Re:Chips are a joke by Anonymous Coward · · Score: 0

      Swiping is a lot faster. Lots of vendors still use swiping. Car washes, gas stations etc..

    2. Re:Chips are a joke by caseih · · Score: 1

      Have had chips in the cards for about 10 years here in Canada and haven't ever had a chip fail. Granted cards are usually only good for 3 to 5 years and then they are re-issued with a new expiry date. But certainly I know of very few chip failures among.

      But you make a good point. There's little incentive for card holders to want chips in their cards. Especially when a lot of commerce is done online and the chip and pin doesn't even enter into it.

    3. Re:Chips are a joke by Anonymous Coward · · Score: 0

      Contactless is even faster. In Australia contactless doesn't even require a PIN if it's under $100.

    4. Re:Chips are a joke by Anonymous Coward · · Score: 0

      I've had to have all my cards replaced at least once in the past year due to failed chips.

      Yes, and I've *never* had any of my multiple chip cards fail in the last 10 years. Or had any of the people I know report any failures. Maybe you're sticking your cards in your back pocket and sitting on them?

  23. US could have chip-and-PIN like everybody else by Applehu+Akbar · · Score: 1

    When I visited New Zealand I marveled at how easily the metric system had pervaded everyday life. Although the UK formally switched to metric in 1965, it is still in the process of slowly seeping through popular culture. The general public still travels in miles, quotes Fahrenheit temperatures, and weighs people not even in imperial but in the Neolithic unit that preceded it. In the US, the public attitude is that if some little snowflake somewhere would be offended by switching over, we can't even contemplate doing it.

    When I asked the Kiwis how difficult the transition had been, they replied: the government just named a date, there was a certain amount of grousing, but we all just did it out of a general sense that the time had come.

    So sorry, world, but the financial system will be leaking bank fraud through American mag stripes and signatures for all time to come.

    1. Re:US could have chip-and-PIN like everybody else by guruevi · · Score: 1

      Yet across the world credit card fraud has been increasing, not decreasing, pretty much at the same rate.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:US could have chip-and-PIN like everybody else by Anonymice · · Score: 1

      Although the UK formally switched to metric in 1965, it is still in the process of slowly seeping through popular culture. The general public still travels in miles, quotes Fahrenheit temperatures, and weighs people not even in imperial but in the Neolithic unit that preceded it.

      That's not even half true. Sure, it's still a messy mix, however there are very few things we still use imperial for, and it's mostly the baby boomer generation. Our schools started the transition as far back as 1968, however it wasn't until 1988 that the National Curriculum forced all schools to conform.

      For those over 60, Centigrade is the only Metric (SI) measurement they use - not even my grandparents use Fahrenheit. For human weight, they also use Stones (14lbs).

      For everyone under 60, it's mostly SI Metric.

      Imperial

      • Miles: Long distances & speed
      • Pints: Beer & Milk
      • Gallons: Petrol
      • Pounds & Stones: Used only by those over 60

      Metric

      • Metres: Distances below a mile & speeds below 1MPH, except those over 60
      • Kilograms: Except those over 60
      • Litres: Except beer & milk
      • Centigrade: Everyone!
    3. Re:US could have chip-and-PIN like everybody else by freeze128 · · Score: 1

      That's not how the US works.

      I remember when I was in grade school (in the 1970's), there was a government plan to switch to metric. It was taught in our schools, but companies were not behind it. The whole "snowflakes being offended" craze is something that has grown in popularity in the last 20 years, so that's not the reason.

      The reason is MONEY.

      How many speed limit signs would need to be changed to kilometers/hour? How many bridge height signs need to be changed to meters? How many truck weigh stations would need to be converted to metric tonnes? This will cost money, and requires more TAXES from people. People don't want to pay more in taxes, so they vote to stop this. It has nothing to do with snowflakes being offended.

    4. Re:US could have chip-and-PIN like everybody else by Applehu+Akbar · · Score: 1

      My last visit was 2014, in Cumbria and Yorkshire. Okay, these counties may be the UK equivalent of Oregon and Tennessee, but despite official metrication the popular culture still seemed to be stuck on imperial.

    5. Re:US could have chip-and-PIN like everybody else by Applehu+Akbar · · Score: 1

      Finishing the job on metrication (we did get started, remember, leaving some industries metric and the rest imperial) wouldn't be that difficult. Because the beverage industry was one of the switchers, everyone is now intuitive about volumes in liters, and can think about how easier life would be without the dumpster fire that is imperial volume measure.

      For road signs, have the prisoners start making metric stickers to go on existing signs next to - not over - the imperial units, acquainting people with metric distances and load weights. New signs would be metric only. Now the kilometers on your speedometer will start to have everyday meaning.

    6. Re:US could have chip-and-PIN like everybody else by Paul+Carver · · Score: 1

      America uses metric. I'm drinking a 500ml bottle of soda right now in America. I'd be hard pressed to find anything in my kitchen that doesn't have metric units on it.

      Granted, some of the containers have a decimal in the metric measurement. Is that the definition of "not using metric" if the thing is marked with both an integer number of imperial units and a decimal number of metric units?

      We do use 20 feet and 40 feet as the standard lengths of our intermodal shipping containers and 8x4 feet as the standard dimensions of our plywood, so if having a decimal in the metric measurement means it's "not metric" then those aren't. I'm curious, what size do metric countries use? I imagine there must be some significant cost overhead to international trade between the US and countries that use metric sized shipping containers and building materials.

      BTW, if you measure temperature in anything other than Kelvin, don't even bother talking to me. Seriously, what's so special about the freezing point of water? It gets colder than that around here frequently. If you haven't figured out that zero means none, as in no molecular motion at all, then you're probably not worth talking to.

      And don't even get me started on the morons who use the nonsensical 60-60-24-7 system of units or the cognitive dissonance in anybody who says a kilogram is a base unit but a kilometer is 1000 times a base unit.

    7. Re:US could have chip-and-PIN like everybody else by Anonymous Coward · · Score: 0

      20ft and 40ft are the size of ISO containers because the US Navy invented them. The shipping industry refers to TEU's, which stands for 20ft-equivalent. A 40ft container is 2TEUs.

      A standard sheet of plywood or gyprock/plasterboard/drywall is 1200x2400, which is slightly smaller than 8'x4'. From what I've been able to deduce, building materials and designs seem to work on multiples of 300.

      As for temperatures, Celsius is used because the scale is easier for humans to understand (273.15K vs 0C is freezing, 293.15K vs 20C is a nice day, 313.15K vs 40C is very hot) and most of the metric system revolves around water as well: 1 millilitre of water occupies 1 cubic centimetre and weighs 1 gramme. Water freezes at 0C and boils at 100C. 1 litre of water weighs 1 kilogramme. 1 cubic metre of water weighs 1 tonne and contains 1 kilolitre.

    8. Re:US could have chip-and-PIN like everybody else by Anonymous Coward · · Score: 0

      Although the UK formally switched to metric in 1965, it is still in the process of slowly seeping through popular culture. The general public still travels in miles, quotes Fahrenheit temperatures, and weighs people not even in imperial but in the Neolithic unit that preceded it.

      Miles: Pretty much true, all road signs still in miles/mph so this won't change.
      Fahrenheit: Disagree. Weather forecasts for many years, plus almost everyone I know under 60 (e.g me, 55) uses Celsius. I wouldn't really know what 50F feels like.
      People weights: Mostly true, but metric probably more common for other weights.

  24. WTF? You a moron? by Anonymous Coward · · Score: 0

    The thief steals. Not murders. Murderers murder. And they get chased, unlike "petty thieves", so thieves don't kill their marks, just threaten to and take the money.

    Fucking snowflake idiot...

  25. Doesn't help online fraud by Anonymous Coward · · Score: 0

    Chips are only effective when you're buying in person at retail brick and mortar stores. Much of the fraud occurs from hackers getting into online merchants' stored information for customers. Also I have seen many merchants fail to properly use chip authentication because they have been unwilling to install new transaction hardware.

  26. No sh@#$ by Anonymous Coward · · Score: 0

    As so many others have said, instead of chip and PIN we have "Smile and Sign" - actually we don't even have that - since chip cards are so much more "secure" many retailers process transactions of $200 with no signature required! Brain dead idiots - I really don't mind you reading my card while I have to enter a PIN, honest I don't.

  27. There is difference having the chip and using the by Anonymous Coward · · Score: 0

    I keep reading stories about U. S. shops lacking the necessary chip-n-PIN reading terminals, forcing shoppers to default back to that awfully archaic magnetic strip technology from 1955.

  28. The chip-based cards have not failed... by QuietLagoon · · Score: 1

    ...many merchants are failing to properly configure their systems

    Those humans who tried unsuccessfully to implement the chip-based cards have failed. Human error, who would have ever thought that to be a cause of failure?

  29. What about smartphone payments? by Anonymous Coward · · Score: 0

    The security rationale behind smartphone payments is that the transaction is done with a temporary card, and your real card is never exposed to the retailer. The counter-argument is that theft and hacking of phones is common enough to negate this benefit. Is anyone studying whether phones are the safer option now?

  30. Slow but getting there by nehumanuscrede · · Score: 1

    My first CC to incorporate a chip was compromised in less than a week. The wait staff ( my best guess due to its limited use based on the length of time I had it ) simply copied the name, CC numbers and security code and voila, they have everything they need to make an online purchase or provide to a third party who is paying them to collect such things due to their access to so many.

    I was somewhat puzzled when the transaction alert hit the phone that I had just paid for dinner for four to go about 1600 miles away :|
    ( People are awfully ballsy with many banks moving to the ability to instantly send text alerts for any purchases for any amount made from any of your accounts )

    Called the bank a moment later to let them know the card was compromised.
    ( Dunno if the folks who used my card got to enjoy their dinner or not )

    They marked the transaction as such, invalidated the card and sent me a new one within forty eight hours.
    ( I keep one other CC in the safe for exactly this reason. If one is compromised, I can easily switch to the other. )

    As time has gone by, the bank knows what my typical purchases look like. When an oddball one shows up ( say an overseas one or out of State ) they block it by default. I have to call them up, validate who I am and authorize the unblock so the charge can go through.

    My best guess for the delay in chip + pin is the cost of implementing the system due to the sheer scale of the US CC market. From what I've read, the estimated cost to shift over to the chip + pin tech will be somewhere in the vicinity of $8-10B USD and end retailers, banks and CC folks like Visa and Mastercard are fighting over who is going to foot the bill. ( The US has somewhere North of ~1B Credit Cards in circulation )

    We may get there one day . . . . lol

    1. Re: Slow but getting there by Anonymous Coward · · Score: 0

      The real reason is that, while there are pouches of cleverness, the average American is among the stupidest in the world as averages go.

      Having traveled the whole world and having the data to compare one sees how mind-blowingly stupid Americans are, not only in general knowledge but even in day-to-day living.

  31. An anecdote but proves my point by Anonymous Coward · · Score: 0

    I had a credit card get punched back in the late 1980's. Someone was trying to buy airline tickets in London and it got blocked.

    After that I never had a problem with the card which was re-issued. Was using the same card up until 2014 when I was forced to get a "New" more protected chip card. Shortly after the very first use of the chip card I got a call that someone was trying to buy a computer.
    Now 4 years later the same thing happened again.

    27 years of no problems without the chip... now 2 problems in 4 years with the chip.
    Have gone to using apple pay with my new phone. Hope that helps a bit, but too many vendors don't use apple pay still.

  32. An Anecdote by Wild_dog! · · Score: 1

    I had a credit card get punched back in the late 1980's. Someone was trying to buy airline tickets in London and it got blocked.

    After that I never had a problem with the card which was re-issued. Was using the same card up until 2014 when I was forced to get a "New" more protected chip card. Shortly after the very first use of the chip card I got a call that someone was trying to buy a computer.
    Now 4 years later the same thing happened again.

    27 years of no problems without the chip... now 2 problems in 4 years with the chip.
    Have gone to using apple pay with my new phone. Hope that helps a bit, but too many vendors don't use apple pay still.

  33. Anonymous PCI ISA Coward by Anonymous Coward · · Score: 0

    "EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal."

    This is not how EMV works. This channel is not and was not intended to be encrypted by design.. EMV is about authentication, not encryption.

    For encryption at the POI, look to validated P2PE.

  34. Which is why I don't.. by Rick+Schumann · · Score: 1

    ..use plastic any more than absolutely necessary, and use cash and checks as often as possible.

    Several years ago a breach of a payment system hit locations I used to use plastic at. Prior to that I had my eye on the news, week after week, of escalating rates of breaches of payment and data systems. Luckily for me none of my accounts or identity information was affected by the payment system breach at places I then frequented, but it was clear that no merchant or payment system provider was capable of safeguarding me and my accounts, therefore I had to take matters into my own hands, instituting an aggressive program of paying cash whenever possible, using plastic only when I have no other choice, and writing checks when possible.

    The Equifax breach just cemented my opinion: if a company that large and important to our financial infrastructure can't even secure their systems against criminal activities, then perhaps nobody can. I continue to use cash for everything possible, and continue to look for ways to stop using electronic payment systems entirely.

    I have and will continue to urge people who care about protecting themselves and their accounts to wean themselves off using plastic as soon and as much as possible, until the day comes that the financial sector can effectively secure them against criminal intrusion.

  35. Signature not required by mapinguari · · Score: 1

    It appears that none of the major cards are requiring signatures any more:
    https://www.creditcards.com/cr...

    So instead of Chip+Signature, it's just Chip vs. Chip+PIN.

  36. Chip cards aren't meant to prevent breaches by Anonymous Coward · · Score: 0

    There's a lot of misinformation here.

    Chip cards aren't meant to prevent card breaches. They are meant to move the responsibility from the bank to the client. In case of fraud they can prove the client is at fault because there are no cloned chip-cards.

    Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.

    The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.

  37. Some accurate information by robindch · · Score: 1

    The article summary is dreadfully inaccurate and most of the comments are likewise inaccurate.

    EMV does not support end-to-end card to issuer, or issuer to card encryption. The PCI data security standards (separate to EMV) do provide for point to point encryption, but that's not end to end encryption. EMV does nothing to ensure that "card data cannot be captured" (actually, it's quite easy to capture it; even the PIN can be transmitted in the clear in certain simple card configurations; more complex card configs use enciphered PINs). EMV does support three security levels (SDA, DDA, CDA) and only with SDA is it possible to clone publicly-accessible card data onto another card. Cards supporting DDA and CDA (SDA is deprecated in many countries outside the US) require more terminal processing and the data on the card cannot be cloned to another card.

    EMV does provide what's effectively a DES-based transaction hash using a card-unique key which the card generates (to hash the transaction details) and which the terminal then sends to the cardholder bank which first tries to authenticate the hash, before checking if the rest of the transaction is good to go. And if all's good, the cardholder bank then generates a response hash which authenticates the transaction response back to the card. That stops man-in-the-middle attacks. Cards also use a sequential transaction serial number (ATC) to stop replay attacks. The card's unique key used to hash request and response data cannot be accessed and is one of three different keys used to hash different classes of request and response data.

    There's a lot more there and most of it is publicly available from books one to four of the EMV standards, freely available from http://www.emvco.com/
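
The request hash, response hash and ATC replay check described in the comment above, as an added example that is not part of the original post or the EMV specification's own code. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for EMV's DES-based MAC, one key is modelled instead of three, and all names, message layouts and values are hypothetical.

```python
import hashlib
import hmac

def _mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for EMV's DES-based MAC: HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def request_hash(card_key: bytes, atc: int, details: bytes) -> bytes:
    # The ATC is covered by the hash, so a captured request cannot be renumbered.
    return _mac(card_key, b"REQ" + atc.to_bytes(2, "big") + details)

def response_hash(card_key: bytes, request: bytes, verdict: bytes) -> bytes:
    # Bound to the request hash, so a response cannot be moved to another transaction.
    return _mac(card_key, b"RSP" + request + verdict)

class Card:
    def __init__(self, key: bytes):
        self._key, self.atc = key, 0

    def sign(self, details: bytes):
        self.atc += 1  # sequential transaction counter
        return self.atc, request_hash(self._key, self.atc, details)

    def accept(self, request: bytes, verdict: bytes, resp: bytes) -> bool:
        return hmac.compare_digest(response_hash(self._key, request, verdict), resp)

class Issuer:
    def __init__(self, keys: dict):
        self._keys, self._last_atc = keys, {}

    def authorize(self, card_id: str, atc: int, details: bytes, request: bytes):
        key = self._keys.get(card_id)
        if key is None or not hmac.compare_digest(request_hash(key, atc, details), request):
            return "DECLINE_BAD_HASH", None
        if atc <= self._last_atc.get(card_id, 0):  # counter already seen: replay
            return "DECLINE_REPLAY", None
        self._last_atc[card_id] = atc
        return "APPROVE", response_hash(key, request, b"APPROVE")

def demo():
    key = bytes(range(16))  # constructed key, not a real card key
    card, issuer = Card(key), Issuer({"CARD-A": key})
    details = b"amount=12.50;merchant=EXAMPLE"  # constructed transaction
    atc, req = card.sign(details)
    first = issuer.authorize("CARD-A", atc, details, req)
    replay = issuer.authorize("CARD-A", atc, details, req)
    tampered = issuer.authorize("CARD-A", atc, b"amount=999.00;merchant=EXAMPLE", req)
    return first[0], card.accept(req, b"APPROVE", first[1]), replay[0], tampered[0]
```

The issuer checks the hash before the counter, so a forged message cannot advance the stored ATC for a genuine card.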

  38. The US is in favor of people, not bank by davecb · · Score: 1

    Signatures allow me to say "I didn't sign this", not "I did". It's to protect us from banks. Chip and pin has been broken since 2010. For example, see https://www.lightbluetouchpape... Banks in the UK successfully scammed the courts for years with chip-and-pin, claiming that it was poor user security that allowed all frauds.

    --
    davecb@spamcop.net

  39. Well Duh... by Anonymous Coward · · Score: 0

    Let's think about this, in the US banks/payment processors/etc were so brilliant as not to include PIN numbers in the technology, and they don't let consumers disable the mag stripe. So what are you expecting? Additionally, we still put the signature next to the card itself (signature strip), of course this was going to happen.

    If they want to fix it, then we need to consider:

    1. At restaurants payment processing at the table - similar to Europe
    2. Implement PIN numbers
    3. Require consumers request mag stripe cards, by default ship without imprint and mag stripe.
    4. Allow consumers to do chip-pin at home (basically enable card authentication for payments online), or do something similar with mobile phones.
    5. Allow consumers to use 2FA for verification for certain transactions - doesn't work for all environments - but for those that it doesn't like would be limited

  40. Lies, Damned Lies, and Statistics? by Dahan · · Score: 1

    So "Gemini Advisory" says card fraud is up, huh? But Visa says that fraud is down. Who's right? I don't know, and don't feel like looking into the details of both reports. It's likely that both are right, and they're talking about different types of fraud. My understanding is that overall, fraud is down significantly, but some types of fraud are up, such as card skimming at gas pumps (since the chip conversion deadline for those is still in the future and very few of them support chips right now.)

  41. Stop Lying! by backslashdot · · Score: 1

    OK it's pure BS that anyone claimed it would end fraud. How can you jerks start off an article with a fat juicy lie like that? Nobody would have claimed something like that! Reduce fraud yes, but nobody would have claimed it would end it!

  42. They were never intended to... by Anonymous Coward · · Score: 0

    ...stop fraud, their purpose is to place the blame on the cardholders instead of the banks and credit card companies.

  43. Too soon to make this call. by sabbede · · Score: 1

    There are two gas station/convenience stores near my house that we regularly use. They have only had their chip readers activated within the last quarter. So, for most of the 12 months discussed in the article, anyone could have used a fake card at either location.

    Give it another 12 months before getting judgy about whether or not chip & PIN is making a difference.

  44. Issue is chip standard chosen (and monopolies) by Anonymous Coward · · Score: 0

    Visa spent years defining the standard. Because our commercial card processing network is provided by a monopoly, they never considered compatibility with PCs or the reality that the majority of commerce now occurs over the internet. Even if you have a card reader on your computer, your computer likely does not know what to do with a credit card. If they had chosen FIPS-140 for their standard, computers everywhere would have been instantly compatible and we could use our cards over the web. Currently over half of all commerce can't take advantage of the chip. Visa created this situation through their own monopolistic myopia. Visa's solution requires a $50 adapter in order to work with a cell phone (squareup.com). They could easily have engineered a card that would have worked with a cell phone directly, they just didn't consider it because it had nothing to do with their network.

  45. Re:There is difference having the chip and using t by Megane · · Score: 1

    There are plenty of terminals, it's just that 5% or so of them have tape over the chip slot or a note to swipe the stripe (though without such catchy wording). If there is fraud when the chip is not used, the cost is now on the business, but if they think it's not bad enough, there is still nothing to force them to make the chip slot work, 3 1/2 years later.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }