Slashdot Mirror
Credit Card Chips Have Failed to Halt Fraud (So Far) (fortune.com)
An anonymous reader quotes Fortune:
New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...
In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data steam, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.
In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data steam, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.
The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
It's because the credit card companies don't want to pay for fraud. Right now they've gamed it so merchants pay for credit card fraud (merchant loses the merchandise, and the payment gets reversed). Chip + PIN basically makes it impossible for the merchant to be at fault in case of fraud, meaning either the cardholder or credit card company has to pay for fraud. So they gimped the chip in the U.S. by making it chip + sign, meaning it's still the merchant's responsibility to check the signature with the one on the card. And if they forget (or in the case of online orders, can't) and it turns out to be a fraudulent charge, the merchant has to pay for it.
(And if you're one of those people who've been duped into thinking the high interest rates pay for fraud, no they don't. They pay for cardholders who are delinquent on payments.)
If the majority of the cards have a chip, then the majority of fraud cases will be cards with chip. The point of moving from a magnetic strip to a chip, is that others cannot gain access to your card simply by swiping it. After chip conversion, that vector of attack is mostly gone, and criminals move on to other methods. For which cards with chip are just as good/bad as any other card.
Only a decade?
The uk had chip and pin in 2006 when i lived there. Not sure when they rolled it out out.
And in 2014 australia stopped accepting signatures at all.
Now though im pretty much 100% contactless and done mainly via my phone.
As a merchant it is even worse. After you have lost your merchandise and the payment is reversed we also need to pay a fine to the credit card company.
Checking signatures is worthless anyway, real peoples signatures never look exactly the same whereas a criminal can easily copy what he sees on the back of the card, or in the case of cloning the cards he can just sign the cloned card himself and thats what the merchant will compare against.
At least with a pin, the pin is either correct or not, and not displayed on the card itself.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
You can't clone the cards and use them in online transactions. They are skimming the cards and using them for online transactions, most likely. Though the chip does generate a new CVV when used with the chip. If you run the magnetic stripe through, you get the real CVV which can be used online. Also there are tons of restaurants, fast food joints, gas stations, and banks that still use the magnetic stripe instead of the chip.
Strictly speaking - not defending this practice, just explaining it - merchants should decline to take your card if you've done this, per their agreement with the card issuers. The signature is there as a promise to pay, not as a means of identification. Yes, this is stupid. A better practice is the banks that allow you to put your picture on the card.
Help save the critically endangered Blue Iguana