Credit Card Chips Have Failed to Halt Fraud (So Far) (fortune.com)
An anonymous reader quotes Fortune:
New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...
In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.
The chip prevents someone from skimming the information on the magnetic strip, and reusing that to pay for stuff. Of course someone can steal your credit card details, which are conveniently embossed right on the card for anyone to see.
...except, this was not about online purchases.
Swing and a miss there, Champ.
Without a PIN, and without a chip reader for online purchases the whole exercise has been a waste of time.
The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
So, in 2018, one of the biggest economies, most technologically advanced country in the world still cannot use a 40 year old technology to authenticate a payment? I know it might not be 100% failproof, but still... Even countries in Eastern Europe manage to do that...
And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in local country. So we get our cards cloned, and then used in the US!
1. The chip does nothing to stop crooks from using the card number, type, expiration date and 3 digit code on the back.
2. Many retailers I use my chip card at don't even use the chip reader functionality in their terminals, taping it off and indicating that the card needs to be swiped instead.
3. Most retailers never check my sig (even if indicated on the card).
4. I can run my card as 'credit' and can bypass the pin entry, totally rendering that useless.
The point of chip and pin is that the card's details don't go through the merchant's system at all. Instead the card is authenticated / authorized through a secure device that talks directly to the payment service. All the merchant gets is a token of the transaction. Of course if the merchant stupidly allows cards to be swiped instead then they're just as vulnerable to skimming / hacking / database theft as non chip and pin devices.
all you have to do is exactly what they did in europe and make the retailer liable for the fraud if they swipe
First, make the trader liable for problems at their end.
Second, the U.S. is over a decade behind Europe on this technology, meaning hackers have had ten years to figure out problems. It's the equivalent of running Windows XP or an unpatched Windows 7 on a modern network.
Third, why the hell is anyone expecting a trader to understand network security? These systems should be proof against even ingenious idiots. Plug it all in and it works, autoconfiguring. No default passwords, no default security holes, just something that works. Are the credit card companies and banks really this incompetent?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If the majority of the cards have a chip, then the majority of fraud cases will be cards with chip. The point of moving from a magnetic strip to a chip, is that others cannot gain access to your card simply by swiping it. After chip conversion, that vector of attack is mostly gone, and criminals move on to other methods. For which cards with chip are just as good/bad as any other card.
plus your drug dealer only accepts cash
proof by induction
"His name was James Damore."
Let's apply the same design to securing our IT:
- Secure Boot enabled, locked down and unable to be changed.
- Fully encrypted HDDs with decryption tied to user authentication.
- Tamper proof case, encryption keys destroy themselves if the computer is opened.
- No password.
I was mocking the USA when they decided to 40 years late adopt Chip+Pin, a technology which caused credit card fraud to plummet in the rest of the world... and then they only adopted half of the technology.
As this EMV technology (protocol) is also used by ING bank (and perhaps others) for their implementations of contactless payments ('contactloos betalen') I wonder what implications this article brings to ING's case.
Anybody who can share their insights here?
Checking signatures is worthless anyway, real people's signatures never look exactly the same whereas a criminal can easily copy what he sees on the back of the card, or in the case of cloning the cards he can just sign the cloned card himself and that's what the merchant will compare against.
At least with a pin, the pin is either correct or not, and not displayed on the card itself.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The summary talks about merchant system misconfiguration.
That would imply that the chip simply isn't used.
Well, who would have thought that a purely decorative chip that is never used actually has no effect!
Obviously we all expected the gold shininess to make fraudsters run away...
Nope, thief kills you for your cash, no witness no identification
Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash
If a thief knows you have cash he is more likely to rob you, cards are less useful to a thief, especially less organized ones. A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.
It is safe (no risk of card skimming)
You instead have the risks of it being lost, stolen or damaged, not to mention forged cash.
you are not feeding the bank (2% transaction fee)
Yes you are, businesses pay a lot to banks for the ability to accept cash payments, often more than the transaction fees associated with cards.
Banks charge businesses fees for processing their cash deposits, which have to be counted by both the bank and the retailer, the cash has to be transported to the bank and will usually require protection while in transit, banks charge retailers for providing large bags of small change, your insurance liability goes up if you have cash on the premises as it's an attractive theft target or could be destroyed in the event of fire or flood etc.
For the customer, the cost is the same whether paying by cash or card but many cards also offer benefits to the cardholder which they wouldn't get if using cash.
it is private (big brother does not know what you buy)
It's private if you're careful, and also don't have explicit surveillance being carried out against you.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Assuming you're in the US, when was the last time anyone actually even pretended to look at the back of your credit card to compare signatures?
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash
Maybe - I'd love to see some statistics on that. Personally I never carry much cash, and I do carry a pistol. If you try to rob me one or both of us is going to the hospital or the morgue. I am alright with the status quo there.
It is safe (no risk of card skimming)
For select definitions of safe. If the attack vector is simple fraud; say they deliberately sell you a broken or defective item and then just disappear, you have no recourse. But alright I will grant you this one at least for the case of places with physical buildings, names they want to continue using and printed receipts (although if you lose that and you paid cash; gawd help you).
you are not feeding the bank (2% transaction fee)
True but those merchant fees are priced in; retailers would not accept cards unless they had determined by doing so they move product thanks to the ease of transactions and ultimately make more $$$. So when you pay cash you are just padding the big retailer's pockets. I mean maybe you like them better than the banks and that's your call but there is no gain in that for you. In fact it's a loss for you. Unless you have terrible credit and have some card oriented to bad risk people, you almost certainly qualify for "rewards" of some kind even on a no-annual fee card. After all the exclusions and games that can still work out to 1.5% of your purchases back in cash or gift cards etc. Those come out of the merchant fees the banks charge. So when you use cash at a retailer you are basically giving 1% or so to all the people who were smarter than you; used a card, read and understood the rewards programs offered to them.
it is private (big brother does not know what you buy)
An argument from twenty years ago.. Now odds are pretty good there are cameras in the parking and your license plate was OCR'ed. If not that, then the face recognition has you in the shop. If big brother wants that data they will get it; subpoenas are a thing. If you are concerned about buying things from the inside of some dude's coat on the corner you might have something.
Think, big brother loves the plastic card for a reason....
doubtlessly it certainly makes things easier. I think all that talk of a cashless society for a while was driven by that. I don't hear of that (as often); given the other revelations about the NSA, Target corp, etc my conclusion is the PTBs have solved the problem of de-anonymizing cash to the degree they felt it was a problem.
The reality of 2018 is that most of the concerns about using CCs for pretty much your whole life are concerns you will have with cash too, or simply don't make sense for other reasons given how the world has changed.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Since I got my chipped card, not once have I been asked to insert a PIN. In fact, I almost never even have to sign on the reader display.
People still think I'm crazy for carrying cash!
And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in local country. So we get our cards cloned, and then used in the US!
Here in Norway they've fixed this quite easily because around 2010 most of the banks introduced regional blocks, the defaults vary a little but my bank's card by default only works in Norway. To expand the coverage you must log in to the online bank and enable it. You can permanently enable it for our neighboring countries in Scandinavia, but for the other regions (rest of Europe, North America, South America, Africa, Asia) you can only enable it for three months at a time. That has pretty much stopped international scams dead in their tracks, even if it is enabled the crooks don't know until they try and while the occasional tourist will forget and enable it after being declined it will stand out as a sore thumb.
Combined with 2FA using the cell phone/one time codes for online purchases fraud here is extremely low. I found a page that said total credit/debit card fraud in Norway is around 150 MNOK/year, that's $17 million. Divided by 2.4 million households that's about $7, the average household income is about $51k so 0.013% is lost to fraud. Basically that's noise level, people lose more money on grocery prices due to shoplifting than that. I don't think these numbers include robbery where you're forced to enter/hand over the PIN though, just shoulder surfing and such.
Live today, because you never know what tomorrow brings
on purchases at most stores! I'd hate to think that my financial security was entrusted solely to a chip in a credit card.
Another thing I'd like to point out about merchant fees.
Handling cash is not 'free' from a retailer's perspective either. There is much more possibility for shrink even if it does not involve fraud or theft. Bills stick together etc. If you don't close business out in time to get deposits to the banks; you can lose a day's interest on those deposits. That matters for large operations. You have to pay security people to safely transport cash to the depositing institution; fuel, salary, vehicle maintenance.
Some businesses are deciding not to accept cash; and there is a reason for that - if they can avoid those associated costs suddenly the CC merchant fees don't look so bad.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
There's a lot of misinformation here.
Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether it's EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.
Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.
The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.
This is really no different than when EMV rolled out elsewhere, except hackers have more access to the interconnectedness of things.
EMV in EU also rolled out with loose rules to start - merchants want cards to work - so fall back to mag stripe was allowed, and the bad guys figured out they could smash the chip on a stolen or cloned card. When fallback was removed, fraud went away.
The USA is also a different beast. Besides having to upgrade older infrastructure, the problem of customers with multiple cards having to remember multiple pins has to be solved. But keep in mind, if mag stripe fall back is removed, most of the fraud goes away. No one has yet to clone the chip, and if the EMV data is protected properly, there should not be enough information to use online (card not present).
PIN protects against card theft. Removing Mag stripe function protects against cloned cards - where most of the fraud is. It took EU time to get everything right, it will take USA time too.
Hypenosis! Now that's a word that ought to exist.
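Added example, not part of any comment in this thread: the comment above says fraud fell once magstripe fallback was removed, and one way a terminal or acquirer can enforce that is to read the Track 2 service code, whose first digit (2 or 6) marks a chip-capable card, and refuse or flag a swipe of such a card. The function names and decision labels are hypothetical, and the sample swipes are constructed around a well-known test card number.

```python
"""Screen magnetic-stripe swipes for chip-to-stripe fallback (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<3-digit service code><discretionary>?
TRACK2_RE = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def chip_present(self) -> bool:
        # A leading service-code digit of 2 or 6 means the card carries a
        # chip and the terminal should use it where feasible.
        return self.service_code[0] in "26"

    @property
    def masked_pan(self) -> str:
        # Log only the first six and last four digits.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used to reject garbled reads."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Optional[Track2]:
    """Return the parsed track, or None if the read is malformed."""
    m = TRACK2_RE.match(raw.strip())
    if not m or not luhn_ok(m.group(1)):
        return None
    return Track2(m.group(1), m.group(2), m.group(3))


def evaluate_swipe(raw: str, fallback_allowed: bool) -> str:
    """Decide what to do with a swiped card (hypothetical decision labels)."""
    card = parse_track2(raw)
    if card is None:
        return "REJECT_MALFORMED"
    if not card.chip_present:
        return "ALLOW_MAGSTRIPE"      # stripe-only card, nothing to fall back from
    # Chip card presented by stripe: either refuse, or let it through but
    # mark it so the issuer and fraud monitoring can treat it as higher risk.
    return "FLAG_FALLBACK" if fallback_allowed else "DECLINE_USE_CHIP"


# Constructed sample swipes (test PAN, made-up discretionary data).
SAMPLE_SWIPES = [
    ";4111111111111111=25122011234567890?",   # service code 201: chip card
    ";4111111111111111=25121011234567890?",   # service code 101: stripe only
    ";4111111111111112=2512201000?",          # fails the Luhn check
]


def screen(swipes: List[str], fallback_allowed: bool = False) -> List[Tuple[str, str]]:
    """Return (masked PAN, decision) for each swipe."""
    results = []
    for raw in swipes:
        card = parse_track2(raw)
        label = card.masked_pan if card else "unparsed"
        results.append((label, evaluate_swipe(raw, fallback_allowed)))
    return results


if __name__ == "__main__":
    for label, decision in screen(SAMPLE_SWIPES):
        print(f"{label:>18}  {decision}")
```
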
I've had to have all my cards replaced at least once in the past year due to failed chips. Additionally, all merchants take cards without chips anyway, so what's the point?
The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
You can't clone the cards and use them in online transactions. They are skimming the cards and using them for online transactions, most likely. Though the chip does generate a new CVV when used with the chip. If you run the magnetic stripe through, you get the real CVV which can be used online. Also there are tons of restaurants, fast food joints, gas stations, and banks that still use the magnetic stripe instead of the chip.
When I visited New Zealand I marveled at how easily the metric system had pervaded everyday life. Although the UK formally switched to metric in 1965, it is still in the process of slowly seeping through popular culture. The general public still travels in miles, quotes Fahrenheit temperatures, and weighs people not even in imperial but in the Neolithic unit that preceded it. In the US, the public attitude is that if some little snowflake somewhere would be offended by switching over, we can't even contemplate doing it.
When I asked the Kiwis how difficult the transition had been, they replied: the government just named a date, there was a certain amount of grousing, but we all just did it out of a general sense that the time had come.
So sorry, world, but the financial system will be leaking bank fraud through American mag stripes and signatures for all time to come.
Believe it or not, yesterday.
I'm not saying that's the norm, though.
Every time I make a "large" purchase.
I also never sign my cards. I always write "Please check id" in the signature strip.
...many merchants are failing to properly configure their systems
Those humans who tried unsuccessfully to implement the chip-based cards have failed. Human error, who would have ever thought that to be a cause of failure?
A lot of fraud comes from Poland too.
Citation needed.
Here in Poland we have EMV and 99% of cards issued by banks operating in Poland have magstripe and chip, and all transactions are authorized by a PIN. The only popular scam I've heard of here was to record the magstripe & PIN using a rigged ATM (with skimmer and camera over the pinpad), send the magstripe & PIN data to some other country (ie. in South America), and then try to grab cash using a cloned card there. The only time I have ever had to sign my card payment was when using my employer-issued lunch card, that had no chip and was magstripe&signature-only.
Banking technology in Poland is way ahead of the one in US because we have skipped a lot of now-dead technologies, like cheques, pagers, etc. Also, nowadays most points of sales accept contactless card payments, which, while they have their own problems (easy low-value PIN-less transactions after stealing the card, limited to some low numbers), at least are safe from skimmers, because the card doesn't need to touch the point of sale.
My first CC to incorporate a chip was compromised in less than a week. The wait staff ( my best guess due to its limited use based on the length of time I had it ) simply copied the name, CC numbers and security code and voila, they have everything they need to make an online purchase or provide to a third party who is paying them to collect such things due to their access to so many.
I was somewhat puzzled when the transaction alert hit the phone that I had just paid for dinner for four to go about 1600 miles away :|
( People are awfully ballsy with many banks moving to the ability to instantly send text alerts for any purchases for any amount made from any of your accounts )
Called the bank a moment later to let them know the card was compromised.
( Dunno if the folks who used my card got to enjoy their dinner or not )
They marked the transaction as such, invalidated the card and sent me a new one within forty eight hours.
( I keep one other CC in the safe for exactly this reason. If one is compromised, I can easily switch to the other. )
As time has gone by, the bank knows what my typical purchases look like. When an oddball one shows up ( say an overseas one or out of State ) they block it by default. I have to call them up, validate who I am and authorize the unblock so the charge can go through.
My best guess for the delay in chip + pin is the cost of implementing the system due to the sheer scale of the US CC market. From what I've read, the estimated cost to shift over to the chip + pin tech will be somewhere in the vicinity of $8-10B USD and end retailers, banks and CC folks like Visa and Mastercard are fighting over who is going to foot the bill. ( The US has somewhere North of ~1B Credit Cards in circulation )
We may get there one day . . . . lol
It doesn't matter anyway because the signature isn't there to verify the user. It is there to signify you accept the card holder agreement
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
For me handling cash is a hassle (bad eyesight) so I'll take the 2% fee to make my life easier and save time while trying to find the correct amount. (This is mainly due to the fact that both Norway and Sweden, which is where I am 99% of the time, have coins for anything under NOK/SEK 50 (roughly USD 7) so you very quickly end up with lots of loose change.)
Well, since you apparently never buy anything more than $10 I don't think it matters. The only time I don't have to enter a pin is when buying a $5 meal at a fast food joint or at places that don't support chip transactions yet. Those are disappearing as that makes them liable for fraud.
Well that might very well be a fact; having no need to deal with drug dealers myself (never needed drugs I can't obtain through legal channels) I can't really comment. But yeah, if you want to hide illegal activity it seems like a wise policy only to accept cash.
Having some cash with you can also save your life if robbed
Paying with cash will make you a target and get you killed if the robber panics.
Handling cash is not 'free' from a retailer's perspective either.
Actually businesses often have to pay a fee to deposit cash.
Chip+PIN is not invincible either. In the Netherlands there are gangs operating right now that can skim the information from Chip+PIN and the banks aren't willing or at least giving a really hard time to reimburse the fraud because "fraud is impossible". Moreover chip implementations in the EU are rampantly being abused especially across public transportation where people are cloning chips to get onto trains and busses.
The truth about EMV (and I've seen and implemented EMV systems across both US and EU) is that it was an 'old' standard by the time it came out. There were no less than 2 papers that discussed exploits in the EMV system prior to the chip implementations in the EU (and the EU went all out implementing chips for health care, public transportation, drivers licenses, passports and ID cards).
You can, right now, read plain text all the 'important' information from a chip (card number etc) simply by querying its offline capabilities which is one of the primary ways fraud is happening - thieves implement a skimmer and do an offline authorization against the chip (basically: Hey, our Internet broke, here's a transaction for you to sign) and then a few days or even weeks later (some banks allow up to 6 weeks) they "finish" the transaction elsewhere.
Custom electronics and digital signage for your business: www.evcircuits.com
I had a credit card get punched back in the late 1980's. Someone was trying to buy airline tickets in London and it got blocked.
After that I never had a problem with the card which was re-issued. Was using the same card up until 2014 when I was forced to get a "New" more protected chip card. Shortly after the very first use of the chip card I got a call that someone was trying to buy a computer.
Now 4 years later the same thing happened again.
27 years of no problems without the chip... now 2 problems in 4 years with the chip.
Have gone to using apple pay with my new phone. Hope that helps a bit, but too many vendors don't use apple pay still.
Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
Some notes on this... Merchant agreements PROHIBIT merchants from asking for ID and DO NOT REQUIRE that merchants check signatures. In fact Visa et al actually essentially PUNISH vendors who do. Famously, Wal-Mart used to have a policy to check signatures and VISA successfully argued that they should not be on the hook to cover fraudulent purchases that Wal-Mart should have caught via signature checks (ie, they said Wal-Mart's employees were inconsistent). So over 10 years ago Wal-Mart changed their corporate policy and cashiers are instructed to NOT check signatures. The same amount of fraud happens, but VISA et al are now on the hook and can't blame Wal-Mart employees.
In Europe, the card vendors were forced by law into Chip+Pin. VISA has more profit than the GDP of many countries and they don't even loan out money. They don't care about a little fraud. Their concern in the USA was users might periodically forget their PINs and pay with cash instead. So they lobbied to keep signatures, and of course our congress persons don't listen to security experts if corporate interests disagree.
A lot is an article or set of articles for sale at an auction. Both sausage and stolen credit card numbers are often sold via online auctions.
Where do you live that an attempted robbery ends up in murder ?
Yeah, so, a robber asks you politely, do you have any valuables with you?
You say no... and magically he just goes away
You say, here, take this and he kills you
Always happens
Strictly speaking - not defending this practice, just explaining it - merchants should decline to take your card if you've done this, per their agreement with the card issuers. The signature is there as a promise to pay, not as a means of identification. Yes, this is stupid. A better practice is the banks that allow you to put your picture on the card.
Help save the critically endangered Blue Iguana
The summary talks about merchant system misconfiguration.
That would imply that the chip simply isn't used.
Well, who would have thought that a purely decorative chip that is never used actually has no effect!
Obviously we all expected the gold shininess to make fraudsters run away...
In the US, most shop merchants (the kind without IT departments) get their payment terminals from banks or payment processors who offer zero configuration options. All misconfiguration is by the banks.
What is going on is a scam called PCI-DSS where they demand that you use PCI certified hardware that is so fragile that leaving them on an open network will get them pwned - so they will require you to pay them to 'scan' your website to check it's ok, even if that makes no sense, like you are serving a web site, and then charge you extra for not doing so because you aren't 'compliant'.
By these scams they have pointed the blame at the merchants who had no hand in designing the whole shitty system.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
If a thief knows you have cash he is more likely to rob you, cards are less useful to a thief, especially less organized ones. A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.
What are you imagining, that people go around with cash hanging out of the jacket?
Yes, a thief, will check the wallet in your presence and take whatever that is of value.
If there is nothing to take... he/she may get angry. Happens
You instead have the risks of it being lost, stolen or damaged, not to mention forged cash.
You are confused, you use cash to pay, you get it from the bank, it is not forged.
you are not feeding the bank (2% transaction fee)
Yes you are, businesses pay a lot to banks for the ability to accept cash payments, often more than the transaction fees associated with cards.
Banks charge businesses fees for processing their cash deposits, which have to be counted by both the bank and the retailer, the cash has to be transported to the bank and will usually require protection while in transit, banks charge retailers for providing large bags of small change, your insurance liability goes up if you have cash on the premises as it's an attractive theft target or could be destroyed in the event of fire or flood etc.
For the customer, the cost is the same whether paying by cash or card but many cards also offer benefits to the cardholder which they wouldn't get if using cash.
You are even more confused, you probably are a shill, paid by the banks.
All plastic transactions pay to the bank and you will pay even more when cash will be "premium"
It's private if you're careful, and also don't have explicit surveillance being carried out against you.
ok, got it, you are just a paid drone.
It is ok, real people will understand, the others... are just drones
Assuming you're in the US, when was the last time anyone actually even pretended to look at the back of your credit card to compare signatures?
In most cases, it would be worthless to compare anyway. The signature made with a real pen on the back of a card rarely looks anything like a signature made with a bulky stylus on a slippery touch screen.
(Even worse are some delivery services where you "sign" the guy's tablet with nothing but your finger. That usually comes out as little more than a straight line.)
They rarely do exactly because it's useless.
Charging extra fees is illegal in some countries, depends where the retailer is based...
Even if a business isn't taking enough cash to justify an armored car, they still have bank fees and increased risk. The actual reason some small businesses prefer cash is tax evasion, a certain percentage of cash taken by a business will usually just disappear and never make it into the accounting system, but card payments leave a trail which is easily followed by the tax authorities.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Also, PIN would get in the way of their big campaign for just tapping your card to pay.
You are even more confused, you probably are a shill, paid by the banks.
What he said is absolutely true. I once designed a cash management system for a large retailer (a chain of grocery stores), and in the process saw a lot of detail about just what all of this costs. Stores pay banks to have cash delivered to them. Stores pay banks to accept cash deposits. Stores pay employees and managers for a lot of hours that are spent doing nothing but counting and handling cash, including lots of double-checking and oversight to minimize "shrinkage" (the retail term for the rate of theft). And stores lose a lot of money to shrinkage.
The system I designed used automated counting machines that shrink-wrapped and barcoded blocks of bills, and registered those blocks as a sort of inventory that was tracked. To minimize cash delivery and deposit fees, the retail chain essentially set up its own set of cash "warehouses" and hired their own armored cars to transport cash between them, to make sure that all stores had the cash on hand that they needed to make change and to minimize and centralize deposits. The retailer's finance department was even looking into using the cash inventory as collateral for short-term loans whose proceeds were to be invested to generate a revenue stream from the millions of dollars that were always tied up in cash inventory.
All of that together was intended to reduce the cost of cash to a level below that of credit card fees, because the aggregate cost of cash handling was actually more costly than credit transaction fees as a percentage of cash/card business, respectively.
Of course, what the retailer really wanted was to get its customers to switch to using debit cards, which have minuscule transaction fees and none of the cash handling costs. Debit cards are among the worst of all options for consumers, of course, without the anonymity of cash or the liability limitation of credit cards.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What are you imagining, that people go around with cash hanging out of the jacket?
Thieves can see when you open your wallet to pay for something, they can see if you've received change from a purchase, they can see if you've just used an ATM, they can also stake out the owner of a small business who goes from his store to the bank every day carrying the days takings and coming back with change to hand out in the store.
Yes, a thief, will check the wallet in your presence and take whatever that is of value.
If there is nothing to take... he/she may get angry. Happens.
Depends on the crime, many robberies are opportunistic and the thief is looking to get away as quickly as possible (eg pickpockets), they don't have time to check the loot because doing so slows them down and increases the risk of being detected and/or caught.
You are confused, you use cash to pay, you get it from the bank, it is not forged.
You usually have to receive change unless you insist on counting out the exact amount every time, or refusing change.
All plastic transactions pay to the bank and you will pay even more when cash will be "premium"
If i go into a retailer and buy $10 worth of goods my card is charged $10 or i can pay $10 in cash. The retailer will not let me pay $9 because i used cash, the charge is still $10. Whether the retailer pays a percentage of that $10 to the card processor or the cash handling service is not my concern.
ok, got it, you are just a paid drone.
Because i stated that cash is not always private? How does this make me a paid drone?
Do you always check for CCTV when paying cash? Do you always use different stores where none of the staff will recognise you? do you always avoid using any loyalty schemes? do you always refuse to provide your details for warranties and other services? cash even carries serial numbers on every bill, which can also be tracked...
Cash is only private if you are extremely careful with your transactions, in many cases there are still ways you can and will be tracked.
And one further issue which i hadn't thought of before, when travelling i've found the fx rates offered by various cards (especially those geared specifically towards travelling) are much better than you can exchange cash. Also you will typically end up with small change which cannot be exchanged back, and might get a poor rate on any larger bills you have to change back. You're also likely to be unfamiliar with the currency if you've not visited that country both frequently and recently so you are an easy target for fraud (ie fake bills).
For me to use cash when i travel is usually a lot more expensive than using cards, and far less convenient.
Yes cards sacrifice some level of privacy for this convenience, but in many cases it's not important and for those few cases where privacy is a concern cash (or crypto) is still an option. If anything, having a stable history the bank can see makes it easier for them to approve loans (which most people need if they ever want to buy any property). Similarly, i couldn't care less if my bank knows i just went to a restaurant, and many people will post such things to facebook telling the whole world about it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
..use plastic any more than absolutely necessary, and use cash and checks as often as possible.
Several years ago a breach of a payment system hit locations I used to use plastic at. Prior to that I had my eye on the news, week after week, of escalating rates of breaches of payment and data systems. Luckily for me none of my accounts or identity information was affected by the payment system breach at places I then frequented, but it was clear that no merchant or payment system provider was capable of safeguarding me and my accounts, therefore I had to take matters into my own hands, instituting an aggressive program of paying cash whenever possible, using plastic only when I have no other choice, and writing checks when possible.
The Equifax breach just cemented my opinion: if a company that large and important to our financial infrastructure can't even secure their systems against criminal activities, then perhaps nobody can. I continue to use cash for everything possible, and continue to look for ways to stop using electronic payment systems entirely.
I have and will continue to urge people who care about protecting themselves and their accounts to wean themselves off using plastic as soon and as much as possible, until the day comes that the financial sector can effectively secure them against criminal intrusion.
It appears that none of the major cards are requiring signatures any more:
https://www.creditcards.com/cr...
So instead of Chip+Signature, it's just Chip vs. Chip+PIN.
Chicago
cooperation irrelevant. people shot or stabbed for money, for car, after rape, etc.
nice civil world you have there, between your ears
Unfortunately Face ID is basically garbage. The Touch ID worked fine, was fast and typically was easy to use. Face ID I end up having to use the phone PIN 50% of the time, thus exposing it every time it fails a Face ID check for a payment.
> If every merchant would support contactless payments,
It means the credit card can be used at least once without having to enter the pin.
As for the phone - it was very often a source of surprise $8000 bill because iTunes didn't authenticate each individual purchase. The child purchases something with stored credentials, and doesn't know that it has an impact until a few weeks later. It's also the reason a game for cats company had to come up with a custom authentication method to prevent animals from accidentally making a purchase as well.
This may have recently improved, but still doesn't change the fact that it was worse security than classic credit cards.
> You don't authenticate to your credit card.
You authenticate to the credit card (or at least the payment processor) if you enter a pin.
The article summary is dreadfully inaccurate and most of the comments are likewise inaccurate.
EMV does not support end-to-end card to issuer, or issuer to card encryption. The PCI data security standards (separate to EMV) do provide for point to point encryption, but that's not end to end encryption. EMV does nothing to ensure that "card data cannot be captured" (actually, it's quite easy to capture it; even the PIN can be transmitted in the clear in certain simple card configurations; more complex card configs use enciphered PINs). EMV does support three security levels (SDA, DDA, CDA) and only with SDA is it possible to clone publicly-accessible card data onto another card. Cards supporting DDA and CDA (SDA is deprecated in many countries outside the US) require more terminal processing and the data on the card cannot be cloned to another card.
EMV does provide what's effectively a DES-based transaction hash using a card-unique key which the card generates (to hash the transaction details) and which the terminal then sends to the cardholder bank which first tries to authenticate the hash, before checking if the rest of the transaction is good to go. And if all's good, the cardholder bank then generates a response hash which authenticates the transaction response back to the card. That stops man-in-the-middle attacks. Cards also use a sequential transaction serial number (ATC) to stop replay attacks. The card's unique key used to hash request and response data cannot be accessed and is one of three different keys used to hash different classes of request and response data.
There's a lot more there and most of it is publicly available from books one to four of the EMV standards, freely available from http://www.emvco.com/
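The request and response exchange this comment describes, as an added sketch that is not part of the original post and is not EMV's actual algorithm: HMAC-SHA256 stands in for the DES-based MAC, one key with two labels stands in for the separate keys, and every name and value is constructed for illustration.

```python
import hashlib
import hmac
import struct

def mac(key, *parts):
    # 8-byte MAC over length-prefixed fields. HMAC-SHA256 is a stand-in for
    # the DES-based MAC the comment describes (assumption for this sketch).
    msg = b"".join(struct.pack(">H", len(p)) + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def fields(txn):
    # Transaction details covered by the cryptogram: amount, terminal nonce, ATC.
    return (struct.pack(">Q", txn["amount"]), txn["nonce"], struct.pack(">H", txn["atc"]))

class Card:
    def __init__(self, key):
        self._key = key  # card-unique key; never leaves the chip
        self.atc = 0     # sequential transaction counter (ATC)

    def request(self, amount, nonce):
        self.atc += 1
        txn = {"amount": amount, "nonce": nonce, "atc": self.atc}
        txn["cryptogram"] = mac(self._key, b"REQ", *fields(txn))
        return txn

    def accepts(self, txn, response):
        # The card checks that the response really came from its issuer.
        expected = mac(self._key, b"RSP", txn["cryptogram"], response["code"])
        return hmac.compare_digest(expected, response["mac"])

class Issuer:
    def __init__(self, key):
        self._key = key     # issuer's copy of the card-unique key
        self._last_atc = 0  # highest ATC accepted so far for this card

    def authorize(self, txn):
        expected = mac(self._key, b"REQ", *fields(txn))
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "bad_cryptogram", None   # details changed after the card signed
        if txn["atc"] <= self._last_atc:
            return "replayed_atc", None     # captured transaction sent again
        self._last_atc = txn["atc"]
        code = b"00"                        # approval code (constructed value)
        rsp_mac = mac(self._key, b"RSP", txn["cryptogram"], code)
        return "approved", {"code": code, "mac": rsp_mac}

def demo():
    key = bytes(range(16))                  # constructed test key
    card, issuer = Card(key), Issuer(key)
    txn = card.request(1000, b"\x01\x02\x03\x04")
    status, rsp = issuer.authorize(txn)
    forged = dict(rsp, code=b"05")          # response altered in transit
    tampered = dict(txn, amount=999900)     # amount altered in transit
    return {
        "genuine": status,
        "card_accepts_genuine": card.accepts(txn, rsp),
        "card_accepts_forged": card.accepts(txn, forged),
        "replay": issuer.authorize(txn)[0],
        "tampered": issuer.authorize(tampered)[0],
    }

if __name__ == "__main__":
    print(demo())
```

Nothing in the exchange is encrypted: the amount and counter travel in the clear, and only their integrity and freshness are protected, which matches the comment's distinction between authentication and confidentiality.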
Signatures allow me to say "I didn't sign this", not "I did". It's to protect us from banks. Chip and pin has been broken since 2010. For example, see https://www.lightbluetouchpape... Banks in the UK successfully scammed the courts for years with chip-and-pin, claiming that it was poor user security that allowed all frauds.
davecb@spamcop.net
So "Gemini Advisory" says card fraud is up, huh? But Visa says that fraud is down. Who's right? I don't know, and don't feel like looking into the details of both reports. It's likely that both are right, and they're talking about different types of fraud. My understanding is that overall, fraud is down significantly, but some types of fraud are up, such as card skimming at gas pumps (since the chip conversion deadline for those is still in the future and very few of them support chips right now.)
OK it's pure BS that anyone claimed it would end fraud. How can you jerks start off an article with a fat juicy lie like that? Nobody would have claimed something like that! Reduce fraud yes, but nobody would have claimed it would end it!
Had chip+PIN debit cards forever, they were very vulnerable to being used online. The numbers and CVV are printed on the card. You can write the numbers in your hand (w/ expiry date) then you've "defeated" it. In modern times, people were taking pictures of cards with smartphone cameras or buying numbers on the Internet, so now there's some kind of 2FA which defaults to sending SMS to your phone number.
Sorry, AC. I meant that they cannot be used in card present online authorized transactions. I was tired when I wrote that. They can be used for card not present e-commerce transactions, yes. That is where they are still vulnerable.
I think it's at the option of the place you are buying from. Some places I always have to sign for small purchases, and for groceries, where I go the threshold is $50.
Give it another 12 months before getting judgy about whether or not chip & PIN is making a difference.
A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.
I was once casually robbed of my wallet at gunpoint (though I presume finger point but I wasn't prepared for the fight over a few bits of plastic).
I actually saw that same thief 15 minutes later again and asked if I could have my wallet back and he gave it back and complained to me about the lack of cash in it.
*Note: This lighthearted story brought to you from the Don't Try This At Home department.
The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
This.
The huge advantage in EMV is that I can travel to most countries and my card simply works. Thailand, Japan, Germany, Colombia, South Africa, France, Turkey, Greece, Brazil... Pretty much everywhere except the United States where a lot of petrol stations refuse to accept foreign cards because they do not support EMV.
EMV isn't designed to protect against the kind of fraud that is commonplace now, that is the wholesale theft of card details, the number, expiry date and name printed on the front of every card because this is the information that is used in card fraud. This doesn't mean EMV is a failure, EMV is doing what it's meant to and means that anywhere I go, I can simply use my cards as if I were at home... except in the US.
Most card numbers are stolen online, either through infected PCs or by stealing them wholesale from merchant sites. First step in combating this is to make it illegal for merchants to store card data. The introduction of contactless payments is only accelerating the kind of fraud that is commonplace now as both Visa and Mastercard's implementation simply sends out your card number, name and expiry date in encryption so weak, it may as well be clear text to any device that asks for it. The device asking for it doesn't need to make a transaction immediately, it can simply store the information for later use. Even with a short range of less than 50 cm, imagine how many unique card numbers you'll get walking through a shopping centre or high street on a normal day. Not like anyone is going to pay any attention to some random guy with a handheld device, put a high-visibility jacket on and you are pretty much invisible.
To stop the kind of fraud that is commonplace now we need to implement 2FA, any form of 2FA as long as we have a second factor of authentication. However this will never happen as it will discourage people from using their credit cards which means the banks will miss out on the percentage they're scraping off every transaction. Right now the cost of fraud pales in comparison to the risk of losing just a portion of that revenue stream. Also we'd need to change contactless to use a rolling code not based on your card number but this means the card has to be an active device which would discourage their use as many people won't be bothered to keep their credit card charged, so again, won't happen.
So combating card fraud is easy, however because there's more money being made by not doing these things than it currently costs to simply absorb the cost of fraud, we'll continue to have to bear the cost and inconvenience of card fraud.
Calling someone a "hater" only means you can not rationally rebut their argument.
Checking signatures is worthless anyway, real people's signatures never look exactly the same whereas a criminal can easily copy what he sees on the back of the card, or in the case of cloning the cards he can just sign the cloned card himself and that's what the merchant will compare against.
At least with a pin, the pin is either correct or not, and not displayed on the card itself.
Pin is safer, but it's all quite academic really. The majority of fraud uses neither the PIN nor a signature. Card cloning has become very rare because it's difficult to do and if you've got the card number, expiry date and name... Utterly redundant.
The majority of card fraud is done via online purchases which only require the card number, cardholder's name and expiry date (CVC/CVV verification is optional). The dumb criminals try buying big ticket items like TVs, the smart, organised ones simply make $5 purchases to front businesses they own. If you've got 10,000 card details, if only 3% work you've just netted $1,500 from a script that took a few minutes to run. Again, the organised criminals will randomise cards so you're not sending 10,000 transactions to the same bank. $5 is below the fraud detection level so if the cardholder doesn't notice, they can do it again in another month or two.
To combat this we're relying on banks blacklisting known bad merchants and detect new fraudulent merchants before they make too many transactions. It's not hard to set up a new merchant account, especially in a country where laws are "selectively enforced" (I.E. you can pay the copper to look the other way). As anyone who's managed an email server knows, blacklists suck.
Calling someone a "hater" only means you can not rationally rebut their argument.
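A detection-side view of the pattern described in the comment above, as an added example that is not part of the original post: seen per merchant rather than per card or per bank, many distinct cards, small amounts and a very low approval rate stand out even though each $5 charge is unremarkable. The record layout, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    # Constructed authorisation records: (merchant, card, issuer, amount_usd, approved)
    records = []
    for i in range(100):   # front business: 100 cards, 10 issuers, 3 approvals
        records.append(("M-FRONT", f"card{i}", f"bank{i % 10}", 5.00, i in (10, 45, 80)))
    for i in range(60):    # coffee shop: small amounts, almost all approved
        records.append(("M-COFFEE", f"c{i % 40}", f"bank{i % 6}", 4.50, i % 20 != 0))
    for i in range(30):    # electronics store: large amounts, ignored by this check
        records.append(("M-ELEC", f"e{i}", f"bank{i % 8}", 499.00, True))
    return records

def flag_card_testing(records, max_amount=5.00, min_cards=20,
                      min_issuers=5, max_approval=0.10):
    """Return {merchant: approval_rate} for merchants that look like card testing.

    All four thresholds are illustrative assumptions, not industry values.
    """
    stats = defaultdict(lambda: {"cards": set(), "issuers": set(), "n": 0, "ok": 0})
    for merchant, card, issuer, amount, approved in records:
        if amount > max_amount:
            continue  # only low-value attempts are of interest here
        s = stats[merchant]
        s["cards"].add(card)
        s["issuers"].add(issuer)
        s["n"] += 1
        s["ok"] += int(approved)

    flagged = {}
    for merchant, s in stats.items():
        rate = s["ok"] / s["n"]
        wide = len(s["cards"]) >= min_cards and len(s["issuers"]) >= min_issuers
        if wide and rate <= max_approval:
            flagged[merchant] = round(rate, 3)
    return flagged

if __name__ == "__main__":
    print(flag_card_testing(build_sample()))
```

Spreading attempts across banks hides the pattern from any single issuer, so this check only works where declines are visible across issuers, for example at the acquirer or card network.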
There are plenty of terminals, it's just that 5% or so of them have tape over the chip slot or a note to swipe the stripe (though without such catchy wording). If there is fraud when the chip is not used, the cost is now on the business, but if they think it's not bad enough, there is still nothing to force them to make the chip slot work, 3 1/2 years later.
I think we need to stop focusing on the cards. Those aren't really the root of the problem. It's the retailers that set up insecure or insufficiently secure networks to transmit this data in the first place.
Payment processors should take this out of the hands of all retailers and provide direct, secure communication from the payment terminals. That is, a private VPN from each terminal back to the payment processor. The terminal is still technically connected to the customer network but wouldn't be directly accessible. The data that comes back from the terminal to the retailer's POS system is stripped of any full identifying data but with enough info for the retailer to conduct business.
That would stop all the MITM attacks and the scouring of stored data on the retailers' networks which seems to be the vast majority of the breaches.
My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
You should move somewhere (anywhere) else. :-)
It's OK Bender, there's no such thing as 2.