Slashdot Mirror


Credit Card Chips Have Failed to Halt Fraud (So Far) (fortune.com)

An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.

The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.

39 of 229 comments

  1. Chip & PIN by Anonymous Coward · · Score: 4, Interesting

    Without a PIN, and without a chip reader for online purchases the whole exercise has been a waste of time.

  2. Re: Of course by Anonymous Coward · · Score: 5, Informative

    The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

  3. Still no use for PIN by Kopp · · Score: 4, Insightful

    So, in 2018, one of the biggest economies and most technologically advanced countries in the world still cannot use a 40-year-old technology to authenticate a payment? I know it might not be 100% failproof, but still... Even countries in Eastern Europe manage to do that...

    1. Re:Still no use for PIN by xlsior · · Score: 4, Interesting

      The reason that US credit card companies don't want to force their users to use PIN codes is simple: no one wants to be first. In most of the world, people have a single credit card. The average American has half a dozen or more. Forcing Americans to remember a PIN just means that a not insignificant percentage of users will simply switch to one of their other cards that's 'less inconvenient' - therefore, nothing changes, since none of the card companies want to lose their users to the competition.

    2. Re:Still no use for PIN by Solandri · · Score: 4, Informative

      It's because the credit card companies don't want to pay for fraud. Right now they've gamed it so merchants pay for credit card fraud (merchant loses the merchandise, and the payment gets reversed). Chip + PIN basically makes it impossible for the merchant to be at fault in case of fraud, meaning either the cardholder or credit card company has to pay for fraud. So they gimped the chip in the U.S. by making it chip + sign, meaning it's still the merchant's responsibility to check the signature with the one on the card. And if they forget (or in the case of online orders, can't) and it turns out to be a fraudulent charge, the merchant has to pay for it.

      (And if you're one of those people who've been duped into thinking the high interest rates pay for fraud, no they don't. They pay for cardholders who are delinquent on payments.)

    3. Re:Still no use for PIN by Anonymous Coward · · Score: 3, Informative

      As a merchant it is even worse. After you have lost your merchandise and the payment is reversed, you also need to pay a fine to the credit card company.

    4. Re: Still no use for PIN by Bert64 · · Score: 5, Insightful

      I got this same explanation from a waitress, that they didn't use pin because of tipping... But that's utterly ridiculous, in the rest of the world they bring a wireless payment device to your table and it asks if you'd like to leave a tip, you enter the amount to tip and it calculates the total and then authorises the total using your pin. The payment device then prints out a receipt which shows how much you paid in total.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Still no use for PIN by Mortimer82 · · Score: 2

      Your average large merchant doesn't "pay" for the fraud, instead they pass the cost onto their honest customers. Rather than big merchants paying out their profits, they instead charge every honest customer a few cents extra to cover the fraud costs and maintain their same profits.

      The little independent merchants do unfortunately suffer, as they're not the ones with the clout to improve the situation or the market share to have their honest customers cover the cost.

    6. Re:Still no use for PIN by DarkOx · · Score: 2

      WAAAAYYY less secure. You have moved secret handling (the PIN) from a special-purpose device with limited network interaction, that runs software that is not easily modified or updated by unauthorized parties, and moved it to a general-purpose device.

      A device that is on the network all the time, a device where users are likely to add all kinds of software. A device where published security issues in the platform might not get patched at all... The potential for an attacker to either obtain the secrets for use elsewhere or step into the authorization process is much greater.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re: Still no use for PIN by Waccoon · · Score: 5, Insightful

      While we're talking about obsolete practices, could we please abolish tipping, too?

    8. Re: Still no use for PIN by mark_reh · · Score: 2

      Tipping in cash is always preferred by servers.

      Tipping is a two way street. If you tip at the end of the transaction, the server benefits. If you tip at the start of the transaction, such as tipping a bartender when you order your first drink, he/she will treat you well for the rest of the evening. Both sides benefit.

      Of course, if you're a regular and get a reputation for tipping well, you'll be treated well every time you visit the place.

      What became of the legislation that was proposed to allow the restaurant owners to decide how much of the tips go to the servers? IIRC that was proposed as a means to relieve restaurant and bar owners of the burden of having to pay a higher minimum wage...

    9. Re:Still no use for PIN by Anne+Thwacks · · Score: 4, Interesting

      That is not true. Most people in Europe have several cards, and I am quite sure they have to use a PIN.

      I can also confirm that a lot of people in Nigeria have several cards, and they have to use PINs there, and one side effect has been to massively reduce fraud committed by the banks themselves. I assume the reluctance of American banks to force use of the PIN is because a large part of the fraud is committed by the banks themselves.

      Yes, it's true: American banks are noticeably less trustworthy than Nigerian banks. (cf. Wells Fargo)

      --
      Sent from my ASR33 using ASCII
    10. Re: Still no use for PIN by hazardPPP · · Score: 4, Insightful

      Tipping in cash is always preferred by servers.

      Very true. I've had a waiter (in Canada) thank me for paying in cash, because he now had enough cash in the register to take his tips with him at the end of the day, instead of waiting to get the amount prepared for him at the start of his next shift (which could be in a couple of days). As I understood, it wasn't specifically about tipping in cash, but enough people paying in cash during the day (some of those people could leave $0 tip - the point was there to be cash available).

      Tipping is a two way street. If you tip at the end of the transaction, the server benefits. If you tip at the start of the transaction, such as tipping a bartender when you order your first drink, he/she will treat you well for the rest of the evening. Both sides benefit.

      Of course, if you're a regular and get a reputation for tipping well, you'll be treated well every time you visit the place.

      What became of the legislation that was proposed to allow the restaurant owners to decide how much of the tips go to the servers? IIRC that was proposed as a means to relieve restaurant and bar owners of the burden of having to pay a higher minimum wage...

      Tipping, as implemented in North America (Canada & the US), is pure bullshit. Hospitality workers are basically forced to rely on tips in order to make a livable wage, in many jurisdictions they specifically get shafted (the law specifies a lower minimum wage for restaurant workers than everyone else). As a result, you are culturally "forced" to tip large amounts even just for average/expected service (15%, or whatever is the local custom), because otherwise the people serving you are underpaid. Basically, this means that the prices in the menu are artificially deflated. You are expected to fork over an extra 15% (or whatever), so that's not a "tip" - it's an integral part of the cost you incur.

      Tipping should be an optional activity and a reward for exceptional service, not mercy money that allows workers to eat. Workers should be paid for their work by their employer. Salaries should be in line with employer expectations. If employees go above and beyond that, customers can reward them (if they want) with tips. Tips should not be the employees' financial lifeblood.

      There's plenty of places where it works like this. There's plenty of places where tipping is just rounding up (so on a large bill, something like 1-2% and nowhere near 15%). There are places like Japan where there is no tip (in fact, I was told that tipping is insulting and that the waiter will angrily give you back your money). Guess what, the service is just fine (especially in Japan, where it's excellent).

    11. Re: Still no use for PIN by mark_reh · · Score: 2

      There's a lot of BS in the US. We give tax breaks to big corporations (and rich people) and the public schools and other basic infrastructure suffer. The same corporations don't pay their workers enough to live, so the government gives them food stamps and free medical care. The execs at those corps say they can't find well-educated talent in the US so they want H1B slaves that they can underpay. The US is giving all the money to corporate execs and other rich folks while dumbing down the population to Make America Great Again by having 99.9% of us work dirty, dangerous jobs for next to nothing, while we eat, drink, and breathe every pollutant our factories and power plants can spew.

    12. Re:Still no use for PIN by nasor · · Score: 2

      Contrary to the common misconception in the US, the signature was never intended as a security feature. The signature on the back of the card merely indicates that you accept the CC company's terms and conditions; it was never intended to be compared to anything at the point of sale.

    13. Re: Still no use for PIN by hazardPPP · · Score: 3, Insightful

      Tipping is the capitalist way of doing it

      Tipping is the capitalist way of employers screwing their employees, the way it's done in North America.

      If you're paid decently by your employer, and tipping is just icing on the cake, turning a minimum-wage job into a higher-wage job, and that makes you work harder to be extra nice to the customers to earn tips - that's fine. No problem with that.

      If you get a lower minimum wage than everybody else because you get tips, well that's simply being screwed and exploited. Also, if tips are basically mandatory, the restaurant owner is lying to his customers about the price of the food and drinks.

    14. Re:Still no use for PIN by rickb928 · · Score: 2

      Signature has not been required for card-present transactions in the US by American Express since April 13, 2018. This is actually a global policy change for Amex.

      Merchants can, if they wish, require a signature, and some industries tend to. And there may be applicable laws in the US that require a signature for a variety of reasons, though I don't know them well enough to quote or reference here.

      I see many chip (EMV) transactions processed without even a PIN, in the US, a process that uses fraud analysis, risk shifting, and customer identification to permit many large merchants to dispense with PIN for mostly small transactions. The immense inconvenience of having to enter a PIN for a substantial purchase doesn't seem to be a factor causing unacceptable friction, and fraud is changing in response to the chip introduction in the US, but not necessarily diminishing.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  4. Re: Of course by Anonymous Coward · · Score: 3, Interesting

    And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in the local country. So we get our cards cloned, and then used in the US!

  5. A couple points: by Anonymous Coward · · Score: 2, Interesting

    1. The chip does nothing to stop crooks from using the card number, type, expiration date and 3-digit code on the back.
    2. Many retailers I use my chip card at don't even use the chip reader functionality in their terminals, taping it off and indicating that the card needs to be swiped instead.
    3. Most retailers never check my sig (even if indicated on the card).
    4. I can run my card as 'credit' and can bypass the pin entry, totally rendering that useless.

  6. Well duh by DrXym · · Score: 2

    The point of chip and PIN is that the card's details don't go through the merchant's system at all. Instead the card is authenticated / authorized through a secure device that talks directly to the payment service. All the merchant gets is a token of the transaction. Of course if the merchant stupidly allows cards to be swiped instead then they're just as vulnerable to skimming / hacking / database theft as non chip-and-PIN devices.

    1. Re:Well duh by TheRaven64 · · Score: 3, Interesting

      That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card. This makes it comparatively easy to MITM the transaction. It's a shame that the US waited over 20 years until the EMV protocol had been thoroughly analysed and numerous flaws identified and then deployed it.

      --
      I am TheRaven on Soylent News
    2. Re:Well duh by goose-incarnated · · Score: 2

      That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card.

      That's untrue. The path for the transaction payload is Chip->terminal->merchant->bank->issuer and the payload returns along the same path.

      The chip's payload is encrypted with a key held only by the issuer, and the response is encrypted with the same key. The entities in between (the terminal, the merchant and the bank) have no way of decrypting the chip's payload, nor of encrypting a payload that the chip can decrypt.

      So unless the issuer is compromised there is no MITM attack going on.

      --
      I'm a minority race. Save your vitriol for white people.
    3. Re:Well duh by swillden · · Score: 2

      You're actually both right. EMV isn't a protocol, it's a whole family of protocols, most with their own family of variants. The security of these protocols varies widely.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Duh ... by CptJeanLuc · · Score: 3, Informative

    If the majority of the cards have a chip, then the majority of fraud cases will be cards with a chip. The point of moving from a magnetic stripe to a chip is that others cannot gain access to your card simply by swiping it. After chip conversion, that vector of attack is mostly gone, and criminals move on to other methods, for which cards with a chip are just as good/bad as any other card.

  8. Re: Few things by Harlequin80 · · Score: 4, Informative

    Only a decade?

    The UK had chip and PIN in 2006 when I lived there. Not sure when they rolled it out.

    And in 2014 Australia stopped accepting signatures at all.

    Now though I'm pretty much 100% contactless, done mainly via my phone.

  9. Re: Of course by Bert64 · · Score: 3, Informative

    Checking signatures is worthless anyway; real people's signatures never look exactly the same, whereas a criminal can easily copy what he sees on the back of the card, or in the case of cloning the cards he can just sign the cloned card himself and that's what the merchant will compare against.

    At least with a pin, the pin is either correct or not, and not displayed on the card itself.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  10. Re: Of course by Anonymous Coward · · Score: 2, Insightful

    The summary talks about merchant system misconfiguration.
    That would imply that the chip simply isn't used.
    Well, who would have thought that a purely decorative chip that is never used actually has no effect!
    Obviously we all expected the gold shininess to make fraudsters run away...

  11. Re:Pay cash where you can by Bert64 · · Score: 4, Insightful

    Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash

    If a thief knows you have cash he is more likely to rob you, cards are less useful to a thief, especially less organized ones. A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.

    It is safe (no risk of card skimming)

    You instead have the risks of it being lost, stolen or damaged, not to mention forged cash.

    you are not feeding the bank (2% transaction fee)

    Yes you are, businesses pay a lot to banks for the ability to accept cash payments, often more than the transaction fees associated with cards.
    Banks charge businesses fees for processing their cash deposits, which have to be counted by both the bank and the retailer, the cash has to be transported to the bank and will usually require protection while in transit, banks charge retailers for providing large bags of small change, your insurance liability goes up if you have cash on the premises as it's an attractive theft target or could be destroyed in the event of fire or flood etc.

    For the customer, the cost is the same whether paying by cash or card, but many cards also offer benefits to the cardholder which they wouldn't get if using cash.

    it is private (big brother does not know what you buy)

    It's private if you're careful, and also don't have explicit surveillance being carried out against you.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  12. Re: Of course by Kjella · · Score: 5, Interesting

    And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in the local country. So we get our cards cloned, and then used in the US!

    Here in Norway they've fixed this quite easily because around 2010 most of the banks introduced regional blocks; the defaults vary a little, but my bank's card by default only works in Norway. To expand the coverage you must log in to the online bank and enable it. You can permanently enable it for our neighboring countries in Scandinavia, but for the other regions (rest of Europe, North America, South America, Africa, Asia) you can only enable it for three months at a time. That has pretty much stopped international scams dead in their tracks; even if it is enabled the crooks don't know until they try, and while the occasional tourist will forget and enable it after being declined, it will stick out like a sore thumb.

    Combined with 2FA using the cell phone/one time codes for online purchases fraud here is extremely low. I found a page that said total credit/debit card fraud in Norway is around 150 MNOK/year, that's $17 million. Divided by 2.4 million households that's about $7, the average household income is about $51k so 0.013% is lost to fraud. Basically that's noise level, people lose more money on grocery prices due to shoplifting than that. I don't think these numbers include robbery where you're forced to enter/hand over the PIN though, just shoulder surfing and such.

    --
    Live today, because you never know what tomorrow brings
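The regional block Kjella describes, modelled as an added example (not code from the post or from any bank): the home country is always allowed, the Nordic neighbours can be enabled permanently, and any other region only for a bounded window that expires on its own. The country-to-region table, the 90-day cap and the reason strings are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

HOME_COUNTRY = "NO"
# Assumed country-to-region table for the example; only a handful of countries listed.
REGION_OF = {
    "NO": "home",
    "SE": "nordic", "DK": "nordic", "FI": "nordic",
    "DE": "europe", "GB": "europe", "PL": "europe",
    "US": "north_america", "CA": "north_america",
    "BR": "south_america", "NG": "africa", "JP": "asia",
}
PERMANENT_OK = {"nordic"}          # neighbours may be enabled indefinitely
MAX_WINDOW = timedelta(days=90)    # every other region: about three months per enablement


@dataclass
class CardRegionPolicy:
    """Per-card state that the cardholder edits in online banking."""
    permanent: set = field(default_factory=set)     # regions enabled for good
    temporary: dict = field(default_factory=dict)   # region -> last day it is enabled

    def enable(self, region: str, today: date, days: int = 90) -> Optional[date]:
        """Enable a region. Returns the expiry date, or None when no expiry applies."""
        if region == "home":
            return None                       # home is never off, nothing to do
        if region in PERMANENT_OK:
            self.permanent.add(region)
            return None
        if days < 1 or timedelta(days=days) > MAX_WINDOW:
            raise ValueError(f"temporary enablement is limited to {MAX_WINDOW.days} days")
        expiry = today + timedelta(days=days)
        self.temporary[region] = expiry
        return expiry

    def disable(self, region: str) -> None:
        self.permanent.discard(region)
        self.temporary.pop(region, None)


def authorize(policy: CardRegionPolicy, merchant_country: str, today: date) -> tuple:
    """Issuer-side region check, run before any other fraud logic.
    Returns (approved, reason); a 'region-blocked' decline on an otherwise
    quiet card is the signal Kjella says stands out."""
    region = REGION_OF.get(merchant_country)
    if region is None:
        return False, "unknown-country"
    if region == "home":
        return True, "home-country"
    if region in policy.permanent:
        return True, "permanent-region"
    expiry = policy.temporary.get(region)
    if expiry is not None and today <= expiry:
        return True, f"temporary-until-{expiry.isoformat()}"
    return False, "region-blocked"


if __name__ == "__main__":
    policy = CardRegionPolicy()
    start = date(2018, 6, 1)
    print(authorize(policy, "US", start))            # blocked by default
    print(policy.enable("north_america", start))     # enabled until 2018-08-30
    print(authorize(policy, "US", date(2018, 8, 30)))
    print(authorize(policy, "US", date(2018, 8, 31)))  # window expired
```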
  13. Chip cards aren't meant to prevent breaches by bongk · · Score: 5, Interesting

    There's a lot of misinformation here.

    Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether it's EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.

    Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.

    The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.

  14. The industry knew it would take time by alphad0g · · Score: 2

    This is really no different than when EMV rolled out elsewhere, except hackers have more access to the interconnectedness of things.

    EMV in EU also rolled out with loose rules to start - merchants want cards to work - so fall back to mag stripe was allowed, and the bad guys figured out they could smash the chip on a stolen or cloned card. When fallback was removed, fraud went away.

    The USA is also a different beast. Besides having to upgrade older infrastructure, the problem of customers with multiple cards having to remember multiple PINs has to be solved. But keep in mind, if mag stripe fallback is removed, most of the fraud goes away. No one has yet cloned the chip, and if the EMV data is protected properly, there should not be enough information to use online (card not present).

    PIN protects against card theft. Removing Mag stripe function protects against cloned cards - where most of the fraud is. It took EU time to get everything right, it will take USA time too.

    1. Re:The industry knew it would take time by rl117 · · Score: 2

      Agreed to a point. But they could have gone straight to chip+PIN rather than the chip+signature setup, which is almost pointless. When nearly the whole rest of the world has been using chip+PIN for nearly two decades now, it seems a bit odd not to use it. And regarding the magstripe fallback, has a date been set to drop it yet? If it was withdrawn from use and on new cards starting 2020, that would significantly curtail fraud.
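A check for the magstripe fallback that alphad0g and rl117 discuss above, as an added example (not code from either poster or from any payment network): it parses track 2 from the stripe, reads the service code that declares whether the card carries a chip, treats a swipe of such a card on a chip-capable terminal as a fallback, applies an acquirer policy that declines fallback once it has been withdrawn, and counts fallbacks per terminal so a reader that "fails" to read chips too often gets reviewed. The track data, terminal ids and the per-terminal threshold are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# ISO 7813 track 2 layout: ;PAN=YYMM SSS discretionary?  (sentinels ; and ?, separator =)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str


def parse_track2(raw: str) -> Track2:
    """Split raw track 2 data into PAN, expiry and service code."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("malformed track 2 data")
    return Track2(m["pan"], m["exp"], m["svc"])


def card_declares_chip(t: Track2) -> bool:
    """Service code first digit 2 or 6 means 'IC present, use it where feasible'."""
    return t.service_code[0] in ("2", "6")


def mask_pan(pan: str) -> str:
    """Never log a full PAN: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_entry(raw_track2: str, entry_mode: str, terminal_chip_capable: bool) -> str:
    """How the card data reached the terminal:
      'chip'            ICC read, not a fallback
      'magstripe-only'  swiped card whose service code says it has no chip
      'swipe-no-reader' chip card swiped on a terminal without a chip reader
      'fallback'        chip card swiped on a chip-capable terminal
    """
    if entry_mode == "chip":
        return "chip"
    if entry_mode != "swipe":
        raise ValueError(f"unknown entry mode {entry_mode!r}")
    t = parse_track2(raw_track2)
    if not card_declares_chip(t):
        return "magstripe-only"
    return "fallback" if terminal_chip_capable else "swipe-no-reader"


def authorize_swipe(raw_track2: str, entry_mode: str, terminal_chip_capable: bool,
                    fallback_allowed: bool) -> tuple:
    """Acquirer-side policy: decline technical fallback once it has been withdrawn."""
    kind = classify_entry(raw_track2, entry_mode, terminal_chip_capable)
    if kind == "fallback" and not fallback_allowed:
        return "decline", kind
    return "approve", kind


@dataclass(frozen=True)
class Txn:
    terminal_id: str
    raw_track2: str
    entry_mode: str
    terminal_chip_capable: bool


def terminals_with_excess_fallback(txns: Iterable[Txn], max_fallbacks: int) -> dict:
    """Fallback swipes per terminal, reporting those above the threshold. A reader that
    keeps 'failing' on chips is either broken or being used to push cloned cards through
    the magstripe path; either way it needs a look."""
    counts = Counter()
    for tx in txns:
        if classify_entry(tx.raw_track2, tx.entry_mode, tx.terminal_chip_capable) == "fallback":
            counts[tx.terminal_id] += 1
    return {tid: n for tid, n in counts.items() if n > max_fallbacks}


# Constructed sample data: industry test PANs and made-up terminal ids.
CHIP_CARD = ";4111111111111111=25122011234567890?"   # service code 201: IC present
MAG_ONLY = ";5500000000000004=25121011234567890?"    # service code 101: no IC

SAMPLE_TXNS = [
    Txn("T-001", CHIP_CARD, "chip", True),
    Txn("T-002", CHIP_CARD, "swipe", True),
    Txn("T-002", CHIP_CARD, "swipe", True),
    Txn("T-002", CHIP_CARD, "swipe", True),
    Txn("T-003", MAG_ONLY, "swipe", True),
    Txn("T-004", CHIP_CARD, "swipe", False),
]

if __name__ == "__main__":
    for tx in SAMPLE_TXNS:
        decision, kind = authorize_swipe(tx.raw_track2, tx.entry_mode,
                                         tx.terminal_chip_capable, fallback_allowed=False)
        print(tx.terminal_id, mask_pan(parse_track2(tx.raw_track2).pan), kind, decision)
    print(terminals_with_excess_fallback(SAMPLE_TXNS, max_fallbacks=2))
```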

  15. Re: Of course by jittles · · Score: 3, Informative

    The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

    You can't clone the cards and use them in online transactions. They are skimming the cards and using them for online transactions, most likely. Though the chip does generate a new CVV when used with the chip. If you run the magnetic stripe through, you get the real CVV which can be used online. Also there are tons of restaurants, fast food joints, gas stations, and banks that still use the magnetic stripe instead of the chip.

  16. Re: Of course by AsylumWraith · · Score: 2

    Believe it or not, yesterday.

    I'm not saying that's the norm, though.

  17. Re: Of course by azrael29a · · Score: 2

    A lot of fraud comes from Poland too.

    Citation needed.

    Here in Poland we have EMV and 99% of cards issued by banks operating in Poland have magstripe and chip, and all transactions are authorized by a PIN. The only popular scam I've heard of here was to record the magstripe & PIN using a rigged ATM (with skimmer and camera over the pinpad), send the magstripe & PIN data to some other country (i.e. in South America), and then try to grab cash using a cloned card there. The only time I have ever had to sign my card payment was when using my employer-issued lunch card, that had no chip and was magstripe&signature-only.

    Banking technology in Poland is way ahead of the one in the US because we have skipped a lot of now-dead technologies, like cheques, pagers, etc. Also, nowadays most points of sale accept contactless card payments, which, while they have their own problems (easy low-value PIN-less transactions after stealing the card, limited to some low numbers), at least are safe from skimmers, because the card doesn't need to touch the point of sale.

  18. Re: Of course by guruevi · · Score: 2

    Chip+PIN is not invincible either. In the Netherlands there are gangs operating right now that can skim the information from Chip+PIN and the banks aren't willing or at least giving a really hard time to reimburse the fraud because "fraud is impossible". Moreover chip implementations in the EU are rampantly being abused especially across public transportation where people are cloning chips to get onto trains and busses.

    The truth about EMV (and I've seen and implemented EMV systems across both US and EU) is that it was an 'old' standard by the time it came out. There were no less than 2 papers that discussed exploits in the EMV system prior to the chip implementations in the EU (and the EU went all out implementing chips for health care, public transportation, drivers licenses, passports and ID cards).

    You can, right now, read in plain text all the 'important' information from a chip (card number etc) simply by querying its offline capabilities, which is one of the primary ways fraud is happening - thieves implement a skimmer and do an offline authorization against the chip (basically: Hey, our Internet broke, here's a transaction for you to sign) and then a few days or even weeks later (some banks allow up to 6 weeks) they "finish" the transaction elsewhere.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  19. Re: Of course by BobPaul · · Score: 2

    Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

    Some notes on this... Merchant agreements PROHIBIT merchants from asking for ID and DO NOT REQUIRE that merchants check signatures. In fact Visa et al actually essentially PUNISH vendors who do. Famously, Wal-Mart used to have a policy to check signatures and VISA successfully argued that they should not be on the hook to cover fraudulent purchases that Wal-Mart should have caught via signature checks (i.e., they said Wal-Mart's employees were inconsistent). So over 10 years ago Wal-Mart changed their corporate policy and cashiers are instructed to NOT check signatures. The same amount of fraud happens, but VISA et al are now on the hook and can't blame Wal-Mart employees.

    In Europe, the card vendors were forced by law into Chip+PIN. VISA has more profit than the GDP of many countries and they don't even loan out money. They don't care about a little fraud. Their concern in the USA was users might periodically forget their PINs and pay with cash instead. So they lobbied to keep signatures, and of course our congress persons don't listen to security experts if corporate interests disagree.

  20. Re: Of course by ErikTheRed · · Score: 3, Informative

    Strictly speaking - not defending this practice, just explaining it - merchants should decline to take your card if you've done this, per their agreement with the card issuers. The signature is there as a promise to pay, not as a means of identification. Yes, this is stupid. A better practice is the banks that allow you to put your picture on the card.

    --
    Help save the critically endangered Blue Iguana
  21. Re: Of course by TechyImmigrant · · Score: 2

    The summary talks about merchant system misconfiguration.
    That would imply that the chip simply isn't used.
    Well, who would have thought that a purely decorative chip that is never used actually has no effect!
    Obviously we all expected the gold shininess to make fraudsters run away...

    In the US, most shop merchants (the kind without IT departments) get their payment terminals from banks or payment processors who offer zero configuration options. All misconfiguration is by the banks.

    What is going on is a scam called PCI-DSS, where they demand that you use PCI-certified hardware that is so fragile that leaving it on an open network will get it pwned - so they will require you to pay them to 'scan' your website to check it's ok, even if that makes no sense, as if you are serving a web site, and then charge you extra for not doing so because you aren't 'compliant'.

    By these scams they have pointed the blame at the merchants who had no hand in designing the whole shitty system.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.