Credit Card Chips Have Failed to Halt Fraud (So Far) (fortune.com)
An anonymous reader quotes Fortune:
New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...
In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.
Without a PIN, and without a chip reader for online purchases the whole exercise has been a waste of time.
The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
So, in 2018, one of the biggest economies, most technologically advanced country in the world still cannot use a 40-year-old technology to authenticate a payment? I know it might not be 100% failproof, but still... Even countries in Eastern Europe manage to do that...
And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in local country. So we get our cards cloned, and then used in the US!
If the majority of the cards have a chip, then the majority of fraud cases will be cards with chip. The point of moving from a magnetic strip to a chip, is that others cannot gain access to your card simply by swiping it. After chip conversion, that vector of attack is mostly gone, and criminals move on to other methods. For which cards with chip are just as good/bad as any other card.
That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card. This makes it comparatively easy to MITM the transaction. It's a shame that the US waited over 20 years until the EMV protocol had been thoroughly analysed and numerous flaws identified and then deployed it.
I am TheRaven on Soylent News
Only a decade?
The UK had chip and PIN in 2006 when I lived there. Not sure when they rolled it out.
And in 2014 Australia stopped accepting signatures at all.
Now though I'm pretty much 100% contactless and done mainly via my phone.
Checking signatures is worthless anyway, real people's signatures never look exactly the same whereas a criminal can easily copy what he sees on the back of the card, or in the case of cloning the cards he can just sign the cloned card himself and that's what the merchant will compare against.
At least with a pin, the pin is either correct or not, and not displayed on the card itself.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash
If a thief knows you have cash he is more likely to rob you, cards are less useful to a thief, especially less organized ones. A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.
It is safe (no risk of card skimming)
You instead have the risks of it being lost, stolen or damaged, not to mention forged cash.
you are not feeding the bank (2% transaction fee)
Yes you are, businesses pay a lot to banks for the ability to accept cash payments, often more than the transaction fees associated with cards.
Banks charge businesses fees for processing their cash deposits, which have to be counted by both the bank and the retailer, the cash has to be transported to the bank and will usually require protection while in transit, banks charge retailers for providing large bags of small change, your insurance liability goes up if you have cash on the premises as it's an attractive theft target or could be destroyed in the event of fire or flood etc.
For the customer, the cost is the same whether paying by cash or card but many cards also offer benefits to the cardholder which they wouldn't get if using cash.
it is private (big brother does not know what you buy)
It's private if you're careful, and also don't have explicit surveillance being carried out against you.
And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the banks won't authorise payment in local country. So we get our cards cloned, and then used in the US!
Here in Norway they've fixed this quite easily because around 2010 most of the banks introduced regional blocks, the defaults vary a little but my bank's card by default only works in Norway. To expand the coverage you must log in to the online bank and enable it. You can permanently enable it for our neighboring countries in Scandinavia, but for the other regions (rest of Europe, North America, South America, Africa, Asia) you can only enable it for three months at a time. That has pretty much stopped international scams dead in their tracks, even if it is enabled the crooks don't know until they try and while the occasional tourist will forget and enable it after being declined it will stand out as a sore thumb.
Combined with 2FA using the cell phone/one time codes for online purchases fraud here is extremely low. I found a page that said total credit/debit card fraud in Norway is around 150 MNOK/year, that's $17 million. Divided by 2.4 million households that's about $7, the average household income is about $51k so 0.013% is lost to fraud. Basically that's noise level, people lose more money on grocery prices due to shoplifting than that. I don't think these numbers include robbery where you're forced to enter/hand over the PIN though, just shoulder surfing and such.
Live today, because you never know what tomorrow brings
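The regional-block scheme described in the comment above, sketched as an issuer-side authorization rule. This is an added example, not code from the post or from any bank; the country codes, region names, function names and the 92-day approximation of "three months" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

HOME = "NO"
NEIGHBOURS = {"SE", "DK"}        # assumption: the "neighboring countries"
# Constructed, partial country-to-region map for the sample.
REGION_OF = {"DE": "rest_of_europe", "FR": "rest_of_europe",
             "US": "north_america", "BR": "south_america",
             "ZA": "africa", "JP": "asia"}
MAX_WINDOW = timedelta(days=92)  # "three months at a time", approximated

@dataclass
class CardPolicy:
    neighbours_enabled: bool = False                   # may be enabled permanently
    region_expiry: dict = field(default_factory=dict)  # region -> last valid date

    def enable_region(self, region, today, days=92):
        """Cardholder opt-in via the online bank; the window is capped."""
        window = min(timedelta(days=days), MAX_WINDOW)
        self.region_expiry[region] = today + window
        return self.region_expiry[region]

def authorize(policy, country, today):
    """Return (approved, reason) for a card transaction in `country`."""
    if country == HOME:
        return True, "home"
    if country in NEIGHBOURS:
        if policy.neighbours_enabled:
            return True, "neighbour"
        return False, "neighbours_blocked"
    region = REGION_OF.get(country)
    if region is None:
        return False, "unknown_region"   # fail closed on unmapped countries
    expiry = policy.region_expiry.get(region)
    if expiry is None:
        return False, "region_blocked"   # default state: never enabled
    if today > expiry:
        return False, "region_expired"   # opt-in lapsed, must be renewed
    return True, "region_enabled"
```

Returning a distinct reason for each decline lets the issuer separate a lapsed opt-in from a card that was never enabled for that region.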
There's a lot of misinformation here.
Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether it's EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.
Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.
The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.
The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
You can't clone the cards and use them in online transactions. They are skimming the cards and using them for online transactions, most likely. Though the chip does generate a new CVV when used with the chip. If you run the magnetic stripe through, you get the real CVV which can be used online. Also there are tons of restaurants, fast food joints, gas stations, and banks that still use the magnetic stripe instead of the chip.
Strictly speaking - not defending this practice, just explaining it - merchants should decline to take your card if you've done this, per their agreement with the card issuers. The signature is there as a promise to pay, not as a means of identification. Yes, this is stupid. A better practice is the banks that allow you to put your picture on the card.
Help save the critically endangered Blue Iguana