Credit Card Chips Have Failed to Halt Fraud (So Far)

An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data steam, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.

Chip & PIN

Without a PIN, and without a chip reader for online purchases the whole exercise has been a waste of time.

Re: Of course

The US opted for chip+signature, rather than chip+PIN like the rest of the world. Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.

Still no use for PIN

[Kopp]

So, in 2018, one of the biggest economies, most technologically advanced country in the world still cannot use a 40 year old technology to authenticate a payment ? I know it might not be 100% failproof, but still... Even countries in eastern europe manage to do that...

Re:Still no use for PIN

[xlsior]

The reason that US creditcard companies don't want to force their users to use pin codes is simple: no one wants to be first. In most of the world, people have a single creditcard. The average American has half a dozen or more. Forcing Americans to remember a Pin just means that a not insignificant percentage of users will simply to switch one of their other cards that's 'less inconvenient' - therefore, nothing changes since none of the card companies want to lose their users to the competition.

Re:Still no use for PIN

[Solandri]

It's because the credit card companies don't want to pay for fraud. Right now they've gamed it so merchants pay for credit card fraud (merchant loses the merchandise, and the payment gets reversed). Chip + PIN basically makes it impossible for the merchant to be at fault in case of fraud, meaning either the cardholder or credit card company has to pay for fraud. So they gimped the chip in the U.S. by making it chip + sign, meaning it's still the merchant's responsibility to check the signature with the one on the card. And if they forget (or in the case of online orders, can't) and it turns out to be a fraudulent charge, the merchant has to pay for it.

(And if you're one of those people who've been duped into thinking the high interest rates pay for fraud, no they don't. They pay for cardholders who are delinquent on payments.)

Re: Still no use for PIN

[Bert64]

I got this same explanation from a waitress, that they didn't use pin because of tipping... But that's utterly ridiculous, in the rest of the world they bring a wireless payment device to your table and it asks if you'd like to leave a tip, you enter the amount to tip and it calculates the total and then authorises the total using your pin. The payment device then prints out a receipt which shows how much you paid in total.

Re: Still no use for PIN

[Waccoon]

While we're talking about obsolete practices, could we please abolish tipping, too?

Re:Still no use for PIN

[Anne+Thwacks]

That is not true. Most people in Europe have several cards, and I am quite sure they have to use a PIN.

I can also confirm that a lot of people in Nigeria have several cards, and they have to use PINs there, and one side effect has been to massively reduce fraud committed by the banks themselves. I assume the reluctance of American banks to force use of the PIN is because a large part of the fraud is committed by the banks themselves.

Yes its true: American banks are noticeably less trustworthy than Nigerian banks. (cf Wells Fargo)

Re: Still no use for PIN

[hazardPPP]

Tipping in cash is always preferred by servers.

Very true. I've had a waiter (in Canada) thank me for paying in cash, because he now had enough cash in the register to take his tips with him at the end of the day, instead of waiting to get the amount prepared for him at the start of his next shift (which could be in a couple of days). As I understood, it wasn't specifically about tipping in cash, but enough people paying in cash during the day (some of those people could leave $0 tip - the point was there to be cash available).

Tipping is a two way street. If you tip at the end of the transaction, the server benefits. If you tip at the start of the transaction, such as tipping a bartender when you order your first drink, he/she will treat you well for the rest of the evening. Both sides benefit.

Of course, if you're a regular and get a reputation for tipping well, you'll be treated well every time you visit the place.

What became of the legislation that was proposed to allow the restaurant owners to decide how much of the tips go to the servers? IRIC that was proposed as a means to relieve restaurant and bar owners of the burden of having to pay a higher minimum wage...

Tipping, as implemented in North America (Canada & the US), is pure bullshit. Hospitality workers are basically forced to rely on tips in order to make a livable wage, in many jurisdictions they specifically get shafted (the law specifies a lower minimum wage for restaurant workers than everyone else). As a result, you are culturally "forced" to tip large amounts even just for average/expected service (15%, or whatever is the local custom), because otherwise the people serving you are underpaid. Basically, this means that the prices in the menu are artificially deflated. You are expected to fork over an extra 15% (or whatever), so that's not a "tip" - it's an integral part of the cost you incur.

Tipping should be an optional activity and a reward for exceptional service, not mercy money that allows workers to eat. Workers should be paid for their work by their employer. Salaries should be in line with employer expectations. If employees go above and beyond that, customers can reward them (if they want) with tips. Tips should not be the employees' financial lifeblood.

There's plenty of places where it works like this. There's plenty of places where tipping is just rounding up (so on a large bill, something like 1-2% and nowhere hear 15%). There are places like Japan where there is no tip (in fact, I was told that tipping is insulting and that the waiter will angrily give you back your money). Guess what, the service is just fine (especially in Japan, where it's excellent).

Re: Few things

[Harlequin80]

Only a decade?

The uk had chip and pin in 2006 when i lived there. Not sure when they rolled it out out.

And in 2014 australia stopped accepting signatures at all.

Now though im pretty much 100% contactless and done mainly via my phone.

Re:Pay cash where you can

[Bert64]

Having some cash with you can also save your life if robbed, a thief will just run away happy with your cash

If a thief knows you have cash he is more likely to rob you, cards are less useful to a thief, especially less organized ones. A thief will also be happy with your phone or jewellery, and will probably take your wallet and run rather than open it and inspect it in your presence.

It is safe (no risk of card skimming)

You instead have the risks of it being lost, stolen or damaged, not to mention forged cash.

you are noot feeding the bank (2% transaction fee)

Yes you are, businesses pay a lot to banks for the ability to accept cash payments, often more than the transaction fees associated with cards.
Banks charge businesses fees for processing their cash deposits, which have to be counted by both the bank and the retailer, the cash has to be transported to the bank and will usually require protection while in transit, banks charge retailers for providing large bags of small change, your insurance liability goes up if you have cash on the premises as it's an attractive theft target or could be destroyed in the event of fire or flood etc.

For the customer, the cost is the same wether paying by cash or card but many cards also offer benefits to the cardholder which they wouldn't get if using cash.

it is private (big brother does not knowwhat you buy)

It's private if your careful, and also don't have explicit surveillance being carried out against you.

Re: Of course

[Kjella]

And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the bank's won't authorise payment in local country. So we get our cards cloned, and then used in the US!

Here in Norway they've fixed this quite easily because around 2010 most the banks introduced regional blocks, the defaults vary a little but my bank's card by default only works in Norway. To expand the coverage you must log in to the online bank and enable it. You can permanently enable it for our neighboring countries in Scandinavia, but for the other regions (rest of Europe, North America, South America, Africa, Asia) you can only enable it for three months at a time. That has pretty much stopped international scams dead in their tracks, even if it is enabled the crooks don't know until they try and while the occasional tourist will forget and enabled it after being declined it will stand out as a sore thumb.

Combined with 2FA using the cell phone/one time codes for online purchases fraud here is extremely low. I found a page that said total credit/debit card fraud in Norway is around 150 MNOK/year, that's $17 million. Divided by 2.4 million households that's about $7, the average household income is about $51k so 0.013% is lost to fraud. Basically that's noise level, people lose more money on grocery prices due to shoplifting than that. I don't think these numbers include robbery where you're forced to enter/hand over the PIN though, just shoulder surfing and such.

Chip cards aren't meant to prevent breaches

[bongk]

There's a lot of misinformation here.

Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether its EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.

Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.

The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.