Slashdot Mirror


US Chip Cards Are Being Compromised In the Millions (threatpost.com)

According to a study from Gemini Advisory, some 60 million U.S. cards were compromised in the past 12 months. "Of those, 93 percent were EMV chip-enabled," reports Threatpost. "Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions." From the report: These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. Gemini also said that card-present data "is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as 'shimmers' to record and exfiltrate data from ATMs and POS systems." The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

106 comments

  1. What by Anonymous Coward · · Score: 5, Interesting

    too many of them still use the mag-stripe function

    If this is mostly happening via the old magnetic strip, then what does the chip even have to do with this story?

    1. Re:What by Anonymous Coward · · Score: 2, Insightful

      Just reiterating the fact that the chips were a half-measure, never fully implemented as designed, and are thus useless and leave us vulnerable per the credit vendors' lobbied wishes? Yeah maybe just that.

    2. Re:What by hey! · · Score: 3, Informative

      If this is mostly happening via the old magnetic strip, then what does the chip even have to do with this story?

      If you can intercept the conversation between the EMV chip and the terminal, you can skim enough information to produce a counterfeit mag stripe that will work. That's actually a long-standing vulnerability in the EMV system.

      There was supposedly a fix which involved programming different ICCV codes on the chip and in the mag stripe, but that fix depends on the card provisioners to implement. This is typical of security debacles: a fundamental weakness in the system isn't really fixed by a band-aid that requires everyone to do the right thing.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re:What by dpalley · · Score: 2

      They're saying the chips are EMV-enabled, but the vulnerable transactions are still using the old mag stripe.

    4. Re:What by gweihir · · Score: 1

      Good question.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:What by Anonymous Coward · · Score: 0

      But the basis of the article is numbers found available on dark web. The fact it is easier to dup a mag stripe is not relevant.

      Also: it never actually SAID that is where the vulnerability came from! It may suit their purposes if you infer that however.... they probably sell the $500 terminals or service or something.

    6. Re:What by ShanghaiBill · · Score: 5, Interesting

      Just reiterating the fact that the chips were a half-measure

      Not even half, maybe a quarter measure. The chips can not only be bypassed, but because America doesn't use chip-and-PIN, the chip can be used directly by anyone stealing your card.

      It is like putting a titanium deadbolt on your front door, and having an aluminum screen door on the back of the house, and also putting the deadbolt cylinder in backwards so the thumbturn is on the outside.

      The rest of the world did this right. Only America screwed it up so badly, and mostly because the people with the ability to fix it (the banks) have no incentive to do so. They just push the losses off onto the customer or the merchant.

    7. Re:What by Anonymous Coward · · Score: 0

      The author wants to ding the chip card, facts be damned that the chip wasn't being used.

    8. Re: What by Anonymous Coward · · Score: 1

      Because all US EMV cards have magstripes. The solution is so stupid: Hold merchants responsible if the mag stripe is used and do not issue any more mag stripe cards. Foreign banks can get the ball rolling by refusing to accept magstripe and card not present (online/offline) unless accompanied by GPS coordinates. Then if the coordinates don't match the user's cell phone app location, void it.

    9. Re:What by TheGratefulNet · · Score: 2

      no. read my (long) post.

      it was not magstripe, it was outright forgery. I don't believe they ever had my card, but I suspect the equifax (etc) break-ins were the cause of most of this.

      there is 'skimming' and 'shimming' but in my case, I don't think it was a copy of the card; I think they frauded the system some other way.

      one thing the bank told me: if these were magstripe transactions, we would have voided them out as soon as you reported them to us, but since they used MAGIC CHIPS, of course, those are trustable so we are rejecting your claim.

      (not kidding)

      --
      "It is now safe to switch off your computer."
    10. Re: What by Anonymous Coward · · Score: 3, Informative

      Most of the fraud is moving to online transactions, where all they need are the numbers and cvv code. Chips won't help. What is needed is 2 factor Auth to approve transactions.

    11. Re:What by Anonymous Coward · · Score: 0

      If you can intercept the conversation between the EMV chip and the terminal, you can skim enough information to produce a counterfeit mag stripe that will work.

      That seems like a poor design. Why would the chip need to be mathematically related to the stripe in any way?

    12. Re: What by Anonymous Coward · · Score: 1

      So 3-D Secure with strong authentication, which has been around for years and is becoming a requirement in Europe as per the PSD2. The problem is that they had to enforce it through regulation because even if it shifts liability from the merchant to the card issuer in case of fraud, it has quite an impact on sales conversions.

    13. Re: What by Anonymous Coward · · Score: 1

      We do have that where I live. In order to use my card, you need my password and a generated code from my code generator. Otherwise, my bank will not authorize the online transaction.

    14. Re:What by AmiMoJo · · Score: 1

      Why not just disable mag stripe payments on cards that have chips? The bank has to authorize the payment, and can simply decline if the terminal reports that it was by mag strip when the card has a chip.

      That's what happened in the UK. There are some exceptions for people who can't use a PIN (numerical dyslexia etc.) but for most people it's PIN only. Retailers had a few years to upgrade their terminals; they don't last forever anyway so it wasn't even an extra cost.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re: What by Anonymous Coward · · Score: 0

      In the UK (and the rest of the EU AFAIK) the majority of cardholders also have a small 2FA device which looks a bit like a calculator. You slot the card in, enter your pin and a challenge number from the web site and the chip is used to create a one time pass. Some banks require this for setting up new payments and other sensitive operations, some banks need it for much more. I suspect that over time the Secured by visa/mastercard challenge pages will also use these.

    16. Re: What by TRRosen · · Score: 1

      Ummm that's exactly how it works. If you don't take chip cards you're liable for fraud. If you do VISA/MC is.

    17. Re:What by DutchUncle · · Score: 1

      >>> because the people with the ability to fix it (the banks) have no incentive to do so

      Not about "fix it", about doing it right in the first place. The merchants with many swipe readers - like gas stations (where the reader is integrated into the pump) and fast-food chains - didn't want to pay for new hardware with chip handlers, so they convinced the banks to delay. The same merchants didn't want to slow down transactions, so they didn't want the "wasted time" of PIN entry; after all, the chip guarantees that the card is valid and not cloned, right? Well, yes, but it says nothing about whether the PERSON is valid.

      Add in American exceptionalism (why should we do what everyone else is doing, even if it's right?)

    18. Re:What by Anonymous Coward · · Score: 0

      Why even have a stripe? My newest card is chip only. There is no magnetic stripe, hence immune to such failures.

    19. Re:What by aitikin · · Score: 1

      Because enough terminals don't have a chip reader. I just went through a gas station where the terminal didn't have a chip reader, just the mag strip. If they implemented it that way, my card would be useless there...although, they'd also have likely lost enough business to choose to upgrade or to make the decision to go cash only...

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    20. Re: What by Anonymous Coward · · Score: 0

      I've never pumped gas at a gas station in the United States that has a chip reader. Not once.

    21. Re:What by mjwx · · Score: 1

      If this is mostly happening via the old magnetic strip, then what does the chip even have to do with this story?

      If you can intercept the conversation between the EMV chip and the terminal, you can skim enough information to produce a counterfeit mag stripe that will work. That's actually a long-standing vulnerability in the EMV system.

      There was supposedly a fix which involved programming different ICCV codes on the chip and in the mag stripe, but that fix depends on the card provisioners to implement. This is typical of security debacles: a fundamental weakness in the system isn't really fixed by a band-aid that requires everyone to do the right thing.

      Not sure why you're going on about card cloning... Hardly anyone clones cards any more as they're too easy to trace and there are far better uses for card details.

      The article said "compromised", not "cloned" so likely the card numbers are being used to make online transactions as all you need for that are your card number, cardholder name and expiry date (CVV/CVC is optional, not using it just attracts higher merchant fees and it's like criminals care about that with someone else's money). Dumb criminals try ordering a new TV, smart, organised criminals do $5 transactions across tens of thousands of card numbers to a fraudulent merchant account, pocketing the $4.50 they get after fees. Low dollar transactions are less likely to be noticed by cardholders and more likely to be ignored by banks/credit processors.

      If you want to fix that, we need to start using 2FA for online transactions, but that'll never happen as banks will miss out on too many fees as people start to use other payment options.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    22. Re:What by terrycarlino · · Score: 1

      Why have a strip?

      Because the gas station companies and many small merchants didn't want to absorb the cost of replacing their pumps and POS units. Not even when the banks told them they would be on the hook for any fraudulent charges. In most cases fraudulent charges to gas station companies and small business owners are a fraction of what they would pay to upgrade, so they just eat the cost, except they don't eat it. They pass the losses on to their customers or insurance companies. Or write them off as losses on their taxes.

      In other words there is no incentive for them to work to secure the system. Likewise banks are more afraid of friction, the reduction of revenue from charges and interest, than they are of fraud. They make enough on charges and interest that losses to fraud are insignificant. They push those fraud charges on to their customers anyway, so why should they care?

      As a matter of fact since the customer in the U.S. can only be charged $50 for fraudulent charges, and in most cases they are not even required to pay that, customers don't really care about fraud either. It's mildly inconvenient but less inconvenient than having to remember a PIN (which most people would just compromise by using the same one for all their cards, or their birthday or last 4 of their social, or some other idiot combination.) or keeping up with some kind of authentication device.

      Security only happens when there is a real cost to not being secure. Else convenience triumphs.

  2. Poland and Serbia by Anonymous Coward · · Score: 1

    This is the mecca for fraud in Europe.

    1. Re:Poland and Serbia by Anonymous Coward · · Score: 1

      We have a joke in Albania: Serbia's two biggest exports are asbestos and fraud.

    2. Re:Poland and Serbia by b0s0z0ku · · Score: 3, Interesting

      Here's the thing -- by allowing the Russians to take over Eastern Europe in 1945, the US created that particular mess. The US should have stuck to their guns in 1945 and required truly free elections in all of the countries concerned. We had nuclear weapons. Stalin did not.

      This being said, the stereotype of Eastern Europe being a mecca for fraud, corruption, and nothing else, is a bit of an outdated trope. Poland's economy is booming, though their politics are a bit shameful right now. Countries like Estonia have actually set themselves up as tech hubs right now, legit businesses and startups.

    3. Re:Poland and Serbia by DNS-and-BIND · · Score: 2

      It's always America's fault, isn't it? I mean, fuck peace, let's use our nuclear weapons. Because we got such good press for doing that when we did. I swear, warmongering assholes like you will be the death of us all.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    4. Re:Poland and Serbia by b0s0z0ku · · Score: 1

      US didn't need to actually use nukes. In 1945/6, the US could have basically dictated terms to Stalin, but they chose not to.

    5. Re:Poland and Serbia by DNS-and-BIND · · Score: 2

      So you KNOW that the US government at the time was riddled with Communist spies, right? Because they were. People like Harry Dexter White, Alger Hiss, Harry Hopkins, the list goes on. The Manhattan project was full of spies. The idea was that capitalism had reached its end, that socialism was the wave of the future, that we had all better get on board now before it all collapsed, stop me if any of this sounds familiar because they still say the same shit today. How was the US government supposed to resist the Soviets when so many people inside it wished to join the Communists?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    6. Re:Poland and Serbia by Anonymous Coward · · Score: 0

      We had nuclear weapons. Stalin did not.

      Well, you had about one nuke per month in those days. That is not a game-changer. Stalin had enough men to roll through Europe from east to west - right through the few Americans present. A handful of (small) nukes wouldn't change that; Stalin did not mind sacrificing soldiers. Afterwards, there would be no place to land American planes in Europe, so further nuclear war would be difficult.

      (For those that don't know - rockets came years later. Nukes were very heavy things, dropped from slow planes. Workable against a Japan with little left of its air force, and a sufficiently small landmass to fly over. But try reaching Moscow in a 1945-era plane during a war.)

    7. Re:Poland and Serbia by mjwx · · Score: 1

      Here's the thing -- by allowing the Russians to take over Eastern Europe in 1945, the US created that particular mess. The US should have stuck to their guns in 1945 and required truly free elections in all of the countries concerned. We had nuclear weapons. Stalin did not.

      Actually, at the end of WWII... No-one had nuclear weapons. The US used both of its finished bombs on Japan and wasn't in a position to mass manufacture more, let alone deliver them to Moscow... And Stalin bloody well knew it thanks to spies at Los Alamos. Hell, if the US had half decent counter intelligence, the Soviet nuclear program would have been put back decades, if it even managed to produce a bomb at all.

      However what Stalin did have was the largest army in the world and he did hold all of eastern Europe. It's not like the war weary allies could have challenged the Soviets and it would have harmed us to no end as we'd agreed on the split of Europe before the war even ended at the Yalta Conference. Going back on our word would have done more harm than all the Soviet tanks in existence.

      The Allies really didn't need to do anything to counter the Soviets; whilst western Europe rebuilt, Stalin spent increasing amounts on military expenditure at the expense of civilian infrastructure. Whilst the western quality of life improved, the Soviet quality of life diminished. The demise of the Soviet Union was something that really happened between 1945 and 1960; it just took another 30 years for the dominoes to finish falling.

      This being said, the stereotype of Eastern Europe being a mecca for fraud, corruption, and nothing else, is a bit of an outdated trope. Poland's economy is booming, though their politics are a bit shameful right now. Countries like Estonia have actually set themselves up as tech hubs right now, legit businesses and startups.

      Much of Eastern Europe is still a shithole. Poland and a few others have done extremely well in pulling themselves out of it, but Romania, Bulgaria and Russia itself remain havens for organised criminals. I don't see Russia changing for a while; the criminals are effectively embedded in the government. Poland has spent the last 30 years transitioning to a western country; their big problem right now is transitioning to a developed economy. They got big by being cheap, skilled labour. They can't continue to improve quality of life without changing that.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    8. Re:Poland and Serbia by dev-in-seattle · · Score: 1

      No, the US wasn't riddled with commie spies under every blanket. There were a few. Guess what, we had spies in Russia too. The one that really hurt maybe was the guy that gave the Russians lots of details on how to make nukes. But there weren't spies who were changing our policies to somehow help the Russians. That's a ridiculous lie with no serious evidence - it would be incredible if it were true, but it's not. No one believed capitalism had reached the end, we just crushed the fascists, we were on top of the world. Also, here's something you could consider Mr Scaredy Pants - fear mongering with scare words like "he's a commie, or he's a liberal", those don't convince anyone. Your comments are simply not connected to reality.

    9. Re:Poland and Serbia by DNS-and-BIND · · Score: 1

      The US had a ton more Communist spies than is popularly known. A LOT of people back then believed that capitalism had met its end, socialism was the only way forward and it was just a matter of time, better help the system collapse and set up a Communist government in America before it was too late, etc. A lot of these people worked in Hollywood, the State Department, and other influential areas. Go ahead and try to find a Hollywood film from the 40s or 50s with a positive portrayal of business. They're all Mr. Potter, ugly capitalists with no redeeming features.

      Liberals believe in free speech - we're talking about leftists here.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  3. OMG Regulation by Anonymous Coward · · Score: 0

    Why aren't the payment processors issuing and responsible for the POS card processing hardware? Why is it left to the retailer to implement whatever patchwork they manage to come up with?

    1. Re:OMG Regulation by Fly+Swatter · · Score: 2

      a) that is a huge expense that probably is still under the amount of fraud they have to cover
      b) they can blame the retailer and again that is not fraud they have to cover
      c) if they do have to cover more fraud, they just raise the rates

      In the end it's us that has to pay, both in higher prices and interest rates - they just pass the costs of incompetence on to you.

    2. Re: OMG Regulation by Anonymous Coward · · Score: 0

      It was a rhetorical question. In Australia EFTPOS machines are provided by the banks, who retain ownership of and responsibility for their safe functioning.

      But not in the United States of Freedom.

    3. Re: OMG Regulation by Anonymous Coward · · Score: 0

      Same in Estonia, and very likely so in the rest of Europe/EU. Equipment upgrades at points of sale are faster, and happen continuously. It's as if the banks said: "If you don't upgrade, we'll take our device, and you won't get card-carrying customers to pay for your goods."

  4. Chip and PIN is no panacea by reanjr · · Score: 1

    The last couple of times I bought groceries, the chip was rejected three times, then fell back to magstrip.

    Turns out relying on chip and PIN is unreliable.

    1. Re:Chip and PIN is no panacea by gweihir · · Score: 2

      This seems to be a US problem. Late to the game and trouble getting it to work? Not good.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Chip and PIN is no panacea by b0s0z0ku · · Score: 1

      The last couple times I bought groceries, I paid good, old-fashioned, real, cash. Because cash payments are seldom rejected (outside of Zimbabwe dollars) and always work.

      I know. How non-millennial of me.

    3. Re:Chip and PIN is no panacea by Anonymous Coward · · Score: 0

      Where do you even get Zim dollars these days?

      Because I'm sure you know that Zimbabwe switched to US$ about ten years ago.

    4. Re:Chip and PIN is no panacea by b0s0z0ku · · Score: 1

      OK, for a more modern example, use Venezuela Bolivars.

    5. Re:Chip and PIN is no panacea by zidium · · Score: 1

      Hey! I am LITERALLY a trillionaire!

      Yes, sir, about 7 years ago, I purchased four $250 Billion Dollar Zimbabwe notes, therefore officially making me a trillionaire, in Dollars!

      --
      Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
    6. Re: Chip and PIN is no panacea by Anonymous Coward · · Score: 0

      Cleaning the contacts by scrubbing them briefly with a thumb will usually fix that.

    7. Re:Chip and PIN is no panacea by moronoxyd · · Score: 1, Informative

      Last I checked the democracies at least in western Europe work pretty well.

      Gerrymandering, voter suppression, election irregularities, fixing the courts with partisan judges, the administration calling the fourth estate the enemies of the people -- all stuff that's undermining democracies, and all stuff that the US is currently known for.

      (To be fair: Some of those problems do exist in a few eastern European countries.)

    8. Re:Chip and PIN is no panacea by Anonymous Coward · · Score: 0

      Where do you even get Zim dollars these days?

      eBay

    9. Re: Chip and PIN is no panacea by reanjr · · Score: 1

      Could be wrong, but most countries I imagine can get away without the fallback. American consumers don't use nor do they carry cash. As many Europeans seem to find weird: we use credit cards to pay for gum. A downed payment machine is a good way to lose a customer permanently.

  5. Good. by b0s0z0ku · · Score: 1

    Honestly, this doesn't make me too upset, since consumers will always get their money back at the end of the day.

    Anything that reduces the profits of the card companies, card-using merchants, and card-issuing banks doesn't make me the slightest bit sad. Think of it as the world throwing some sand into the gears of the transition to a cash "free" (aka privacy-free) economy. Anything that creates just a little bit more friction is a net positive.

    1. Re:Good. by Fly+Swatter · · Score: 1

      You do realize who winds up paying those costs in the end, don't you?

    2. Re:Good. by b0s0z0ku · · Score: 1

      Yes. And if cards become more expensive to use and accept, it will do a little bit to discourage their use, which is good for preserving a privacy-friendly economy.

    3. Re:Good. by helpfulcorn · · Score: 1

      Not always, I recently had $155 charged to my card from a Kohl's in Iowa. I've never been to Iowa, I never shop at Kohls, and it turns out that a lot of other people did also get theirs charged when I googled the ident/charge name/whatever for the specific charge. This was a company card for my business that is only used for business purposes, and actually very rarely at that.

      So when trying to deal with my bank they initially told me that I had to wait for it to post, then after that they told me there was no proof any fraud had happened. I tried multiple times with multiple "security" people, they basically just blamed me and one even said that I "must have bought something online such as a washing machine and don't remember", because Kohl's sells washing machines I guess. After a week of trying to deal with it, I just gave up, I was too busy with work and a new baby to switch banks.

      Then it happened again! After more online "investigation" on my part, it turned out that evidently a lot of people put card numbers on white plastic or something (even though I have chip and pin which this same bank told me would make everything more secure -- I never believed that), go to Kohl's and use their Kohl's cash system in order to steal money. This time it was a little less, around $115, and yet again I went through the same thing, but this time they gave me my money back.

      I've switched banks since then, but I'm still out not only around $150 but also the time I spent dealing with it that I could have spent programming or doing anything productive. So while I hate the card companies, it doesn't mean that money magically appears back into your account, or that it isn't a fucking pain in the ass and has other indirect impacts.

    4. Re:Good. by b0s0z0ku · · Score: 1

      If you had proof you weren't in Iowa, you should have filed a complaint with your state's department of bank regulation if your bank didn't fix the issue.

    5. Re:Good. by helpfulcorn · · Score: 1

      Yet more stuff to do to cost me time and money that won't be reimbursed no matter what, the point still stands it isn't just money being taken out that's put back in just because you point out a fraudulent charge.

    6. Re: Good. by orlanz · · Score: 1

      I have never had this much trouble for fraudulent charges. I suddenly discovered a $25 charge for the last 4 months that looked legit (Spotify) but I knew I never purchased.

      A 5 minute email and two days later, I was fully credited. For stuff that was 4 months old! They did tell me 2 months afterward that their investigation concluded that they appeared fraudulent and the credits will stand, closing the topic.

      I don't understand why people have so much trouble disputing charges.

    7. Re: Good. by TheGratefulNet · · Score: 1

      read my long post.

      I disputed them, I had proof and my bank STILL threw me under the bus.

      go read my post. its long but it explains it all.

      --
      "It is now safe to switch off your computer."
    8. Re: Good. by Anonymous Coward · · Score: 0

      Price increases to cover card misuse will be baked in to cash transactions too.

    9. Re:Good. by Anonymous Coward · · Score: 0

      Complaining to them won't work. If you can get consumer report or some other TV journalists interested - it could end differently. If they somehow get on TV, they want to seem nicer than they are.

  6. Bait and switch headline much? by Wrath0fb0b · · Score: 5, Insightful

    The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. ...
    If the EMV functionalities are not fully deployed, the track 1 and track 2 data stolen from the chip transaction can be easily encoded by the fraudster onto any magnetic strip.

    So to get this straight, you get a plastic card, it supports both the newfangled way and the old-and-busted way (or else people would be up in arms that it wasn't compatible with 100% of readers). By the way, the new hotness is just the old version plus a transaction-unique cryptographic token. Now, when this is deployed, people figure out -- they skim the new way and then use it to create mag-stripe cards that can be used only at places that don't require a chip. But somehow this is a problem with the chip cards?

    Nooooo, it's a problem with places that don't require a chip. We've known since the 80s that you can copy a magnetic strip with a 2-tape boombox (seriously, it will work).

    TLDR: There's nothing wrong with the chip cards themselves. But there is something wrong with merchants that haven't upgraded to EMV, and definitely something wrong with /. editors that write a completely ass-backwards headline.
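
The detection hey! and AmiMoJo describe upthread (a chip-sourced track carries an iCVV that differs from the stripe CVV, and the issuer can decline a chip card that arrives as a stripe read) together with the data flow laid out in this post, worked through as issuer-side authorization logic. This is an added example, not code from Gemini Advisory, Threatpost or any card network; the POS entry mode codes, the position of the CVV inside the track-2 discretionary data and every card value below are constructed assumptions.

```python
"""Issuer-side authorization checks for the failure mode discussed in this
thread: track data skimmed from an EMV chip transaction, encoded onto a
magnetic stripe, and swiped at a terminal that does not require the chip.

Added example, not code from Gemini Advisory, Threatpost or any card network.
Constructed assumptions: the issuer stores both the CVV encoded on the physical
stripe and the iCVV carried in the chip's track-2-equivalent data; the acquirer
reports the capture method in a two-digit POS entry mode field (the codes below
follow the common ISO 8583 convention, but networks differ); and the CVV occupies
the first three digits of the track-2 discretionary data (issuer-defined in
reality).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ENTRY_CHIP = "05"       # contact chip (EMV) read
ENTRY_FALLBACK = "80"   # stripe read after the chip failed ("technical fallback")
ENTRY_MAGSTRIPE = "90"  # full stripe read at a terminal that never tried the chip


@dataclass(frozen=True)
class CardRecord:
    """What the issuer knows about one card."""
    pan: str
    has_chip: bool
    stripe_cvv: str             # CVV encoded on the physical magnetic stripe
    icvv: Optional[str] = None  # CVV in the chip's track-2-equivalent data


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str


def parse_track2(track2: str) -> Tuple[str, str, str]:
    """Split ISO/IEC 7813 track-2 data ';PAN=YYMMSSSDDD...?' into
    (pan, service_code, cvv). YYMM is the expiry, SSS the service code, and
    the CVV is read from the first three discretionary digits (assumption)."""
    body = track2.strip(";?")
    pan, sep, rest = body.partition("=")
    if sep != "=" or len(rest) < 10 or not rest.isdigit():
        raise ValueError("malformed track-2 data")
    service_code = rest[4:7]
    cvv = rest[7:10]
    return pan, service_code, cvv


def authorize(card: CardRecord, entry_mode: str, track2: str,
              allow_fallback: bool = True) -> Decision:
    """Decide a card-present authorization. Chip reads are approved here
    (cryptogram verification is out of scope); stripe reads are checked
    against the issuer's card record the way the thread describes."""
    pan, _service_code, presented_cvv = parse_track2(track2)
    if pan != card.pan:
        return Decision(False, "PAN in track data does not match card record")

    if entry_mode == ENTRY_CHIP:
        return Decision(True, "chip transaction")

    if entry_mode not in (ENTRY_MAGSTRIPE, ENTRY_FALLBACK):
        return Decision(False, "unsupported entry mode " + entry_mode)

    # Stripe-only card: the only thing to verify is the stripe CVV.
    if not card.has_chip:
        if presented_cvv == card.stripe_cvv:
            return Decision(True, "magstripe transaction, CVV matches")
        return Decision(False, "magstripe CVV mismatch (counterfeit stripe)")

    # Chip card read via stripe. Because the iCVV differs from the stripe CVV,
    # data skimmed from the chip conversation and written to a stripe is
    # detectable no matter how the terminal was configured.
    if card.icvv is not None and presented_cvv == card.icvv:
        return Decision(False, "chip track data replayed on a magnetic stripe")
    if presented_cvv != card.stripe_cvv:
        return Decision(False, "magstripe CVV mismatch (counterfeit stripe)")

    # Genuine stripe of a chip card. Decline unless the terminal at least tried
    # the chip: the "decline if the terminal reports mag stripe when the card
    # has a chip" rule from the thread.
    if entry_mode == ENTRY_MAGSTRIPE:
        return Decision(False, "chip card swiped at terminal that did not attempt chip read")
    if not allow_fallback:
        return Decision(False, "technical fallback not permitted for this card")
    return Decision(True, "fallback approved; flag for fallback-rate monitoring")


# Constructed sample data: one chip card and the two tracks it can present.
CHIP_CARD = CardRecord(pan="4000123412341234", has_chip=True,
                       stripe_cvv="512", icvv="847")
GENUINE_STRIPE = ";4000123412341234=2512201512000000?"        # physical stripe, CVV 512
SKIMMED_CHIP_TRACK2 = ";4000123412341234=2512201847000000?"   # chip track-2 equivalent, iCVV 847
```

Run against the sample data, the skimmed chip track is declined on either a plain swipe or a fallback swipe, while the genuine stripe is declined only when the terminal never attempted the chip.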

    1. Re:Bait and switch headline much? by Tony+Isaac · · Score: 4, Informative

      Those merchants are having to pay for their lack of adoption. Based on Visa and Mastercard rules, if the merchant doesn't support chip cards, and there is a fraudulent transaction using the magnetic strip, the merchant is out the money. If the issuing bank doesn't provide a chip card, the bank is out the money. These incentives will talk more loudly than people preaching better security.

    2. Re:Bait and switch headline much? by TheRaven64 · · Score: 2

      A lot of the fraud was solved in the rest of the world by a simple change to the merchant banking rules: merchants may not take the card out of sight of the customer. If you want people to pay at the table in a restaurant, you come around with a wireless card reader. This removes 99% of the opportunities for skimming and it means that if a merchant does take the card away it's so unusual that the customer will likely remember it when they discover fraudulent transactions and can easily report the source. It's weird visiting the US and seeing that it's still standard to allow waiters to take the card away into a back room where they can make a clone and bring back the original.

      --
      I am TheRaven on Soylent News
    3. Re:Bait and switch headline much? by thegarbz · · Score: 1

      These incentives will talk more loudly than people preaching better security.

      Or back in reality: People don't care. That is shown quite clearly by the USA having some of the slowest and most lacklustre adoption to CHIP + STUPIDITY in the developed world.

      I mean you could do it like the rest of the world where the evil government forces a multinational megacorp literally swimming in cash to dip into that cash to provide updated systems to their merchants and then force adoption of said system by making the use of a mag stripe illegal. But no, evil government is evil, free market will solve everything, and in theory communism also works.

    4. Re:Bait and switch headline much? by Anonymous Coward · · Score: 0

      Chip and pin in two rules:
      - pin not present during a fraudulent transaction, merchant loses money
      - pin present during a fraudulent transaction, card owner loses money

      Banks never lose any money.

    5. Re:Bait and switch headline much? by Anonymous Coward · · Score: 0

      You may or may not remember the waiter taking your card away. But the bank can easily see that "most accounts with fraud complaints these last months were used in that particular restaurant." And the restaurant will know on whose shift those cards were used.

      Back room card cloning (or just writing down the numbers for later use) doesn't last very long. I guess there is always a new idiot waiter trying that trick though.

      If you're worried, sand off the magstrip, and the raised numbers as well. With only the chip left, no fallbacks and no cloning.

    6. Re:Bait and switch headline much? by Wrath0fb0b · · Score: 1

      But you can't clone an EMV card anyway. So the best a waiter can do with a clone is use it at a merchant that still accepts magstripe.

      Once that goes away, the problem goes away.

    7. Re:Bait and switch headline much? by Anubis+IV · · Score: 1

      Not only that, the transaction fees are higher as well. I was talking this last week with a friend who owns a small music shop, and he was saying that their credit card processing fees for card-not-present transactions are twice those of card-present transactions. They'll be switching to a new version of their POS system that allows them to associate a card read/swipe with a contract (i.e. each subsequent monthly charge counts as a card-present transaction), rather than having to rely on entering payment information by hand (i.e. monthly charges are treated as card-not-present transactions) from the paper forms that they've been forced to use up to this point.

      Despite the cost of the new system, he was visibly excited about the upgrade because their bottom line will improve dramatically overnight, given that rentals are the bulk of their business and are conducted nearly exclusively via credit card. The new POS system should pay for itself in no time, simply on account of what they're losing right now to those processing fees.

    8. Re:Bait and switch headline much? by Agent0013 · · Score: 1

      You seem to be unaware that the chip and pin cards can be hacked also. Fraud isn't gone in Europe where they use these things. It was always a story told to us about how we needed this extra security with no facts to back it up.

      --
      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    9. Re:Bait and switch headline much? by Agent0013 · · Score: 1

      As does any online purchasing?

      --
      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
  7. Banks and Bitcoin by Anonymous Coward · · Score: 0

    And that is why the banks are interested in crypto debit cards. They don't want to deal with security issues. With crypto, they can pass those issues to the card user.

  8. Slow adoptance by Dan+East · · Score: 3, Interesting

    The headline is misleading. It is not the transactions by chip that are being compromised. The fact that a card swiped the old fashioned way happened to have a chip is moot - it is the same attack vector on the legacy magnetic strip.

    There must be significant expense involved for merchants to switch to the chip readers, as most of the POS systems now have chip readers, but some retailers don't support them. More than likely it is price gouging by the vendors that configure and manage the POS units.

    Finally, in my area, Lowes Home Improvement has the totally bizarre setup where if I want to use my bank card as a debit card (requiring PIN) I must swipe, and if I want to use it as credit card (requiring signature) I must insert it. However, it asks you AFTER you have inserted or swiped, so if you choose the wrong option then you have to remove or re-swipe the card. The local store has resorted to putting handwritten notes on the POS terminals advising which to do (insert or swipe) depending on whether you want credit or debit. That leads me to believe there is some recurring per-transaction cost using chip with debit.

    --
    Better known as 318230.
  9. IMPERSONATING me AGAIN? apk by Anonymous Coward · · Score: 0

    You're caught impersonating me c6gunner (your name's the submitter signing "APK") https://linux.slashdot.org/com... as you ALTERED /.ers PRAISE of my work (not yours you don't even HAVE, lol).

    (You shouldn't throw stones when you live in a glass house boys - especially vs. me: RIGHT, ZIP? https://developers.slashdot.or... CAUGHT LYING TOO (you DO have a registered /. acc't. but STALK me anonymously instead - punk) https://news.slashdot.org/comm... )

    HOWEVER: In your "impersonations" trying to make me "look bad" or a liar (like your kind is)? Hope you're RIGHT (considering I'm only sure hosts stop portsmash vs. Spectre/Meltdown) https://tech.slashdot.org/comm...

    APK

    P.S.=> GROW UP weezils - you do it to yourselves trying to "take me on" & FAILING like you always do (especially on tech) + so then you start STALKING me by UNIDENTIFIABLE anonymous posts OR by IMPERSONATING me (weak BITCH tactics only a HOMO would do, lol)... apk

  10. Whenever I travel to the US... by beezly · · Score: 3, Informative

    Whenever I travel to the US, one of the first things that I notice is different is the lax approach to card security. In most of Western Europe, pretty much every card transaction uses the chip. I can disable the mag-stripe on some of my cards (through the banks' online systems), and using magstripe anywhere increases the chance of a transaction being picked up by the banks' automated fraud detection systems. Then when you get to the US, you go into a restaurant, settle up by card with no signature and no pin, and then the restaurant can manipulate the transaction later to add whatever tip you wrote on the bill. Madness!

    1. Re:Whenever I travel to the US... by Anonymous Coward · · Score: 1

      Then when you get to the US, you go into a restaurant, settle up by card with no signature and no pin, and then the restaurant can manipulate the transaction later to add whatever tip you wrote on the bill.

      Actually, this could happen in Europe as well if there was incentive for it.

      Credit card processing mechanisms can have multiple phases for a single transaction. Normally it's one phase: you pay for your merchandise immediately, and the exact amount is added to your balance. However, for online orders, it's two phase: one phase puts a hold on your account for the exact amount of the order but does not actually add it to your balance. When the order ships, the hold is turned into an actual charge and that same amount is now added to your balance. If the order never ships (out of stock), the hold is expired (or eventually expires) and nothing is actually added to your balance.

      Gas pumps and restaurants operate slightly differently. Both will put a hold on your account when you initially swipe the card: $125 at the gas station and food bill plus some maximum possible tip amount, respectively. When you finish pumping the gas, you are charged for less than the $125 hold; similarly, when you finish adding tip to the restaurant bill you are charged for an amount that is less than or equal to the hold amount. You can be charged *less* than the hold amount, but never more.

      If you're curious, the second charge transaction occurs via opaque identifier that is generated when the hold is created. Additionally, the hold + current balance amount is what is compared to your maximum available credit; hold + current balance cannot exceed that number. That is why sometimes your card can get rejected for insufficient funds despite appearing to have a balance less than your maximum available credit. Finally, the expiration period for holds is 30 days IIRC.
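The hold-then-capture flow this reply describes, modelled as an added Python example that is not part of the thread or of any card processor's real API. The $125 gas-station hold and the 30-day expiry are the values the poster cites; the credit limit, posted balance, restaurant bill and tip amounts are constructed sample values, and the opaque hold identifier is simply a random token in this model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

HOLD_EXPIRY_DAYS = 30  # the post recalls 30 days; an assumption for this model


@dataclass
class Hold:
    hold_id: str          # opaque identifier the later capture refers to
    merchant: str
    amount: int           # cents
    created: datetime
    captured: bool = False


@dataclass
class CardAccount:
    credit_limit: int                          # cents
    balance: int = 0                           # posted charges, cents
    holds: dict = field(default_factory=dict)

    def open_holds(self, now: datetime) -> int:
        """Sum of holds that are neither captured nor expired."""
        return sum(
            h.amount for h in self.holds.values()
            if not h.captured and now - h.created < timedelta(days=HOLD_EXPIRY_DAYS)
        )

    def available(self, now: datetime) -> int:
        # The limit is compared against balance PLUS open holds, which is why a
        # card can decline while the posted balance is still under the limit.
        return self.credit_limit - self.balance - self.open_holds(now)

    def authorize(self, merchant: str, amount: int, now: datetime):
        """Phase one: place a hold. Returns the hold id, or None if declined."""
        if amount > self.available(now):
            return None
        hold_id = secrets.token_hex(8)
        self.holds[hold_id] = Hold(hold_id, merchant, amount, now)
        return hold_id

    def capture(self, hold_id: str, amount: int, now: datetime) -> bool:
        """Phase two: settle against the hold. Less than the hold is fine, more is not."""
        hold = self.holds.get(hold_id)
        if hold is None or hold.captured:
            return False
        if now - hold.created >= timedelta(days=HOLD_EXPIRY_DAYS):
            return False          # expired hold; merchant must re-authorize
        if amount > hold.amount:
            return False          # a capture may never exceed the authorized hold
        hold.captured = True
        self.balance += amount
        return True


def demo() -> dict:
    """Walk through the gas-station and restaurant cases from the thread (constructed values)."""
    t0 = datetime(2018, 11, 1, 12, 0)
    acct = CardAccount(credit_limit=50_000, balance=40_000)   # $500 limit, $400 posted
    results = {}

    # Gas pump: the $125 hold exceeds the $100 of headroom, so it declines even
    # though the posted balance is below the limit.
    results["gas_declined"] = acct.authorize("gas-station", 12_500, t0) is None

    # Restaurant: hold for a $60 bill plus a $15 maximum tip, capture bill + $9 tip.
    hold = acct.authorize("restaurant", 7_500, t0)
    results["restaurant_hold_placed"] = hold is not None
    results["available_during_hold"] = acct.available(t0)
    results["tip_capture_ok"] = acct.capture(hold, 6_900, t0 + timedelta(hours=3))
    results["over_capture_rejected"] = acct.capture(hold, 8_000, t0)
    results["balance_after"] = acct.balance

    # A hold left uncaptured past the expiry drops out of the open-hold total.
    stale = acct.authorize("online-shop", 1_000, t0)
    later = t0 + timedelta(days=HOLD_EXPIRY_DAYS + 1)
    results["stale_capture_rejected"] = not acct.capture(stale, 1_000, later)
    results["available_after_expiry"] = acct.available(later)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model keeps the two invariants the reply states: `available()` subtracts open holds as well as the posted balance, and `capture()` refuses any amount above the hold or any hold older than the expiry window.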

    2. Re:Whenever I travel to the US... by viperidaenz · · Score: 3, Informative

      You can disable the magstripe with a magnet too.

      That might stop it working in ATMs though.
      Some bank ATMs rewrite the magstripe every time you use it with a different security code. They recommend you insert your card in their ATMs when you return from holiday, as if it was skimmed and they've updated the security code since then, the fraud detection kicks in immediately when the skimmed card is used.

      National Australia Bank calls it LENSecure

    3. Re:Whenever I travel to the US... by beezly · · Score: 1

      Yeah - some ATMs in the UK still don't use magstripe, although the numbers are decreasing and they're usually easy to identify (the displays look like something out of War Games).

  11. Slow adoptance because of banks by johnjones · · Score: 3, Informative

    the retailers put up with allowing mag stripe because the banks do

    if EMV actually made the retailer liable for fraud then they would make sure you use pay wave/pass (NFC) and a PIN
    by using a CHIP and PIN it first of all verifies LOCALLY on the chip then generates a One Time Code that gets sent to the issuing network (bank) There is ZERO

    repeat ZERO ways to skim chip and PIN, it's all down to the Mag Stripe

    before some bright spark complains about having to input the numbers into ecommerce sites... Yes this can be secured by 2FA that the banks in Europe ask for (you get redirected during the payment process to the bank's website that then asks for your 2FA details)

    basically it's American banks being lazy and don't care about losing customer details... it's just a cost of business to them and they don't care about the retailers' experience either otherwise they would have made NFC cheap and easy

    basically banks need to reduce the fees they charge retailers in return for securing things, 0.5% is common in Europe
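The "one time code" this post describes (and the one-time token the Samsung Pay poster later refers to) is a transaction cryptogram: the chip signs the transaction data with a key that never leaves the card, using a counter so that no two cryptograms are alike. The Python below is an added illustration, not part of the thread and not EMV's actual ARQC construction (real cards derive session keys and include many more data elements, and PIN verification is not modelled here); it uses a truncated HMAC-SHA256 and a constructed sample PAN to show why a copy of the static card data, or a captured cryptogram replayed later, is rejected by the issuer.

```python
import hashlib
import hmac
import secrets
import struct


def _mac(key: bytes, atc: int, amount: int, nonce: bytes) -> bytes:
    """Cryptogram over counter, amount and the terminal's unpredictable number."""
    msg = struct.pack(">HI", atc, amount) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Toy chip: a per-card secret key plus an application transaction counter (ATC)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan            # static data a skimmer could copy
        self._key = key           # never leaves the chip
        self.atc = 0

    def cryptogram(self, amount: int, terminal_nonce: bytes) -> dict:
        """Sign this transaction with a fresh counter value."""
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "nonce": terminal_nonce,
                "mac": _mac(self._key, self.atc, amount, terminal_nonce)}


class Issuer:
    """Issuer host: knows every card's key and the last counter it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, req: dict) -> str:
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINED: unknown card"
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINED: counter already used"     # replay of an old cryptogram
        expected = _mac(key, req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "DECLINED: cryptogram mismatch"      # wrong key or altered data
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVED"


def demo() -> dict:
    """Genuine use, a replay, a tampered amount and a static-data clone (constructed data)."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111")    # constructed sample PAN, not a real account

    # Genuine purchase: the terminal supplies an unpredictable number, the chip signs it.
    req = card.cryptogram(4_250, secrets.token_bytes(4))
    results = {"genuine": issuer.authorize(req)}

    # The same message submitted again: the counter is no longer fresh.
    results["replay"] = issuer.authorize(req)

    # Amount altered in transit with a plausible next counter: MAC no longer matches.
    results["tampered"] = issuer.authorize(dict(req, atc=req["atc"] + 1, amount=1))

    # A "clone" holding only the copied static data has no chip key to sign with.
    clone = ChipCard(card.pan, secrets.token_bytes(16))
    clone.atc = card.atc                        # a correctly guessed counter does not help
    results["clone"] = issuer.authorize(clone.cryptogram(4_250, secrets.token_bytes(4)))

    # The real card's next transaction still goes through; the counter moves on.
    results["next_genuine"] = issuer.authorize(card.cryptogram(900, secrets.token_bytes(4)))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the post makes in capitals is visible in `authorize()`: everything a skimmer can read or record (the PAN, the counter, a past cryptogram) is either useless without the key or rejected as stale, so the only exploitable path is a terminal that accepts the magstripe instead.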

    1. Re:Slow adoptance because of banks by viperidaenz · · Score: 1

      Lucky for Europeans. 2.5% is common in New Zealand.

    2. Re:Slow adoptance because of banks by Anonymous Coward · · Score: 0

      Needing to enter card number online is exactly why I signed up for Privacy virtual debit cards. If the website doesn't take Paypal, Visa Checkout, Google Pay, etc use a Privacy vcard.

      Shameless referral link: https://cashback.privacy.com/sJS2wEHpZ

      With EMV, NFC, Paypal/GP/Visa Checkout and Privacy I would say I've reduced my magstrip and real card number use down to less than 10% of transactions.

  12. Cash by Anonymous Coward · · Score: 0

    Yet another reason cash will always be best. It's in-hackable.

    1. Re:Cash by rogoshen1 · · Score: 1

      No, it's just as hackable; albeit requiring slightly lower tech tools.

      Instead of a skimmer; they'd use something sharp and pointy or something heavy and blunt. At least with credit or debit you have some recourse; carrying cash you're SOL.

    2. Re:Cash by Vlad_the_Inhaler · · Score: 1

      The "sharp and pointy" approach has its own problems.
      I use cash for low-value transactions and card for the few high-value ones. The border is somewhere over $50.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
  13. But what about Apple/Google Pay by Anonymous Coward · · Score: 0

    If one uses Google or Apple Pay, which takes advantage of virtual card numbers (not your real card number), does this make you safe from the described card attacks?

    1. Re:But what about Apple/Google Pay by viperidaenz · · Score: 1

      You're also safe using a regular contactless card.

  14. Was this posted yesterday? by Anonymous Coward · · Score: 0

    Yes, as reported by Fortune anyway.

  15. MST with your watch, token sent by p51d007 · · Score: 1

    I started using my watch, samsung pay, because, as I understand it, between my bank & the watch/phone/app, it sends a ONE TIME token through the POS reader, instead of the card information. If that is exactly how it works, even if they get a "card number" it won't do a thief any good because it's only good for a one time use.

    1. Re:MST with your watch, token sent by viperidaenz · · Score: 2

      That's also how chip cards and contactless cards work too.
      Except when you're in the USA and all the terminals still allow the use of magstripes, regardless of the card having a chip, then you can bypass the chip completely.

    2. Re:MST with your watch, token sent by Anonymous Coward · · Score: 0

      The nice thing about Samsung Pay's magstrip emulation approach is it enables tokenization on magstrip transactions. This is something that Google Pay and Apple Pay do not do because they don't have the magstrip emulation chip/coil, just NFC. This is the one and only reason I am considering a Samsung phone over a Pixel or Android One phone for my next phone.

    3. Re:MST with your watch, token sent by Anonymous Coward · · Score: 0

      You can't bypass the chip, if there is no magstripe. You can destroy that fallback mechanism.

  16. my story (tldr; wells fargo is clueless) by TheGratefulNet · · Score: 5, Informative

    sigh. I'd like to type in pages but I won't.

    long story short, I got a text from wells saying they thought something was 'up' with some purchases. I never check sms (I use email and ignore sms) but I later found that text and called wells to check if it was real. it was real and there were thousands of dollars of charges I didn't make. I never lost my card and it was never out of my possession.

    I called wells and we went thru the charges. I told them which were mine and which were unknown to me. I thought that was it and waited to hear back. weeks later, I get a letter in the mail from them saying that they 'investigated' it and since the card was never lost and it was a CHIP BASED CARD, it could NOT BE THEIR FAULT and I was told I had to pay the thousands of dollars of charges!

    I was shocked. I was a member of that bank for over 20 years (yeah, I know, I should have left years ago when wells first had issues reported against them).

    the weeks that they let it sit were weeks that evidence was starting to fade away (video 'tapes' being recycled at stores, etc). I think that was also part of wells' plan, to delay me and make me miss some deadlines.

    I forced them to re-open the 'closed' case and I filed a police report. I was not asked to at first, but when I went to the bank in person and made an issue of this, they asked that I make a formal police report, which I then did.

    get this: one week later, I get letters in the mail from the local court system. they caught 2 people and I was informed that sentencing was going to happen in 1 week and I was allowed to attend, if I wanted. (I suspect that the forged card had my name on it or receipts from stores had my name on it).

    here's the kicker: it took ALL OF THIS in order to convince my bank that it was not me. their line, all along was 'it was a chip card and it never left your possession, in your own words, and chip cards are PERFECT, so pay up, it was you!'. that was their line and until I showed them court papers, they would not give in.

    tell everyone you know about this. the chip cards are less than useless in the US and banks are still putting their fingers in their ears and saying 'I can't hear you, it's still your fault, pay up!'.

    their security system is at fault and yet they blame us.

    it took me MONTHS to get this all cleared out. did I get anything for my time? no. of course not.

    wells fargo can eat shit and die. anyone still with them should leave immediately. I was a 20+ year member and they threw me under the bus for a few thousand dollars. they don't deserve to have a single customer. please leave if you are with them.

    and be very careful with your 'chip' card. there's nothing secure about it. the thieves have it all worked out already ;(

    --
    "It is now safe to switch off your computer."
    1. Re: my story (tldr; wells fargo is clueless) by Anonymous Coward · · Score: 1

      I don't think that WF disbelieved you or thinks that chip cards are invulnerable.

      Shifting the cost of fraud away from them and onto you was one of the "selling points" that got US card issuers to finally embrace this "upgrade".

      They don't care about the chip card fraud because they don't have to under the new system. Pretty cool, right?

    2. Re: my story (tldr; wells fargo is clueless) by DarenN · · Score: 1

      Shifting the cost of fraud away from them and onto you was one of the "selling points" that got US card issuers to finally embrace this "upgrade".

      No, it wasn't. There was no selling point. MasterCard, Amex, Diners and Visa told them that if they did not use chip, they were liable for fraud. Simple as that. So the rule now is, if the card is not chip enabled, the Issuer (your bank) is liable. If the card is chip enabled but the POS does not support chip, the merchant is liable. That was what liability shift meant - it did not shift liability to the consumer.

      I'd be interested in the GP's understanding of what actually happened. There's only been one practical breach of EMV enabled card system, and it involved a highly technical operation precisely placing a dummy chip over the original chip in the card that flipped a couple of bits and indicated that the terminal had verified the PIN offline. It was quickly remedied without any hardware change. Any other fraud has been either using the magstripe, or card-not-present (like online).

      --
      Rational thought is the only true freedom
  17. Problem non existant in NZ by viperidaenz · · Score: 1

    The merchants are liable for card fraud if a magstripe is used.
    Most of the merchants don't own the terminals, they're leased.

    It didn't take long for the full rollout of emv chip+pin.

    The only annoying thing now is all the terminals support NFC, but a lot of merchants don't have it enabled because the fees are higher. If contactless transactions cost the same as credit cards I wouldn't need to carry my wallet around when I go out for lunch.

    1. Re:Problem non existant in NZ by ledow · · Score: 1

      I think if NZ is anything like the UK, it's nothing to do with magstripe liability.

      The second "Chip + PIN" (as we called it) came out, the new deals to all merchants basically said "all liability is yours". Whether Chip, NFC or magstripe.

      It was literally "if you want our shiny new, you take responsibility for all fraud in your shop". Which is ridiculous and should have been illegal but these card companies are international and it's hard to apply law to them to combat that when they own the industry.

      There's a reason that small shops hate you paying by card and it has nothing to do with the fees, equipment, hassle, etc. It's because if your card later turns out to be stolen, they have to pay for everything they lost and have no comeback. Even if you had the PIN and the transaction was authorised at the time.

      So guess where people go when they've stolen a credit card and don't want to be seen on CCTV etc. using it?

    2. Re:Problem non existant in NZ by viperidaenz · · Score: 1

      NZ is probably a bit unique.
      We have a debit card network (I think it's still called EFTPOS) which means transactions for debit cards don't go through Visa/Mastercard/etc. It's a pretty much zero fee network.
      The reason small shops here hate you paying by credit card or NFC is the fees. Those all go through the credit card networks and they've just gone from free transactions for debit cards to 2.5% fees for credit cards. Sometimes even larger for small transactions.

      Here's an agreement for merchant credit card services: https://www.westpac.co.nz/asse...
      As long as the customer enters a PIN or the signature matches and the terminal says "ACCEPTED", the transaction will be paid. The only way the merchant will not get paid is if the card holder is successful in a charge back.

  18. I can vouch for this. by Anonymous Coward · · Score: 0

    I knew an independent merchant a few years back and the problem was the middlemen were taking a higher percentage of transactions if you got the fancier equipment, and either didn't allow outright hardware purchase or gouged on it claiming the backend processing was higher.

    End result merchants didn't want to lose the extra percentage points in their transaction fees and went with the equipment that wouldn't (at the time) cost it.

    The whole equipment situation is a mess too, because most of them were sending unencrypted data, either over telephone lines, or via http (not https!) Whole thing was an ugly mess.

  19. bitcoin user not affected [nt] by themusicgod1 · · Score: 1

    nt

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  20. US is like a developing country by Anonymous Coward · · Score: 0

    When I visited the US a couple of years ago, I was surprised to see how backwards everything was. I had to constantly explain that although my card has a magnetic strip, it does not tap into any of the data on the card. It's chip, or nothing. I had to leave stores more than once, because their terminals didn't support chips. Strips are not used at all anymore where I live, they are simply considered too insecure, so no data are stored on them, they are only there because the cards themselves are produced that way. And this is the exact reason why we have stopped using them.

    The reason why banks have implemented it is because they are responsible for fraud with the cards, as long as they cannot prove that the owner of the card has been careless with their PIN. If they authorize payment without PIN, all the owner has to do is say they didn't make that purchase. Guess that gave the banks an incentive to fix their security issues.

    1. Re:US is like a developing country by Anonymous Coward · · Score: 0

      My newest card was made without a stripe. Not using the stripe is apparently big enough that they started saving money on not making a stripe.

    2. Re:US is like a developing country by Anonymous Coward · · Score: 0

      I'm just waiting for a card that employs the same magstrip emulation in a secure way like how Samsung pay works. Something like the long dead Coin card, but smarter and tokenized. Something like that would not need a black colored bar at all as the magnetic field comes from a coil, and on the Coin card the black strip was fake and was only used to make sure you swiped the correct side of the card.

      One can dream.

  21. Said enough by Anonymous Coward · · Score: 0

    I know it has already been said enough, but I am also surprised by this info. I'm starting to notice the last couple of months that we are not behind America regarding the usage of technology, but America is way behind the modern world, with a lot of technologies. (Like your Robocall issues)

    Maybe these are the cons of a free society?

    It's not that I am mad, or disappointed, but really surprised, always was in the illusion America is high tech, and I should move to there to be in touch with the latest and greatest. But now realizing it would set me back almost 10 Years. And maybe they are high tech but low tech in the implementation. The higher (lobby) forces too strong to fight?

    People interested in Tech and Politics - y'all should be doing something to lift US to the next level man. Stop with only subtracting value from people (Mass data new gold), and start giving something back. (Good secure systems, which do not allow tracking, stalking and stealing)

    Never meet your heroes - starting to understand what it means now :P sorry little disappointed still. Don't want to believe this story.

    1. Re:Said enough by Anonymous Coward · · Score: 0

      As long as the mindset of "profit over all else" exists things like that will never happen.

    2. Re:Said enough by terrycarlino · · Score: 1

      Typically the problem has been that the U.S. is an early adopter. We got cell phones first so there were competing standards. By the time other countries jumped on the bandwagon a clear technology winner was established and so they never faced the competing standards with installed infrastructure problem.

      The U.S. invented the credit card. The same applies.

      Second is scope. The U.S. is big, with fifty different legal standards for most things. Many people consider this a feature not a bug, but this means that in many cases federal regulators can't just impose requirements on banks and retailers.

      Like everything else it's a matter of winners and losers. Who loses if security is bad and who wins if it's good? Like the casinos the banks never lose. It's unclear if normal customers win if security is good. Most people never get hit by fraud in a way that hurts. I've had banks replace my cards dozens of times due to fraudulent charges over the years, never been charged a cent for the charges, or even been inconvenienced, except for having to change the charge number in my online accounts.

      Have I paid more for products or service over that time due to the collective cost of fraud? Probably, but I can't quantify that amount. And I'm not totally convinced the banks, credit card companies and retailers wouldn't have charged the same and pocketed the difference anyway.