Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system. The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."

Re:Tin foil hats!

[cryptizard]

Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.

Re:Skim software

[cryptizard]

Chip and PIN cards use a challenge-response protocol so even if you skim all the information you can only make one charge before it becomes invalid. There is actually a microprocessor on the card that does crypto so the credentials transferred only allow a single authorized transaction. So if the charge goes through for the thing you were supposed to be buying, then you know you aren't getting scammed. Technically they could block the charge and do another one that gives the money to them, but that is a lot harder and more likely to be noticed.

Re:I guess they have never heard of two factor aut

[gl4ss]

yeah you try getting people to both sign and enter a pin and wait in line as others do so.

the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen(and captured at maybe 300px80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.

chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).

Misleading liability claim

[KitFox]

I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.

Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.

Re:Tin foil hats!

[cryptizard]

With the machine that is given out by the credit card companies you need to pretty much touch it, but security researchers have shown that you can use higher powered equipment to read it from up to 15-20 feet away.

Re:Sorry, it's horribly insecure,

[boristdog]

In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.

Re:It's about time.

[Andrewkov]

You don't give them your PIN, you give them the 3 numbers on the back of the card. You only need to have your chip read and PIN entered when using the card at a physical store.

Re:It's about time.

[fredrik70]

You can use the chip and pin cards for old-style transactions as well. If I go to the states with my card I just swipe and sign as everyone else.

Re:Sorry, it's horribly insecure,

[west]

The fact that EMV (chip & pin) is not perfectly secure is *massively* less of a problem than credit/debit card skimming.

ATM fraud has been squeezed out of pretty much the rest of the world and is migrating to the USA in droves. When Canada switched, ATM fraud basically killed organized rings. These rings are reluctantly moving to the US (a draconian justice system does have *some* upside) and along with an small army of engineers working on whisper thin skimmers and business ideas like ATM fraud franchises, things look pretty scary if the US doesn't switch.

The downside is, unlike Canada, there's no single inter-branch network like Canada that can kick members off who don't upgrade. Instead there's thousands of banks who may not want the expense of switching to EMV. And as long as there are any mag-stripe only ATMs on the network you belong to, you're vulnerable to having your cards skimmed. So, the US will have it much tougher. (POS fraud is not nearly as big a problem. It's pretty hard to get $100K out of one POS terminal using 2,000 cards without the operator getting suspicious. And then you take a massive loss fencing the goods. ATM is what organized crime goes after.)

On the upside, the US is on the forefront of real-time risk assessment of transactions. They're getting better and better at assessing suspicious transactions. Still, there'll be more and more false positives as fraud goes up, so remember to carry multiple cards...

Re:It's about time.

[rossdee]

"There is no new PIN, it's the same one used for the ATM"

  At The Moment my credit card doesn't have a PIN

And I don't use it for getting cash, since that transaction costs, and they charge interest straight away.

Re:It's about time.

[Zmobie]

Most people don't use their strict credit cards at an ATM (check cards are obviously different...) because of the ridiculous rates they charge for cash advances and therefore have not set up or are even aware of that feature. I have multiple credit lines that I have never done that with because I have no desire to use my card for that purpose.

Like Travelling back in time

[Anonymous Coward]

Visiting the US from Canada is like travelling back in time. Debit cards? What are those? I was stunned that I had to pay for gas at the pump with a credit card - there is NO widespread use of debit cards. Credit card carbon paper and swipers? What year is this? Pay phones that only take one kind of card payment, and no others, because of exclusivity deals between the phone company and a card company. Unheard of. What a crazy messed up system you guys have there. Come to Canada. Come to the future, now.

Re:It's about time.

[beelsebob]

Except if america caught up with the rest of the world, each of those credit and debit pairs would be one card ;).

Re:It's about time.

[beelsebob]

... RFID is orders of magnitude less secure than a regular magnetic strip.

Lucky that chip-and-pin cards don't have RFID on them then ;). They must be inserted into the reader for the chip to be used, and even then, the chip is not (and can not be) read, instead, it's used to encrypt, and sign your PIN, so that the bank can verify that it's really you (or someone who knows your PIN, and has your card – whee, two fold security, something you know, and something you have) there.

Re:It's about time.

[orlanz]

That is a VERY foolish thing to do on the part of the consumers. You are consolidating and increasing risk. Funny part is that the risk balance shifts to the consumer away from the bank/lender. The overall risk is higher, the lender's is lower, and the consumer's is higher. What a great world.

The rest of the world isn't ahead of the US in this regard. They are behind. Because the credit risk in the world is higher, lenders want to offload more of their risk to the users. This is why the rest of the world has credit/debit + pin consolidation.

Re:It's about time.

[rjstanford]

The nice thing is that we don't have to guess.

You see, this is already in use damn near everywhere else on the planet that uses credit cards.

They used to use the same cards as the US. They switched. Fraud went down. Vendors and banks did, indeed, opt-in. Nobody's brain melted from having to remember their PIN.

Just relax. It'll be fine.

Re:It's about time.

[suutar]

It used to be that way, til November 2009, but now the banks have to actually prove that it was the customer's error (Wikipedia's article on chip and pin [wikipedia.org] mentions this in the "Bank's Liability" and "Criticism" sections).