Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Crime Security The Almighty Buck Upgrades Technology

Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards 731

schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system. The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."
This discussion has been archived. No new comments can be posted.

Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

Comments Filter:
  • It's about time. (Score:5, Insightful)

    by Bill_the_Engineer ( 772575 ) on Tuesday February 11, 2014 @08:51AM (#46216913)
    Finally the US banking system is catching up to the rest of the world.
    • by SerpentMage ( 13390 ) on Tuesday February 11, 2014 @09:01AM (#46216985)

      I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...

      • by N0Man74 ( 1620447 ) on Tuesday February 11, 2014 @09:29AM (#46217241)

        I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...

        Yeah, why hasn't the US got on board yet with implementing technology that allows banks and issuers to absolve themselves of responsibility and push the blame onto the consumers?

        If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.

        As a bonus, the consumers get to be forced to memorize a new PIN!

        It's Win WIn.

        • by SirSlud ( 67381 ) on Tuesday February 11, 2014 @10:24AM (#46217757) Homepage

          "the consumers get to be forced to memorize a new PIN!"

          Sometimes it's funny to hear Americans complain about how difficult life is. Change is so scary!

        • Re:It's about time. (Score:5, Informative)

          by suutar ( 1860506 ) on Tuesday February 11, 2014 @11:26AM (#46218421)
          It used to be that way, til November 2009, but now the banks have to actually prove that it was the customer's error (Wikipedia's article on chip and pin [wikipedia.org] mentions this in the "Bank's Liability" and "Criticism" sections).
        • by taustin ( 171655 )

          If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.

          I'm not aware of any changes in the law regarding credit cards, which say that the consumer is only responsible for the first $50 (and not even that once it's been reported). Do you have a source on that claim? No? Why am I no surprised?

      • Serious question here, given you've lived with chip and PIN.

        How does this work with transactions over the telephone? Even now, not every business has a website. Additionally, I know I've paid a few bills over the years by calling the company and giving them my credit card number.

        And, if the answer is "you give them the PIN over the phone" - doesn't that mean the supposed increased security in chip and PIN is somewhat illusory, given you can break the "something you have + something you know" model?

        • Re:It's about time. (Score:4, Informative)

          by Andrewkov ( 140579 ) on Tuesday February 11, 2014 @09:35AM (#46217305)

          You don't give them your PIN, you give them the 3 numbers on the back of the card. You only need to have your chip read and PIN entered when using the card at a physical store.

        • Re:It's about time. (Score:4, Informative)

          by fredrik70 ( 161208 ) on Tuesday February 11, 2014 @09:38AM (#46217345) Homepage

          You can use the chip and pin cards for old-style transactions as well. If I go to the states with my card I just swipe and sign as everyone else.

          • I do the same. And, predictably, I've had my credit card number stolen and then had to replace the card.

            When I was talking to the person on the phone that was telling me that my card number was stolen, they asked me if I'd bought anything online recently, or what have you. I told them that I'd bought petrol in the States, and they went, "Oooooh, that must be it. Okay."

        • Here in Canada, phone transactions usually require the CVV2 code on the back of the card. You don't enter your PIN, because you're not verifying using the chip.

    • by jellomizer ( 103300 ) on Tuesday February 11, 2014 @09:13AM (#46217077)

      I don't get why they are trying to catch up, banks are dropping the ball here, and they should focus on exceeding the rest of the world.

      Why is the US behind everyone, well because we were first to come up with the initial infrastructure, by the time something new came along, we had a large complete infrastructure. So now the infrastructure is out of date, this happens. But when it does we need to try to invest into the next step, not the current, otherwise we will always be catching up.

      • by TyFoN ( 12980 )

        The US is behind because no one have ever trusted your banks. Even the FED is 7 different units to make sure there is no central authority.

        It's also why the US has the one of the largest cash to card ratios in the world.

        • There is a heck of a lot of investments to an organization that no one trusts.
          They may not trust US banks, but they trust them more than most other countries.

      • There's a giant warehouse looking building on the Miami river - prime, high dollar real-estate. At one time, it housed a Visa clearinghouse - where they would process all the credit card slips, by hand labor - reading the imprints and keypunch entering them into the computer. That building still has no windows facing the river.

        Handling money is huge business, they've gotten more efficient over the years, but the basic rates that are charged for processing the transactions are still more or less intact, 2i

      • by pikine ( 771084 ) on Tuesday February 11, 2014 @10:51AM (#46218027) Journal

        That's because the outdated infrastructure had been economically viable to use, so there had been no reason to update it, until now, that is.

        Many ways of the US rely on an honor system. There used to be unattended shops where you take the goods and put money in a box. The box didn't use to require a lock. This might be possible in a small town where everyone trusted each other, but in a city where crime is rampant, this business model is simply not economically viable. Public transportation used to allow monthly or weekly pass holders to board from the rear doors without verifying their passes, but they don't allow that anymore because nowadays enough non-paying passengers take advantage of that such that the honor system is no longer economically viable.

        The honor system is always able to absorb a small percentage of fraud cases and remain economically viable. It's only when the fraud rate rises past a certain threshold when the system breaks down.

        When a merchant displays a credit card logo, you trust the merchant. When the merchant hands you a receipt and you sign it, the merchant trusts you to pay. Again, this is an honor system. The rest of the world also started off with a complete "out of date" manual-imprint or swipe-card honor system. They were forced to upgrade the infrastructure because they suffered enough fraud such that the old system was no longer economically viable. The new smart card system is designed to enforce contractual agreement so that you don't need to rely on the honor system anymore, making credit payments economically viable again.

        The US simply held off this long because the honor system had worked until now. Economic viability is the reason. The bad news is that the US has morally declined to the level of the rest of the world. The good news is that the US upheld its morals longer, being the last to abandon the honor system.

    • I guess we need to drive on the left side of the road and stop wearing deodorant too.
    • Yeeeeeah, it sounds like we're rolling out an amazing new technology called a debit card.
      • That's odd, none of my debit cards have chips in them. Must be not the same after all, even if they both happen to use a PIN (but then again, so do a lot of doors... does that mean the new credit cards can work as doors too?)

    • by davecb ( 6526 ) <davecb@spamcop.net> on Tuesday February 11, 2014 @09:23AM (#46217173) Homepage Journal
      One of Ross Anderson's 2010 highlights was a paper on why Chip and PIN is broken [lightbluetouchpaper.org]for which he got coverage on Newsnight and a best paper award. Later, the banks tried to suppress this research [lightbluetouchpaper.org].

      Ross [cam.ac.uk]is a security researcher at University of Cambridge.

      In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

      • by boristdog ( 133725 ) on Tuesday February 11, 2014 @09:31AM (#46217259)

        In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

        IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.

        • In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

          IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.

          It's not about authentication, it's about nonrepudiation. Next time you are at a POS terminal with a digitizer, take a look around and count how many cameras are watching you. Then think about how you would deny it was you signing, and get away with it. Therein lies the importance of the signature. Remember, trust is required of *all* parties and the system is designed to generate it (except where it's not profitable, and then it's simply ignored).

      • Worst case scenario (criminal has your card and it isn't cancelled) chip+PIN is no worse than mag stripe+signature. In all other cases, chip+PIN is far superior.

      • Even without the PIN security, it is still better than magnetic stripe because you can't easily clone the card. You have to physically steal it, not do an attack like the Target one where they skimmed all the information from thousands of customers without them knowing.
      • by west ( 39918 ) on Tuesday February 11, 2014 @09:48AM (#46217457)

        The fact that EMV (chip & pin) is not perfectly secure is *massively* less of a problem than credit/debit card skimming.

        ATM fraud has been squeezed out of pretty much the rest of the world and is migrating to the USA in droves. When Canada switched, ATM fraud basically killed organized rings. These rings are reluctantly moving to the US (a draconian justice system does have *some* upside) and along with an small army of engineers working on whisper thin skimmers and business ideas like ATM fraud franchises, things look pretty scary if the US doesn't switch.

        The downside is, unlike Canada, there's no single inter-branch network like Canada that can kick members off who don't upgrade. Instead there's thousands of banks who may not want the expense of switching to EMV. And as long as there are any mag-stripe only ATMs on the network you belong to, you're vulnerable to having your cards skimmed. So, the US will have it much tougher. (POS fraud is not nearly as big a problem. It's pretty hard to get $100K out of one POS terminal using 2,000 cards without the operator getting suspicious. And then you take a massive loss fencing the goods. ATM is what organized crime goes after.)

        On the upside, the US is on the forefront of real-time risk assessment of transactions. They're getting better and better at assessing suspicious transactions. Still, there'll be more and more false positives as fraud goes up, so remember to carry multiple cards...

      • by tgd ( 2822 )

        In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

        Which is okay, as US cards are going Chip+Signature, not Chip+PIN.

    • by dr.Flake ( 601029 ) on Tuesday February 11, 2014 @10:17AM (#46217683)

      Welcome to the 21st century.

      Now if you guys could do something about the insationable hunger for credit. You guys already live from the credit of the rest of the world. Sure it stimulates the economy, but in the real world you can only spend a dollar once.

  • by u38cg ( 607297 ) <calum@callingthetune.co.uk> on Tuesday February 11, 2014 @08:54AM (#46216935) Homepage
    Why the hell has it taken y'all so long?
    • Why the hell has it taken y'all so long?

      Corporate lobbying, banks putting profits over security, and a general unwillingness to pass laws putting the onus on the card processors to actually implement any security and be responsible when it goes wrong.

    • Re:One question (Score:5, Insightful)

      by alen ( 225700 ) on Tuesday February 11, 2014 @09:11AM (#46217059)

      the USA had credit cards first
      any time you are first you build up a system and its hard to change. if you adopt a tech later in its lifecycle you go with the latest tech at the time

      • Re:One question (Score:4, Insightful)

        by Alioth ( 221270 ) <no@spam> on Tuesday February 11, 2014 @09:16AM (#46217097) Journal

        That isn't a good explanation in this case. The UK (and pretty much every European Union country) for instance had a swipe and sign credit card infrastructure just like the United States decades before the introduction of chip and PIN, yet the UK changed to chip and pin 10 years ago despite having the same infrastructure issue as the US.

        • While I'll accept your counter, it should also be noted that most EU countries are much smaller than the US, which does make it a bit easier to change that infrastructure. If the entire EU all had to switch at exactly the same time, that would be more akin to the US because every state has laws that are just a little bit different. That said, it's still no excuse for us taking this much longer to switch.

          • by Alioth ( 221270 )

            Nobody does it like that, though. For instance, Chip+PIN wasn't all done at the same time in the UK - there was a transition period of about a decade (I think the first time I saw a chip in my credit card was a full 7 years before I saw a Chip+PIN reader in a store). There's no reason why the US has to do it all in one big bang either, and the US as a whole is smaller than the EU as a whole in terms of population.

        • From the article it states that the banks here had to find a way to make chip and pin work while still complying with "the Durbin amendment" that required all credit card transactions be able to work on at least two networks. So if the article is be believed one of the major hold ups was due to the US government adding requirements. Requirements that just don't apply in these other countries.

      • The first proper credit card in the US was 1958, the first outside the US was 1966 (according to Wikipedia). I'm not sure that an 8 year head start investment of infrastructure from 50 years ago is a plausible explanation.

        It's easy to make excuses to save national face, but given the massive fraud reduction that chip and pin brings the likely result is that you have spent the last 10 years or so paying for the increased credit fraud in the US through charges or through increased interest rates on credit c
      • by Guppy06 ( 410832 )

        You're not old enough to remember credit card use before they had magnetic strips, are you? There's a reason why the name and numbers on them are (still) raised off the surface of the card.

        The magnetic strip system itself had to be "adopted later in its lifecycle."

  • Better late.... (Score:4, Interesting)

    by rmdingler ( 1955220 ) on Tuesday February 11, 2014 @08:56AM (#46216949) Journal
    The anti-counterfeiting technology implementation for currency was delayed, in part, by lobbying companies involved in vending.

    Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.

    The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.

    • by SJHillman ( 1966756 ) on Tuesday February 11, 2014 @09:31AM (#46217257)

      "The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire."

      But with a name like that, surely they were asking for it...

    • by EvilSS ( 557649 )

      The anti-counterfeiting technology implementation for currency was delayed, in part, by lobbying companies involved in vending.

      Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.

      The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.

      Actually, the big retailers have been asking for this for a while now, it's been the card companies that have been dragging their feet on it.

  • Why the hell would they switch to a pin system, rather than adding it as a second factor? The signature is useful for forensic analysis of the fraud after the fact. It is hard to beleive this is about security, and easy to believe it is about them saving money by not having to deal with signatures and the overhead, etc.
    • by gl4ss ( 559668 ) on Tuesday February 11, 2014 @09:11AM (#46217057) Homepage Journal

      yeah you try getting people to both sign and enter a pin and wait in line as others do so.

      the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen(and captured at maybe 300px80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.

      chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).

    • by 3247 ( 161794 )

      Why the hell would they switch to a pin system, rather than adding it as a second factor? The signature is useful for forensic analysis of the fraud after the fact.

      Is it? Really?

    • The signature is useful for forensic analysis of the fraud after the fact.

      Can you cite a single case of anyone ever being convicted of fraud because of "forensic analysis" of their signature on a credit card receipt? You watch way too much CSI.

  • Your credit cards don't even have the microprocessors yet? So you can not use them at cash machines in large parts of the world anymore?
    • They're almost all backwards compatible. I've never been to a place where I couldn't use the ATM. Sometimes vendors won't accept it because they only have the hardware for chip and PIN, but ATMs usually work.
    • by jaymz666 ( 34050 )

      Why uses a credit card at a cash machine? The fees are outrageous.
      Payment terminals yes, to get cash, hell to the no

      • Don't know if its different in other parts of the world, but in the US as long as the machine is owned by your bank they have no fees. Go with a big enough bank and they have them pretty much everywhere. Some other banks (like Ally) that don't have their own ATM's actually refund you the fee that the machine charges so that it becomes effectively free to use any ATM.

        About 2 years ago or so a few of the major banks actually announced plans to charge people for debit card usage (it seems to encourage pullin

        • by jaymz666 ( 34050 )

          The topic is credit cards.

          You use a credit card at a cash machine and you are charged a cash advance interest rate immediately.

        • by nojayuk ( 567177 )

          It IS different in other parts of the world, like here in the UK. Most public ATMs are part of the Link network and debit cards for most of the big banks will work in any of them with no transaction fee.

          The next step being rolled out here is contactless debit cards which can be used with a wireless reader to make purchases of up to 20 quid without entering a PIN or otherwise authorising the transaction. I think the idea is the banks will eat the losses from any fraudulent transactions as long as they're for

    • by Alioth ( 221270 )

      I've had to bale out a couple of friends of mine visiting from the US when they got to a shop and their chip-less credit or debit card couldn't be used at all. The ATMs however seemed to mostly still accept chipless cards.

  • by tobe ( 62758 ) on Tuesday February 11, 2014 @09:09AM (#46217027)

    In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.

    But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.

    • by jareth-0205 ( 525594 ) on Tuesday February 11, 2014 @09:18AM (#46217119) Homepage

      Fingerprint is a terrible security mechanism. Not only does it give someone a reason to steal you *finger*, you also leave your fingerprint on everything you touch. Credentials shouldn't be revealed unless you are actually in the process of using them.

    • Re: (Score:2, Interesting)

      Most times I don't even sign my cards. Yes, I know I'm supposed to, but I've gone for years without signing it. It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card. Maybe once did someone even look for the signature and even then it was more of a "Oh, you didn't sign it" than a "We can't accept that card unsigned."

      • by EvilSS ( 557649 )

        It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card.

        Yea, it's much better to leave the card blank so the their can sign it themselves so the sig will match.

    • Re: (Score:2, Interesting)

      Europeans are much more shifty people who steal. This is why you are disarmed, have to register your address with the police, carry an internal passport, go through extensive background checks to be allowed to open bank accounts, register your TV sets, submit to home searches by tax collectors, etc. etc. The data breech motivating this change in the USA was perpetrated by a European lowlife. It's unfortunate that the upstanding people of America couldn't insulate themselves from this foreign pollution.
      • Re: (Score:2, Offtopic)

        by Chrisq ( 894406 )

        Europeans are much more shifty people who steal .... It's unfortunate that the upstanding people of America couldn't insulate themselves from this foreign pollution.

        Spoken like a true Native American. Unfortunately you are centuries too late.

  • Good god, it's been so long since I signed for a credit card transaction I can barely even remember it. Next you'll be telling me that the USA prefers to write on bits of paper to send money, taking ages for it to finally be transacted. I wonder. Are there people who are responsible for driving around a nuclear-powered, one-ton robotic laboratory on another planet, who swing by the supermarket before going home and pay for their goods after signing a little bit of paper?

    Mind you, chip-and-PIN is hardly secu

  • by KitFox ( 712780 ) on Tuesday February 11, 2014 @09:12AM (#46217075)

    I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.

    Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.

    • by davecb ( 6526 )
      In the UK, the Banks famously collected from the cardholder, arguing that they had lost their pin. This took years to overturn...
  • by Ken D ( 100098 ) on Tuesday February 11, 2014 @09:20AM (#46217137)

    Chip & pin has never been about security. It's about the ability for CC issuers to eliminate the repudiation of fraudulent transactions by claiming that their authorization system is fraud proof and therefore every transaction is a priori an authorized transaction: http://www.thisismoney.co.uk/m... [thisismoney.co.uk]

  • Chip and pin would be much safer if you entered the pin into the card, instead of into the merchant's equipment.

    • True, but it would cost an obscene amount of money and/or be obnoxiously large. Fortunately you usually enter the pin on the small, bank issued card reader and not the POS, and it's much harder to put a hardware skimmer or malicious software on that thing.
  • by Frankie70 ( 803801 ) on Tuesday February 11, 2014 @09:59AM (#46217541)

    So what happens at a restaurant. The waiter gets the check. You go with him to whether the credit card machine is set up to punch your PIN?

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...