Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards 731
schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system.
The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."
It's about time. (Score:5, Insightful)
Re:It's about time. (Score:4, Insightful)
I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...
Re:It's about time. (Score:5, Insightful)
I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...
Yeah, why hasn't the US got on board yet with implementing technology that allows banks and issuers to absolve themselves of responsibility and push the blame onto the consumers?
If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.
As a bonus, the consumers get to be forced to memorize a new PIN!
It's Win WIn.
Re:It's about time. (Score:5, Funny)
"the consumers get to be forced to memorize a new PIN!"
Sometimes it's funny to hear Americans complain about how difficult life is. Change is so scary!
Re: (Score:3, Informative)
Except if america caught up with the rest of the world, each of those credit and debit pairs would be one card ;).
Re:It's about time. (Score:5, Informative)
That is a VERY foolish thing to do on the part of the consumers. You are consolidating and increasing risk. Funny part is that the risk balance shifts to the consumer away from the bank/lender. The overall risk is higher, the lender's is lower, and the consumer's is higher. What a great world.
The rest of the world isn't ahead of the US in this regard. They are behind. Because the credit risk in the world is higher, lenders want to offload more of their risk to the users. This is why the rest of the world has credit/debit + pin consolidation.
Re:It's about time. (Score:5, Insightful)
This puts the risk entirely on the consumer side. They have to monitor their account daily now.
Your debit card is somehow compromised, someone makes a purchase with it that takes your account to well below the balance you expect to be there, your rent is due and has been set to be paid and the balance in your account is hundreds less than you expect it to be.
Rent bounces, you're charged a fee. Or better yet, your bank approves the rent to go through and you are negative, all your other charges go through for lunch, for groceries, whatever. You get hit with fees for all these transactions. Then you have to fight with the bank.
Yeah, no risk at all.
This may sound hypothetical but I assure you, it's not.
Re: (Score:3)
Actually, no. All debit transactions made through the typical POS systems in Europe are entirely reversible within something like a day or so. So the procedure is the same - you notice a problem,
I don't look at my online statements every day. By the time I notice a debit problem, the account will have been empty for on average two weeks, potentially an entire month. That's a significant problem when the checks written on that account start bouncing. Yeah, how nice, my account has been empty for two weeks but they'll maybe put it back within a day, if they decide that there was a problem.
I'll stick with the banks being stuck while the problem is resolved, thanks.
The only way you have a real problem is if someone steals your card and your PIN and manages to make an ATM withdrawal up to the maximum daily limit
Debit cards in the US are not lim
Re: (Score:3)
Not if you don't want to. You are able to change your Pins at a ATM
Re:It's about time. (Score:5, Informative)
Re: (Score:3)
If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.
I'm not aware of any changes in the law regarding credit cards, which say that the consumer is only responsible for the first $50 (and not even that once it's been reported). Do you have a source on that claim? No? Why am I no surprised?
Re:It's about time. (Score:5, Informative)
"There is no new PIN, it's the same one used for the ATM"
At The Moment my credit card doesn't have a PIN
And I don't use it for getting cash, since that transaction costs, and they charge interest straight away.
Re: (Score:3)
Re:It's about time. (Score:5, Informative)
Most people don't use their strict credit cards at an ATM (check cards are obviously different...) because of the ridiculous rates they charge for cash advances and therefore have not set up or are even aware of that feature. I have multiple credit lines that I have never done that with because I have no desire to use my card for that purpose.
Re: (Score:3)
Serious question here, given you've lived with chip and PIN.
How does this work with transactions over the telephone? Even now, not every business has a website. Additionally, I know I've paid a few bills over the years by calling the company and giving them my credit card number.
And, if the answer is "you give them the PIN over the phone" - doesn't that mean the supposed increased security in chip and PIN is somewhat illusory, given you can break the "something you have + something you know" model?
Re:It's about time. (Score:4, Informative)
You don't give them your PIN, you give them the 3 numbers on the back of the card. You only need to have your chip read and PIN entered when using the card at a physical store.
Re:It's about time. (Score:5, Informative)
The nice thing is that we don't have to guess.
You see, this is already in use damn near everywhere else on the planet that uses credit cards.
They used to use the same cards as the US. They switched. Fraud went down. Vendors and banks did, indeed, opt-in. Nobody's brain melted from having to remember their PIN.
Just relax. It'll be fine.
Re: (Score:3)
The three banks in Sweden I have accounts with do it sort of in that way:
Chip/pin card, hardware token...
Bank website shows a string of numbers, you put the card in the hardware token, press Login, type in the string, then your pin, get a string from token to type into website login.
There's another button for a Signing process, to authorize transactions. Another option(that very few card processors support so far, due to the prevalence of US stone age cards....It's mostly western/Northern europe card proces
Re:It's about time. (Score:4, Informative)
You can use the chip and pin cards for old-style transactions as well. If I go to the states with my card I just swipe and sign as everyone else.
Re: (Score:3)
I do the same. And, predictably, I've had my credit card number stolen and then had to replace the card.
When I was talking to the person on the phone that was telling me that my card number was stolen, they asked me if I'd bought anything online recently, or what have you. I told them that I'd bought petrol in the States, and they went, "Oooooh, that must be it. Okay."
Re:It's about time. (Score:5, Funny)
/ducks
Re:It's about time. (Score:5, Funny)
no you don't. you use petrol, you just call it gas. even thought it's a liquid. /ducks
Re: (Score:2)
Here in Canada, phone transactions usually require the CVV2 code on the back of the card. You don't enter your PIN, because you're not verifying using the chip.
Re:It's about time. (Score:5, Insightful)
I don't get why they are trying to catch up, banks are dropping the ball here, and they should focus on exceeding the rest of the world.
Why is the US behind everyone, well because we were first to come up with the initial infrastructure, by the time something new came along, we had a large complete infrastructure. So now the infrastructure is out of date, this happens. But when it does we need to try to invest into the next step, not the current, otherwise we will always be catching up.
Re: (Score:2)
The US is behind because no one have ever trusted your banks. Even the FED is 7 different units to make sure there is no central authority.
It's also why the US has the one of the largest cash to card ratios in the world.
Re: (Score:2)
There is a heck of a lot of investments to an organization that no one trusts.
They may not trust US banks, but they trust them more than most other countries.
Re: (Score:3)
There's a giant warehouse looking building on the Miami river - prime, high dollar real-estate. At one time, it housed a Visa clearinghouse - where they would process all the credit card slips, by hand labor - reading the imprints and keypunch entering them into the computer. That building still has no windows facing the river.
Handling money is huge business, they've gotten more efficient over the years, but the basic rates that are charged for processing the transactions are still more or less intact, 2i
Economic viability is the reason (Score:4, Interesting)
That's because the outdated infrastructure had been economically viable to use, so there had been no reason to update it, until now, that is.
Many ways of the US rely on an honor system. There used to be unattended shops where you take the goods and put money in a box. The box didn't use to require a lock. This might be possible in a small town where everyone trusted each other, but in a city where crime is rampant, this business model is simply not economically viable. Public transportation used to allow monthly or weekly pass holders to board from the rear doors without verifying their passes, but they don't allow that anymore because nowadays enough non-paying passengers take advantage of that such that the honor system is no longer economically viable.
The honor system is always able to absorb a small percentage of fraud cases and remain economically viable. It's only when the fraud rate rises past a certain threshold when the system breaks down.
When a merchant displays a credit card logo, you trust the merchant. When the merchant hands you a receipt and you sign it, the merchant trusts you to pay. Again, this is an honor system. The rest of the world also started off with a complete "out of date" manual-imprint or swipe-card honor system. They were forced to upgrade the infrastructure because they suffered enough fraud such that the old system was no longer economically viable. The new smart card system is designed to enforce contractual agreement so that you don't need to rely on the honor system anymore, making credit payments economically viable again.
The US simply held off this long because the honor system had worked until now. Economic viability is the reason. The bad news is that the US has morally declined to the level of the rest of the world. The good news is that the US upheld its morals longer, being the last to abandon the honor system.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's odd, none of my debit cards have chips in them. Must be not the same after all, even if they both happen to use a PIN (but then again, so do a lot of doors... does that mean the new credit cards can work as doors too?)
Sorry, it's horribly insecure, (Score:5, Interesting)
Ross [cam.ac.uk]is a security researcher at University of Cambridge.
In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".
Re:Sorry, it's horribly insecure, (Score:5, Informative)
In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".
IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.
Re: (Score:3)
In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".
IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.
It's not about authentication, it's about nonrepudiation. Next time you are at a POS terminal with a digitizer, take a look around and count how many cameras are watching you. Then think about how you would deny it was you signing, and get away with it. Therein lies the importance of the signature. Remember, trust is required of *all* parties and the system is designed to generate it (except where it's not profitable, and then it's simply ignored).
Re: (Score:2)
Worst case scenario (criminal has your card and it isn't cancelled) chip+PIN is no worse than mag stripe+signature. In all other cases, chip+PIN is far superior.
Re: (Score:2)
Re:Sorry, it's horribly insecure, (Score:5, Informative)
The fact that EMV (chip & pin) is not perfectly secure is *massively* less of a problem than credit/debit card skimming.
ATM fraud has been squeezed out of pretty much the rest of the world and is migrating to the USA in droves. When Canada switched, ATM fraud basically killed organized rings. These rings are reluctantly moving to the US (a draconian justice system does have *some* upside) and along with an small army of engineers working on whisper thin skimmers and business ideas like ATM fraud franchises, things look pretty scary if the US doesn't switch.
The downside is, unlike Canada, there's no single inter-branch network like Canada that can kick members off who don't upgrade. Instead there's thousands of banks who may not want the expense of switching to EMV. And as long as there are any mag-stripe only ATMs on the network you belong to, you're vulnerable to having your cards skimmed. So, the US will have it much tougher. (POS fraud is not nearly as big a problem. It's pretty hard to get $100K out of one POS terminal using 2,000 cards without the operator getting suspicious. And then you take a massive loss fencing the goods. ATM is what organized crime goes after.)
On the upside, the US is on the forefront of real-time risk assessment of transactions. They're getting better and better at assessing suspicious transactions. Still, there'll be more and more false positives as fraud goes up, so remember to carry multiple cards...
Re: (Score:3)
In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".
Which is okay, as US cards are going Chip+Signature, not Chip+PIN.
Re:It's about time. (Score:4, Insightful)
Welcome to the 21st century.
Now if you guys could do something about the insationable hunger for credit. You guys already live from the credit of the rest of the world. Sure it stimulates the economy, but in the real world you can only spend a dollar once.
Re:It's about time. (Score:4, Funny)
Damn...I've been avoiding cards with chips in them all these years.
I don't want a smart card.
You should also avoid cards with magnetic strips on them. Damn dirty electromagnetic field technology!
And what good does this do you when you buy online?
Nothing. Of course, any improvement in security that doesn't improve security in every possible case should be discounted completely!
Re:It's about time. (Score:5, Informative)
... RFID is orders of magnitude less secure than a regular magnetic strip.
Lucky that chip-and-pin cards don't have RFID on them then ;). They must be inserted into the reader for the chip to be used, and even then, the chip is not (and can not be) read, instead, it's used to encrypt, and sign your PIN, so that the bank can verify that it's really you (or someone who knows your PIN, and has your card – whee, two fold security, something you know, and something you have) there.
Re:It's about time. (Score:4, Interesting)
And what good does this do you when you buy online?
Buying online - at least when its physical goods - requires a shipping address. That's a big risk for a thief to take as even if they're using an address they don't live at, if the fraud is discovered while the item is in transit the address may be being monitored by authorities.
Re: (Score:2)
Not to mention that schemes like Verified By Visa mean you often now have to enter a password into a bank-served iframe that verifies you.
Re: (Score:2)
Not to mention that schemes like Verified By Visa mean you often now have to enter a password into a bank-served iframe that verifies you.
Which just gets people used to typing their password into a random web frame, if they can even remember what it is. This is why I normally use my Amex card for ordering online, it doesn't have any of this crap.
Re:It's NOT about time (Score:3)
One question (Score:3)
Re: (Score:3)
Corporate lobbying, banks putting profits over security, and a general unwillingness to pass laws putting the onus on the card processors to actually implement any security and be responsible when it goes wrong.
Re:One question (Score:5, Insightful)
the USA had credit cards first
any time you are first you build up a system and its hard to change. if you adopt a tech later in its lifecycle you go with the latest tech at the time
Re:One question (Score:4, Insightful)
That isn't a good explanation in this case. The UK (and pretty much every European Union country) for instance had a swipe and sign credit card infrastructure just like the United States decades before the introduction of chip and PIN, yet the UK changed to chip and pin 10 years ago despite having the same infrastructure issue as the US.
Re: (Score:3)
While I'll accept your counter, it should also be noted that most EU countries are much smaller than the US, which does make it a bit easier to change that infrastructure. If the entire EU all had to switch at exactly the same time, that would be more akin to the US because every state has laws that are just a little bit different. That said, it's still no excuse for us taking this much longer to switch.
Re: (Score:3)
Nobody does it like that, though. For instance, Chip+PIN wasn't all done at the same time in the UK - there was a transition period of about a decade (I think the first time I saw a chip in my credit card was a full 7 years before I saw a Chip+PIN reader in a store). There's no reason why the US has to do it all in one big bang either, and the US as a whole is smaller than the EU as a whole in terms of population.
Re: (Score:2)
From the article it states that the banks here had to find a way to make chip and pin work while still complying with "the Durbin amendment" that required all credit card transactions be able to work on at least two networks. So if the article is be believed one of the major hold ups was due to the US government adding requirements. Requirements that just don't apply in these other countries.
Re: (Score:3)
It's easy to make excuses to save national face, but given the massive fraud reduction that chip and pin brings the likely result is that you have spent the last 10 years or so paying for the increased credit fraud in the US through charges or through increased interest rates on credit c
Re: (Score:3)
You're not old enough to remember credit card use before they had magnetic strips, are you? There's a reason why the name and numbers on them are (still) raised off the surface of the card.
The magnetic strip system itself had to be "adopted later in its lifecycle."
Better late.... (Score:4, Interesting)
Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.
The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.
Re:Better late.... (Score:5, Funny)
"The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire."
But with a name like that, surely they were asking for it...
Re: (Score:3)
The anti-counterfeiting technology implementation for currency was delayed, in part, by lobbying companies involved in vending.
Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.
The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.
Actually, the big retailers have been asking for this for a while now, it's been the card companies that have been dragging their feet on it.
I guess they have never heard of two factor auth (Score:2)
Re:I guess they have never heard of two factor aut (Score:5, Informative)
yeah you try getting people to both sign and enter a pin and wait in line as others do so.
the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen(and captured at maybe 300px80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.
chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).
Re: (Score:3)
And if someone hacks your card, they blame you (because you must have given away your PIN) and you have no way to prove it.
Incorrect. There are a variety of ways that your PIN can be compromised, and banks are well aware of that. Anything from shoulder surfing to keystroke logging will work.
My credit card (with chip and PIN) was skimmed last year (based on the timing I believe from a restaurant in Winnipeg) and my bank removed all of the charges with minimal intervention on my part.
Re: (Score:3)
My (Canadian debit) card has been scanned twice, and both times the bank called me up, notified me of the fraudulent charges on my account, and the money was back in my account in under two weeks.
Re: (Score:2)
Why the hell would they switch to a pin system, rather than adding it as a second factor? The signature is useful for forensic analysis of the fraud after the fact.
Is it? Really?
Re: (Score:3)
The signature is useful for forensic analysis of the fraud after the fact.
Can you cite a single case of anyone ever being convicted of fraud because of "forensic analysis" of their signature on a credit card receipt? You watch way too much CSI.
Really? (Score:2)
Re: (Score:2)
Re: (Score:2)
Why uses a credit card at a cash machine? The fees are outrageous.
Payment terminals yes, to get cash, hell to the no
Re: (Score:2)
Don't know if its different in other parts of the world, but in the US as long as the machine is owned by your bank they have no fees. Go with a big enough bank and they have them pretty much everywhere. Some other banks (like Ally) that don't have their own ATM's actually refund you the fee that the machine charges so that it becomes effectively free to use any ATM.
About 2 years ago or so a few of the major banks actually announced plans to charge people for debit card usage (it seems to encourage pullin
Re: (Score:3)
The topic is credit cards.
You use a credit card at a cash machine and you are charged a cash advance interest rate immediately.
Re: (Score:2)
It IS different in other parts of the world, like here in the UK. Most public ATMs are part of the Link network and debit cards for most of the big banks will work in any of them with no transaction fee.
The next step being rolled out here is contactless debit cards which can be used with a wireless reader to make purchases of up to 20 quid without entering a PIN or otherwise authorising the transaction. I think the idea is the banks will eat the losses from any fraudulent transactions as long as they're for
Re: (Score:2)
I've had to bale out a couple of friends of mine visiting from the US when they got to a shop and their chip-less credit or debit card couldn't be used at all. The ATMs however seemed to mostly still accept chipless cards.
Umm.. just as Europe moves beyond chip and pin... (Score:5, Interesting)
In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.
But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.
Re:Umm.. just as Europe moves beyond chip and pin. (Score:4, Insightful)
Fingerprint is a terrible security mechanism. Not only does it give someone a reason to steal you *finger*, you also leave your fingerprint on everything you touch. Credentials shouldn't be revealed unless you are actually in the process of using them.
Re: (Score:2, Interesting)
Most times I don't even sign my cards. Yes, I know I'm supposed to, but I've gone for years without signing it. It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card. Maybe once did someone even look for the signature and even then it was more of a "Oh, you didn't sign it" than a "We can't accept that card unsigned."
Re: (Score:2)
It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card.
Yea, it's much better to leave the card blank so the their can sign it themselves so the sig will match.
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2, Offtopic)
Europeans are much more shifty people who steal .... It's unfortunate that the upstanding people of America couldn't insulate themselves from this foreign pollution.
Spoken like a true Native American. Unfortunately you are centuries too late.
Dichotomy (Score:2)
Good god, it's been so long since I signed for a credit card transaction I can barely even remember it. Next you'll be telling me that the USA prefers to write on bits of paper to send money, taking ages for it to finally be transacted. I wonder. Are there people who are responsible for driving around a nuclear-powered, one-ton robotic laboratory on another planet, who swing by the supermarket before going home and pay for their goods after signing a little bit of paper?
Mind you, chip-and-PIN is hardly secu
Misleading liability claim (Score:5, Informative)
I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.
Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.
Re: (Score:2)
Who wants another ^&#$ thing to remember (Score:3)
Chip & pin has never been about security. It's about the ability for CC issuers to eliminate the repudiation of fraudulent transactions by claiming that their authorization system is fraud proof and therefore every transaction is a priori an authorized transaction: http://www.thisismoney.co.uk/m... [thisismoney.co.uk]
Chip and pin security (Score:2)
Chip and pin would be much safer if you entered the pin into the card, instead of into the merchant's equipment.
Re: (Score:2)
Restaurant (Score:3)
So what happens at a restaurant. The waiter gets the check. You go with him to whether the credit card machine is set up to punch your PIN?
Re: (Score:3)
They tend to be hand-held wireless devices that are left at the table.
Re:Tin foil hats! (Score:5, Informative)
Re: (Score:3, Insightful)
Actually, modern cards not only have the contact chip but also a "Contactless" mode that can be used for small payments.
So you can pay for your Starbucks or bus fare instantly just by tapping your Visa card, no need to swipe or insert the card and enter a PIN number. This is all still more secure than Swipe & Sign, because the cards can't be easily cloned and theres a relatively low transaction limit.
Re: (Score:2)
Re: (Score:2)
Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.
It's only SUPPOSED to work with direct electrical contact. I'm wearing a badge this minute in a (mostly) optically transparent sleeve. It has a 12-point chip (there's also a magnetic stripe on the back, but the sleeves are only required for the "new" ones - We go to a lot of areas run by other entities that still require a swipe/handprint to get through the door.) We have readers attached to every computer that make electrical contact with this chip and allow us to enter our password to log in. But, eve
Re: (Score:3)
The approximate way that chip and pin works in cards is that unique transaction information is sent to the chip. The chip then signs the response with the entered pin and that's sent for authorization. Even if a particular transaction is sent to the chip from 20 feet away, and the PIN is also sent, the most you'll be able to do is to fraudulently authorize a single transaction. IIRC (may be remembering an obsolete spec, its been a few years) part of the auth is even time-based, so even that's not much us
Re:Tin foil hats! (Score:4, Informative)
Re: (Score:3)
Re: (Score:3)
Anyway, it can't ever be purely proximity based (like the contactless payments systems that you are presumably worried about) because it requires your PIN to authorise the transaction. Since its challenge/response there is presumably little benefit to eavesdropping on one transaction - you're not going to capture anything that will allow you to perform additional transactions in future.
Re:Skim software (Score:5, Informative)
Re: (Score:2)
Well the target problem happened because someone managed to install skimming software on all of the computers. If the security of your checkout system is compromised then can't you just skim the pin number instead of trying to forge the signature?
The card terminal (with card reader and PIN entry) is usually a separate unit that is audited against security requirements of the financial institutions. While that does not mean it can't be hacked at all, it makes hacking much harder.
Re: (Score:3)
Re: (Score:2)
As my cousin found out one night in Calgary, AB. When a couple of women got him drunk, took him outside where their boyfriends beat him down and forced his PIN number out of him... The bank used the fact that he gave them his pin as enough reason not to reimburse the losses.
Personally I think thats why they are doing it, likewise if a keylogger gets your PW/PIN and get into your banking you might be left footing the bill.
Most all resellers have a markup of ~3% just to accommodate credit card company fees. Those who pay with cash, are essentially ripped off. Those who use credit cards at least supposedly get the security/extra warranty/insurance/other services they provide.
One must keep a good eye on everything the financial institutions are doing,as every change is in their self-interest.
This is made worse by many banks issuing devices that can check a pin [co-operativebank.co.uk] and can tell you if it is right or wrong. It even works with cards from other banks - I've tried it. This means you haven't even got the option of giving a false number. Granted three wrong numbers locks out the card, but if this were a Muslim gang you'd probably get the option of losing a tooth for the first wrong number, a finger for the second, and your head for the third.
Re: (Score:2)
I live in South Africa - over here the transition credit cards being having EMV chips took place during 1999-2007. I haven't seen a non-chipped card issued since then, and most of the card readers I see in shops these days don't even have the ability to read magnetic strips anymore. Since 2006 liability for unauthorised (card present) transactions was shifted to merchant who accept card payments without relying on the chip and PIN, instead of to the card-owner or bank. Basically a credit card without a chip
Re: (Score:2)
Re: (Score:3)
If the network hardware was compromised, what would've stopped the hackers from collecting the PINs as well?
The pin is useless without the card and unlike magnetic strip cards the card cannot be easily duplicated
With this increase in security encourage hackers to go after debit cards more - which would be worse for consumers (fewer fraud protections there)?
Not if credit and debitt cards have the same chip+pin system
Will there even really be a difference between credit and debit cards anymore?
It terms of security they will be equally secure
How will this affect online transactions (especially for web developers)?
It won't. Chip and pin does not work online, so other security mechanism's have to be used such as quoting the 3 fig number on the back of the card or a extra verification step involving a password or a one time key.
This sounds like a bigger change than some people realize.