Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards

timothy posted about 9 months ago | from the upgrade-your-skimmers dept.

Businesses 731

schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system. The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."

It's about time. (5, Insightful)

Bill_the_Engineer (772575) | about 9 months ago | (#46216913)

Finally the US banking system is catching up to the rest of the world.

Re:It's about time. (3, Insightful)

SerpentMage (13390) | about 9 months ago | (#46216985)

I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...

Re:It's about time. (4, Insightful)

N0Man74 (1620447) | about 9 months ago | (#46217241)

I was about to write this as well. We have been using pins for credit cards in Switzerland for the last 10 years...

Yeah, why hasn't the US got on board yet with implementing technology that allows banks and issuers to absolve themselves of responsibility and push the blame onto the consumers?

If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.

As a bonus, the consumers get to be forced to memorize a new PIN!

It's Win Win.

Re:It's about time. (0)

Anonymous Coward | about 9 months ago | (#46217373)

As a bonus, the consumers get to be forced to memorize a new PIN!

There is no new PIN, it's the same one used for the ATM

Re:It's about time. (4, Informative)

rossdee (243626) | about 9 months ago | (#46217491)

"There is no new PIN, it's the same one used for the ATM"

  At The Moment my credit card doesn't have a PIN

And I don't use it for getting cash, since that transaction costs, and they charge interest straight away.

Re:It's about time. (2)

93 Escort Wagon (326346) | about 9 months ago | (#46217277)

Serious question here, given you've lived with chip and PIN.

How does this work with transactions over the telephone? Even now, not every business has a website. Additionally, I know I've paid a few bills over the years by calling the company and giving them my credit card number.

And, if the answer is "you give them the PIN over the phone" - doesn't that mean the supposed increased security in chip and PIN is somewhat illusory, given you can break the "something you have + something you know" model?

Re:It's about time. (4, Informative)

Andrewkov (140579) | about 9 months ago | (#46217305)

You don't give them your PIN, you give them the 3 numbers on the back of the card. You only need to have your chip read and PIN entered when using the card at a physical store.

Eoin (-1)

Anonymous Coward | about 9 months ago | (#46217319)

You don't give a PIN over the phone.

In the same way you don't provide a signature over the phone.

Re:It's about time. (3, Informative)

fredrik70 (161208) | about 9 months ago | (#46217345)

You can use the chip and pin cards for old-style transactions as well. If I go to the states with my card I just swipe and sign as everyone else.

Re:It's about time. (1)

Momomoto (118483) | about 9 months ago | (#46217349)

Here in Canada, phone transactions usually require the CVV2 code on the back of the card. You don't enter your PIN, because you're not verifying using the chip.

Re:It's about time. (1)

Anonymous Coward | about 9 months ago | (#46217395)

French here, we've been using pins for the last 25 years or so.

Chip and Pin is only for payment at a physical point of sale. Online transactions use your card number+expiration date+CVV (or whatever it's called) number, and aren't any more or less secure than with chipless cards.

Since chip and pin doesn't give out the CVV number, and online payment doesn't use your PIN, the two kinds of transactions are somewhat isolated from each other. The most basic rule is to never give out your PIN to anyone but a machine with your credit card issuer's logo on it.

Re:It's about time. (0)

cayenne8 (626475) | about 9 months ago | (#46217049)

Damn...I've been avoiding cards with chips in them all these years.

I don't want a smart card.

And what good does this do you when you buy online?

Re:It's about time. (3, Funny)

jareth-0205 (525594) | about 9 months ago | (#46217093)

Damn...I've been avoiding cards with chips in them all these years.

I don't want a smart card.

You should also avoid cards with magnetic strips on them. Damn dirty electromagnetic field technology!

And what good does this do you when you buy online?

Nothing. Of course, any improvement in security that doesn't improve security in every possible case should be discounted completely!

Re:It's about time. (3, Interesting)

MBGMorden (803437) | about 9 months ago | (#46217105)

And what good does this do you when you buy online?

Buying online - at least when it's physical goods - requires a shipping address. That's a big risk for a thief to take as even if they're using an address they don't live at, if the fraud is discovered while the item is in transit the address may be being monitored by authorities.

Re:It's about time. (1)

jareth-0205 (525594) | about 9 months ago | (#46217153)

Not to mention that schemes like Verified By Visa mean you often now have to enter a password into a bank-served iframe that verifies you.

Re:It's about time. (0)

Anonymous Coward | about 9 months ago | (#46217387)

Nah, those solutions went extinct here a long time ago. That's where it all started actually, but with that you can't integrate card payment into any app not using html, paypal replaced them pretty quick.

Verified by visa (0)

Anonymous Coward | about 9 months ago | (#46217479)

Ah yes, "Verified by Visa", because 2-factor authentication is mathematically identical to 1*2-factor authentication

Contactless (0)

Anonymous Coward | about 9 months ago | (#46217205)

That's why when you buy online you have the digits on the back of your card.
It's called CVC or CVV depending on the association (Visa or MC).

Most of all, chip and pin transaction is not only upgrading the system for transactional purpose, it allows the issuer to ensure non-repudiational transaction, making the holder more liable for his purchase.

The only fraud detected in the rest of the world is based on mag stripe activity

Re:It's NOT about time (2)

davecb (6526) | about 9 months ago | (#46217255)

It allows the Bank to make a good argument for not paying you back, as you must have lost your pin. Previously they had to collect from the merchants, who are much bigger customers of the Bank, and so are listened to more than individuals. This was a problem for years in the UK, until the courts wised up.

Re:It's about time. (5, Insightful)

jellomizer (103300) | about 9 months ago | (#46217077)

I don't get why they are trying to catch up, banks are dropping the ball here, and they should focus on exceeding the rest of the world.

Why is the US behind everyone, well because we were first to come up with the initial infrastructure, by the time something new came along, we had a large complete infrastructure. So now the infrastructure is out of date, this happens. But when it does we need to try to invest into the next step, not the current, otherwise we will always be catching up.

Re:It's about time. (1)

TyFoN (12980) | about 9 months ago | (#46217169)

The US is behind because no one has ever trusted your banks. Even the FED is 7 different units to make sure there is no central authority.

It's also why the US has one of the largest cash to card ratios in the world.

Re:It's about time. (1)

jellomizer (103300) | about 9 months ago | (#46217437)

There is a heck of a lot of investments to an organization that no one trusts.
They may not trust US banks, but they trust them more than most other countries.

Re:It's about time. (2)

JoeMerchant (803320) | about 9 months ago | (#46217285)

There's a giant warehouse looking building on the Miami river - prime, high dollar real-estate. At one time, it housed a Visa clearinghouse - where they would process all the credit card slips, by hand labor - reading the imprints and keypunch entering them into the computer. That building still has no windows facing the river.

Handling money is huge business, they've gotten more efficient over the years, but the basic rates that are charged for processing the transactions are still more or less intact, 2ish % per transaction, though minimum processing fees are largely gone now. With all that extra operating capital from increases in efficiency, they cover the fraud and just let the machine roll on, making money.

If there ever is a big shake-up, 2% could plummet to less than 1/2%, although the economy as a whole would benefit marginally, a large industry would have to shrink and become much more efficient with that change.

Re:It's about time. (2)

misexistentialist (1537887) | about 9 months ago | (#46217121)

I guess we need to drive on the left side of the road and stop wearing deodorant too.

Re:It's about time. (1)

slashmydots (2189826) | about 9 months ago | (#46217163)

Yeeeeeah, it sounds like we're rolling out an amazing new technology called a debit card.

Re:It's about time. (1)

SJHillman (1966756) | about 9 months ago | (#46217221)

That's odd, none of my debit cards have chips in them. Must be not the same after all, even if they both happen to use a PIN (but then again, so do a lot of doors... does that mean the new credit cards can work as doors too?)

Sorry, it's horribly insecure, (5, Interesting)

davecb (6526) | about 9 months ago | (#46217173)

One of Ross Anderson's 2010 highlights was a paper on why Chip and PIN is broken [lightbluetouchpaper.org] for which he got coverage on Newsnight and a best paper award. Later, the banks tried to suppress this research [lightbluetouchpaper.org] .

Ross [cam.ac.uk] is a security researcher at University of Cambridge.

In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

Re:Sorry, it's horribly insecure, (5, Informative)

boristdog (133725) | about 9 months ago | (#46217259)

In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".

IF you could clearly sign all of those touch-screen signature pads, AND some system actually compared what was input to your signature on file, then maybe. But very few of those are properly positioned or are properly sensitive enough for anyone to sign more than a few squiggly lines. I used to just draw a picture of a cow on them and my signature was always accepted.

Re:Sorry, it's horribly insecure, (0)

Anonymous Coward | about 9 months ago | (#46217297)

The pin, all by itself, won't do jack shit. You still need the card itself. As for the signature protection, it is far from perfect. It can always be faked by the person using a stolen card. At least when you grab a card with a chip you don't have the PIN code displayed on the card itself.

BTW: FUCK BETA!!!

Re:Sorry, it's horribly insecure, (1)

compro01 (777531) | about 9 months ago | (#46217357)

Worst case scenario (criminal has your card and it isn't cancelled) chip+PIN is no worse than mag stripe+signature. In all other cases, chip+PIN is far superior.

Re:Sorry, it's horribly insecure, (1)

cryptizard (2629853) | about 9 months ago | (#46217361)

Even without the PIN security, it is still better than magnetic stripe because you can't easily clone the card. You have to physically steal it, not do an attack like the Target one where they skimmed all the information from thousands of customers without them knowing.

Re: Sorry, it's horribly insecure, (1)

nausicaa (461792) | about 9 months ago | (#46217419)

So a signature is more secure? I highly doubt that. Also, only bad banks will tell you this all the time, I was actually contacted by my bank when they suspected a fraudulent transaction. Didn't have to pay, and had the option to get a new one mailed right away and the old one disabled. If you lose your card you should always report it ASAP. It's also good to make the security code on the back unreadable, as well as be aware of your surroundings, something you really should be all the time.

Re:Sorry, it's horribly insecure, (4, Informative)

west (39918) | about 9 months ago | (#46217457)

The fact that EMV (chip & pin) is not perfectly secure is *massively* less of a problem than credit/debit card skimming.

ATM fraud has been squeezed out of pretty much the rest of the world and is migrating to the USA in droves. When Canada switched, ATM fraud basically killed organized rings. These rings are reluctantly moving to the US (a draconian justice system does have *some* upside) and along with a small army of engineers working on whisper thin skimmers and business ideas like ATM fraud franchises, things look pretty scary if the US doesn't switch.

The downside is, unlike Canada, there's no single inter-branch network like Canada that can kick members off who don't upgrade. Instead there's thousands of banks who may not want the expense of switching to EMV. And as long as there are any mag-stripe only ATMs on the network you belong to, you're vulnerable to having your cards skimmed. So, the US will have it much tougher. (POS fraud is not nearly as big a problem. It's pretty hard to get $100K out of one POS terminal using 2,000 cards without the operator getting suspicious. And then you take a massive loss fencing the goods. ATM is what organized crime goes after.)

On the upside, the US is on the forefront of real-time risk assessment of transactions. They're getting better and better at assessing suspicious transactions. Still, there'll be more and more false positives as fraud goes up, so remember to carry multiple cards...

Tin foil hats! (-1)

gnick (1211984) | about 9 months ago | (#46216933)

So, is it time to take those shielded wallets seriously?

Re:Tin foil hats! (5, Informative)

cryptizard (2629853) | about 9 months ago | (#46216963)

Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.

Re:Tin foil hats! (0)

Anonymous Coward | about 9 months ago | (#46217039)

We use RFID in Canada but the maximum purchase amount is fairly limited and the card needs to pretty much touch the machine. Our credit cards were converted to "Chip and Pin" some time ago and I don't think there are any more of the "swipe and sign" type left.

Re:Tin foil hats! (3, Informative)

cryptizard (2629853) | about 9 months ago | (#46217085)

With the machine that is given out by the credit card companies you need to pretty much touch it, but security researchers have shown that you can use higher powered equipment to read it from up to 15-20 feet away.

Re:Tin foil hats! (0)

Anonymous Coward | about 9 months ago | (#46217139)

Nobody really uses RFID but if it's activated in your chip then it's enough for a thief to steal a small amount from you just by sitting next to you in the bus.

Re:Tin foil hats! (3, Insightful)

__Reason__ (181288) | about 9 months ago | (#46217183)

Actually, modern cards not only have the contact chip but also a "Contactless" mode that can be used for small payments.

So you can pay for your Starbucks or bus fare instantly just by tapping your Visa card, no need to swipe or insert the card and enter a PIN number. This is all still more secure than Swipe & Sign, because the cards can't be easily cloned and there's a relatively low transaction limit.

Re:Tin foil hats! (1)

cryptizard (2629853) | about 9 months ago | (#46217199)

Yes, I said we already have RFID (you call it contactless) even without chip and PIN so it is completely unrelated.

Re:Tin foil hats! (0)

Anonymous Coward | about 9 months ago | (#46217213)

Both are widely used in Canada.

The only card that is swipe and sign is my Costco Amex.

Re:Tin foil hats! (1)

gnick (1211984) | about 9 months ago | (#46217267)

Pretty sure you have no idea what chip and PIN is. It only works with direct electrical contact. You are probably confusing it with RFID which we already have and nobody really uses.

It's only SUPPOSED to work with direct electrical contact. I'm wearing a badge this minute in a (mostly) optically transparent sleeve. It has a 12-point chip (there's also a magnetic stripe on the back, but the sleeves are only required for the "new" ones - We go to a lot of areas run by other entities that still require a swipe/handprint to get through the door.) We have readers attached to every computer that make electrical contact with this chip and allow us to enter our password to log in. But, even WE have equipment that can read them from 1-2" away outside the sleeve - That's not because there's embedded RFID somewhere in the plastic laminate; it's because, at least with the system we use, you can sufficiently excite them without direct contact. I assure you that the system is not second rate (at least the "powers that be" don't think so) - Our overlords are just as motivated as the big banks to keep things locked down.

I realize that you can claim that if they can be excited remotely that it implies RFID, but at least in this case it's a side effect rather than a design feature.

Re:Tin foil hats! (2)

MullerMn (526350) | about 9 months ago | (#46217087)

Chip and pin is not proximity based. You put your card in a handset and enter your pin to authorise the transaction like at a cashpoint. The handset never gets access to the PIN in the card, only the one you enter on the pad. It's genuinely surprising that there is still somewhere where this is not the standard. I can't remember the last time I had to sign for a card transaction.

One question (2)

u38cg (607297) | about 9 months ago | (#46216935)

Why the hell has it taken y'all so long?

Re:One question (2)

gstoddart (321705) | about 9 months ago | (#46217023)

Why the hell has it taken y'all so long?

Corporate lobbying, banks putting profits over security, and a general unwillingness to pass laws putting the onus on the card processors to actually implement any security and be responsible when it goes wrong.

Re:One question (4, Insightful)

alen (225700) | about 9 months ago | (#46217059)

the USA had credit cards first
any time you are first you build up a system and it's hard to change. if you adopt a tech later in its lifecycle you go with the latest tech at the time

Re:One question (3, Insightful)

Alioth (221270) | about 9 months ago | (#46217097)

That isn't a good explanation in this case. The UK (and pretty much every European Union country) for instance had a swipe and sign credit card infrastructure just like the United States decades before the introduction of chip and PIN, yet the UK changed to chip and pin 10 years ago despite having the same infrastructure issue as the US.

Re:One question (2)

SJHillman (1966756) | about 9 months ago | (#46217251)

While I'll accept your counter, it should also be noted that most EU countries are much smaller than the US, which does make it a bit easier to change that infrastructure. If the entire EU all had to switch at exactly the same time, that would be more akin to the US because every state has laws that are just a little bit different. That said, it's still no excuse for us taking this much longer to switch.

Re:One question (1)

usuallylost (2468686) | about 9 months ago | (#46217273)

From the article it states that the banks here had to find a way to make chip and pin work while still complying with "the Durbin amendment" that required all credit card transactions be able to work on at least two networks. So if the article is to be believed one of the major hold ups was due to the US government adding requirements. Requirements that just don't apply in these other countries.

Re:One question (2)

MullerMn (526350) | about 9 months ago | (#46217187)

The first proper credit card in the US was 1958, the first outside the US was 1966 (according to Wikipedia). I'm not sure that an 8 year head start investment of infrastructure from 50 years ago is a plausible explanation.

It's easy to make excuses to save national face, but given the massive fraud reduction that chip and pin brings the likely result is that you have spent the last 10 years or so paying for the increased credit fraud in the US through charges or through increased interest rates on credit card debt.

Someone has dragged the process out for their own gain and they'll do it again next time round if you accept it.

Re:One question (0)

Anonymous Coward | about 9 months ago | (#46217115)

Why the hell has it taken y'all so long?

Also: where the hell are you from?

Better late.... (3, Interesting)

rmdingler (1955220) | about 9 months ago | (#46216949)

The anti-counterfeiting technology implementation for currency was delayed, in part, by lobbying companies involved in vending.

Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.

The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.

Re:Better late.... (5, Funny)

SJHillman (1966756) | about 9 months ago | (#46217257)

"The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire."

But with a name like that, surely they were asking for it...

Re:Better late.... (2)

EvilSS (557649) | about 9 months ago | (#46217311)

The anti-counterfeiting technology implementation for currency was delayed, in part, by lobbying companies involved in vending.

Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.

The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.

Actually, the big retailers have been asking for this for a while now, it's been the card companies that have been dragging their feet on it.

I guess they have never heard of two factor auth (2)

Zero__Kelvin (151819) | about 9 months ago | (#46216969)

Why the hell would they switch to a pin system, rather than adding it as a second factor? The signature is useful for forensic analysis of the fraud after the fact. It is hard to believe this is about security, and easy to believe it is about them saving money by not having to deal with signatures and the overhead, etc.

Re:I guess they have never heard of two factor aut (5, Informative)

gl4ss (559668) | about 9 months ago | (#46217057)

yeah you try getting people to both sign and enter a pin and wait in line as others do so.

the signing is a FUCKING JOKE. one of the funniest things in USA was self service checkout with a credit card paying option where the "signature" was scribbled on a touchscreen(and captured at maybe 300px80px resolution). perfectly usable for buying stuff with any card you found on the street - on a mighty expensive card processing device.

chip/pin is just how the rest of the world does it. you can pay to pizza guys with it(chip/pin debit cards, cash balance verified on the fly) in finland, they carry portable terminals that cost pretty much nothing(sagem seems to be the biggest manufacturer).

Re:I guess they have never heard of two factor aut (1)

operagost (62405) | about 9 months ago | (#46217407)

And if someone hacks your card, they blame you (because you must have given away your PIN) and you have no way to prove it.

Re:I guess they have never heard of two factor aut (1)

3247 (161794) | about 9 months ago | (#46217073)

Why the hell would they switch to a pin system, rather than adding it as a second factor? The signature is useful for forensic analysis of the fraud after the fact.

Is it? Really?

Re:I guess they have never heard of two factor aut (2)

ShanghaiBill (739463) | about 9 months ago | (#46217225)

The signature is useful for forensic analysis of the fraud after the fact.

Can you cite a single case of anyone ever being convicted of fraud because of "forensic analysis" of their signature on a credit card receipt? You watch way too much CSI.

Re:I guess they have never heard of two factor aut (1)

hink (89192) | about 9 months ago | (#46217293)

Do the math: it IS two factor authentication.
1) something physical you have (card with chip)
2) something you know (PIN)

So, you might think, "aha, it will be THREE factors, woohoo!". However, chip, PIN, and signature, can't really be considered three factor authentication, unless the signature is checked in real (or near real) time.

Open (-1)

Anonymous Coward | about 9 months ago | (#46216973)

Hopefully all the hardware and technology will be 100% open and all the software these systems use will be open source.

Really? (1)

Zorpheus (857617) | about 9 months ago | (#46216997)

Your credit cards don't even have the microprocessors yet? So you can not use them at cash machines in large parts of the world anymore?

Re:Really? (1)

cryptizard (2629853) | about 9 months ago | (#46217007)

They're almost all backwards compatible. I've never been to a place where I couldn't use the ATM. Sometimes vendors won't accept it because they only have the hardware for chip and PIN, but ATMs usually work.

Re:Really? (1)

jaymz666 (34050) | about 9 months ago | (#46217063)

Why use a credit card at a cash machine? The fees are outrageous.
Payment terminals yes, to get cash, hell to the no

Re:Really? (1)

MBGMorden (803437) | about 9 months ago | (#46217167)

Don't know if it's different in other parts of the world, but in the US as long as the machine is owned by your bank they have no fees. Go with a big enough bank and they have them pretty much everywhere. Some other banks (like Ally) that don't have their own ATMs actually refund you the fee that the machine charges so that it becomes effectively free to use any ATM.

About 2 years ago or so a few of the major banks actually announced plans to charge people for debit card usage (it seems to encourage pulling cash out of the ATM instead) but the public outcry was loud enough that they all backed away from the idea.

Re:Really? (2)

jaymz666 (34050) | about 9 months ago | (#46217227)

The topic is credit cards.

You use a credit card at a cash machine and you are charged a cash advance interest rate immediately.

Re:Really? (1)

nojayuk (567177) | about 9 months ago | (#46217303)

It IS different in other parts of the world, like here in the UK. Most public ATMs are part of the Link network and debit cards for most of the big banks will work in any of them with no transaction fee.

The next step being rolled out here is contactless debit cards which can be used with a wireless reader to make purchases of up to 20 quid without entering a PIN or otherwise authorising the transaction. I think the idea is the banks will eat the losses from any fraudulent transactions as long as they're for small amounts. The same cards will do chip-and-PIN authorisation for larger amounts.

Re:Really? (1)

Alioth (221270) | about 9 months ago | (#46217117)

I've had to bale out a couple of friends of mine visiting from the US when they got to a shop and their chip-less credit or debit card couldn't be used at all. The ATMs however seemed to mostly still accept chipless cards.

Skim software (0)

tie_guy_matt (176397) | about 9 months ago | (#46217001)

Well the Target problem happened because someone managed to install skimming software on all of the computers. If the security of your checkout system is compromised then can't you just skim the pin number instead of trying to forge the signature? Actually it is pretty hard to really forge a signature. But then again they can't have a signature expert look at every signature so if it kind of looks like your name then it probably passes the system. Just like I imagine it will be easy to steal your pin card (for most people it will probably be their birthday.) I guess in the end we just all end up spending more on interest or annual fees (unless you get a card with no interest and pay off your bill every month -- in the industry people like that are called "deadbeats") to pay for all of the credit card fraud. It is not like the credit card companies are going to tap into their profits to pay for this.

Re:Skim software (4, Informative)

cryptizard (2629853) | about 9 months ago | (#46217041)

Chip and PIN cards use a challenge-response protocol so even if you skim all the information you can only make one charge before it becomes invalid. There is actually a microprocessor on the card that does crypto so the credentials transferred only allow a single authorized transaction. So if the charge goes through for the thing you were supposed to be buying, then you know you aren't getting scammed. Technically they could block the charge and do another one that gives the money to them, but that is a lot harder and more likely to be noticed.

Re:Skim software (0)

Anonymous Coward | about 9 months ago | (#46217095)

I guess you missed this bit:

"The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here."

That statement pretty much shows that chip and pin is the more secure system.

Re:Skim software (0)

Anonymous Coward | about 9 months ago | (#46217143)

Not easily. You'd have to physically compromise the card terminal at the checkout (not just throw some malware on an out of date XP POS terminal). The PIN never leaves the card terminal; it simply verifies it with the chip on the card which generates some kind of authorisation code/hash for the transaction which is sent to the bank who then either accept or decline the payment. Even if you added a fake pinpad or CCTV or similar (like some cash point skimmers use) to capture customers' PINs you wouldn't be able to clone the rest of the card info - the important info never leaves the card on the chip and the mechanics of inserting your card into the PIN pad are such that any mag stripe based skimmer would be obvious. It's like carrying your own, clean, secure payment processing computer in your pocket.

(Or, at least, that's roughly how they work...)

Of course it's easy to install a mag stripe skimmer on cash machines and some other terminals (service station pay@pump petrol and train ticket machines spring to mind) and I think ATMs still tend to use the mag stripe (although I may be wrong here) so you can clone the mag stripe, capture the PIN and then use that in magstripe-based transactions (either with PIN or signature).

Re:Skim software (1)

3247 (161794) | about 9 months ago | (#46217151)

Well the Target problem happened because someone managed to install skimming software on all of the computers. If the security of your checkout system is compromised then can't you just skim the pin number instead of trying to forge the signature?

The card terminal (with card reader and PIN entry) is usually a separate unit that is audited against security requirements of the financial institutions. While that does not mean it can't be hacked at all, it makes hacking much harder.

Re: Skim software (0)

Anonymous Coward | about 9 months ago | (#46217379)

You can do this without moving to chip-and-pin. I believe Subway has moved to external card readers for all of their card transactions, despite the fact that most POS terminals have an integrated card reader. Subway got pwned pretty bad, so I wouldn't be surprised if they encrypted everything at the pin pad now.

A big reason you wouldn't want to do this is if you wanted to track purchases by card number. Target is well-known to do extensive data mining

Not the only reason .. (0)

Anonymous Coward | about 9 months ago | (#46217011)

The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here.

And it also happens because US lawmakers refuse to pass any legislation to protect consumers and their privacy which has any teeth, and companies just say "oops, sorry" instead of getting fined.

Because in America, if you do anything which doesn't give businesses license to be incompetent and seek maximum profit, you stop getting paid by corporate lobbyists.

Oh, and you suck because you keep doing farm subsidies and then telling everyone else they can't because you're protectionist douchebags.

Umm.. just as Europe moves beyond chip and pin... (4, Interesting)

tobe (62758) | about 9 months ago | (#46217027)

In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.

But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.

Re:Umm.. just as Europe moves beyond chip and pin. (3, Insightful)

jareth-0205 (525594) | about 9 months ago | (#46217119)

Fingerprint is a terrible security mechanism. Not only does it give someone a reason to steal your *finger*, you also leave your fingerprint on everything you touch. Credentials shouldn't be revealed unless you are actually in the process of using them.

Re:Umm.. just as Europe moves beyond chip and pin. (1, Interesting)

Jason Levine (196982) | about 9 months ago | (#46217161)

Most times I don't even sign my cards. Yes, I know I'm supposed to, but I've gone for years without signing it. It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card. Maybe once did someone even look for the signature and even then it was more of a "Oh, you didn't sign it" than a "We can't accept that card unsigned."

Re:Umm.. just as Europe moves beyond chip and pin. (1)

Anonymous Coward | about 9 months ago | (#46217301)

I usually just write "Please check ID" in the signature box on my cards, for the same reason you say is odd. Why give a thief your signature to practice and get "close enough", when I have a signature next to a picture of me on my driver's license?

Not that it really matters these days, since every store has a terminal for you to swipe your own card. I've been drawing smiley faces for the past few years when those ask me to sign, and so far, nobody has said anything - not the bank, not the stores, nobody.

Re:Umm.. just as Europe moves beyond chip and pin. (1)

EvilSS (557649) | about 9 months ago | (#46217341)

It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card.

Yea, it's much better to leave the card blank so the their can sign it themselves so the sig will match.

Re:Umm.. just as Europe moves beyond chip and pin. (1)

EvilSS (557649) | about 9 months ago | (#46217359)

their --> theif

Re:Umm.. just as Europe moves beyond chip and pin. (0)

Anonymous Coward | about 9 months ago | (#46217487)

I've never signed my cards either... once, and only once, did a cashier ever notice. And they gave me a pen and said I should just sign the card right then anyway. For security, you know.

Re:Umm.. just as Europe moves beyond chip and pin. (2, Interesting)

misexistentialist (1537887) | about 9 months ago | (#46217243)

Europeans are much more shifty people who steal. This is why you are disarmed, have to register your address with the police, carry an internal passport, go through extensive background checks to be allowed to open bank accounts, register your TV sets, submit to home searches by tax collectors, etc. etc. The data breach motivating this change in the USA was perpetrated by a European lowlife. It's unfortunate that the upstanding people of America couldn't insulate themselves from this foreign pollution.

Re:Umm.. just as Europe moves beyond chip and pin. (1, Offtopic)

Chrisq (894406) | about 9 months ago | (#46217365)

Europeans are much more shifty people who steal .... It's unfortunate that the upstanding people of America couldn't insulate themselves from this foreign pollution.

Spoken like a true Native American. Unfortunately you are centuries too late.

Re:Umm.. just as Europe moves beyond chip and pin. (1)

operagost (62405) | about 9 months ago | (#46217433)

You just proved why the world doesn't get America. You are what you make of yourself, not what's in your DNA.

Re:Umm.. just as Europe moves beyond chip and pin. (0)

Anonymous Coward | about 9 months ago | (#46217417)

The only common thing in my signatures are that they are all equally unrecognizable. Give me a keyboard.

Chip&Pin isn't perfect either. (0)

Anonymous Coward | about 9 months ago | (#46217043)

But it's better than nothing. I've been waiting for a long time for it.

And I think it's a bit incorrect to say that the US is the last major market to not use it. For one thing, some banks do issue chip&pin cards, even if almost no merchants have the equipment to use them. And two, I haven't seen chip&pin in South Africa or India although a google search indicates they're starting to roll out there. Maybe those aren't major markets according to some. I didn't notice when I was in Japan either, but nobody batted an eye when I used my chipless cards – unlike some shops in Europe where the cashier looked twice at my chipless card.

Dichotomy (1)

simplypeachy (706253) | about 9 months ago | (#46217065)

Good god, it's been so long since I signed for a credit card transaction I can barely even remember it. Next you'll be telling me that the USA prefers to write on bits of paper to send money, taking ages for it to finally be transacted. I wonder. Are there people who are responsible for driving around a nuclear-powered, one-ton robotic laboratory on another planet, who swing by the supermarket before going home and pay for their goods after signing a little bit of paper?

Mind you, chip-and-PIN is hardly secure. The attitudes and policies of merchants are incredible, if you ever have an insider's view.

Contactless (0)

Anonymous Coward | about 9 months ago | (#46217287)

You're so right for merchants.
This is one weakest link and that's why PCI standard stands for.

However, online shopping on mom and pop's shop does not prevent your card numbers from being hacked, PCI being too complex to setup, a complete program should be set by the EMV companies.

Back to the former question, are we speaking of the security of the protocol here (chip and pin) or the end to end process, including archive..... :)

Misleading liability claim (5, Informative)

KitFox (712780) | about 9 months ago | (#46217075)

I find it interesting that the summary above pushes to point out that merchants will be liable for fraud. As it stands currently, merchants are already liable for fraud. A claim results in the merchant losing the money of the transaction. The bank and user recover the money.

Reading the first linked article indicates that the "weakest link" becomes liable. If the merchant has C&P and the bank has not issued a C&P card, the BANK will be liable for the fraudulent transaction. This is a major difference from the current situation, where the bank would simply extract the money from the merchant and the merchant would take a loss.

Re:Misleading liability claim (1)

davecb (6526) | about 9 months ago | (#46217207)

In the UK, the Banks famously collected from the cardholder, arguing that they had lost their pin. This took years to overturn...

I always preferred fish and cushion myself. (0)

Anonymous Coward | about 9 months ago | (#46217127)

I always preferred fish and cushion myself: http://www.youtube.com/watch?v=B80SyRmtbdI

Who wants another ^&#$ thing to remember (2)

Ken D (100098) | about 9 months ago | (#46217137)

Chip & pin has never been about security. It's about the ability for CC issuers to eliminate the repudiation of fraudulent transactions by claiming that their authorization system is fraud proof and therefore every transaction is a priori an authorized transaction: http://www.thisismoney.co.uk/m... [thisismoney.co.uk]

Still Be Careful (0)

Anonymous Coward | about 9 months ago | (#46217155)

I worked for a major retailer in Canada and thieves can be very resourceful. I've seen card scanners and pin pad overlays that slot perfectly into place. The only hint was a very subtle color difference in the paint they used and the one used on the machine it was installed on. Most customers couldn't tell the difference. Then, you also have complete unit swaps, mostly at smaller stores where there are no dedicated resources for security.

Great (0)

slapout (93640) | about 9 months ago | (#46217171)

Great. Now instead of having to steal a card and fake a signature, a criminal can just carry around one "super-card" that has a bunch of people's info on it and let it randomly select which one it uses for the purchase.

Re:Great (2)

cryptizard (2629853) | about 9 months ago | (#46217279)

lolwut? What does this have to do with chip and PIN? You can definitely do that now with magnetic stripe, because all the info is available and unencrypted (there is actually a product that will do it on purpose so you don't have to carry around as many cards), but it actually isn't possible with chip and PIN because it is a challenge response system. There are still some flaws with it, but it is better than the magnetic stripe cards by a long shot. Take your weird fear mongering somewhere else please.
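The challenge-response behaviour described in cryptizard's comments above, as an added sketch that is not part of any poster's comment and is not the EMV specification. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the message layout, class names, test PAN and challenge values are constructed for illustration.

```python
import hashlib
import hmac
import os

def tx_bytes(pan, amount_cents, challenge, atc):
    # Fields bound into the cryptogram (constructed layout, not the EMV one).
    return f"{pan}|{amount_cents}|{atc}|".encode() + challenge

class ChipCard:
    """Holds a per-card secret that never leaves the chip."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def sign(self, amount_cents, challenge):
        self._atc += 1  # transaction counter, bumped on every use
        msg = tx_bytes(self.pan, amount_cents, challenge, self._atc)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"pan": self.pan, "amount": amount_cents,
                "challenge": challenge, "atc": self._atc, "mac": mac}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue_card(self, pan):
        self._keys[pan], self._last_atc[pan] = os.urandom(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, m):
        msg = tx_bytes(m["pan"], m["amount"], m["challenge"], m["atc"])
        expected = hmac.new(self._keys[m["pan"]], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, m["mac"]):
            return "DECLINE: bad cryptogram"
        if m["atc"] <= self._last_atc[m["pan"]]:
            return "DECLINE: counter already used"
        self._last_atc[m["pan"]] = m["atc"]
        return "APPROVE"

def demo():
    issuer = Issuer()
    card = issuer.issue_card("4000000000000002")    # constructed test PAN
    seen = card.sign(1999, b"\x01\x02\x03\x04")     # all a compromised POS can record
    results = {"original": issuer.authorize(seen),
               "exact_replay": issuer.authorize(dict(seen)),
               "altered_amount": issuer.authorize({**seen, "amount": 99999}),
               "new_challenge": issuer.authorize({**seen, "challenge": b"\xaa\xbb\xcc\xdd"})}
    results["next_real_purchase"] = issuer.authorize(card.sign(500, b"\x05\x06\x07\x08"))
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

A magnetic stripe has no equivalent of `sign()`: the reader receives the same static track data every time, which is why a copy of it stays usable.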

Part of the reason they have so much card fraud (-1)

Anonymous Coward | about 9 months ago | (#46217263)

The other part is their legacy from the slave trade ... to many niggers

Less Liability (1)

Anonymous Coward | about 9 months ago | (#46217367)

As my cousin found out one night in Calgary, AB. When a couple of women got him drunk, took him outside where their boyfriends beat him down and forced his PIN number out of him... The bank used the fact that he gave them his pin as enough reason not to reimburse the losses.

Personally I think that's why they are doing it, likewise if a keylogger gets your PW/PIN and get into your banking you might be left footing the bill.

Most all resellers have a markup of ~3% just to accommodate credit card company fees. Those who pay with cash, are essentially ripped off. Those who use credit cards at least supposedly get the security/extra warranty/insurance/other services they provide.

One must keep a good eye on everything the financial institutions are doing, as every change is in their self-interest.

Re:Less Liability (1)

Chrisq (894406) | about 9 months ago | (#46217439)

As my cousin found out one night in Calgary, AB. When a couple of women got him drunk, took him outside where their boyfriends beat him down and forced his PIN number out of him... The bank used the fact that he gave them his pin as enough reason not to reimburse the losses.

Personally I think that's why they are doing it, likewise if a keylogger gets your PW/PIN and get into your banking you might be left footing the bill.

Most all resellers have a markup of ~3% just to accommodate credit card company fees. Those who pay with cash, are essentially ripped off. Those who use credit cards at least supposedly get the security/extra warranty/insurance/other services they provide.

One must keep a good eye on everything the financial institutions are doing, as every change is in their self-interest.

This is made worse by many banks issuing devices that can check a pin [co-operativebank.co.uk] and can tell you if it is right or wrong. It even works with cards from other banks - I've tried it. This means you haven't even got the option of giving a false number. Granted three wrong numbers locks out the card, but if this were a Muslim gang you'd probably get the option of losing a tooth for the first wrong number, a finger for the second, and your head for the third.

Chip and pin security (1)

MobyDisk (75490) | about 9 months ago | (#46217411)

Chip and pin would be much safer if you entered the pin into the card, instead of into the merchant's equipment.
