Is your chip card secure? Much depends on where you bank
Author : MindGods
Score : 127 points
Date : 2020-07-30 15:19 UTC (7 hours ago)
Link: krebsonsecurity.com

bryanthompson wrote:
On this topic, if anyone can point me toward a US-based issuer where I can open an account and get a card that supports credit pin (not pin for cash advance on a credit card), I'll happily venmo you a pizza or something. The issuers I have spoken to[1] all tell me it is impossible to get such a card in the US, which seems ridiculous.

[1]: https://wallethub.com/credit-cards/chip-and-pin/ I discussed each of the cards noted here with the issuers, not one is actually chip+pin credit.

neom wrote:
HSBC

techsupporter wrote:
* Spokane Teachers Federal Credit Union (Mastercard)

* Andrews FCU (Visa, one of the cards is also contactless) - Must ask for the "international travel" card, the default is chip-and-sign

* State Department FCU (Visa) - Must ask for the "international travel" card, the default is chip-and-sign

* Target REDcard Mastercard (you have to get the normal store card and hope to get swapped out to the Mastercard after a few months/years/epochs; you can't get the Mastercard from the first go)

nhf wrote:
Also the UNFCU credit cards.

PascLeRasc wrote:
I believe AmEx charge cards (Green, Gold, Platinum, possibly others but these are the good ones) are all chip-and-pin. The Blue Cash one on that website isn't.

ceejayoz wrote:
My Gold is definitely not chip-and-pin. Chip, yes. Pin, no.

lotsofpulp wrote:
I have inquired about this also and found no solution. If I use my US based credit cards abroad where chip and pin is the norm, I end up getting asked to sign a printed receipt.

I imagine the card networks just don't want to spend money to change the infrastructure to support chip and pin because the merchant pays for most of the losses in the US?

bryanthompson wrote:
The liability shift in the US that affected most retailers occurred in October 2015 -- basically, merchants are and have been liable for fraud that occurs on swiped transactions. I'd be curious to find out how the example presented by the parent article could change this -- a valid-looking card that only has swipe would definitely be taken by a merchant for fraud, and if the card doesn't claim to be EMV-capable, it seems like this would not be the merchant's fault. I would think in 2020, however, a mag stripe only card would raise red flags with humans at the counter, but gift cards are this way, so perhaps they would just breeze right through.

lotsofpulp wrote:
Previous commenter and I were talking about chip and pin, not just chip (aka EMV).

With EMV, someone can still use your card after they steal it. With chip and pin, that is far more difficult. I don't know if the merchant is off the hook even with just chip, I presume the card networks kept some weasel language in order to allow them to blame the merchant.

Symbiote wrote:
EMV is the standard for the debit/credit cards with chips. It includes modes with PINs, signatures, and neither, depending on the configuration of the card (i.e. the bank) and the reader (i.e. the shop's bank/intermediary).

https://en.wikipedia.org/wiki/EMV

xenospn wrote:
Had many arguments with cashiers in Europe who refused to let me sign receipts and insisted I just enter a pin.

jacques_chester wrote:
I was (politely) threatened with arrest on a British commuter train when the ticket inspector's credit card device insisted on a PIN for an American credit card.

He literally didn't believe me when I said American cards still ask for signatures.
By luck there was an American also riding in the cabin who piped up to verify my story and I was allowed to pay when I reached my destination.

In Australia the same card works with contactless payment, which never asks for a signature, up to AU$100. But as soon as I go over that limit it's a card dip + signature.

bryanthompson wrote:
Also interesting how there are such specific requirements at grocery stores. None of my US-based cards could be used in several grocery stores in the Netherlands. When the cashier looked at my cards, they immediately knew it was because I didn't support whatever networks they expect.

thesimon wrote:
Maestro or VPay they expected, the European old-school debit brands.

graton wrote:
First Tech Federal Credit Union offers Chip and Pin Mastercard.

https://www.firsttechfed.com/

https://www.firsttechfed.com/help/support/frequently-asked-q...

What is the difference between Chip and PIN versus Chip and Signature? Chip and PIN is the most secure type of credit card technology. Instead of a signature being used for identity verification, it requires you to enter a four-digit Personal Identification Number (PIN) that must correspond to information contained in a computer chip embedded within the card. The Chip and PIN authentication method has been a global standard across Europe and Asia for many years which means using your card while traveling overseas will be even more convenient. Authorizing your transactions with a PIN is not new to debit card transactions, but is a new way to authorize payments with a credit card.

You may occasionally still be asked to sign for transactions while using your chip card. Please be assured that while these transactions are still secure, many merchants do not yet support chip and PIN so you may encounter this from time to time. First Tech is committed to ensuring chip and PIN technology is available wherever merchants accept it.
Learn more at firsttechfed.com/mastercard.

techsupporter wrote:
Can confirm; I have First Tech and Spokane Teachers cards and both are chip-and-PIN. If either of them would start offering contactless on these cards, I'd have the perfect travel card.

astura wrote:
Last I knew Barclays is the only one who offers a credit PIN that you can use at kiosks that only accept PINs. I also heard Navy Federal was rolling it out but their services are military+family only.

This article says there's a few, ymmv

https://www.creditcardinsider.com/blog/chip-and-pin-credit-c...

nhf wrote:
Barclays has chip and PIN capability, but it doesn't default to PIN if signature is available - it will only trigger if that's the only verification method, which is almost never the case in the US.

(Source: I have one, and the only time I've entered the PIN is at a British train ticket machine.)

Nursie wrote:
So this effectively lets you use chip data to recreate a magnetic stripe, which passes validation when the banks don't check against the right CVV.

Yeah, not great. OTOH I worked on an early EMV implementation almost 20 years ago now, and it was obvious even then that mag stripe was a huge security problem. I'm amazed we're _still_ talking about mag stripes and issuing cards with them in 2020.

They should have been retired over a decade ago.

humaniania wrote:
Maybe it would make sense to limit magstripe transactions to $40 or let people decide their own limit.

LeifCarrotson wrote:
If a transaction doesn't get made because it was over $40, that represents unacceptable missed profits, if some unfortunate consumer gets their identity stolen[1], well, they should have been more careful.

It would make sense to eliminate magstripes, to limit them to $40, to let people decide their own limit, or any number of other things - the trouble is that the incentives of the businesses, banks, and credit card companies are more to make every transaction a success and to blame the consumer when they're too successful.

[1]: Yes, I recognize this is bad framing, the fault isn't with the victim nor really with the perpetrator but the incompetent designer of the lock.

pc86 wrote:
> the fault isn't with the victim nor really with the perpetrator

The perpetrator isn't at fault?

Spivak wrote:
The perpetrator defrauded the bank, not you. The fault for your account not showing the correct balance should be on the bank.

asveikau wrote:
The perpetrator is in one sense to blame but this isn't a good justification for lax security on the part of the card issuers.

You wouldn't leave your door unlocked at night because it's the burglar's responsibility to be a better citizen.

IshKebab wrote:
> If a transaction doesn't get made because it was over $40, that represents unacceptable missed profit

Contactless already has transaction limits so clearly payment method-specific transaction limits do not create "unacceptable missed profit".

[deleted]

woodruffw wrote:
> Contactless already has transaction limits so clearly payment method-specific transaction limits do not create "unacceptable missed profit".

This isn't true with US payment cards, in my experience. I've charged over $1000 on a credit card multiple times while using contactless methods (both RFID and Apple Pay, specifically). I was also able to do the same with my (American) cards while in Europe.

Nursie wrote:
Apple/Android pay is generally unlimited here in the UK, but using contactless cards is limited to £40, blanket.

This is because contactless card payments have no cardholder verification.

I am quite surprised if you can do that with your cards in Europe as the limit is usually enforced on/by the merchant, not the card.

Thlom wrote:
Can tap-to-pay with no verification up to 500NOK (approximately $55), over that amount I have to type my pin. No limit with pin as far as I can tell.

tomatocracy wrote:
I believe the way it works (in some European countries at least - perhaps also the UK) is that if the retailer uses mag stripe then effectively they bear the fraud risk, whereas with chip and PIN the bank/card company does (not sure how this works for card holders who are unable to use chip and PIN due to disabilities, which is another reason mag stripes haven't gone away completely). This seems like a reasonable compromise to me.

Symbiote wrote:
I don't think disability requires using the magstripe. The chip can mark what security is required, just like many American cards are "Chip and Sign".

tialaramex wrote:
This is called "Liability shift" yes. Shift is imposed where a retailer cannot/does not accept chip cards rather than where for whatever reason a chip card wasn't able to be used. In the US shift was supposed to be imposed everywhere left this summer, I expect COVID-19 is offered as another reason to yet again delay, but retail stores are already covered, it's mostly things like some unattended 24 hour gasoline pumps that are still mag-stripe in the US.

Also most (all?) card holders don't have a problem with the chip, they may be unable to remember a PIN, or unable to enter one, in which case the chip terminal requests a human witness them signing something or asks the retailer to accept just the chip. Americans using European terminals may not have a PIN either, their chips tell the terminal this user doesn't have a PIN, they may be asked to sign something instead.

alistairSH wrote:
_Americans using European terminals may not have a PIN either, their chips tell the terminal this user doesn't have a PIN, they may be asked to sign something instead._

Or, in the case of unmonitored "kiosks", the American is just left with a failed transaction. This was my experience with train ticket terminals in Italy and unattended petrol stations in the UK. Fortunately, in both cases, my secondary card has a PIN enabled. It was irritating that my primary card didn't offer a PIN, so I cancelled it upon my return to the US.

Edit - this was 5 years ago, may have changed since, not sure as I changed cards to one that explicitly offered chip/pin at the time.

aerostable_slug wrote:
This kind of thing is done today with EMV cards to determine whether the customer needs to enter a PIN or not. Under a threshold: swipe and go because the level of possible fraud is acceptable vs. the impact on the customer. Above a threshold, PIN required.

lotsofpulp wrote:
Not in the US.

kevin_thibedeau wrote:
Won't work for gas stations which are the last holdouts.

joncrane wrote:
You sure? Most of the gas stations I use to fill up have me leave the card in for the chip reader, as opposed to slide it in and out quickly as before.

Alupis wrote:
Stumbled across my first one of these the other day.

It's not obvious at all that you should leave it in - particularly when accustomed to the ubiquitous slide-in-and-out-fast kind.

This one tried to lock my card in, but when I reflexively yanked on it to pull it out, somehow it lost contact with the chip or something. What followed was a stuck card in this machine, and the machine stuck on "verifying"... no cancel buttons worked either. Eventually, after a long and disconcerting minute had passed, it finally released my card and told me to go inside for payment.

Definitely not user friendly in the slightest...
and just an awful way to start your morning on your way to work.

0xffff2 wrote:
I travel a decent amount in the Western US, mostly in California and Oregon. I have never once encountered this.

SEJeff wrote:
Until EVs are more mainstream I guess, but that won't probably be for another 5-10 years.

Thlom wrote:
Haha. A bit unrelated, not sure how it works in the rest of the world, but in Norway EV charging stations don't even have a card reader, you have to sign up with an app and register your card there. And each charging company has their own app. Absolutely bonkers. You can get a chip for your key chain and tie it to all your apps so you can read that at the charging station, but still.

SAI_Peregrinus wrote:
The chain "Speedway" has chip card readers at their pumps, at least in my region (western NY).

kevin_thibedeau wrote:
The New York Speedways are all conversions from Mobil stations and they just upgraded their pumps. Few other stations are supporting chip cards.

lsllc wrote:
There's no reason why contactless EMV should not be required even at a gas station (not needing a limit).

aerostable_slug wrote:
Gas pump readers are very expensive. The solution for the wise customer is to go inside and use the POS terminal at the counter if possible.

Old school gas station attack: many gas stations queue and forward transactions for reconciliation in batches, waiting to do so when they don't have connectivity. People have taken advantage of this fact by climbing up on the roof of stations with satellite connections for their POS terminals, tin-foiling them or otherwise blocking their transmission, then buying a bunch of gas with a stolen credit card. Head down to the next gas station, lather rinse repeat, and by the time things get figured out you've got maybe a hundred gallons of gas and a bunch of candy bars you can trade for meth (this is not a Bond Villain-level crime).

tialaramex wrote:
> The solution for the wise customer is to go inside and use the POS terminal at the counter if possible.

That's irrelevant to this attack. Bad guys aren't obliged to use that terminal, and they're the ones relying on access to a mag-stripe reader.

However for that "old school" attack EMV could help if it was deployed. Because EMV cards have state, they can have arbitrary rules about how often they're willing to perform offline transactions and how much value for. So e.g. a card can decide it won't do more than five offline transactions or more than $100 of transactions without going online.

jgalt212 wrote:
Mag stripes via fingerprinting of the actual stripe, can make them more secure than EMV or contactless.

_Both the standard card data and the underlying magnetic fingerprint of the card is read, all in a single swipe._ [1]

[1] https://www.magtek.com/product/magnesafe-intellihead

Nursie wrote:
That's still not really "more secure" than EMV, which includes active security measures like PIN validation capabilities, various active anti-fraud measures like offline velocity checks, transaction amounts encoded in cryptographic tokens, and which can in theory be remotely disabled etc.

I guess it makes it "more /just as able to be authenticated as a genuine card" though.

jgalt212 wrote:
Yes, I hear you. It would then come down to what's easier to do correctly, authenticate an EMV transaction or read and validate the fingerprint of a card's mag stripe.

To the best of my knowledge, I don't think anyone has been able to replicate a mag stripe's fingerprint on another card's mag stripe. However, this security measure has probably seen a few orders of magnitude less adversaries than EMV and RFID have.

Shivetya wrote:
First I would love to find a way to find which banks or processors are vulnerable.

Second is, is there a way to gain the safety of the chip and pin with online purchases. Currently I obscure my CC info by using PayPal where available and when in the real world I live by Apple pay. If I could disable access to my card by stripe for real world where Apple pay is not usable I would.

brendoelfrendo wrote:
Hm, that makes me wonder; is it possible to demagnetize or scramble the data on the mag stripe without harming the chip? I'm not sure how sensitive the chips are to magnetic interference, but if you can pull it off, you can make your own chip-only cards.

andrewnicolalde wrote:
There certainly is. I have done this with a non-payment card. All you need is a magstripe reader/writer. A few tens of passes of writing random data to the magstripe should do the trick.

Not sure how this would impact the usability of your card though, in case you do end up relying on the magstripe.

grishka wrote:
> Second is, is there a way to gain the safety of the chip and pin with online purchases.

Yes, there's this 2FA thing where you're redirected to your bank's website and you have to enter the code they send to your phone. I've had this for ages and I'm surprised there are still places where it's not mainstream.

Magstripes tho? I remember using mine when I visited the US in 2016 and that's about the only time when I used it. It was weird too, because most terminals had the chip slot but cashiers insisted that you swipe. The most bizarre part is that sometimes the transaction went through with _just the swipe_ -- no PIN, nothing.

Nursie wrote:
>Second is, is there a way to gain the safety of the chip and pin with online purchases.

In the UK we have had "Verified by Visa" and "Mastercard 3D Secure" for many/most online transactions for a long time (12 years?)

It's effectively a form of 2FA, the transaction flow diverts to a bank portal where you authorise the transaction with a password, or a selection of digits from a passcode. This never goes near retailer systems.

It's not the same level of assurance as EMV, but it is something, and any transactions that don't go via that system are more likely to be declined or flagged as fraud.

0xffff2 wrote:
How do those work over there? We have both in the US as well, but I've always refused to use them because signing up for either seems to transfer a significant chunk of the liability for fraudulent transactions away from the bank and on to the consumer.

te_chris wrote:
You don't sign up to anything, it's with the issuing bank or provider.

im3w1l wrote:
What if you sidestepped all the chip cleverness and just put cameras to capture the name, CC number, expiration and 3 digits? You'd still need a billing address I guess, but you might be able to get that by looking up the name and disambiguating using the location of the terminal.

Nextgrid wrote:
A lot of merchants are starting to use 3D Secure now which is essentially two-factor authentication.

Nursie wrote:
Starting to?

It's been pretty standard for over ten years... (I'm in the UK, I have no idea how our market compares to yours)

untog wrote:
I used to live in the UK (and still visit often) but now live in the US. You'd be _amazed_ how far behind US banking is, even compared to the UK ten years ago.

Nextgrid wrote:
I said "starting" to include the US which I expect to be still far behind. I agree that in the UK it's been standard and in fact EU regulations now make this mandatory anyway.

tricolon wrote:
I'm in the US and have never heard of it.

kergonath wrote:
It's common in Europe (I think it's even mandatory now, though not necessarily for each transaction).

ceejayoz wrote:
> It's been pretty standard for over ten years.

It's unheard of in the US.

oneplane wrote:
Depends on where you bank I suppose. Also depends on where you credit.

I can't use my bank card without mutual validation, same with my credit card. Even if you do it manually we still get a challenge-response that you use a hardware device or an app for.

ceejayoz wrote:
> What if you sidestepped all the chip cleverness and just put cameras to capture the name, CC number, expiration and 3 digits?

Apple Cards have just the name on them, which is a nice step in the right direction. (No contactless, though, which is weird.)

WorldMaker wrote:
Apple Cards also have the nice feature that the entire mag-stripe CC number is virtual and different/distinct from the number used by contactless/Apple Pay, the number used by the EMV, _and_ the number given by the App for cases where something requests you manually type in a CC number. Most of those numbers can be changed in the App when needed. So even in the cases where someone skims or leaks an Apple Card CC number you typically have more protection than an average card.

Nursie wrote:
Why would you need it, you've got an iPhone right?

(semi serious here - I'm sure they want you to use Apple Pay)

frogblast wrote:
A contactless card just proves physical possession of the card. An Apple Pay payment means that a password or biometric authentication was performed, AND possession of the device, which raises the barrier to fraud. So there is a good reason to want to discourage the use of the card when possible.

SomeHacker44 wrote:
There is a little thing called COVID. All my main payment cards are contactless now. I am not an Apple card customer.

Nursie wrote:
Sure, but if you have an Apple card you're going to have an Apple phone, most probably, and that can do the contactless bit for you. Not sure if apple cards and android phones work, but android-pay is the other option for most cards.

Both are more secure than using the card directly with contactless - you have verified to your phone that it is you using it, by logging in with face ID, touch ID, passcode, PIN, whatever. It's a form of cardholder verification that is missing when you use the card.

That was my (slightly snarky) point - you don't need contactless on the card when you have a smart device that does it better.

dhosek wrote:
I'm not an Apple card customer either, but I use Apple pay with my cards usually on my watch, although once in a while it doesn't work at a terminal and I have to pull out my phone (which is annoying since facial recognition doesn't work with a mask on). I understand similar things exist for Android.

WorldMaker wrote:
If you want more convenience in your contactless payments, Apple suggest that you get a more recent Apple Watch.

(Also semi-serious.)

dhosek wrote:
My credit union cards still have the old-style credit card number on the front (but no raised digits for the ker-chunk machine). My Chase card has the numbers in small type on the back in a non-contrasty color. It's not possible to read in non-ideal lighting conditions.

dhosek wrote:
But I rarely take either card out of my wallet. I use Apple Pay almost everywhere.

Scoundreller wrote:
What I like about those is that you can stack more cards in the same space.

And the embossed cards tend to have their ink rub off anyway.

gnopgnip wrote:
Vendors get much less protection when doing a card not present transaction. They also usually pay higher fees. There are also cases where an additional layer of security is used, Visa Secure.

8K832d7tNmiQ wrote:
Another method would be a standardised QR code so that you can make a transaction from your app by scanning the qr code.

I don't know about other countries, but this is basically the premise of QRIS Technology [0] used in Indonesia, basically to put an end on competing in QR-based payment method.

[0]: https://www.bi.go.id/QRIS/Contents/Default.aspx

gruez wrote:
The one thing I like about the credit card system (as opposed to "app" pay system) is that the usability is so much better. You don't have to worry about your phone being smashed or running out of battery. It's also less work than a phone, all you need to do is wave your card in front of a reader. No need to get out your phone, unlock it, open the app, wave around your camera so it scans, and finally confirming the payment. Not having to install a potentially privacy invading app is also a plus.

ravenstine wrote:
Wouldn't work in a lot of places where there's no LTE reception, though that will probably change with things like 5G and Starlink.

I also wouldn't want my ability to pay to be tied to my phone. Not only do I want to be able to pay for things even when my phone is dead, but it just seems like it would add yet another vector of attack to steal my money.

castratikron wrote:
Guessing Visa can "fix" this problem in the same way they fix the fallback to magstripe: make the vendor pay a fee for noncompliance.

https://www.cardfellow.com/blog/emv-fallback-fees-definition...

csommers wrote:
That's exactly how it should be: party at fault gets charged.

afrcnc wrote:
Can we link to the actual research instead of this people-doxing clown's article?

Source: https://geminiadvisory.io/cybercriminals-deploy-emv-bypass-c...

samblogs wrote:
Does anyone have a good detailed article on the crypto behind iCVV/dynamic CVV?
This article summarizes how it works, but I haven't found a good detailed article after much googling

bob1029 wrote:
I found this from a public FirstData document:

"Codes written on the track with equivalent data stored on the chip to prevent fraud. All chip cards are issued with the card security code on the track data stored on the magnetic stripe and chip card security code stored on the chip. Calculated with the same DES key but with a '999' service code"

https://www.firstdata.com/downloads/marketing-merchant/EMV-A...

the_mitsuhiko wrote:
I will never understand why magstripe is still used in the US. Even after EMV became "mandatory" there are still magstripe transactions happening and when you are presented with a chip reader it's slow and awkward. Why is it such an inferior experience compared to Europe?

swimfar wrote:
Because many consumers don't see chip and pin as an upgrade (though contactless is nice). So it depends on the banks to decide whether it's worth it. With debit cards, the extra security is valuable. But with credit cards it isn't really too important to me because I can just reverse fraudulent charges.

As for the experience of using each, it seems to depend a lot on the machines. I did not like using chip and pin in Europe because it seemed to take longer and required more interactions. With the magstripe I pull the card out, swipe it, put it away. I'm never waiting for anything. Sometimes I'd have to swipe it twice, but that didn't happen too often to me. But it seems like different people have very different experiences with these things.

edit: this mostly applies to credit cards, which are much more common in the US than in Europe. But the lack of significant benefit for credit cards to use this technology could have resulted in momentum that slowed the adoption of it for debit cards.
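Picking up tialaramex's point earlier in the thread that EMV cards have state and can refuse to keep approving offline once a set number of transactions or a cumulative amount is reached, here is an added Python sketch of that card-side velocity check, driven through a store-and-forward terminal like the gas pump aerostable_slug describes. This is not code from the thread, the article or any card vendor: the limits (five transactions, $100) come from tialaramex's comment, the cryptogram names TC/ARQC/AAC are EMV's, and the class and function names, the cent amounts and the terminal behaviour are this example's own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RiskParams:
    """Card-side limits, modelled on EMV's consecutive-offline and cumulative-offline
    checks. Values are constructed for this example (tialaramex's "five transactions
    or $100 without going online")."""
    max_consecutive_offline: int = 5
    max_cumulative_offline_cents: int = 100_00


class EmvCardSim:
    """Toy model of an EMV card's velocity checking (illustration, not a real applet).
    The card is stateful: it counts offline approvals and stops approving offline
    once either limit would be exceeded, which a magnetic stripe cannot do."""

    def __init__(self, params: Optional[RiskParams] = None):
        self.params = params or RiskParams()
        self.consecutive_offline = 0
        self.cumulative_offline_cents = 0

    def _limit_would_be_exceeded(self, amount_cents: int) -> bool:
        return (self.consecutive_offline + 1 > self.params.max_consecutive_offline
                or self.cumulative_offline_cents + amount_cents
                > self.params.max_cumulative_offline_cents)

    def first_generate_ac(self, amount_cents: int) -> str:
        """First GENERATE AC: the card answers TC (approve offline) or ARQC (ask the issuer)."""
        if self._limit_would_be_exceeded(amount_cents):
            return "ARQC"
        self.consecutive_offline += 1
        self.cumulative_offline_cents += amount_cents
        return "TC"

    def second_generate_ac(self, issuer_answer: str) -> str:
        """Second GENERATE AC after the terminal tried to go online.
        issuer_answer is "approved", "declined" or "unable" (no connectivity)."""
        if issuer_answer == "approved":
            self.consecutive_offline = 0          # the issuer has now seen this card
            self.cumulative_offline_cents = 0
            return "TC"
        return "AAC"                              # the card declines rather than approve offline


def run_terminal(card: EmvCardSim, amounts_cents: List[int], online_available: bool) -> List[str]:
    """Drive a sequence of purchases through one terminal. With online_available=False
    this mirrors the store-and-forward pump in the thread: nothing reaches the issuer."""
    outcomes = []
    for amount in amounts_cents:
        cryptogram = card.first_generate_ac(amount)
        if cryptogram == "TC":
            outcomes.append("TC")
            continue
        issuer_answer = "approved" if online_available else "unable"
        outcomes.append(card.second_generate_ac(issuer_answer))
    return outcomes


def magstripe_terminal(amounts_cents: List[int]) -> List[str]:
    """A stripe carries no state, so an offline terminal approves every purchase under its floor limit."""
    return ["APPROVED" for _ in amounts_cents]


if __name__ == "__main__":
    fills = [30_00] * 4                            # four $30 fills at one cut-off pump
    print("stripe, offline pump:", magstripe_terminal(fills))
    print("chip, offline pump:  ", run_terminal(EmvCardSim(), fills, online_available=False))
    print("chip, online pump:   ", run_terminal(EmvCardSim(), fills, online_available=True))
```

With connectivity cut, the stripe run approves all four fills while the chip run approves three and returns AAC on the fourth because the $100 cumulative limit would be exceeded; the same card at a pump that can reach the issuer gets all four approved, because the online approval resets the counters.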

jermaustin1 wrote:
What is crazier still, is I wasn't even sent a chip & pin from my bank until just last year. At least they did everything all at once, chip and contactless. But I'm still waiting for Capital One to send me a contactless card (it's my preferred card to use internationally where contactless seems to be the standard).

tialaramex wrote:
If you have a (modern, smart) phone you can teach the phone this Capital One card and it'll "be" that card contactlessly when you travel, one less thing to carry.

I deliberately own (special ordered from my bank) a card that has no contactless, and it's also the card my phone "is" so all contactless transactions with that card are through the phone, the bank never issued a contactless card so it's literally impossible that the card itself was used for a contactless transaction.

Using the phone this way allows me to walk around the supermarket, scanning product codes with the phone, then walk to the checkout, scan the "I'm done" code and hold the phone near the contactless checkout as payment. No human interaction, very little touching stuff, only need the phone which I'd carry anyway, no cards or cash.

jermaustin1 wrote:
I actually had trouble a year ago when traveling in the UK (I miss travelling), I was using my capital one through apple pay, but it would get declined constantly and shut off because the UK doesn't pass the CVV into the transaction. I never found a clear pattern for when fraud detection would occur, but one app that caused it constantly was Deliveroo.

llsf wrote:
I was wondering too. But here in US the equation is a bit different. The CC networks have already backed the cost of magstripe fraud in the business model. They convinced Americans to pay an elevated fee to balance the inevitable fraud induced by magstripe. Now, with EMV in theory the fees should drop as there is less fraud than with magstripe.
Having magstripe around is a way to justify the fees. That is my understanding that it would be difficult now to explain to Americans that they paid elevated fees for so long to pay for fraud that was no fault on their own.

abrowne wrote:
My understanding for part of it is that magstripe readers were much more common in the US, and businesses (a) didn't want to pay to upgrade all their terminals and (b) don't want to turn away a purchase because a customer doesn't have a chip or the chip isn't working.

lsllc wrote:
That may have been the case, but pretty much everywhere I go stores have newer EMV capable terminals (e.g. Ingenico etc). The only place I really use mag swipe now is a gas station pump (who have no excuse not to switch to contactless EMV).

You'd think with COVID-19, there'd be a rush to move to contactless payments.

blahyawnblah wrote:
Lots of gas stations do use the chip, but it's the same process of inserting the card.

jackson1442 wrote:
Never been to a pump that uses chip personally, unless you pay inside. I've seen ~5 with a contactless tap point, but only got about 2 of them to work.

This is in Texas, for reference.

eli wrote:
A lot of people think COVID-19 is indeed the thing that will tip this into the mainstream default: https://www.bankingdive.com/news/will-covid-19-push-contactl...

lsllc wrote:
I hope so. On a related note, I don't know if this is just me, but I literally have not used cash since March (although I keep hearing about a "coin shortage", perhaps this is people just not using coin anymore).

eli wrote:
Same. And yes, that's my understanding plus other factors: low usage of mass transit ticket machines and laundromats. Plus few people rolling coins and bringing them into a bank right now.

penagwin wrote:
Yeah I actually choose gas stations that support contactless payments. No card contact + one disposable glove is the way to go.
| | Overkill? Maybe. But it costs me nothing so I'll take the | peace of mind. | bluntfang wrote: | I'm really not trying to be rude here, but a disposable | plastic glove isn't a "cost nothing" scenario. Plastic | pollution is bad. Climate change is real. Trash islands | are real. Microplastics in the entire food chain are real. | I admire your dedication to stay safe, and don't want you | to stop feeling safe, but we must all begin to accept | what we're doing to the environment. | ascorbic wrote: | Magstripe readers were ubiquitous in the UK 15 years ago. The | banks started issuing chip and PIN cards and terminals, then | did the liability shift a couple of years later. That shift | is what's needed to make retailers switch, and is what still | hasn't happened in the US. | Deathmax wrote: | A Monzo engineer describes nonconformance with specs which might | lead some card issuers to be more liberal with what they accept: | https://twitter.com/erincandescent/status/128153445694436147... | Fiveplus wrote: | That was interesting, thanks for sharing it here. | tzs wrote: | OK, so if I grasp this, the problem is that an EMV skimmer gets | the card number and an iCVV. The bad guys make a stripe card with | that number and the iCVV. | | That should not work because banks are supposed to look for the | iCVV only on dipped transactions, and look for the CVV on swiped | transactions (and the CSC for online/telephone transactions). | | Some banks apparently left out the logic of matching the type of | code to the transaction method, and so using iCVV in place of CVV | works for them. | | Even if all banks got this right, though, it seems to me you | could still get fraud. The CVV is only three digits. Once you've | got the card number just make a stripe card and guess the CVV. If | it fails, try another CVV. As long as you don't do too many | guesses too close together and cause the bank to lock out the | card, you should eventually find the right CVV.
| | Even if the bank is very trigger happy on fraud lockouts, if your | skimmers got several thousand card numbers you are going to have | many CVV guesses turn out to be right the first time. | | Instead of the stripe on cards that have both EMV and stripe | being just a copy of the same card that is in the EMV side of | things, shouldn't they be separate? The issuing bank should issue | two logical cards for the underlying account, with one being EMV | only and one being stripe/online only. | kergonath wrote: | I would hope that a card would be flagged as suspicious before | a hundred tries. They could still get some transactions | through, but that would cut the success rate by a couple of | orders of magnitude compared to just hoping that the bank won't | check. | | What really needs to be done is letting go of the magnetic | stripe. | lmilcin wrote: | Hi. I have worked for one of the acquirers (card acceptors) for | a couple of years, designing and implementing credit card terminals | and security infrastructure. I was also security officer. | | Basically, credit cards can be very secure. But it also costs. | Banks do simple cost/benefit decisions and may in many cases | significantly lag behind in technology for various reasons. They | get away with this because consumers have absolutely no idea how | cards differ and what the options are. | kergonath wrote: | My experience has been that all the banks that gave me cards | were diligent in verifying suspicious transactions, often | erring on the side of caution and asking for confirmation. | Also, they don't tend to argue much before refunding an illegal | transaction. | | So, from my point of view, it could certainly be improved | (along the lines of what Apple Pay is doing with tokenisation: | confidentiality is an issue), but there is no real reason to | complain. | | As long as fraudulent transactions are rare enough that the | banks don't drag their feet, it's fine.
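The authorization-host logic that tzs's comment describes (check CVV1 on swiped transactions, iCVV on chip reads, and never accept one in place of the other) and kergonath's point about velocity lockouts, as an added worked example that is not code from the article, the thread, or any issuer. Assumptions: the real CVV/iCVV derivation is DES-based under the issuer's CVK pair with a decimalisation step; the `card_verification_value` function below substitutes an HMAC-SHA256 stand-in so the script runs on a stock Python install, keeping the property that matters (the value depends on the service code, and iCVV is derived with "999" in place of the service code). The entry-mode codes are the common ISO 8583 DE22 values ("90" stripe read, "05" chip read); the key, PAN and expiry are constructed sample data.

```python
"""Issuer-side CVV check keyed to POS entry mode (added example, not issuer code).

Two issuer behaviours are modelled:
  strict=False  the lapse tzs describes: any valid value (CVV1 or iCVV) is
                accepted no matter how the terminal says it read the card,
                so a stripe cloned from shimmed chip data works.
  strict=True   the value must match the entry mode, plus a per-PAN
                failure counter that blocks the card after max_failures.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

ENTRY_MAGSTRIPE = "90"     # DE22: track data read from the magnetic stripe
ENTRY_CHIP = "05"          # DE22: ICC (chip) read
ICVV_SERVICE_CODE = "999"  # substituted for the service code when deriving iCVV


def card_verification_value(cvk: bytes, pan: str, expiry: str, service_code: str) -> str:
    """3-digit value bound to PAN, expiry (YYMM) and service code.

    ASSUMPTION: HMAC-SHA256 stands in for the DES-based CVV algorithm.
    """
    msg = f"{pan}{expiry}{service_code}".encode()
    digest = hmac.new(cvk, msg, hashlib.sha256).hexdigest()
    return f"{int(digest, 16) % 1000:03d}"


def cvv1(cvk: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Value encoded on the physical stripe (Track 2)."""
    return card_verification_value(cvk, pan, expiry, service_code)


def icvv(cvk: bytes, pan: str, expiry: str) -> str:
    """Value in the chip's Track 2 equivalent data; differs from CVV1 by design."""
    return card_verification_value(cvk, pan, expiry, ICVV_SERVICE_CODE)


@dataclass
class Issuer:
    cvk: bytes
    strict: bool = True                 # True: value must match the entry mode
    max_failures: Optional[int] = 3     # None: no velocity lockout
    failures: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def authorize(self, pan: str, expiry: str, service_code: str,
                  entry_mode: str, presented: str) -> str:
        if pan in self.blocked:
            return "DECLINE_BLOCKED"
        stripe_value = cvv1(self.cvk, pan, expiry, service_code)
        chip_value = icvv(self.cvk, pan, expiry)
        if self.strict:
            # Key-entered / e-commerce would check CVV2 instead; not modelled here.
            expected = {ENTRY_MAGSTRIPE: stripe_value, ENTRY_CHIP: chip_value}.get(entry_mode)
            ok = expected is not None and hmac.compare_digest(presented, expected)
        else:
            ok = presented in (stripe_value, chip_value)  # the lapse: mode ignored
        if ok:
            self.failures.pop(pan, None)
            return "APPROVE"
        n = self.failures[pan] = self.failures.get(pan, 0) + 1
        if self.max_failures is not None and n >= self.max_failures:
            self.blocked.add(pan)
            return "DECLINE_BLOCKED"
        return "DECLINE_CVV"


def shimmed_track2_equivalent(cvk: bytes, pan: str, expiry: str, service_code: str) -> dict:
    """What a chip shimmer captures: Track 2 equivalent data carrying iCVV, not CVV1."""
    return {"pan": pan, "expiry": expiry, "service_code": service_code,
            "cvv": icvv(cvk, pan, expiry)}


def swipe_cloned_stripe(issuer: Issuer, track: dict) -> str:
    """Write the shimmed data to a blank stripe and swipe it."""
    return issuer.authorize(track["pan"], track["expiry"], track["service_code"],
                            ENTRY_MAGSTRIPE, track["cvv"])


def brute_force_cvv1(issuer: Issuer, pan: str, expiry: str, service_code: str):
    """Guess CVV1 on a cloned stripe 000..999; stop on approval or lockout.

    Returns (approved, attempts_made).
    """
    attempts = 0
    for guess in range(1000):
        attempts += 1
        resp = issuer.authorize(pan, expiry, service_code, ENTRY_MAGSTRIPE, f"{guess:03d}")
        if resp == "APPROVE":
            return True, attempts
        if resp == "DECLINE_BLOCKED":
            return False, attempts
    return False, attempts


def expected_hits(cards: int, attempts_per_card: int) -> float:
    """Expected cracked cards when each of `cards` PANs gets blind guesses before lockout."""
    return cards * attempts_per_card / 1000


if __name__ == "__main__":
    CVK = b"constructed-issuer-cvk"                      # constructed sample key
    PAN, EXP, SVC = "4111111111111111", "2412", "201"   # constructed test card
    track = shimmed_track2_equivalent(CVK, PAN, EXP, SVC)
    print("cloned stripe, lax issuer:   ", swipe_cloned_stripe(Issuer(CVK, strict=False), track))
    print("cloned stripe, strict issuer:", swipe_cloned_stripe(Issuer(CVK, strict=True), track))
    print("brute force, no lockout:     ", brute_force_cvv1(Issuer(CVK, max_failures=None), PAN, EXP, SVC))
    print("brute force, lockout at 3:   ", brute_force_cvv1(Issuer(CVK, max_failures=3), PAN, EXP, SVC))
    print("expected hits, 5000 PANs x 3:", expected_hits(5000, 3))
```

The lax issuer approves the cloned stripe because it never asks which value it should have received; the strict issuer declines it with DECLINE_CVV. Without a lockout the brute force always succeeds within 1000 swipes, and with a three-strike lockout it succeeds only when the true CVV1 happens to be among the first three guesses, which is the 0.3% per-card rate that makes a few thousand skimmed PANs still worth an attacker's time.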
| throwaway_pdp09 wrote: | > because consumers have absolutely no idea how cards differ | and what the options are | | Well if there's a time and a place to educate people, it's here | and now. Your knowledge would be appreciated, TIA | rblatz wrote: | But also banks take on all the liability for misuse. Customers | aren't liable for fraudulent charges, that's why America has | lagged behind Europe on rolling out chip cards, customers don't | demand it because they don't pay the price for card fraud. | hocuspocus wrote: | European customers aren't liable for fraudulent charges | either, I don't really understand your logic here. | | Everyone pays the price of fraud and it's probably one major | reason that explains high interchange fees in the US. | swimfar wrote: | Early on the customers were completely liable because the | banks claimed that the only way a fraudulent charge could | be made is if the customer "allowed" their PIN to get | stolen. Eventually they changed this and made it more | customer friendly. | C1sc0cat wrote: | In Europe the liability shifted to the non-complying | partner - which helped takeup. | tadfisher wrote: | Already the same in the US once EMV was rolled out. | tialaramex wrote: | No, US interchange fees pay for "reward" cards. You charge | everybody 5% extra, you give Karen 5% cashback, she thinks | you're "rewarding" her and everybody else gets screwed, the | payment network keeps the difference. | | The EU caps the interchange fee, does that mean the | networks exit the business because they can't make money? | No. Does it mean they've eliminated fraud? No. But it does | mean they can't pay Karen 5% "reward" so they don't. There | aren't any cards like that in Europe. For everybody else it | makes the system cheaper. | llsf wrote: | That is the thing that it took me a while to understand once | arriving in the US from Europe. In Europe I did not care the | least if someone managed to hack my credit card. The bank is | liable.
The bank is responsible for making it as secure as | possible. That is probably why we had credit cards with chip & | pin since the 80's. Banks had incentive to reduce the fraud | as they could not easily pass it to the customers. But when I | arrived here in the US, I heard all those horror stories with | fraudulent charges (and it happened to me too) and why I | should take it seriously. And why I should protect my CC | details ?!? (like my US social security number... but that is | for another thread :) Coming from a country where CC used | chip & pin for more than 30 years, and only having the US embrace | it (but only half-way) in recent years, is bizarre. | kergonath wrote: | Coming from a country where your address and social | security number are basically publicly-available | information (so of course neither are used for anything | sensitive), it took me some time to understand the fuss | Americans tend to make about SSNs... | Wowfunhappy wrote: | Right, and so the trade-off seems completely reasonable to | me. | | If the bank has calculated that extra fraud costs less than | the price of mitigating it with additional security measures, | and it is the one bearing the cost either way, then power to | them! | techsupporter wrote: | I'm not sure I understand this. Fraud, and cleaning up | after it, is not free of cost. If anything, fraud is more | insidious because it costs the one thing I can't replace, | which is time. | | Even for me--someone who has multiple payment cards, | primarily uses credit (instead of debit), a healthy savings | account, and a flexible job--cleaning up from a stolen | credit card number takes two or three hours at a minimum. | For someone who does not have those things, _particularly_ | for people who primarily use debit cards[0], the impact is | far worse.
| | If we swapped our cards to simply require a PIN that's | validated by the chip on the card (so that in-person | charges without the proper PIN cannot complete, even if the | card is shimmed), that removes the bulk of in-person fraud | attempts. But US banks are, largely, so fearful of | customers switching away from them at even the slightest | provocation, we don't get PINs. So I'm forced to ask what | other "basic" measures (like 3D Secure for online | transactions) we lack. | | 0 - I don't want to hear the rebuttal that "well, people | should just use credit cards." There are a hundred | different reasons why people don't use credit cards--don't | qualify for one, have an objection to debt, past bad | experience, and so on--and we cannot write off people who | "only" use debit from security measures. | kergonath wrote: | Overall, debit cards make much more sense than credit. | Their purpose is just to move money across accounts, not | to entice you to overspend and then prey on you if you | forget the magic dance, or datamine your spending | patterns. There is no intrinsic reason for credit cards | to be safer. | VBprogrammer wrote: | This completely ignores the amount of worry and frustration | which an ordinary person has to go through to get back to | the point that only the bank are out of pocket. It's not | trivial by any means. | | You could also make an argument that by continuing to allow | this fraud to happen we're funding all kinds of nasty | people. I'm not convinced the argument holds water since | bad guys are often faster to move than the banks but it's | worth noting. | kergonath wrote: | It's a systemic issue. In jurisdictions where banks | cannot shift the risk to the customers, they tend to be | more effective. | | In the few European countries I know, banks are very pro- | active about card fraud and refund without asking | questions if fraud happens anyway. 
| | Nasty people will get funded anyway, but reducing fraud | also reduces their income. The main drawback is that | people have to use their PIN (and even that is getting | rare thanks to contactless cards). | lsllc wrote: | I think the bigger issue is not the terminals themselves, but | the software behind it that's designed to process the payment | from the track data. | | Contactless magstripe (MSD) is a workaround that allows for a | contactless payment, but really is just sending the same | (insecure) track data through the backend software. Contactless | EMV is the right way, but requires more sophisticated software. | cosmie wrote: | > They get away with this because consumers have absolutely no | idea how cards differ and what the options are. | | Do you have any tips/resources for how an interested consumer | can become more informed (whether for personal or small | business accounts)? | | Would you be able to get this type of information through | contacting support, if you know the right way | to ask? Or would it be considered too sensitive for the bank to | give out implementation details that easily? | whitepoplar wrote: | Can you give any recommendations on banks that really get it | right? How about the inverse? | dddddaviddddd wrote: | What features make a secure credit card and how can a consumer | verify their presence? | specialist wrote: | How can noobs like me assess how good any given POS is? | | Is there a rating system? | | Any way to inspect transactions to see the whatnots? | | Knowing nothing, I've been doing as much as possible using | Apple Pay, because IIRC they do some kind of token exchange, vs | sending my digits across the wire. | donarb wrote: | I use my chipped card frequently when going to the grocery store. | Pretty much 20% of the time, it won't read the chip, reporting | "Chip Malfunction". Even wiping any sort of gunk off the chip | contacts doesn't fix it.
So you have to go through 3 failed read | cycles before it will let you use the mag strip on the back. | | Going back to the store a few days later and the same machine | will work, I wonder how often the machine's readers are cleaned. | jack_h wrote: | I've had problems with the chips themselves. I had a card whose | chip worked perfectly for maybe a year or more before I lost | it. The replacement chip worked for about a week then I'd get a | chip error every time and everywhere. So I got another | replacement which didn't work out of the envelope. So I got a | third replacement and it worked exactly one time before | breaking. | | At this point I've just given up and insert the card three | times before being forced to use the mag strip. I don't even | know what else to do... | meragrin_ wrote: | A cashier gave me a tip once. Try pushing on the face of the | card so the chip end is levered up against the machine tighter. | It seems like there is something wrong with the contacts in the | reader and they do not make appropriate contact with the chip. ___________________________________________________________________ (page generated 2020-07-30 23:01 UTC)