[HN Gopher] Is your chip card secure? Much depends on where you ...
       ___________________________________________________________________
        
       Is your chip card secure? Much depends on where you bank
        
       Author : MindGods
       Score  : 127 points
       Date   : 2020-07-30 15:19 UTC (7 hours ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | bryanthompson wrote:
       | On this topic, if anyone can point me toward a US-based issuer
       | where I can open an account and get a card that supports credit
       | pin (not pin for cash advance on a credit card), I'll happily
       | venmo you a pizza or something. The issuers I have spoken to[1]
       | all tell me it is impossible to get such a card in the US, which
       | seems ridiculous.
       | 
       | [1]: https://wallethub.com/credit-cards/chip-and-pin/ I discussed
       | each of the cards noted here with the issuers, not one is
       | actually chip+pin credit.
        
         | neom wrote:
         | HSBC
        
         | techsupporter wrote:
         | * Spokane Teachers Federal Credit Union (Mastercard)
         | 
         | * Andrews FCU (Visa, one of the cards is also contactless) -
         | Must ask for the "international travel" card, the default is
         | chip-and-sign
         | 
         | * State Department FCU (Visa) - Must ask for the "international
         | travel" card, the default is chip-and-sign
         | 
         | * Target REDcard Mastercard (you have to get the normal store
         | card and hope to get swapped out to the Mastercard after a few
         | months/years/epochs; you can't get the Mastercard from the
         | first go)
        
           | nhf wrote:
           | Also the UNFCU credit cards.
        
         | PascLeRasc wrote:
         | I believe AmEx charge cards (Green, Gold, Platinum, possibly
         | others but these are the good ones) are all chip-and-pin. The
         | Blue Cash one on that website isn't.
        
           | ceejayoz wrote:
           | My Gold is definitely not chip-and-pin. Chip, yes. Pin, no.
        
         | lotsofpulp wrote:
         | I have inquired about this also and found no solution. If I use
         | my US based credit cards abroad where chip and pin is the norm,
         | I end up getting asked to sign a printed receipt.
         | 
         | I imagine the card networks just don't want to spend money to
         | change the infrastructure to support chip and pin because the
          | merchant pays for most of the losses in the US?
        
           | bryanthompson wrote:
           | The liability shift in the US that affected most retailers
           | occurred in October 2015 -- basically, merchants are and have
           | been liable for fraud that occurs on swiped transactions. I'd
           | be curious to find out how the example presented by the
           | parent article could change this -- a valid-looking card that
           | only has swipe would definitely be taken by a merchant for
           | fraud, and if the card doesn't claim to be EMV-capable, it
           | seems like this would not be the merchant's fault. I would
           | think in 2020, however, a mag stripe only card would raise
           | red flags with humans at the counter, but gift cards are this
           | way, so perhaps they would just breeze right through.
        
             | lotsofpulp wrote:
             | Previous commenter and I were talking about chip and pin,
             | not just chip (aka EMV).
             | 
             | With EMV, someone can still use your card after they steal
             | it. With chip and pin, that is far more difficult. I don't
              | know if the merchant is off the hook even with just chip; I
              | presume the card networks kept some weasel language in
              | order to allow them to blame the merchant.
        
               | Symbiote wrote:
               | EMV is the standard for the debit/credit cards with
               | chips. It includes modes with PINs, signatures, and
               | neither, depending on the configuration of the card (i.e.
               | the bank) and the reader (i.e. the shop's
               | bank/intermediary).
               | 
               | https://en.wikipedia.org/wiki/EMV
        
           | xenospn wrote:
           | Had many arguments with cashiers in Europe who refused to let
           | me sign receipts and insisted I just enter a pin.
        
             | jacques_chester wrote:
             | I was (politely) threatened with arrest on a British
             | commuter train when the ticket inspector's credit card
             | device insisted on a PIN for an American credit card.
             | 
             | He literally didn't believe me when I said American cards
             | still ask for signatures. By luck there was an American
             | also riding in the cabin who piped up to verify my story
             | and I was allowed to pay when I reached my destination.
             | 
             | In Australia the same card works with contactless payment,
             | which never asks for a signature, up to AU$100. But as soon
             | as I go over that limit it's a card dip + signature.
        
             | bryanthompson wrote:
             | Also interesting how there are such specific requirements
              | at grocery stores. None of my US-based cards could be used
             | in several grocery stores in the Netherlands. When the
             | cashier looked at my cards, they immediately knew it was
             | because I didn't support whatever networks they expect.
        
               | thesimon wrote:
               | Maestro or VPay they expected, the european old-school
               | debit brands.
        
         | graton wrote:
         | First Tech Federal Credit Union offers Chip and Pin Mastercard.
         | 
         | https://www.firsttechfed.com/
         | 
         | https://www.firsttechfed.com/help/support/frequently-asked-q...
         | 
         | What is the difference between Chip and PIN versus Chip and
         | Signature? Chip and PIN is the most secure type of credit card
         | technology. Instead of a signature being used for identity
         | verification, it requires you to enter a four-digit Personal
         | Identification Number (PIN) that must correspond to information
         | contained in a computer chip embedded within the card. The Chip
         | and PIN authentication method has been a global standard across
         | Europe and Asia for many years which means using your card
         | while traveling overseas will be even more convenient.
         | Authorizing your transactions with a PIN is not new to debit
         | card transactions, but is a new way to authorize payments with
         | a credit card.
         | 
         | You may occasionally still be asked to sign for transactions
         | while using your chip card. Please be assured that while these
         | transactions are still secure, many merchants do not yet
         | support chip and PIN so you may encounter this from time to
         | time. First Tech is committed to ensuring chip and PIN
         | technology is available wherever merchants accept it. Learn
         | more at firsttechfed.com/mastercard.
        
           | techsupporter wrote:
           | Can confirm; I have First Tech and Spokane Teachers cards and
           | both are chip-and-PIN. If either of them would start offering
           | contactless on these cards, I'd have the perfect travel card.
        
         | astura wrote:
         | Last I knew Barclays is the only one who offers a credit PIN
         | that you can use at kiosks that only accept PINs. I also heard
         | Navy Federal was rolling it out but their services are a
         | military+family only
         | 
         | This article says there's a few, ymmv
         | 
         | https://www.creditcardinsider.com/blog/chip-and-pin-credit-c...
        
           | nhf wrote:
           | Barclays has chip and PIN capability, but it doesn't default
           | to PIN if signature is available - it will only trigger if
           | that's the only verification method, which is almost never
           | the case in the US.
           | 
           | (Source: I have one, and the only time I've entered the PIN
           | is at a British train ticket machine.)
        
       | Nursie wrote:
       | So this effectively lets you use chip data to recreate a magnetic
       | stripe, which passes validation when the banks don't check
       | against the right CVV.
       | 
       | Yeah, not great. OTOH I worked on an early EMV implementation
       | almost 20 years ago now, and it was obvious even then that mag
       | stripe was a huge security problem. I'm amazed we're _still_
       | talking about mag stripes and issuing cards with them in 2020.
       | 
       | They should have been retired over a decade ago.
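The attack Nursie is describing works only if the issuer accepts the chip's iCVV on a swiped transaction. The Python below is added here as an illustration (it is not from the Krebs article or from anyone in the thread) and models the issuer-side check that stops it. It assumes a toy Track 2 layout in which the CVV is the first three digits of the discretionary data, uses HMAC-SHA256 as a stand-in for the real DES-based CVV computation, and the PAN and key are constructed test values. The real-world facts it rests on are that the chip's Track 2 Equivalent Data carries an iCVV derived with service code 999, while the stripe's CVV is derived with the card's actual service code, and that a service code starting with 2 or 6 announces a chip.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _decimalize(digest: bytes, n: int = 3) -> str:
    """Turn a MAC into n decimal digits the way card-verification schemes do:
    decimal hex digits first, then A-F mapped to 0-5 if more are needed."""
    hx = digest.hex().upper()
    digits = [c for c in hx if c.isdigit()]
    digits += [str(ord(c) - ord("A")) for c in hx if c in "ABCDEF"]
    return "".join(digits[:n])


def compute_cvv(cvk: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Card verification value over PAN, expiry (YYMM) and service code.
    Real issuers use a DES-based scheme under a CVK key pair; HMAC-SHA256 is a
    stand-in (assumption) so this runs with the standard library only."""
    msg = f"{pan}{expiry}{service_code}".encode()
    return _decimalize(hmac.new(cvk, msg, hashlib.sha256).digest())


def compute_icvv(cvk: bytes, pan: str, expiry: str) -> str:
    """iCVV: the same computation with service code 999. It is what the chip
    returns in Track 2 Equivalent Data, so it differs from the stripe's CVV."""
    return compute_cvv(cvk, pan, expiry, "999")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # first digit 2 or 6 means a chip is present
    cvv: str           # first three digits of the discretionary data (toy layout)


def parse_track2(track: str) -> Track2:
    """Parse ';PAN=YYMMSSSD...?' (ISO/IEC 7813 Track 2). Where the CVV sits in
    the discretionary data is issuer-defined; here it is the first three digits."""
    body = track.strip(";?")
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not 13 <= len(pan) <= 19 or len(rest) < 10:
        raise ValueError("malformed Track 2")
    return Track2(pan, rest[:4], rest[4:7], rest[7:10])


def build_track2(pan: str, expiry: str, service_code: str, cvv: str) -> str:
    return f";{pan}={expiry}{service_code}{cvv}000000?"


def chip_present(service_code: str) -> bool:
    """A terminal seeing this on a swipe should insist on the chip (swipe only
    as fallback); a mag-only clone of a chip card still carries the chip card's
    service code, so it announces a chip it does not have."""
    return service_code[0] in "26"


def authorize_swipe(cvk: bytes, track: str, strict: bool = True) -> bool:
    """Issuer-side CVV check for a swiped authorization.
    strict=True: the CVV must match the one for the service code on the track.
    strict=False: models an issuer that also accepts the chip's iCVV, which is
    what lets a stripe written from chip data pass."""
    t = parse_track2(track)
    if hmac.compare_digest(t.cvv, compute_cvv(cvk, t.pan, t.expiry, t.service_code)):
        return True
    return (not strict) and hmac.compare_digest(t.cvv, compute_icvv(cvk, t.pan, t.expiry))


# Constructed demo data: a test PAN, a made-up CVK, a chip card with service code 201.
CVK = b"issuer-card-verification-key-demo"
PAN, EXPIRY, SERVICE_CODE = "4111111111111111", "2312", "201"

GENUINE_STRIPE = build_track2(PAN, EXPIRY, SERVICE_CODE,
                              compute_cvv(CVK, PAN, EXPIRY, SERVICE_CODE))
# What a fraudster gets by reading Track 2 Equivalent Data off the chip and
# writing it to a blank card: same PAN, expiry and service code, but the iCVV.
CHIP_CLONE_STRIPE = build_track2(PAN, EXPIRY, SERVICE_CODE,
                                 compute_icvv(CVK, PAN, EXPIRY))


def demo() -> dict:
    return {
        "genuine_strict": authorize_swipe(CVK, GENUINE_STRIPE),
        "clone_strict": authorize_swipe(CVK, CHIP_CLONE_STRIPE),
        "clone_lax": authorize_swipe(CVK, CHIP_CLONE_STRIPE, strict=False),
        "clone_claims_chip": chip_present(parse_track2(CHIP_CLONE_STRIPE).service_code),
    }


if __name__ == "__main__":
    print(demo())
```

A strict issuer compares the presented CVV only against the value for the service code on the track, so the clone is refused; an issuer that also accepts the iCVV approves it. A terminal that honours the service code and demands the chip would also stop the clone, but the issuer-side check does not depend on the terminal doing the right thing.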
        
         | humaniania wrote:
         | Maybe it would make sense to limit magstripe transactions to
         | $40 or let people decide their own limit.
        
           | LeifCarrotson wrote:
           | If a transaction doesn't get made because it was over $40,
           | that represents unacceptable missed profits, if some
           | unfortunate consumer gets their identity stolen[1], well,
           | they should have been more careful.
           | 
           | It would make sense to eliminate magstripes, to limit them to
           | $40, to let people decide their own limit, or any number of
           | other things - the trouble is that the incentives of the
           | businesses, banks, and credit card companies are more to make
           | every transaction a success and to blame the consumer when
           | they're too successful.
           | 
           | [1]: Yes, I recognize this is bad framing, the fault isn't
           | with the victim nor really with the perpetrator but the
           | incompetent designer of the lock.
        
             | pc86 wrote:
             | > the fault isn't with the victim nor really with the
             | perpetrator
             | 
             | The perpetrator isn't at fault?
        
               | Spivak wrote:
               | The perpetrator defrauded the bank, not you. The fault
               | for your account not showing the correct balance should
               | be on the bank.
        
               | asveikau wrote:
               | The perpetrator is in one sense to blame but this isn't a
               | good justification for lax security on the part of the
               | card issuers.
               | 
               | You wouldn't leave your door unlocked at night because
               | it's the burglar's responsibility to be a better citizen.
        
             | IshKebab wrote:
             | > If a transaction doesn't get made because it was over
             | $40, that represents unacceptable missed profit
             | 
             | Contactless already has transaction limits so clearly
             | payment method-specific transaction limits do not create
             | "unacceptable missed profit".
        
               | [deleted]
        
               | woodruffw wrote:
               | > Contactless already has transaction limits so clearly
               | payment method-specific transaction limits do not create
               | "unacceptable missed profit".
               | 
               | This isn't true with US payment cards, in my experience.
               | I've charged over $1000 on a credit card multiple times
               | while using contactless methods (both RFID and Apple Pay,
               | specifically). I was also able to do the same with my
               | (American) cards while in Europe.
        
               | Nursie wrote:
               | Apple/Android pay is generally unlimited here in the UK,
                | but using contactless cards is limited to £40, blanket.
               | 
               | This is because contactless card payments have no
               | cardholder verification.
               | 
               | I am quite surprised if you can do that with your cards
               | in Europe as the limit is usually enforced on/by the
               | merchant, not the card.
        
               | Thlom wrote:
               | Can tap-to-pay with no verification up to 500NOK
               | (approximately $55), over that amount I have to type my
               | pin. No limit with pin as far as I can tell.
        
           | tomatocracy wrote:
           | I believe the way it works (in some European countries at
           | least - perhaps also the UK) is that if the retailer uses mag
           | stripe then effectively they bear the fraud risk, whereas
           | with chip and PIN the bank/card company does (not sure how
           | this works for card holders who are unable to use chip and
           | PIN due to disabilities, which is another reason mag stripes
           | haven't gone away completely). This seems like a reasonable
           | compromise to me.
        
             | Symbiote wrote:
             | I don't think disability requires using the magstripe. The
             | chip can mark what security is required, just like many
             | American cards are "Chip and Sign".
        
             | tialaramex wrote:
             | This is called "Liability shift" yes. Shift is imposed
             | where a retailer cannot/ does not accept chip cards rather
             | than where for whatever reason a chip card wasn't able to
             | be used. In the US shift was supposed to be imposed
              | everywhere else this summer, I expect COVID-19 is offered
              | as another reason to yet again delay, but retail stores
             | are already covered, it's mostly things like some
             | unattended 24 hour gasoline pumps that are still mag-stripe
             | in the US.
             | 
             | Also most (all?) card holders don't have a problem with the
             | chip, they may be unable to remember a PIN, or unable to
             | enter one, in which case the chip terminal requests a human
             | witness them signing something or asks the retailer to
             | accept just the chip. Americans using European terminals
             | may not have a PIN either, their chips tell the terminal
             | this user doesn't have a PIN, they may be asked to sign
             | something instead.
        
               | alistairSH wrote:
               | _Americans using European terminals may not have a PIN
                | either, their chips tell the terminal this user doesn't
               | have a PIN, they may be asked to sign something instead._
               | 
               | Or, in the case of unmonitored "kiosks", the American is
               | just left with a failed transaction. This was my
               | experience with train ticket terminals in Italy and
               | unattended petrol stations in the UK. Fortunately, in
               | both cases, my secondary card has a PIN enabled. It was
               | irritating that my primary card didn't offer a PIN, so I
               | cancelled it upon my return to the US.
               | 
               | Edit - this was 5 years ago, may have changed since, not
               | sure as I changed cards to one that explicitly offered
               | chip/pin at the time.
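What tialaramex and alistairSH describe (the chip telling the terminal which verification methods it accepts, and an unattended kiosk failing when none of them fit), nhf's observation that a Barclays card only asks for the PIN when signature is not on offer, and the amount-based tap limit Thlom and aerostable_slug mention are all one mechanism: the card's CVM List (tag 8E) and the terminal's walk through it. The Python below is an added example, not code from the article or the thread. The CVM codes and condition codes are the ones in EMV Book 3; the three card CVM Lists and the terminal capability sets are constructed to stand in for the cards and terminals in the thread, and the NOK figures are only a minor-units example. It models contact-EMV CVM List processing; for contactless, the tap limit is in practice mostly a reader-side parameter rather than the card's list.

```python
from dataclasses import dataclass

# CVM codes: low six bits of the CVM Code byte (EMV Book 3, Table 39)
PLAINTEXT_PIN_ICC = 0x01       # offline PIN, verified by the chip
ENCIPHERED_PIN_ONLINE = 0x02   # PIN block sent to the issuer with the authorization
SIGNATURE = 0x1E
NO_CVM_REQUIRED = 0x1F
APPLY_NEXT_IF_FAILED = 0x40    # b7 of the CVM Code: on failure, try the next rule
NAMES = {PLAINTEXT_PIN_ICC: "offline PIN", ENCIPHERED_PIN_ONLINE: "online PIN",
         SIGNATURE: "signature", NO_CVM_REQUIRED: "no CVM"}

# CVM condition codes (EMV Book 3, Table 40); amounts are in minor units
COND_ALWAYS, COND_IF_TERMINAL_SUPPORTS = 0x00, 0x03
COND_UNDER_X, COND_OVER_X, COND_UNDER_Y, COND_OVER_Y = 0x06, 0x07, 0x08, 0x09


@dataclass(frozen=True)
class Terminal:
    name: str
    supports: frozenset   # CVM methods this terminal can actually perform


def encode_cvm_list(amount_x: int, amount_y: int, rules) -> bytes:
    """Tag 8E value: Amount X and Amount Y (4 bytes each, big-endian), then 2-byte rules."""
    out = amount_x.to_bytes(4, "big") + amount_y.to_bytes(4, "big")
    for code, cond in rules:
        out += bytes([code, cond])
    return out


def decode_cvm_list(data: bytes):
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x, y = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big")
    return x, y, [(data[i], data[i + 1]) for i in range(8, len(data), 2)]


def _condition_met(cond: int, method: int, amount: int, x: int, y: int, t: Terminal) -> bool:
    if cond == COND_ALWAYS:
        return True
    if cond == COND_IF_TERMINAL_SUPPORTS:
        return method in t.supports
    if cond in (COND_UNDER_X, COND_OVER_X):
        return amount < x if cond == COND_UNDER_X else amount >= x
    if cond in (COND_UNDER_Y, COND_OVER_Y):
        return amount < y if cond == COND_UNDER_Y else amount >= y
    return False   # condition codes not modelled here: rule treated as not applicable


def select_cvm(cvm_list: bytes, amount: int, terminal: Terminal) -> str:
    """Walk the card's CVM List the way a terminal does (EMV Book 3, 10.5):
    skip rules whose condition is not met, perform the first applicable rule
    the terminal supports, and stop with 'CVM failed' at an unsupported rule
    unless the card set the apply-next bit."""
    x, y, rules = decode_cvm_list(cvm_list)
    for code, cond in rules:
        method = code & 0x3F
        if not _condition_met(cond, method, amount, x, y, terminal):
            continue
        if method in terminal.supports:
            return NAMES.get(method, f"cvm 0x{method:02x}")
        if not code & APPLY_NEXT_IF_FAILED:
            return "CVM failed"
    return "CVM failed"


# Constructed CVM Lists standing in for the cards discussed in the thread.
US_CHIP_AND_SIGN = encode_cvm_list(0, 0, [
    (SIGNATURE | APPLY_NEXT_IF_FAILED, COND_IF_TERMINAL_SUPPORTS),
    (NO_CVM_REQUIRED, COND_ALWAYS),
])
# Signature first, PIN only where the terminal offers no signature.
SIGNATURE_PREFERRED_WITH_PIN = encode_cvm_list(0, 0, [
    (SIGNATURE | APPLY_NEXT_IF_FAILED, COND_IF_TERMINAL_SUPPORTS),
    (ENCIPHERED_PIN_ONLINE | APPLY_NEXT_IF_FAILED, COND_IF_TERMINAL_SUPPORTS),
    (PLAINTEXT_PIN_ICC | APPLY_NEXT_IF_FAILED, COND_IF_TERMINAL_SUPPORTS),
    (NO_CVM_REQUIRED, COND_ALWAYS),
])
# No CVM below X = 500.00 NOK (50000 minor units), PIN above it.
PIN_OVER_TAP_LIMIT = encode_cvm_list(50000, 0, [
    (NO_CVM_REQUIRED | APPLY_NEXT_IF_FAILED, COND_UNDER_X),
    (PLAINTEXT_PIN_ICC | APPLY_NEXT_IF_FAILED, COND_IF_TERMINAL_SUPPORTS),
    (ENCIPHERED_PIN_ONLINE, COND_IF_TERMINAL_SUPPORTS),
])

US_ATTENDED = Terminal("US attended POS", frozenset({SIGNATURE, ENCIPHERED_PIN_ONLINE, NO_CVM_REQUIRED}))
UK_KIOSK = Terminal("unattended UK ticket machine", frozenset({PLAINTEXT_PIN_ICC, ENCIPHERED_PIN_ONLINE}))
NO_READER = Terminal("Norwegian shop reader", frozenset({NO_CVM_REQUIRED, ENCIPHERED_PIN_ONLINE}))


def demo() -> dict:
    return {
        "chip-and-sign at US POS": select_cvm(US_CHIP_AND_SIGN, 2500, US_ATTENDED),
        "chip-and-sign at UK kiosk": select_cvm(US_CHIP_AND_SIGN, 2500, UK_KIOSK),
        "signature-preferred at US POS": select_cvm(SIGNATURE_PREFERRED_WITH_PIN, 2500, US_ATTENDED),
        "signature-preferred at UK kiosk": select_cvm(SIGNATURE_PREFERRED_WITH_PIN, 2500, UK_KIOSK),
        "tap-limit card, 300 NOK": select_cvm(PIN_OVER_TAP_LIMIT, 30000, NO_READER),
        "tap-limit card, 600 NOK": select_cvm(PIN_OVER_TAP_LIMIT, 60000, NO_READER),
    }
```

The chip-and-sign list fails outright at the kiosk: the signature rule is skipped because its condition (terminal supports it) is not met, and the "no CVM" rule is applicable but unsupported with no apply-next bit, so the transaction dies with no verification method. The signature-first card with a PIN further down the list gets signature at the US terminal and the PIN at the kiosk, which is the behaviour nhf reports. The tap-limit card switches from no CVM to PIN purely on the amount threshold stored in the list.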
        
           | aerostable_slug wrote:
           | This kind of thing is done today with EMV cards to determine
           | whether the customer needs to enter a PIN or not. Under a
           | threshold: swipe and go because the level of possible fraud
           | is acceptable vs. the impact on the customer. Above a
           | threshold, PIN required.
        
             | lotsofpulp wrote:
             | Not in the US.
        
           | kevin_thibedeau wrote:
           | Won't work for gas stations which are the last holdouts.
        
             | joncrane wrote:
             | You sure? Most of the gas stations I use to fill up have me
             | leave the card in for the chip reader, as opposed to slide
             | it in and out quickly as before.
        
               | Alupis wrote:
               | Stumbled across my first one of these the other day.
               | 
               | It's not obvious at all that you should leave it in -
               | particularly when accustomed to the ubiquitous slide-in-
               | and-out-fast kind.
               | 
               | This one tried to lock my card in, but when I reflexively
               | yanked on it to pull it out, somehow it lost contact with
               | the chip or something. What followed was a stuck card in
               | this machine, and the machine stuck on "verifying"... no
               | cancel buttons worked either. Eventually, after a long
               | and disconcerting minute had passed, it finally released
               | my card and told me to go inside for payment.
               | 
               | Definitely not user friendly in the slightest... and just
               | an awful way to start your morning on your way to work.
        
               | 0xffff2 wrote:
               | I travel a decent amount in the Western US, mostly in
               | California and Oregon. I have never once encountered
               | this.
        
             | SEJeff wrote:
             | Until EVs are more mainstream I guess, but that won't
             | probably be for another 5-10 years.
        
               | Thlom wrote:
               | Haha. A bit unrelated, not sure how it works in the rest
                | of the world, but in Norway EV charging stations don't
               | even have a card reader, you have to sign up with an app
               | and register your card there. And each charging company
               | has their own app. Absolutely bonkers. You can get a chip
               | for your key chain and tie it to all your apps so you can
               | read that at the charging station, but still.
        
             | SAI_Peregrinus wrote:
             | The chain "Speedway" has chip card readers at their pumps,
             | at least in my region (western NY).
        
               | kevin_thibedeau wrote:
               | The New York Speedways are all conversions from Mobil
               | stations and they just upgraded their pumps. Few other
               | stations are supporting chip cards.
        
             | lsllc wrote:
             | There's no reason why contactless EMV should not be
             | required even at a gas station (not needing a limit).
        
               | aerostable_slug wrote:
               | Gas pump readers are very expensive. The solution for the
               | wise customer is to go inside and use the POS terminal at
               | the counter if possible.
               | 
               | Old school gas station attack: many gas stations queue
               | and forward transactions for reconciliation in batches,
               | waiting to do so when they don't have connectivity.
               | People have taken advantage of this fact by climbing up
               | on the roof of stations with satellite connections for
               | their POS terminals, tin-foiling them or otherwise
               | blocking their transmission, then buying a bunch of gas
               | with a stolen credit card. Head down to the next gas
               | station, lather rinse repeat, and by the time things get
               | figured out you've got maybe a hundred gallons of gas and
               | a bunch of candy bars you can trade for meth (this is not
               | a Bond Villain-level crime).
        
               | tialaramex wrote:
               | > The solution for the wise customer is to go inside and
               | use the POS terminal at the counter if possible.
               | 
               | That's irrelevant to this attack. Bad guys aren't obliged
               | to use that terminal, and they're the ones relying on
               | access to a mag-stripe reader.
               | 
               | However for that "old school" attack EMV could help if it
               | was deployed. Because EMV cards have state, they can have
               | arbitrary rules about how often they're willing to
               | perform offline transactions and how much value for. So
               | e.g. a card can decide it won't do more than five offline
               | transactions or more than $100 of transactions without
               | going online.
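The offline limits tialaramex is talking about are the card's own velocity checking: counters on the chip for consecutive offline transactions and cumulative offline amount, with lower limits that make the card ask for an online authorization and upper limits past which it declines rather than approve offline. The Python below is an added example (not from the article or the thread) of that card-side decision, applied to the blocked-satellite-dish scenario above. The limit values and the $40 purchases are constructed; the counter reset after an issuer approval is simplified to an unconditional reset, whereas a real card resets on successful issuer authentication or on an issuer script.

```python
from dataclasses import dataclass

TC, ARQC, AAC = "TC", "ARQC", "AAC"   # approve offline / ask the issuer / decline


@dataclass(frozen=True)
class OfflineLimits:
    lower_count: int    # LCOL: consecutive offline transactions before the card wants to go online
    upper_count: int    # UCOL: ceiling it will not exceed even if the terminal cannot go online
    lower_amount: int   # cumulative offline amount (minor units) that triggers an online request
    upper_amount: int   # cumulative offline amount ceiling


@dataclass
class Card:
    limits: OfflineLimits
    offline_count: int = 0    # consecutive offline approvals since the last online transaction
    offline_amount: int = 0   # their cumulative amount

    def first_generate_ac(self, amount: int, terminal_online_capable: bool) -> str:
        """Card risk management at the first GENERATE AC (simplified EMV Book 3
        velocity checking): decide which cryptogram the card is willing to produce."""
        count = self.offline_count + 1
        total = self.offline_amount + amount
        over_upper = count > self.limits.upper_count or total > self.limits.upper_amount
        over_lower = count > self.limits.lower_count or total > self.limits.lower_amount
        if over_upper:
            return ARQC if terminal_online_capable else AAC
        if over_lower and terminal_online_capable:
            return ARQC
        self.offline_count, self.offline_amount = count, total   # approving offline: count it
        return TC

    def online_response(self, issuer_approved: bool) -> str:
        """Second GENERATE AC once the issuer has answered. On approval the
        counters are reset (modelled as unconditional; see the lead-in)."""
        if issuer_approved:
            self.offline_count = self.offline_amount = 0
            return TC
        return AAC


def spree(limits: OfflineLimits, amount: int, n: int, terminal_online_capable: bool) -> list:
    """Run n purchases of `amount` on one card at a terminal that is (or is not)
    able to go online, returning the cryptogram decisions in order."""
    card = Card(limits)
    decisions = []
    for _ in range(n):
        ac = card.first_generate_ac(amount, terminal_online_capable)
        if ac == ARQC:
            ac = f"{ARQC}->{card.online_response(issuer_approved=True)}"
        decisions.append(ac)
    return decisions


# Constructed limits: go online after 3 offline approvals or $100 offline; never
# exceed 5 approvals or $200 offline. Six $40 fill-ups on a stolen card.
LIMITS = OfflineLimits(lower_count=3, upper_count=5, lower_amount=10000, upper_amount=20000)


def demo() -> dict:
    return {
        "pump cut off from its host": spree(LIMITS, 4000, 6, terminal_online_capable=False),
        "pump online": spree(LIMITS, 4000, 6, terminal_online_capable=True),
    }
```

With the dish blocked, the card tolerates the first five purchases because the terminal cannot go online and the upper limits are not yet exceeded, then declines the sixth on its own, with no network involved; a mag stripe has no state and would keep approving. With connectivity, the card demands an online authorization as soon as the lower amount limit is crossed, and the issuer's approval resets the counters.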
        
         | jgalt212 wrote:
          | Mag stripes via fingerprinting of the actual stripe, can make
          | them more secure than EMV or contactless.
         | 
         |  _Both the standard card data and the underlying magnetic
         | fingerprint of the card is read, all in a single swipe._ [1]
         | 
         | [1] https://www.magtek.com/product/magnesafe-intellihead
        
           | Nursie wrote:
           | That's still not really "more secure" than EMV, which
           | includes active security measures like PIN validation
           | capabilities, various active anti-fraud measures like offline
           | velocity checks, transaction amounts encoded in cryptographic
           | tokens, and which can in theory be remotely disabled etc.
           | 
           | I guess it makes it "more /just as able to be authenticated
           | as a genuine card" though.
        
             | jgalt212 wrote:
             | Yes, I hear you. It would then come down to what's easier
             | to do correctly, authenticate an EMV transaction or read
             | and validate the fingerprint of a card's mag stripe.
             | 
             | To the best of my knowledge, I don't think anyone has been
             | able to replicate a mag stripe's fingerprint on another
             | card's mag stripe. However, this security measure has
             | probably seen a few orders of magnitude less adversaries
             | than EMV and RFID have.
        
         | Shivetya wrote:
         | First I would love to find a way to find which banks or
         | processors are vulnerable.
         | 
         | Second is, is there a way to gain the safety of the chip and
         | pin with online purchases. Currently I obscure my CC info by
         | using PayPal where available and when in the real world I live
         | by Apple pay. If I could disable access to my card by stripe
         | for real world where Apple pay is not usable I would.
        
           | brendoelfrendo wrote:
           | Hm, that makes me wonder; is it possible to demagnetize or
           | scramble the data on the mag stripe without harming the chip?
           | I'm not sure how sensitive the chips are to magnetic
           | interference, but if you can pull it off, you can make your
           | own chip-only cards.
        
             | andrewnicolalde wrote:
             | There certainly is. I have done this with a non-payment
             | card. All you need is a magstripe reader/writer. A few tens
             | of passes of writing random data to the magstripe should do
             | the trick.
             | 
             | Not sure how this would impact the usability of your card
             | though, in case you do end up relying on the magstripe.
        
           | grishka wrote:
           | > Second is, is there a way to gain the safety of the chip
           | and pin with online purchases.
           | 
           | Yes, there's this 2FA thing where you're redirected to your
           | bank's website and you have to enter the code they send to
           | your phone. I've had this for ages and I'm surprised there
           | are still places where it's not mainstream.
           | 
           | Magstripes tho? I remember using mine when I visited the US
           | in 2016 and that's about the only time when I used it. It was
           | weird too, because most terminals had the chip slot but
           | cashiers insisted that you swipe. The most bizarre part is
           | that sometimes the transaction went through with _just the
           | swipe_ -- no PIN, nothing.
        
           | Nursie wrote:
           | >Second is, is there a way to gain the safety of the chip and
           | pin with online purchases.
           | 
           | In the UK we have had "Verified by Visa" and "Mastercard 3D
           | Secure" for many/most online transactions for a long time (12
           | years?)
           | 
           | It's effectively a form of 2FA, the transaction flow diverts
           | to a bank portal where you authorise the transaction with a
           | password, or a selection of digits from a passcode. This
           | never goes near retailer systems.
           | 
            | It's not the same level of assurance as EMV, but it is
           | something, and any transactions that don't go via that system
           | are more likely to be declined or flagged as fraud.
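The point Nursie makes about the bank portal never going near retailer systems is worth seeing in code. The Python below is an added example, not code from the article or from any card scheme, of the division of roles in a 3-D Secure style flow: the cardholder authenticates directly with the issuer's access control server (ACS), the merchant only ever receives an opaque CAVV to forward with the authorization, and the issuer accepts that CAVV only if it verifies over the transaction fields the merchant actually submits. HMAC-SHA256 stands in for the issuer's CAVV key scheme, the SMS channel is a dictionary, and the PAN, order and key are constructed; the real protocol (directory server, AReq/ARes messages, risk-based frictionless flows) is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    pan: str
    amount: int     # minor units
    merchant: str


def _cavv(key: bytes, tx: Transaction) -> str:
    """Cardholder Authentication Verification Value: a MAC that binds the
    authentication result to this exact transaction (HMAC is a stand-in for
    the issuer's CAVV key scheme; assumption)."""
    msg = f"{tx.pan}|{tx.tx_id}|{tx.amount}|{tx.merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AccessControlServer:
    """Issuer-side 3-D Secure component the shopper is redirected to. It holds
    the one-time codes and the CAVV key; the merchant is shown neither."""

    def __init__(self, cavv_key: bytes):
        self._key = cavv_key
        self._pending = {}     # challenge_id -> (transaction, expected code)
        self.sms_outbox = {}   # pan -> code; stands in for the SMS to the cardholder's phone

    def challenge(self, tx: Transaction) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (tx, code)
        self.sms_outbox[tx.pan] = code
        return challenge_id

    def verify(self, challenge_id: str, code: str) -> Optional[str]:
        """Returns the CAVV on success; a wrong code or a replayed challenge yields nothing."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return None
        tx, expected = entry
        return _cavv(self._key, tx) if hmac.compare_digest(code, expected) else None


class Issuer:
    """Authorization host. It treats a purchase as authenticated only when the
    CAVV verifies over the transaction fields the merchant actually submits."""

    def __init__(self, cavv_key: bytes):
        self._key = cavv_key

    def authorize(self, tx: Transaction, cavv: Optional[str]) -> str:
        if cavv is None:
            return "no 3DS: merchant liable"   # plain card-not-present authorization
        if hmac.compare_digest(cavv, _cavv(self._key, tx)):
            return "authenticated: issuer liable"
        return "declined: CAVV does not match transaction"


def merchant_checkout(acs: AccessControlServer, issuer: Issuer, tx: Transaction,
                      cardholder: Callable[[str], Optional[str]]) -> str:
    """Merchant side. It redirects the shopper to the ACS and gets back an opaque
    CAVV (or nothing); the code the shopper typed never passes through here."""
    challenge_id = acs.challenge(tx)
    cavv = cardholder(challenge_id)
    if cavv is None:
        return "declined: authentication failed"
    return issuer.authorize(tx, cavv)


# Constructed demo: a CAVV key shared by ACS and issuer, a test PAN, one order.
KEY = secrets.token_bytes(32)
TX = Transaction("ord-1001", "4111111111111111", 12999, "shop.example")


def demo() -> dict:
    acs, issuer = AccessControlServer(KEY), Issuer(KEY)

    def honest_shopper(challenge_id):   # reads the code off the phone
        return acs.verify(challenge_id, acs.sms_outbox[TX.pan])

    def fraudster(challenge_id):        # has the card number but not the phone
        # peeks only to pick a guess that is guaranteed wrong for the demo
        guess = "000000" if acs.sms_outbox[TX.pan] != "000000" else "111111"
        return acs.verify(challenge_id, guess)

    good_cavv = acs.verify(acs.challenge(TX), acs.sms_outbox[TX.pan])
    return {
        "shopper": merchant_checkout(acs, issuer, TX, honest_shopper),
        "fraudster": merchant_checkout(acs, issuer, TX, fraudster),
        "merchant skips 3DS": issuer.authorize(TX, None),
        "amount tampered": issuer.authorize(replace(TX, amount=99999), good_cavv),
    }
```

Someone with the card number alone gets no CAVV and therefore no authenticated authorization, a merchant that skips the step keeps the fraud liability, and a CAVV cannot be reused on a transaction whose amount or merchant differs from the one the cardholder approved. The cardholder's password or one-time code exists only between the cardholder and the ACS.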
        
             | 0xffff2 wrote:
             | How do those work over there? We have both in the US as
             | well, but I've always refused to use them because signing
             | up for either seems to transfer a significant chunk of the
             | liability for fraudulent transactions away from the bank
             | and on to the consumer.
        
               | te_chris wrote:
               | You don't sign up to anything, it's with the issuing bank
               | or provider.
        
       | im3w1l wrote:
       | What if you sidestepped all the chip cleverness and just put
       | cameras to capture the name, CC number, expiration and 3 digits?
       | You'd still need a billing address I guess, but you might be able
       | to get that by looking up the name and disambiguating using the
       | location of the terminal.
        
         | Nextgrid wrote:
         | A lot of merchants are starting to use 3D Secure now which is
         | essentially two-factor authentication.
        
           | Nursie wrote:
           | Starting to?
           | 
           | It's been pretty standard for over ten years... (I'm in the
           | UK, I have no idea how our market compares to yours)
        
             | untog wrote:
             | I used to live in the UK (and still visit often) but now
             | live in the US. You'd be _amazed_ how far behind US banking
             | is, even compared to the UK ten years ago.
        
             | Nextgrid wrote:
             | I said "starting" to include the US which I expect to be
             | still far behind. I agree that in the UK it's been standard
             | and in fact EU regulations now make this mandatory anyway.
        
             | tricolon wrote:
             | I'm in the US and have never heard of it.
        
             | kergonath wrote:
             | It's common in Europe (I think it's even mandatory now,
             | though not necessarily for each transaction).
        
             | ceejayoz wrote:
             | > It's been pretty standard for over ten years.
             | 
             | It's unheard of in the US.
        
         | oneplane wrote:
         | Depends on where you bank I suppose. Also depends on where you
         | credit.
         | 
         | I can't use my bank card without mutual validation, same with
         | my credit card. Even if you do it manually we still get a
         | challenge-response that you use a hardware device or an app
         | for.
        
         | ceejayoz wrote:
         | > What if you sidestepped all the chip cleverness and just put
         | cameras to capture the name, CC number, expiration and 3
         | digits?
         | 
         | Apple Cards have just the name on them, which is a nice step in
         | the right direction. (No contactless, though, which is weird.)
        
           | WorldMaker wrote:
           | Apple Cards also have the nice feature that the entire mag-
           | stripe CC number is virtual and different/distinct from the
           | number used by contactless/Apple Pay, the number used by the
           | EMV, _and_ the number given by the App for cases where
           | something requests you manually type in a CC number. Most of
           | those numbers can be changed in the App when needed. So even
           | in the cases where someone skims or leaks an Apple Card CC
           | number you typically have more protection than an average
           | card.
        
           | Nursie wrote:
           | Why would you need it, you've got an iPhone right?
           | 
           | (semi serious here - I'm sure they want you to use Apple Pay)
        
             | frogblast wrote:
             | A contactless card just proves physical possession of the
             | card. An Apple Pay payment means that a password or
             | biometric authentication was performed, AND possession of
             | the device, which raises the barrier to fraud. So there is
             | a good reason to wanting to discourage the use of the card
             | when possible.
        
             | SomeHacker44 wrote:
             | There is a little thing called COVID. All my main payment
             | cards are contactless now. I am not an Apple card customer.
        
               | Nursie wrote:
               | Sure, but if you have an Apple card you're going to have
               | an Apple phone, most probably, and that can do the
               | contactless bit for you. Not sure if apple cards and
               | android phones work, but android-pay is the other option
               | for most cards.
               | 
               | Both are more secure than using the card directly with
               | contactless - you have verified to your phone that it is
               | you using it, by logging in with face ID, touch ID,
               | passcode, PIN, whatever. It's a form of cardholder
               | verification that is missing when you use the card.
               | 
               | That was my (slightly snarky) point - you don't need
               | contactless on the card when you have a smart device that
               | does it better.
        
               | dhosek wrote:
               | I'm not an Apple card customer either, but I use Apple
               | pay with my cards usually on my watch, although once in a
               | while it doesn't work at a terminal and I have to pull
               | out my phone (which is annoying since facial recognition
               | doesn't work with a mask on). I understand similar things
               | exist for Android.
        
             | WorldMaker wrote:
             | If you want more convenience in your contactless payments,
              | Apple suggests that you get a more recent Apple Watch.
             | 
             | (Also semi-serious.)
        
           | dhosek wrote:
           | My credit union cards still have the old-style credit card
           | number on the front (but no raised digits for the ker-chunk
           | machine). My Chase card has the numbers in small type on the
           | back in a non-contrasty color. It's not possible to read in
           | non-ideal lighting conditions.
        
             | dhosek wrote:
             | But I rarely take either card out of my wallet. I use Apple
             | Pay almost everywhere.
        
             | Scoundreller wrote:
             | What I like about those is that you can stack more cards in
             | the same space.
             | 
             | And the embossed cards tend to have their ink rub off
             | anyway.
        
         | gnopgnip wrote:
         | Vendors get much less protection when doing a card-not-present
         | transaction. They also usually pay higher fees. There are also
         | cases where an additional layer of security is used, such as Visa
         | Secure.
        
         | 8K832d7tNmiQ wrote:
         | Another method would be a standardised QR code so that you can
         | make a transaction from your app by scanning the qr code.
         | 
         | I don't know about other countries, but this is basically the
         | premise of QRIS Technology [0] used in Indonesia, basically to
         | put an end to competing QR-based payment methods.
         | 
         | [0]: https://www.bi.go.id/QRIS/Contents/Default.aspx
        
           | gruez wrote:
           | The one thing I like about the credit card system (as opposed
           | to "app" pay system) is that the usability is so much better.
           | You don't have to worry about your phone being smashed or
           | running out of battery. It's also less work than a phone, all
           | you need to do is wave your card in front of a reader. No
           | need to get out your phone, unlock it, open the app, wave
           | around your camera so it scans, and finally confirming the
           | payment. Not having to install a potentially privacy invading
           | app is also a plus.
        
           | ravenstine wrote:
           | Wouldn't work in a lot of places where there's no LTE
           | reception, though that will probably change with things like
           | 5G and Starlink.
           | 
           | I also wouldn't want my ability to pay to be tied to my
           | phone. Not only do I want to be able to pay for things even
           | when my phone is dead, but it just seems like it would add
           | yet another vector of attack to steal my money.
        
       | castratikron wrote:
       | Guessing Visa can "fix" this problem in the same way they fix the
       | fallback to magstripe: make the vendor pay a fee for
       | noncompliance.
       | 
       | https://www.cardfellow.com/blog/emv-fallback-fees-definition...
        
         | csommers wrote:
         | That's exactly how it should be: party at fault gets charged.
        
       | afrcnc wrote:
       | Can we link to the actual research instead of this people-doxing
       | clown's article?
       | 
       | Source: https://geminiadvisory.io/cybercriminals-deploy-emv-
       | bypass-c...
        
       | samblogs wrote:
       | Does anyone have a good detailed article on the crypto behind
       | iCVV/dynamic CVV? This article summarizes how it works, but I
       | haven't found a good detailed article after much googling.
        
         | bob1029 wrote:
         | I found this from a public FirstData document:
         | 
         | "Codes written on the track with equivalent data stored on the
         | chip to prevent fraud. All chip cards are issued with the card
         | security code on the track data stored on the magnetic stripe
         | and chip card security code stored on the chip. Calculated with
         | the same DES key but with a '999' service code"
         | 
         | https://www.firstdata.com/downloads/marketing-merchant/EMV-A...
        
       | the_mitsuhiko wrote:
       | I will never understand why magstripe is still used in the US.
       | Even after EMV became "mandatory" there are still magstripe
       | transactions happening, and when you are presented with a chip
       | reader it's slow and awkward. Why is it such an inferior
       | experience compared to Europe?
        
         | swimfar wrote:
         | Because many consumers don't see chip and PIN as an upgrade
         | (though contactless is nice). So it depends on the banks to
         | decide whether it's worth it. With debit cards, the extra
         | security is valuable. But with credit cards it isn't really too
         | important to me because I can just reverse fraudulent charges.
         | 
         | As for the experience of using each, it seems to depend a lot
         | on the machines. I did not like using chip and PIN in Europe
         | because it seemed to take longer and required more
         | interactions. With the magstripe I pull the card out, swipe it,
         | put it away. I'm never waiting for anything. Sometimes I'd have
         | to swipe it twice, but that didn't happen too often to me. But
         | it seems like different people have very different experiences
         | with these things.
         | 
         | edit: this mostly applies to credit cards, which are much more
         | common in the US than in Europe. But the lack of significant
         | benefit for credit cards to use this technology could have
         | resulted in momentum that slowed the adoption of it for debit
         | cards.
        
         | jermaustin1 wrote:
         | What is crazier still is that I wasn't even sent a chip & PIN card
         | by my bank until just last year. At least they did everything all
         | at once, chip and contactless. But I'm still waiting for
         | Capital One to send me a contactless card (it's my preferred
         | card to use internationally, where contactless seems to be the
         | standard).
        
           | tialaramex wrote:
           | If you have a (modern, smart) phone you can teach the phone
           | this Capital One card and it'll "be" that card contactlessly
           | when you travel, one less thing to carry.
           | 
           | I deliberately own (special ordered from my bank) a card that
           | has no contactless, and it's also the card my phone "is" so
           | all contactless transactions with that card are through the
           | phone, the bank never issued a contactless card so it's
           | literally impossible that the card itself was used for a
           | contactless transaction.
           | 
           | Using the phone this way allows me to walk around the
           | supermarket, scanning product codes with the phone, then walk
           | to the checkout, scan the "I'm done" code and hold the phone
           | near the contactless checkout as payment. No human
           | interaction, very little touching stuff, only need the phone
           | which I'd carry anyway, no cards or cash.
        
             | jermaustin1 wrote:
             | I actually had trouble a year ago when traveling in the
             | UK (I miss travelling). I was using my Capital One card through
             | Apple Pay, but it would get declined constantly and shut
             | off because the UK doesn't pass the CVV into the
             | transaction. I never found a clear pattern for when fraud
             | detection would occur, but one app that caused it
             | constantly was Deliveroo.
        
         | llsf wrote:
         | I was wondering too. But here in the US the equation is a bit
         | different. The CC networks have already baked the cost of
         | magstripe fraud into the business model. They convinced Americans
         | to pay an elevated fee to balance the inevitable fraud induced
         | by magstripe. Now, with EMV, in theory the fees should drop as
         | there is less fraud than with magstripe. Having magstripe
         | around is a way to justify the fees. My understanding is
         | that it would be difficult now to explain to Americans that
         | they paid elevated fees for so long to pay for fraud that was
         | no fault of their own.
        
         | abrowne wrote:
         | My understanding for part of it is that magstripe readers were
         | much more common in the US, and businesses (a) didn't want to
         | pay to upgrade all their terminals and (b) don't want to turn
         | away a purchase because a customer doesn't have a chip or the
         | chip isn't working.
        
           | lsllc wrote:
           | That may have been the case, but pretty much everywhere I go
           | stores have newer EMV-capable terminals (e.g. Ingenico, etc.).
           | The only place I really use mag swipe now is a gas station
           | pump (which has no excuse not to switch to contactless EMV).
           | 
           | You'd think with COVID-19, there'd be a rush to move to
           | contactless payments.
        
             | blahyawnblah wrote:
             | Lots of gas stations do use the chip, but it's the same
             | process of inserting the card.
        
               | jackson1442 wrote:
               | Never been to a pump that uses chip personally, unless
               | you pay inside. I've seen ~5 with a contactless tap
               | point, but only got about 2 of them to work.
               | 
               | This is in Texas, for reference.
        
             | eli wrote:
             | A lot of people think COVID-19 is indeed the thing that
             | will tip this into the mainstream default:
             | https://www.bankingdive.com/news/will-covid-19-push-
             | contactl...
        
               | lsllc wrote:
               | I hope so. On a related note, I don't know if this is
               | just me, but I literally have not used cash since March
               | (although I keep hearing about a "coin shortage", perhaps
               | this is people just not using coin anymore).
        
               | eli wrote:
               | Same. And yes, that's my understanding plus other
               | factors: low usage of mass transit ticket machines and
               | laundromats. Plus few people rolling coins and bringing
               | them into a bank right now.
        
             | penagwin wrote:
             | Yeah, I actually choose gas stations that support contactless
             | payments. No card contact + one disposable glove is
             | the way to go.
             | 
             | Overkill.. Maybe? But it costs me nothing so I'll take the
             | peace of mind.
        
               | bluntfang wrote:
               | I'm really not trying to be rude here, but a disposable
               | plastic glove isn't a "cost nothing" scenario. Plastic
               | pollution is bad. Climate change is real. Trash islands
               | are real. Microplastics in the entire food chain are real.
               | I admire your dedication to staying safe, and don't want you
               | to stop feeling safe, but we must all begin to accept
               | what we're doing to the environment.
        
           | ascorbic wrote:
           | Magstripe readers were ubiquitous in the UK 15 years ago. The
           | banks started issuing chip and PIN cards and terminals, then
           | did the liability shift a couple of years later. That shift
           | is what's needed to make retailers switch, and is what still
           | hasn't happened in the US.
        
       | Deathmax wrote:
       | A Monzo engineer describes nonconformance with specs which might
       | lead some card issuers to be more liberal with what they accept:
       | https://twitter.com/erincandescent/status/128153445694436147...
        
         | Fiveplus wrote:
         | That was interesting, thanks for sharing it here.
        
       | tzs wrote:
       | OK, so if I grasp this, the problem is that an EMV skimmer gets
       | the card number and an iCVV. The bad guys make a stripe card with
       | that number and the iCVV.
       | 
       | That should not work because banks are supposed to look for the
       | iCVV only on dipped transactions, and look for the CVV on swiped
       | transactions (and the CSC for online/telephone transactions).
       | 
       | Some banks apparently left out the logic of matching the type of
       | code to the transaction method, and so using iCVV in place of CVV
       | works for them.
       | 
       | Even if all banks got this right, though, it seems to me you
       | could still get fraud. The CVV is only three digits. Once you've
       | got the card number just make a stripe card and guess the CVV. If
       | it fails, try another CVV. As long as you don't do too many
       | guesses too close together and cause the bank to lock out the
       | card, you should eventually find the right CVV.
       | 
       | Even if the bank is very trigger happy on fraud lockouts, if your
       | skimmers got several thousand card numbers you are going to have
       | many CVV guesses turn out to be right the first time.
       | 
       | Instead of the stripe on cards that have both EMV and stripe
       | being just a copy of the same card that is in the EMV side of
       | things, shouldn't they be separate? The issuing bank should issue
       | two logical cards for the underlying account, with one being EMV
       | only and one being stripe/online only.
        
         | kergonath wrote:
         | I would hope that a card would be flagged as suspicious before
         | a hundred tries. They could still get some transactions
         | through, but that would cut the success rate by a couple of
         | orders of magnitude compared to just hoping that the bank won't
         | check.
         | 
         | What really needs to be done is letting go of the magnetic
         | stripe.
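The check tzs describes above (match the security code to the transaction's entry mode, and lock the card after a handful of wrong guesses, as kergonath notes) and the relation bob1029 quotes earlier (iCVV is the same derivation as CVV with a '999' service code) can be shown as a small issuer-side model. This is an added example, not code from Krebs, Gemini Advisory, FirstData, or any issuer. It does not implement the real DES-based CVK scheme: the three-digit values come from an HMAC-SHA256 stand-in, the entry-mode labels, the service code "201", the test PAN, the expiry, and the lockout threshold of three are all this example's own assumptions. The point it shows is the selection logic, the flawed "accept either value" check beside the correct one, and why an iCVV arriving on a swipe is itself a detectable signal.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed key standing in for the issuer's Card Verification Key (CVK).
CVK = b"constructed-example-key-not-a-real-cvk"

# Entry-mode labels are this example's own; real POS entry modes are numeric.
MAGSTRIPE = "magstripe"
CONTACT_CHIP = "contact_chip"
CONTACTLESS = "contactless"

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold


def card_verification_value(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Three-digit code from PAN, expiry and service code.

    The real scheme is DES under the CVK with a decimalisation step; here an
    HMAC is truncated to three decimal digits so the example runs offline.
    """
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    digest = hmac.new(CVK, msg, hashlib.sha256).hexdigest()
    decimal_digits = "".join(ch for ch in digest if ch.isdigit())
    return decimal_digits[:3].rjust(3, "0")


@dataclass
class CardRecord:
    """What the issuer holds for one card."""
    pan: str
    expiry_yymm: str
    stripe_service_code: str   # service code encoded on the physical stripe
    failed_attempts: int = 0
    locked: bool = False

    @property
    def cvv(self) -> str:
        # Value on the magnetic stripe: derived with the stripe's own service code.
        return card_verification_value(self.pan, self.expiry_yymm, self.stripe_service_code)

    @property
    def icvv(self) -> str:
        # Value in the chip's track-2-equivalent data: same key, service code "999".
        return card_verification_value(self.pan, self.expiry_yymm, "999")


def lenient_verify(card: CardRecord, presented: str) -> bool:
    """The flawed check: accept whichever value matches, ignoring entry mode.

    An iCVV read from a chip and written onto a blank stripe passes here.
    """
    return presented in (card.cvv, card.icvv)


def verify(card: CardRecord, entry_mode: str, presented: str) -> Tuple[bool, str]:
    """The intended check: which value is expected depends on how the card was read."""
    if card.locked:
        return False, "declined: card locked"
    if entry_mode == MAGSTRIPE:
        expected = card.cvv
    elif entry_mode in (CONTACT_CHIP, CONTACTLESS):
        expected = card.icvv
    else:
        return False, f"declined: unknown entry mode {entry_mode!r}"

    if hmac.compare_digest(expected, presented):
        card.failed_attempts = 0
        return True, "approved"

    # Every mismatch counts toward the lockout, which bounds online guessing.
    card.failed_attempts += 1
    if card.failed_attempts >= MAX_FAILED_ATTEMPTS:
        card.locked = True
        return False, "declined: too many failed attempts, card locked"
    if entry_mode == MAGSTRIPE and hmac.compare_digest(card.icvv, presented):
        # The chip's value arriving on a swipe is the signature of cloned chip data.
        return False, "declined: iCVV presented on magstripe (cloned chip data)"
    return False, "declined: code mismatch"


def demo() -> dict:
    """Run the thread's scenarios on a constructed card (well-known test PAN)."""
    card = CardRecord(pan="4111111111111111", expiry_yymm="2507", stripe_service_code="201")
    results = {
        "chip_with_icvv": verify(card, CONTACT_CHIP, card.icvv)[0],
        "swipe_with_cvv": verify(card, MAGSTRIPE, card.cvv)[0],
        "swipe_with_icvv_strict": verify(card, MAGSTRIPE, card.icvv)[0],
        "swipe_with_icvv_lenient": lenient_verify(card, card.icvv),
    }
    # Guessing: wrong codes until the threshold locks the card.
    wrong = next(c for c in ("000", "001", "002") if c not in (card.cvv, card.icvv))
    for _ in range(MAX_FAILED_ATTEMPTS):
        verify(card, MAGSTRIPE, wrong)
    results["locked_after_guessing"] = card.locked
    results["correct_code_after_lock"] = verify(card, MAGSTRIPE, card.cvv)[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script to see the lenient check approve the replayed iCVV while the strict check declines it and then locks the card after repeated guesses. In a real issuer host the equivalent of `verify` also has to know the entry mode reliably, which is why a terminal that reports a chip read as a swipe (fallback) is its own policy question.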
        
       | lmilcin wrote:
       | Hi. I have worked for one of the acquirers (card acceptors) for a
       | couple of years, designing and implementing credit card terminals
       | and security infrastructure. I was also a security officer.
       | 
       | Basically, credit cards can be very secure. But it also costs.
       | Banks do simple cost/benefit decisions and may in many cases
       | significantly lag behind in technology for various reasons. They
       | get away with this because consumers have absolutely no idea how
       | cards differ and what the options are.
        
         | kergonath wrote:
         | My experience has been that all the banks that gave me cards
         | were diligent in verifying suspicious transactions, often
         | erring on the side of caution and asking for confirmation.
         | Also, they don't tend to argue much before refunding an illegal
         | transaction.
         | 
         | So, from my point of view, it could certainly be improved
         | (along the lines of what Apple Pay is doing with tokenisation:
         | confidentiality is an issue), but there is no real reason to
         | complain.
         | 
         | As long as fraudulent transactions are rare enough that the
         | banks don't drag their feet, it's fine.
        
         | throwaway_pdp09 wrote:
         | > because consumers have absolutely no idea how cards differ
         | and what the options are
         | 
         | Well if there's a time and a place to educate people, it's here
         | and now. Your knowledge would be appreciated, TIA
        
         | rblatz wrote:
         | But also banks take on all the liability for misuse. Customers
         | aren't liable for fraudulent charges, that's why America has
         | lagged behind Europe on rolling out chip cards, customers don't
         | demand it because they don't pay the price for card fraud.
        
           | hocuspocus wrote:
           | European customers aren't liable for fraudulent charges
           | either, I don't really understand your logic here.
           | 
           | Everyone pays the price of fraud and it's probably one major
           | reason that explains high interchange fees in the US.
        
             | swimfar wrote:
             | Early on the customers were completely liable because the
             | banks claimed that the only way a fraudulent charge could
             | be made is if the customer "allowed" their PIN to get
             | stolen. Eventually they changed this and made it more
             | customer friendly.
        
             | C1sc0cat wrote:
             | In Europe the liability shifted to the non-complying
             | partner - which helped takeup.
        
               | tadfisher wrote:
               | Already the same in the US once EMV was rolled out.
        
             | tialaramex wrote:
             | No, US interchange fees pay for "reward" cards. You charge
             | everybody 5% extra, you give Karen 5% cashback, she thinks
             | you're "rewarding" her and everybody else gets screwed, the
             | payment network keeps the difference.
             | 
             | The EU caps the interchange fee, does that mean the
             | networks exit the business because they can't make money?
             | No. Does it mean they've eliminated fraud? No. But it does
             | mean they can't pay Karen 5% "reward" so they don't. There
             | aren't any cards like that in Europe. For everybody else it
             | makes the system cheaper.
        
           | llsf wrote:
           | That is the thing it took me a while to understand once
           | arriving in the US from Europe. In Europe I did not care the
           | least if someone managed to hack my credit card. The bank is
           | liable. The bank is responsible for making it as secure as
           | possible. That is probably why we have had credit cards with chip &
           | PIN since the 80's. Banks had an incentive to reduce fraud
           | as they could not easily pass it on to the customers. But when I
           | arrived here in the US, I heard all those horror stories about
           | fraudulent charges (and it happened to me too) and why I
           | should take it seriously. And why I should protect my CC
           | details ?!? (like my US social security number... but that is
           | for another thread :) Coming from a country where CCs have used
           | chip & PIN for more than 30 years, and only having the US embrace
           | it (but only half-way) in recent years, is bizarre.
        
             | kergonath wrote:
             | Coming from a country where your address and social
             | security number are basically publicly-available
             | information (so of course neither are used for anything
             | sensitive), it took me some time to understand the fuss
             | Americans tend to make about SSNs...
        
           | Wowfunhappy wrote:
           | Right, and so the trade-off seems completely reasonable to
           | me.
           | 
           | If the bank has calculated that extra fraud costs less than
           | the price mitigating it with additional security measures,
           | and it is the one bearing the cost either way, then power to
           | them!
        
             | techsupporter wrote:
             | I'm not sure I understand this. Fraud, and cleaning up
             | after it, is not free of cost. If anything, fraud is more
             | insidious because it costs the one thing I can't replace,
             | which is time.
             | 
             | Even for me--someone who has multiple payment cards,
             | primarily uses credit (instead of debit), a healthy savings
             | account, and a flexible job--cleaning up from a stolen
             | credit card number takes two or three hours at a minimum.
             | For someone who does not have those things, _particularly_
             | for people who primarily use debit cards[0], the impact is
             | far worse.
             | 
             | If we swapped our cards to simply require a PIN that's
             | validated by the chip on the card (so that in-person
             | charges without the proper PIN cannot complete, even if the
             | card is shimmed), that removes the bulk of in-person fraud
             | attempts. But US banks are, largely, so fearful of
             | customers switching away from them at even the slightest
             | provocation, we don't get PINs. So I'm forced to ask what
             | other "basic" measures (like 3D Secure for online
             | transactions) we lack.
             | 
             | 0 - I don't want to hear the rebuttal that "well, people
             | should just use credit cards." There are a hundred
             | different reasons why people don't use credit cards--don't
             | qualify for one, have an objection to debt, past bad
             | experience, and so on--and we cannot write off people who
             | "only" use debit from security measures.
        
               | kergonath wrote:
               | Overall, debit cards make much more sense than credit.
               | Their purpose is just to move money across accounts, not
               | to entice you to overspend and then prey on you if you
               | forget the magic dance, or datamine your spending
               | patterns. There is no intrinsic reason for credit cards
               | to be safer.
        
             | VBprogrammer wrote:
             | This completely ignores the amount of worry and frustration
             | which an ordinary person has to go through to get back to
             | the point that only the bank are out of pocket. It's not
             | trivial by any means.
             | 
             | You could also make an argument that by continuing to allow
             | this fraud to happen we're funding all kinds of nasty
             | people. I'm not convinced the argument holds water since
             | bad guys are often faster to move than the banks but it's
             | worth noting.
        
               | kergonath wrote:
               | It's a systemic issue. In jurisdictions where banks
               | cannot shift the risk to the customers, they tend to be
               | more effective.
               | 
               | In the few European countries I know, banks are very pro-
               | active about card fraud and refund without asking
               | questions if fraud happens anyway.
               | 
               | Nasty people will get funded anyway, but reducing fraud
               | also reduces their income. The main drawback is that
               | people have to use their PIN (and even that is getting
               | rare thanks to contactless cards).
        
         | lsllc wrote:
         | I think the bigger issue is not the terminals themselves, but
         | the software behind them that's designed to process the payment
         | from the track data.
         | 
         | Contactless magstripe (MSD) is a workaround that allows for a
         | contactless payment, but really is just sending the same
         | (insecure) track data through the backend software. Contactless
         | EMV is the right way, but requires more sophisticated software.
        
         | cosmie wrote:
         | > They get away with this because consumers have absolutely no
         | idea how cards differ and what the options are.
         | 
         | Do you have any tips/resources for how an interested consumer
         | can become more informed (whether for personal or small
         | business accounts)?
         | 
         | Would this be the type of information you'd be able
         | to get through contacting support, if you know the right way
         | to ask? Or would it be considered too sensitive for the bank to
         | give out implementation details that easily?
        
         | whitepoplar wrote:
         | Can you give any recommendations on banks that really get it
         | right? How about the inverse?
        
         | dddddaviddddd wrote:
         | What features make a secure credit card and how can a consumer
         | verify their presence?
        
         | specialist wrote:
         | How can noobs like me assess how good any given POS is?
         | 
         | Is there a rating system?
         | 
         | Any way to inspect transactions to see the whatnots?
         | 
         | Knowing nothing, I've been doing as much as possible using
         | Apple Pay, because IIRC they do some kind of token exchange, vs
         | sending my digits across the wire.
        
       | donarb wrote:
       | I use my chipped card frequently when going to the grocery store.
       | Pretty much 20% of the time, it won't read the chip, reporting
       | "Chip Malfunction". Even wiping any sort of gunk off the chip
       | contacts doesn't fix it. So you have to go through 3 failed read
       | cycles before it will let you use the mag strip on the back.
       | 
       | Going back to the store a few days later and the same machine
       | will work, I wonder how often the machine's readers are cleaned.
        
         | jack_h wrote:
         | I've had problems with the chips themselves. I had a card whose
         | chip worked perfectly for maybe a year or more before I lost
         | it. The replacement chip worked for about a week then I'd get a
         | chip error every time and everywhere. So I got another
         | replacement which didn't work out of the envelope. So I got a
         | third replacement and it worked exactly one time before
         | breaking.
         | 
         | At this point I've just given up and insert the card three
         | times before being forced to use the mag strip. I don't even
         | know what else to do...
        
         | meragrin_ wrote:
         | A cashier gave me a tip once. Try pushing on the face of the
         | card so the chip end is levered up against the machine tighter.
         | It seems like there is something wrong with the contacts in the
         | reader and they do not make appropriate contact with the chip.
        
       ___________________________________________________________________
       (page generated 2020-07-30 23:01 UTC)