Target Moves To Chip and Pin Cards To Boost Security
jfruh (300774) writes "U.S. retailers must accept chip-and-pin charge cards by the end of 2015 or become liable for fraudulent purchases made with chip cards. Target, still smarting from its recent embarrassing security breach, is moving to get ahead of that trend. The company will be installing chip-and-pin terminals in all its stores, and will also be issuing chip-and-pin versions of its own branded cards, which account for about 20 percent of Target sales. Will this move by a huge retailer push the U.S. into parity with the rest of the world?"
Re: Chip and PIN (Score:2)
A bit off topic, but how will this changeover affect companies like square that depend on swipe and sign for most transactions?
Other than that, it's about fucking time!
Sick of finding out every other month that some retailer that I frequent has been hacked.
I'm tired of constantly changing my credit info to avoid being ripped off...
Re: (Score:3)
Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.
Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.
Re: Chip and PIN (Score:4, Informative)
Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.
Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.
Well, it really depends. Without chip and pin, the vendor assumes all responsibility for chargebacks. It will be a decision for each Square user as to whether it is more profitable to assume liability or pay for the more expensive reader upgrade.
Re: (Score:2)
Don't you just need a simple ISO7816 card reader? I remember paying $10 for those 8 years ago back in my directv hacking days. The communication method is simple serial/RS232, of which there is a Bluetooth standard for (and it works rather well with Android phones too, I've used it for OBD2 serial communication to avoid needing a wire connected under the dash.)
PayPal Here could likewise do ISO7816 via a bluetooth dongle and ask for the pin on the device itself. I don't imagine the whole thing would cost the
Re: (Score:2)
That's clearly part of it, but there is a lot of backoffice related stuff that needs to be present for it all to work as there is encrypted information that needs to get passed back and forth from the card to the issuer.
But a small merchant might not have that much to do in that I am guessing that their own bank would handle all of that.
Re: (Score:2)
Not really. Chip might be kinda easy to read using commodity hardware, but pin entry must be done through a PCI certified device (as in, lots of money for certification, passed on to you, the consumer)
https://www.pcisecuritystandar... [pcisecuritystandards.org]
Re: (Score:3)
I still have a Target-branded chip-and-pin card and USB reader from 10+ years ago from an early pilot they did with a well-financed crypto startup. I would imagine some of their executives are kicking themselves now for having shut the project down then.
It's nice to see the US finally catching up with what Europe has been doing for a very long time.
Re: (Score:2)
On the user side, all cards are backwards compatible with not only magnetic stripe but mechanical impression on carbon paper.
On the processor side, presumably Square will have a new unit next year that can read the chip unless they want to absorb the costs of chargebacks themselves.
Re: (Score:3)
I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)
I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers (wouldn't bother me, but buying things via smartphone or tablet will need some revamping.)
Re: (Score:2)
My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.
Re: (Score:2)
My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.
Remember that under US law, when you pay via credit card, you have rather strong protections that largely take your side when you dispute whether a merchant delivered what you ordered. No such provisions exist when you pay using PayPal. This is especially valuable in the era of internet ordering, rather than brick-and-mortar purchases.
Re: (Score:3)
That exists right now - it's called a "Card Not Present" transaction and the transaction fees ARE higher as a result. I believe Square charges like 3.5% instead of 2.5% for those kind of transactions because of the increased risk.
Paypal fees mirror the credit card processing fees, so Pa
Re: (Score:2)
The company accepting payment bumps the user off to an outside service such as "Verified by Visa" or Mastercard's equiv and lets them handle the problem. These are run by the payment processors and as a card user you generally have to sign up to them separately. They tend to use separate information that is not on your card.
Then visa takes responsibility for fraud.
Reader (Score:2)
Yes, you'd have to have the card reader if everyone implements a challenge/response type system like in Europe. I have one at work and keep one at home. When I travel I throw one in the bag just in case. You get used to it.
Re: (Score:3)
Other than that, it's about fucking time!
Sick of finding out every other month that some retailer that I frequent has been hacked.
That won't change in the long run. In the short run maybe some benefit, while the crooks come up to speed, but chip and PIN is also hackable. It's not as easy, to be sure, but technology marches on and both PIN harvesting and stolen card use are both happening in Europe today (though not with the frequency of the US problems yet).
One place we might gain advantage from our late start is that no one will have the older-tech cards where PIN-extraction from stolen cards is possible (and done) due to flaws.
Flaws (Score:2)
Do you have any links to chip & pin flaws? The one I saw I thought allowed you to enter any PIN and have it return as valid, so the transaction would be charged. You had to have a programmable card hooked up to a laptop and a valid card, I think. Doable with a jacket and backpack, but not quite clone & go. Curious what else is out there.
America is *finally* implementing chip-and-pin (Score:5, Insightful)
Re:America is *finally* implementing chip-and-pin (Score:5, Funny)
I can confirm this.
Only Netcraft can confirm this.
Re: (Score:3)
I can confirm this.
Only Netcraft can confirm this.
Netcraft can only confirm that the street musician is dying.
if that card is Chip and sign, you're boned (Score:3)
It still has to be swiped in Europe.
You need a Chip and PIN card. Wells Fargo issues them now. And Chase does for some cards too. You really should be getting one of those before you go.
If you don't have the PIN for your card, you don't have a Chip and PIN card and you'll be in a slightly worse boat in Europe than a card that doesn't have a chip because you'll usually have to tell them "ignore that chip, you have to swipe that" every time you use the card.
Re: (Score:2)
Good choice. I was in Europe recently, and there are a fair number of places that can't handle the chipless cards. (Including, irritatingly, French toll booths, which are fairly frequent and of course far away from any place you could get cash.)
Re: (Score:2)
I was in London in Feb, but I have a chip card from BofA. Technically not chip-and-pin, it is chip-and-signature. But I didn't have any problem whatsoever when I was there. Everyone knew what to do with it, and it worked without a hitch.
Re: (Score:2)
Today I saw an American in London trying to buy their lunch with their credit card. The cashier didn't know how to process swipe-and-sign cards, since they are exceedingly rare, they had to go and find a pen.
Very much this. I'm a Brit that has lived in the US for 17 years. When I go back home, the cashiers hear my accent, think I'm local and then give me weird looks when they have no clue how to process my credit cards (even though, technically, they should be able to). It's got to the stage now where I just use cash over there.
Re: (Score:2)
Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...
Not so fast.
Chip-and-pin is not a panacea. Every major chip-and-pin system in the world has known security flaws that haven't been fixed in years.
I would far rather have them fix the security flaws that already exist BEFORE adopting a new system with just more security flaws. It's an unnecessary expense and rather self-defeating.
This isn't why they had a security breach (Score:5, Informative)
They might as well announce they're getting Yeti insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.
That has nothing to do with chip and pin.
And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the Target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could somehow pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.
TLDR... I don't think chip and pin is going to accomplish anything and insofar as I understand the issue it wouldn't have stopped the breach at Target in the first place. So I don't know why they're talking about it like it's a solution to anything.
Re: (Score:2)
he would not be able to use it without an extra password.
Which was written on a piece of paper in your wallet with your credit cards.
Re: (Score:2)
perhaps it's because i've never had anything go wrong in terms of online shopping, but that program is such a pain in the ass.
Re: (Score:2)
To get you to sign up for it, they're kind of deceptive. You can press 'skip' or 'no thanks' to verified by visa signup. Of course now that you're signed up you're boned, and it's probably a good idea to do it, but not having it isn't going to remove the ability for you to report and void fraudulent charges.
Re: (Score:2)
Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.
And when my order comes up to the Verified with Visa page, I cancel it. VwV is a pain.
The security number is by design not embossed on the card, nor, as far as I know, encoded in the stripe, because for physical card-reading applications the cashier has to confirm your identity by other means such as signature and driver's license.
Online transactions use the security ID, but if someone has latched onto that, then they're already running amok in someone's network or have physically stolen the card (in which cas
Re: (Score:2)
In VISA's case, their recommendation is to compare the signature with the one on the back of the card. However they explicitly state (page 34) [visa.com] that merchants can't decline processing a VISA transaction if the customer refuses to show an ID for a signed card. I believ
Pain (Score:2)
I agree the Visa and MC programs are a pain. They come up so infrequently that I never remember what the password is. Plus with varying rules as to what constitutes an acceptable password, I can't even count on it using a password I'm familiar with.
If implemented like in Europe, though, you only have to remember the PIN. Which you use everywhere, so that's not an issue. There's a challenge-response part of the online purchase that generates a code to confirm you have possession of the card and know the PIN t
Re: (Score:2)
Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page
I have yet to see any online retailer do that to me, and if they did I'd assume it was some kind of MITM/phishing attack. I'd also be surprised if the retailer/phisher could correctly guess which of the several hundred "banks" (actually a CU) in the US I use.
Chip and Pin stops card cloning (Score:2)
And cloned cards were a major vector of fraud in the Target attack.
Re:This isn't why they had a security breach (Score:4, Informative)
It has everything to do with chip and PIN. It would've prevented the security breach entirely because with chip and PIN, getting the card number by itself is useless. You need the smart chip on the card and the PIN to activate it before you can do anything with the card number. Since you can't use the numbers without the chip and PIN, there is no incentive for thieves to steal the card numbers - they are just numbers, not a magical way to access someone else's money.
You buy a card reader [newegg.com] for your home computer.
I don't get why people keep trying to blame Target's security for this problem. The problem all along has been that you can buy stuff using nothing more than a plaintext sixteen-digit number that "belongs" to someone else. I'm not saying Target isn't at fault for failing to secure their network. But giving your credit card to a waiter at a restaurant makes your card just as vulnerable as Target's network was during their security breach. The current system is like telling your bank to authorize payment if someone gives them "your secret password." Then you proceed to give that very password out to every merchant you visit, so they can tell the bank and collect payment. Well if you're giving your password in plaintext to every merchant out there, it's not very secret is it? And anyone who steals the plaintext or overhears it or copies it can make charges to your account (whether it be a thief who stole them from the merchant, or an employee at the merchant, or the guy standing behind you in line who snapped a picture of your card with Google Glass).
The way I understand how chip and PIN works, you insert the card into the reader which powers up the chip. The merchant transmits the transaction info to the chip. You enter your PIN which gets transmitted to the chip. The chip then uses the private key embedded in it to encrypt those pieces of data. That encrypted data and the card number is sent to the credit card processor, who holds the card's corresponding public key. They look up the card number, find its public key, and decrypt the data. The card number is no longer the gateway to your money, it's just a reference number for looking up the public key. It's the public/private key pair safeguarding your money and authenticating the transaction, and using the private key requires physical access to the card's chip and the corresponding PIN.
Re: (Score:2)
Like this: [krebsonsecurity.com]
or this: [theregister.co.uk]
And many more on the internet that I am more than surprised the Slashdot community didn't point out. Much different community than ten years ago on here
Online (Score:2)
Online sales use a challenge-response system to ensure you have the card and know the PIN. You don't enter the PIN into any website, though, just the little card reader. The challenge-response system is run by the bank, I think. You're redirected there as a part of the sale to verify. Kind of like the Verified by Visa thing, but instead of just entering a password, you do the whole challenge-response thing with your card and reader.
This is how it's done in Europe, at least.
In POS systems, the PIN never leav
Re: (Score:2)
Out of a regular PoS that's running Windows, yes. C&P transactions take place entirely between a dedicated piece of hardware and the card itself. Also the card signs a nonce so there's nothing to steal if the hardware is bad beyond the old regular magstripe data which is already stealable.
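A simplified model of the point made in the comment above (the card computes a cryptogram over a terminal nonce, so a message captured at a compromised point of sale cannot be replayed or altered), added here as an example and not part of the original thread. It assumes an HMAC-SHA256 key shared between card and issuer in place of the real EMV cryptogram algorithms; the class names, the PAN and the amounts are constructed.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 8  # assumption: the terminal supplies an 8-byte unpredictable number


def new_nonce() -> bytes:
    """Terminal side: a fresh unpredictable number for each transaction."""
    return secrets.token_bytes(NONCE_LEN)


def _cryptogram(key: bytes, pan: str, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    # Length-prefix the PAN and use fixed-width integers so that fields
    # cannot be shifted into one another to produce a colliding message.
    data = (struct.pack(">H", len(pan)) + pan.encode("ascii")
            + struct.pack(">QI", amount_cents, atc) + nonce)
    return hmac.new(key, data, hashlib.sha256).digest()


class Card:
    """Models the chip: the key never leaves it, only cryptograms do."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self._atc = 0  # transaction counter, incremented on every use

    def authorize(self, amount_cents: int, nonce: bytes) -> dict:
        self._atc += 1
        return {
            "pan": self.pan,
            "amount_cents": amount_cents,
            "nonce": nonce,
            "atc": self._atc,
            "cryptogram": _cryptogram(self._key, self.pan, amount_cents, nonce, self._atc),
        }


class Issuer:
    """Holds each card's key and the highest counter value it has accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def verify(self, msg: dict) -> str:
        key = self._keys.get(msg["pan"])
        if key is None:
            return "unknown card"
        expected = _cryptogram(key, msg["pan"], msg["amount_cents"], msg["nonce"], msg["atc"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "bad cryptogram"
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "replayed counter"
        self._last_atc[msg["pan"]] = msg["atc"]
        return "approved"


def run_demo() -> dict:
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed PAN
    genuine = card.authorize(1999, new_nonce())
    captured = dict(genuine)  # everything a compromised terminal gets to see

    results = {"genuine": issuer.verify(genuine)}
    # Sending the captured message again: valid cryptogram, stale counter.
    results["replay"] = issuer.verify(captured)
    # Changing any authenticated field invalidates the cryptogram.
    results["altered_amount"] = issuer.verify(dict(captured, amount_cents=99999))
    results["bumped_counter"] = issuer.verify(dict(captured, atc=captured["atc"] + 1))
    # Knowing the PAN alone is not enough to build a new transaction.
    forged = dict(captured, atc=2, nonce=new_nonce(), cryptogram=secrets.token_bytes(32))
    results["pan_only_forgery"] = issuer.verify(forged)
    # The real card keeps working.
    results["next_purchase"] = issuer.verify(card.authorize(500, new_nonce()))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18} {outcome}")
```

The PAN still travels in the clear in this model; only the per-transaction cryptogram is useless to whoever captures it.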
that's not true (Score:2)
http://en.wikipedia.org/wiki/E... [wikipedia.org]
Although most of these attacks require you be able to clone the data reaped from EMV onto a stripe card and use it in a place that accepts stripe swipes. If the US stops accepting those, it will reduce fraud by presenting less opportunity. But it won't be because EMV prevented data extraction, but because you can't (currently) clone onto an EMV card.
Re: (Score:2)
exactly how do they charge the card then?
Re: This isn't why they had a security breach (Score:4, Informative)
The vendor takes the customer's name, postal address and card number, and sends a message to their card processor (bank) saying "I want to charge this customer this amount for this transaction"; the bank sends back a url and the customer is redirected to that page.
The (secure) page (which displays a shared secret known only by you and the bank) asks for your online banking password; the bank processes the payment, and redirects you back to the vendor's thank-you page.
This has nothing to do with chip and pin.
But UK banks also hand out free one-time pad [barclays.co.uk] terminals which use your chip and pin card for online identification.
Terminals (Score:2)
With the terminals, the bank issues you a challenge code based on the transaction and you use the terminal, card and PIN to generate a response that validates you're the authorised card holder. It's worked pretty well the few times I've bought something online with it.
Re: (Score:2)
No....
The full PAN can and must be read from an EMV card. (EMV specifications, book 3, Mandatory data objects). Actually both the authentication and the card PAN are sent to the issuer.
Re: (Score:2)
This reminds me of debit cards. Yes, it is quick and fast to just swipe the card, enter a PIN and be off without signatures or waiting days for the amount to stop floating and be debited... but the anti-fraud protection is nowhere near what one finds when one runs transactions via credit card processors.
What I wonder about is if chip/PIN does get compromised, on whose shoulders do the bogus transactions get dropped on. I'm guessing this is decided by who has the fattest wallets.
Re: (Score:2)
And this is where the October 2015 liability shift comes in:
If fraud occurs on an EMV card and the merchant hadn't upgraded to EMV and was relying on swiping the magnetic strip to process the transaction, the merchant has liability.
If fraud occurs on a non-EMV card and the merchant had upgraded to EMV, then the bank issuing the card has liability.
The result is banks are incentivized to upgrade to EMV cards so they can try to shift fraud liability to the merchant who hasn't upgraded to EMV terminals, and the
Re: (Score:2)
I mentioned this elsewhere, but one way the CNP transactions could be addressed would be an e-Ink display. Similar to the card I use for authenticating to PayPal, press the number, enter the six to eight digit code, and send in the transaction. With the fact that e-Ink displays only need power when changing state, the battery powering the display should easily last the life of a card (until it expires.)
With a card having this, a user just enters the numbers on the display in one field, his "CNP" PIN (coul
Fucking finally (Score:5, Funny)
walmart started requiring a chip about a month ago (Score:2)
Walmart started doing this about a month ago in my area. Unfortunately for me the chip doesn't work on my card so every time I go to walmart they have to manually key in my credit card number.
Re: (Score:2)
If the chip doesn't work, just get a new card issued?
Nope (Score:5, Insightful)
Recent experience in Italy (Score:2)
If I wandered into the bank.. (Score:4, Interesting)
My wife has a retail store and a credit card reader.
If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good and ready to, which at the current rate of progress is 'never'.
Target has more leverage, but small retailers have to take what the bank makes available.
For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the US can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.
Re: (Score:2)
Completely generic? Ummmm no. They are C programmable embedded devices which are usually developed according to the acquiring bank's specifications.
Re: (Score:2)
The wire protocols are standardized by PCI.
Re: (Score:2)
Ummmmm no.
The wire protocols are de-facto standardized up to a point (ISO-8583 or vendor specific protocols) and the rest are application specific. Interestingly, wire protocols are one of the things that PCI has never touched.
Re: (Score:2)
I was under the impression PCI referenced 8583 and the transport wrapper. Maybe not. I'm not searching PCI specs for fun.
Re: (Score:2)
I read that, not as in all devices are the same (since a chip and pin device has a completely different reader) but that there's no reason someone willing to buy a different reader shouldn't be able to use one
Re: (Score:2)
My wife has a retail store and a credit card reader.
If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good and ready to, which at the current rate of progress is 'never'.
Target has more leverage, but small retailers have to take what the bank makes available.
For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the US can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.
Then you're dealing with the wrong vendor. I can tell you right now that I sometimes work on proof of concept applications for one of the largest POS terminal makers in the US and all of their hardware comes with chip and pin support. Even the lowest end equipment. It's available in the US. In fact, the last time I went into the T-Mobile store, all of the terminals inside the store supported chip and pin.
Re: (Score:2)
But not the shitty Hypercom terminals you find in a large fraction of independent retailers.
Re: (Score:2)
But not the shitty Hypercom terminals you find in a large fraction of independent retailers.
I am not involved in the sales end of their setup, but I do know that it works with European chip and pin cards. Some of the proof of concepts I put together are to market the terminals to banks. The low end readers are like $200. The units I play with are dev units, and do not communicate with a processing service. It's side work for me, so I don't know a lot of the details of how their product works once you tie it in to the processing. They sell the exact same units to the rest of the world, though.
Re: (Score:2)
>Are these Hypercom terminals even less than $200?
Some are. On Amazon I've seen $70 terminals. Our model is $269 because adding an ethernet interface adds $200 to the price. Odd that, since I just bought a 16 port switch for $70.
But to get one that works with the bank I have to get it from the bank and they charge their own price. Presumably they throw some secret numbers in there that any decent hacker could extract.
Not quite (Score:2)
Target is huge? I'm not so sure about that. But it will be fait accompli when Walmart changes.
Bitcoin? (Score:2)
How about taking bitcoin online? Make a deal with BitPay or Coinbase.
No information to steal except for shipping information. And the public fact that it was paid with bitcoin.
Re: (Score:2)
Because bitcoin is totally fraud-proof.
Chip and Signature, not Chip and PIN (Score:4, Interesting)
Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.
I have one of these Chip and Signature cards and on my last trip to UK it was a real PITA, especially at self-checkouts. Like at ASDA there was a signature signing pad but I had to wait for a clerk to come over to give me the pen and then she checked my signature real closely. Same thing at the duty free at the airport. The self-checking stopped and alerted the clerk to come over to check my signature. Then at other stores the clerk couldn't find a pen, or was surprised when paper spit out and had to ask a manager what was going on.
(I had one clerk hand me the slip to sign, checked my signature, then put the signed slip into the bag with the receipt! If I was an "arse" I probably could have disputed the charge and gotten away with it because they couldn't produce a signed slip)
At the ASDA (far away from where tourists usually go) the clerk remarked it's been years since she saw someone have to sign for a charge. I apologized, said I was an American, and that our banks think we are too stupid to remember a PIN. She got a good chuckle out of that...
Re: (Score:2)
True about most US cards being C&S, not C&P. Or being both, but with C&S as higher priority and not supporting offline PIN (which is where the real trouble comes). From what I'm hearing, Visa is the one that's really pushing C&S in the US; MasterCard is pushing C&P. And since the new EMV Target cards will be MasterCards, there's reason to hope that they'll be C&P.
For the record, Walmart has also apparently been advocating C&P. They're also ahead of Target in rolling out EMV suppo
Re: (Score:2)
Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.
Confuse or alarm? Perhaps it has changed but it used to be that if you purchased using a credit card and used the PIN, the transaction went through as a cash advance with all the associated and onerous fees.
Chip and Pin cards? (Score:2)
That is great and all, but are there any banks in the US supporting chip and PIN cards for Visa/MasterCard currently? I'd love to get one even if I only use it at Target just to help push things along, but I don't know of any cards that are supporting it now (and I really don't need a Target card).
their terminals already had it (Score:2)
The terminals that had the problem were their new (few months old) chip and PIN-capable EMV terminals.
Chip and PIN doesn't fix the breach Target had. Only Chip and PIN with tokenization does.
I already have one Chip and PIN card from my bank (US bank) and I'm trying to get my other one switched too. But it doesn't fix this problem.
Target, if you replace your terminals again, please get ones that do Chip and PIN and also NFC and PIN please?
Good I guess (Score:2)
I'm still waiting for the metric system to catch on =)
EMV - Encryption (Score:2)
http://www.digitaltransactions... [digitaltransactions.net]
"Security experts say data still can be transmitted unencrypted, or in plain text, during an EMV transaction."
So this is going to help Target how?
Re: (Score:3)
Chip and Pin in the USA will go the same way Concorde did
Back and forth to Europe twice a day?
Re: 'Bout time (Score:5, Interesting)
The US almost always suffers from the early adopter problem. That is, we get the earlier versions of standards merely because we adopt them first, and by the time Europe gets around to adopting them the technology has improved based on what was learned in the US. Note similar things like T1 equivalent E1 being faster, and given that superseding technologies (such as optical carrier) are sold in multipliers of T1 speeds, the Europe versions tend to be speced higher.
Broad adoption of standards is like a marriage: You're stuck with it, flaws and all, and changing to another incompatible one requires a lot of pain and sacrifice, with there being more pain the longer the marriage has lasted. For another perspective on this, look how much of a PITA it was to switch to digital TV, which the US actually did faster than most of the world.
And yes, I know Europe also had magnetic stripe. But like the marriage analogy they didn't have it for as long nor was it adopted as broadly before chip and pin came along, likewise switching wasn't as difficult.
There is a silver lining to our system though:
One time I saw somebody commenting on how much he hates chip and pin because it was supposedly only being pushed so that banks can force you to pay for fraudulent charges, whereas magnetic stripe they supposedly can't. The article was referring to the US adoption, and so I told him that we already have laws that strictly limit liability for consumers that mostly just make banks liable, and they aren't going away. He then lambastes me that "the rest of the world" doesn't do it that way, therefore chip and pin is evil, and I'm a stupid ignorant American for thinking that, even though the article was specifically about the US where such a problem doesn't exist.
Why doesn't it exist? Well, because us backward Americans have been on magnetic stripe for so long, that it was born out of necessity. (Which by the way, looking in his profile revealed he lived in Europe, which isn't "the rest of the world" as other non-European countries do have similar laws to the US, for the same reasons.)
Re: (Score:2)
This has been going on since the days of the US having 120 volt electricity and Europe having 240VAC/50 Hz.
Chip and PIN is a necessity. Without it, the only thing actually preventing fraud are the anti-theft algorithms that banks use to detect out of place transactions and either call the person up for approval, or just put the kibosh on them. Long term, it is a good thing that chip and PIN is making its way here to the US. This will reduce CC fraud by a large amount [1].
[1]: Of course, there will be un
Re: (Score:2)
Yep I've seen the same silly argument.
Europe wide the only thing that has changed is that the retailer is now responsible for any fraud using C&P cards if they are not used as C&P (say just swiped as that is the normal fallback). Non C&P cards (such as Americans visiting) are still the liability of the card processor/bank.
The client has never been responsible for fraud. Although I think there is a lower limit for credit cards they normally waive it unless the item was very expensive. But that is a
Re: (Score:3)
It isn't the merchants dragging their feet. Chip and Pin has not been available to merchants in the US. The thing most people don't realize is that credit card fraud is a profit center for Visa/Mastercard/etc. Do you think Visa is eating the cost of a fraudulent transaction to cover the "$0 Fraud Liability" they offer to their customers? Of course not. It goes right back on the merchant. Now the merchant is out their merchandise, out the money they would have received from the sale, and they are hit w
Re: (Score:2)
I've wondered about just having a small e-Ink display on credit cards similar to the authentication card I use with PayPal/eBay. Press a button, up pops a number, and because e-Ink only needs power when changing state, the battery in the card has lasted a good number of years.
In combination with chip/PIN, this would protect transactions done online (basically turning CNP or card not present transactions into CP, or card present) because the user just enters the number on the card when checking out.
I do agr
Re: (Score:2)
Chip-And-Pin has the annoying side-effect of requiring a PIN instead of a signature. I don't understand why you need a PIN at all, honestly.
My suggestion nearly a decade ago was straight PKI. An embedded IC would contain a burned, non-readable, unique private key and certificate. The certificate would be bank-signed, and verified dynamically with the bank.
When you insert the card into the reader, a command stream is sent. This includes the transaction, a time stamp, and a block of random data. The
Re: (Score:2)
Interestingly enough, EMV (c&p) cards work like this. However the card and the cardholder are both authenticated - either PIN or signature.
If someone steals your card, deactivate your card.
Ok, isn't it a bit stupid to design a system that can be circumvented by someone stealing your card? And no card deactivation for sure doesn't solve the problem
Re: (Score:2)
The primary fraud problem with the current system isn't a window between a stolen card and its deactivation; it's stolen card numbers sold on an open exchange. Bruce Schneier covers ATM pin stealing mechanisms fitted over the card slot fairly often: read the mag stripe, record the pin with a camera, transmit wireless signal to a laptop in a nearby coffee shop.
A hardware verification process removes this possibility entirely: a person must physically gain control of your card to use it. The current sy
PIN (Score:2)
Sure, but in the meantime, the PIN prevents the card from being used since the thief doesn't know what it is. It also prevents the card from being cloned (assuming that's possible) and used elsewhere even though you have your card in your wallet. It's the whole "something you have" and "something you know" security model.
No changes (Score:2)
The card I was issued from my bank does not allow the PIN to be changed. It could be because they don't have physical branches/ATMs anywhere, though. Maybe if this catches on a lot more, you'll be able to change it at any ATM.