Study: $1.8 Billion In Reshipping Fraud With Stolen Cards Each Year
An anonymous reader writes: Researchers from the University of California, Santa Barbara and others studied the economy of how criminals monetize stolen credit cards by operating reshipping scams as a means to cash out, KrebsOnSecurity reports: "A time-honored method of extracting cash from stolen credit cards involves 'reshipping' scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity. [...] disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit."
LOL ... (Score:4, Funny)
Wow, that sounds even better than the other MLMs, tell me more!!
Re:LOL Once Again.. (Score:3)
We've lost our edge.
Article server is dead (Score:2)
Here it is in Google cache [googleusercontent.com]
So many ways to combat this... (Score:5, Informative)
If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.
The new credit cards in the US with chips are good, but why chip and signature? Why not chip and pin like much of the world does? Better yet, why not require two-factor authentication for large and online purchases where the card isn't swiped? If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter. This is used for so many services now that are less sensitive than financial transactions, so why not use it for these as well? Even the "verified by Visa" program that required a password for online CC transactions seems to not be widely used.
Also, it's a different method of fraud, but a few months ago my CC was used to make a purchase from a fraudulent website. In this scheme, a transaction is made for a small amount of money, often less than $10, to a website that's not legit. In this case, the website is actually in on the scam. It was pretty obvious the website wasn't a legitimate business. The best thing that can be done is to do a chargeback and report the merchant to the CC processor, which in this case was Visa. If there are sufficient numbers of complaints against the merchant, who in this case is part of the fraud, they will be penalized and probably not allowed to make any more transactions. I provided my bank plenty of evidence that the merchant was fraudulent and asked them to do a chargeback, but they said they didn't want to bother and claimed it was simpler to collect insurance from the FDIC. It seems like merchants ought to be penalized when they're part of the fraud. It also seems like merchants that use poor security practices ought to be liable.
I'm convinced that there really isn't an interest in ending fraud, because the technology exists to make it far more difficult. We just don't implement it, which is frustrating.
Re: (Score:2)
Better yet, why not require two-factor authentication for large and online purchases where the card isn't swiped? If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter.
This is already implemented in Europe for online purchases (some banks at least). It took more than 25 years to get the chips in the US, I guess we'll have to wait another 15 years or so...
Re:So many ways to combat this... (Score:4, Funny)
Because every American would set his PIN to "4444".
And, it might take a millisecond longer to buy a Big Gulp and bag of chips and if there's one thing you never want to do, it's make an American wait an extra millisecond for his Big Gulp and bag of chips.
Re: (Score:2)
Most everywhere in the US doesn't require a signature for anything less than $50. Just swipe your card and you're off.
Re: (Score:2)
Simpler to tap your phone. Link to a prepaid card, low balance, manage refills offline.
Re: (Score:2)
My card in Canada has the best of both worlds. Chip and pin for anything over $20, NFC for less than $20.
Re: (Score:2)
Yeah, no Chinese would use that unlucky number. ;)
Re: (Score:2)
I think somebody needs his Big Gulp and sack of chips.
Re: (Score:2)
You are correct. They implemented chips on debit and credit cards in Canada and this did not make a dent on fraud, but it proved expensive as hell. Guess who ended up paying more for their banking fees? (hint: not the bankers and not the criminals)
Re: (Score:2)
I was curious so I just looked it up. Apparently it reduced the fraud rate by 68%, so there the evil Canadian system works :p
You got it wrong. The chip is only good to protect purchases made at a physical POS. It doesn't work for online transactions. In this case of re-shipping scam it does not help to have chips - yet the customers do pay for that technology.
And scammers are scammers, they adapt. Instead of swiping cards they now steal the POS device and replace it with a modified one that registers all the details of the transactions. It never ends.
Cards with chips are not safer overall, but they are more expensive.
Re: (Score:3)
If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter.
So in order to complete the purchase I have to drive home, get the verification code, and drive back to the store?
No thanks.
Re:So many ways to combat this... (Score:4, Funny)
If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter.
So in order to complete the purchase I have to drive home, get the verification code, and drive back to the store?
No thanks.
It probably wouldn't work for you anyways, these things require touch-tone.
Re: (Score:3)
If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.
100% guaranteed that there would not be any credit card fraud, if there were no credit cards. In other news, people who have their appendix removed don't get appendicitis, which is why it was SOP for the Mercury, Gemini, and Apollo astronauts.
Re: (Score:3)
We haven't abandoned it. The credit card companies have. They have successfully shifted all the costs associated with poor security to the merchants. If there's a fraudulent transaction and the merchant can't prove the cardholder actually made the purchase, there's a chargeback and the merchant eats the cost of the fraud. The credit card company pays nothing (their fe
Re: (Score:2)
Their profit is built into every transaction, legal or not. The cost of fraud is spread over the customer base, and is part of the fees paid by users and merchants. Collectively the user base pays for theft from the system, and the credit card companies make more money. That $1.8 billion in illegal billings is a profit center.
The reason that the credit card companies are rolling out smart cards in the US after all this tim
Re: (Score:2)
The chip eliminates this as the chip can't be skimmed in practice. The big credit card folks (EMV) would love t
You have to love the CC companies (Score:2)
You're exactly right, but the CC companies have little interest in ending fraud. Instead, they just pass along the costs. Think about it: it's actually kind of shocking that the credit cards collect a percentage of gross, i.e., the full purchase price on every transaction. In terms of processing, it doesn't matter if a transaction is for $5 or $500. This more than covers the costs of fraud, and the charge is ultimately passed on to the consumer.
Meanwhile, they impose very strict security requirements on the
Re: (Score:2)
The new credit cards in the US with chips are good, but why chip and signature?
Because the signature (on a debit card) makes it a credit transaction allowing the credit card company to charge 2 to 5% commission on the sale. If you authorize a debit card with a PIN instead of a signature the credit card company gets a flat fee of 25 cents.
Surprised this still works (Score:2)
I'm surprised this scam still works today. All of my cards automatically reject purchases where the shipping address isn't the billing address of my card. I can add addresses to the valid list, but I have to do it beforehand through their web site or through customer service. That should shut this kind of scam down.
Or the other obvious change of, instead of having the merchant charge my card, have me tell my bank/issuer to pay the merchant. Then the merchant never needs to know my card number and it's a lot
Much easier way to stop this (Score:1)
1) the systems run Windows.
2) the company outsourced to India.
Now some of you will say that it is not so, or that I am biased. Yet, nothing of the kind. Russians approach Indians and point out correctly, that the company that they work for pays them crap. In fact few make more than $9k / year. As such, Russian can offer them 90k to leave a back door. Once in, the Russian will clean it up and point elsewhere.
This will continue until weste
Russia part of Europe? (Score:3)
Article says "carded consumer goods from America to Eastern Europe — primarily Russia".
I don't think that Putin would like Russia to be seen as part of Europe. Look at the fuss that he made when Ukraine was getting too close to Europe [wikipedia.org].
I doubt (Score:2)
I live in Russia and I think that this information is not completely true. Please note that $1.8 billion is a lot of money. What I can see here is that this service is not offered to the general public. It is not advertised, I knew nothing about it before reading this article.
That means that the situation when many Americans are constantly sending things to many Russians is very improbable. What are the alternatives?
They can send these goods to few companies or persons which later resell them in Russia. But he
Re: (Score:2)
I had to ask Google in order to know what a reshipping scam is... To summarize, criminals found stupid people on Craigslist who will accept having goods paid for with a stolen credit card shipped to their home in order to reship them to a foreign address.
And the idea is that you can disrupt credit card fraud by targeting this.
Which is ludicrous because you're relying on people being more sensible than they are stupid and greedy. Hoping the world runs out of idiots is like hoping the sky will be red tomorrow.
There are already several methods that would cut credit card fraud significantly but banks and the general public refuse to use them.
1) 2 factor authentication. This alone will kill a lot of card fraud as it would require the purchaser to enter
Re: (Score:2)
2 factor auth is irritating. I really don't want to carry a bunch of dongles. I'd be open to using my phone for larger purchases, especially online. But what if I can't get SMS where I am? What if I'm on vacation in the Caribbean and need to book an emergency flight, and my phone isn't working properly there? Yeah, that seems far fetched, but it's also happened. I want assurances that my card will work, more than I am concerned about fraud that ultimately doesn't directly cost me anything.
Cash is for chumps.
Re: (Score:1)
You know... I've been carrying cash for years and not had a problem. I do have a high value credit card and a debit card and I do usually use those as the former is automatically paid every month and I think they give me some sort of rewards but it gets me much better service than normal and different hotel rooms and the likes. It's a long story but, suffice to say, it's a decent card.
Anyhow, I'm currently on the road - gallivanting or appeasing my wanderlust. I am doing something I do every couple of years
Re: (Score:2)
I'll try to be brief in response. For starters I do carry cash, not much mind you. When I travel internationally especially outside of major cities or in smaller / less developed countries, then I carry more cash. Because you are right there are all sorts of situations that can arise, especially traveling, where cash.
But, I *only* use cash for those situations. If I used cash more then I'd need to carry a lot more cash. Because if I want to have a couple hundred on me for unexpected situations then I need t
Re: (Score:1)
That's better. I was under the impression that cash was for "chumps" as you'd said so figured you mustn't be a chump and thus wouldn't carry any. I mean, nobody is willingly a chump if they can control it.
Personally, I've got a couple of "nice" (read damned expensive) credit cards that I don't actually bother using. I carry a few debit cards, I typically use those. I keep them linked to special accounts with limited amounts of money in them. I have shared banking with my credit union and can just go where I
Re: (Score:2)
Heh, well, unlike you I still don't advocate actually USING cash. For me, it's the lowest common denominator. I carry some because sometimes you do need the lowest common denominator; but given the choice to use cash vs credit I'll practically always choose credit.
I'm not sure I follow why you use debit cards instead of credit cards. The protection afforded you in terms of fraud protection, dispute resolution etc is far more favorable to the card holder with credit than with debit.
Re: (Score:1)
Happens where I live every year - multiple times a year.
Re: (Score:2)
> What the hell do you do when the power goes out or there's some sort of emergency?
Hasn't happened yet, so why would people worry about it?
You mean like the Northeast Blackout of 2003 [wikipedia.org]?
Re: (Score:1)
You could have read TFA to find out, but apparently that's too much to ask.
Re:Re-what? (Score:5, Interesting)
Basically, there are many businesses in the USA who won't ship internationally for many reasons. Heck, some won't even ship to parts of the USA like Alaska (ask me how I know). Said reasons include customs difficulties, fraud, damage in transit, time, etc...
Thus, there's a market for 'reshippers'. People who accept packages on behalf of their clients and act as facilitators for international shipping. Good ones handle the customs requirements, any extra packaging, etc...
Thing is, they can be a bit like a pawn shop. You have legit ones, and you have ones that are more straight out fences.
Given the description, it sounds like they're ripe for some additional regulation.
Re: (Score:2)
Basically, there are many businesses in the USA who won't ship internationally for many reasons.
Yup. I have a friend who lives in Cambodia and almost no one will ship anything there...so he buys stuff on Amazon, has it sent to my home, and I re-ship it to him.
Re: (Score:2)
he buys stuff on Amazon, has it sent to my home, and I re-ship it to him
Are you a stay-at-home mom making $3,000 per month working 2h a day, like in the ads?
Re: (Score:2)
Are you a stay-at-home mom making $3,000 per month working 2h a day, like in the ads?
I wish. I'm a stay-at-home slacker making omelettes and excuses.
Re: (Score:2)
I was going to buy something from the US but the company only used a reshipper. It was going to cost $15US to ship to the reshipper and another $75US to send it to Canada for an order of about $160US. I did a quick check and with the same shipping company I could get a parcel from my place to theirs for $40 Canadian. I wrote them and politely let them know that they lost the sale because of their shipping policy. It's no good just not buying from them. If you don't let them know that they are missing o
Re: (Score:2)
Driving for ~4 hours round trip (including *2* border crossings and gas money) to save a net of $20 (the difference between $40 direct shipping and $15 within-US shipping, minus the $5 parcel holding fee) is not worth it 99% of the time.
The Great Lakes region is one of the most populated parts of that 100 miles thing, so 4 hours is pretty conservative to go around the lake and then across a busy bridge. I know where I grew up it's more 12 hours total (6 out and 6 back).
Re: (Score:3)
Basically, there are many businesses in the USA who won't ship internationally for many reasons.
There is also the market where these businesses will ship to foreign destinations, but charge a huge premium for the privilege. Thus making dealing with re-shippers attractive.
Re: (Score:2)
MY advice to merchants? Don't ship to Singapore, Eastern Europe, or Central America. To processors, don't sign merchants in Singapore, Eastern Europe, or Bahamas.
Re: (Score:2)
It's also the opposite - there are plenty of foreign businesses who won't ship to the United States. I have a friend who buys a lot of anime goods off Yahoo Auctions JP, and most of the sellers there will not ship outside of Japan. He pays an exorbitant sum to re-shippers to forward the packages to him.
On the business side, I once worked for a place that made airplane parts. One of their customers is a French firm that routinely shipped parts back to them in order to get them fixed. They also had to use a f
Re: (Score:2)
Given the description, it sounds like they're ripe for some additional regulation.
While I don't disagree, it should be noted that one of the reasons companies don't ship internationally is to preserve their local distribution models. From Australia it's often impossible to buy certain big brands (IIRC, things like North Face) from places like Amazon - they have local distribution locked down so they can control the price points globally (Moosejaw have a list of some of these brands [moosejaw.com]).
As a result, reshippers became quite popular in Australia. So much so, that our national postal service ac
Re: (Score:3)
Safekey, 3DSecure, etc have some potential. AVS and shipping checks also.
But the simplest way is to use the stolen card to buy gift cards, use these to purchase merchandise, and fence that via reship or whatever, even eBay.
Once the gift card is used, the link to the original cardholder is lost, AVS is useless. In fact, use out of town mules to use the gift cards, bus them in and out, and even the video of them at the register is useless. Nobody in Seattle is going to look at mug shots from Sacramento to
Re: (Score:2)
But the simplest way is to use the stolen card to buy gift cards, use these to purchase merchandise, and fence that via reship or whatever, even eBay.
Once the gift card is used, the link to the original cardholder is lost, AVS is useless. In fact, use out of town mules to use the gift cards, bus them in and out, and even the video of them at the register is useless.
Have you tried buying a gift card with a credit card? There are a few mall locations which allow you to do this, on camera, but if you try it at a grocery store, they'll deny the purchase. They'll let you buy it with a debit card, but not a credit card (I got to watch an insistent lady in front of me in line try very very hard to throw a hissy fit until they let her get away with it; it was like watching a 19 year old trying to buy alcohol).
Re: (Score:1)
Have you tried buying a gift card with a credit card? ... if you try it at a grocery store, they'll deny the purchase.
Yes, I do it all the time, and no it doesn't get denied. The only catch is that if I buy one and put enough money onto it, the POS terminal asks for my DL# for verification.
So I don't know where you got your information from, but it's flat out wrong.
Re: (Score:2)
Safekey, 3DSecure, etc have some potential to make people's systems less secure
FTFY.
If they make the system so much more secure, why do I have to allow cross site scripting for them to work?
Why do I have to enable javascript for them to work?
I changed my credit card provider because I could NEVER get it to work properly. It still sends me to the "XSS attack page" so I have to click "unsafe reload" but I don't have to provide a password or DoB.
With my old provider I would get a message saying that the transa
Re: (Score:2)
Why horrified? What do you think your chip contains, a wireless connection to your private bank server? Chip-and-pin is no more secure than magswipes, it contains the same data and can often broadcast the data a 100m around you through RFID activation. A culture of accepting that anything makes your card more secure will allow CC companies to lay the blame solely with you in case it does get compromised.
I'd rather keep my mag swipe, in case it gets compromised or even a problem with the vendor (if they won'
Re: (Score:2)
Chip-and-pin is no more secure than magswipes, it contains the same data and can often broadcast the data a 100m around you through RFID activation.
RFID isn't a requirement for chip-based cards. In fact, one of my chipped cards doesn't support RFID. And you're kidding yourself if you think that the cryptographic chip is equivalent to the mag strip.
I'd rather keep my mag swipe, in case it gets compromised or even a problem with the vendor (if they won't do a warranty return), my bank will happily take the charges off the card. Once I've entered a PIN or used any of their stupid 'security measures' (eg. Verified by Visa which is a horribly broken design), they assume I'm to blame for any problem with my card.
You do that. Meanwhile, we don't use the mag strip in Australia, so I'll happily prevent my card from being compatible with the less s
Re: (Score:2)
You do that. Meanwhile, we don't use the mag strip in Australia, so I'll happily prevent my card from being compatible with the less secure USA methodology.
Its worse than you think here. They are finally rolling out chip based cards in the US, and the system is just "Chip" .. no PIN required.
Re: (Score:2)
You're right. It is worse. With a magstripe, the cost of fraud often gets eaten by the credit card company. With crypto chips, the cost always gets eaten by the vendor because of the presumption that the system is secure. Unfortunately, that couldn't be farther from the truth. The reality is that these days, most credit card fraud doesn't involve people visually reading the number off the card. It invol
Re: (Score:2)
You're right. It is worse. With a magstripe, the cost of fraud often gets eaten by the credit card company. With crypto chips, the cost always gets eaten by the vendor because of the presumption that the system is secure.
That's a policy issue, not a technical issue. It's also short lived, very soon all fraud on the magstripe will be eaten by the vendor as incentive to migrate to the chip. If the vendor has a cracked crypto chip reader, well, it's their responsibility to prevent that.
Re: (Score:2)
You're missing my point. There have already been dozens of cases of folks breaking into point-of-sale terminals and compromising the card reader systems. Unlike hitting someone with a hammer, those compromises can happen A. mostly anonymously, and B. remotely from anywhere in the world. Once a communication endpoint (defined as a display terminal in the case of the customer endpoint) is compromised, no transactions made through that endpoint are trustworthy, period. And once you've compromised the term
Re: (Score:2)
There is no exception. Your chip still contains (in most cases in the US) the plain text version of your card information just in case you need to do a transaction when the system is offline (read and weep https://en.wikipedia.org/wiki/... [wikipedia.org]).
I know because I have a chip reader for POS testing and I can often get the plain text information from both the mag swipe and the chip. The only difference with the chip is who gets to hold the responsibility in case it does get compromised.
Re: (Score:2)
You do that. Meanwhile, we don't use the mag strip in Australia, so I'll happily prevent my card from being compatible with the less secure USA methodology.
We certainly have a mag strip on our cards and it's to allow them to be used in countries that don't have chip and pin.
While the RFID doesn't duplicate the chip, it can provide enough information to an attacker to duplicate the mag strip and the info on the front of the card, so that they can send that overseas to an accomplice to write on a dummy card
Re: (Score:2)
No more secure? The secret of the card never leaves the fsking card, that's pretty much the point. The pin is a secondary factor.
Now it would be much better if you never typed your pin into anything shared. Phones with NFC come to mind some companies got a keypad and display to a cc size package. Some got a per transaction "cvv" generated on the card.
Really it is a half step should have moved to NFC based transaction how many people are still walking around with dumb phones?
Re: (Score:2)
how many people are still walking around with dumb phones?
Quite a few. Some, like myself, don't walk around with any sort of phone.
Re: (Score:1)
Then you go without. Just like a non-driver needn't worry about additional driving license regulations.
Way back in the early 2000s a magazine called eWeek had an article about a different schemata. It was a dongle, a PIN, and a hashed value of certain aspects of your thumb print. Something you have, something you know, and who you are. I thought it was probably a pretty good idea. I generally assume any such transaction is unsafe and act accordingly to minimize my personal risks but that's just me. It would
Re: (Score:1)
And I misread your post. *sighs*
My bad. My sincere apologies. I will say three hail RMS' and donate to EFF immediately. I blame lack of coffee - I'm out in my room and the lobby hasn't made any yet.
Re: (Score:2)
So carry cash? Making a small stand alone device that's a tpm (crypto processor whatever) chip, an nfc controller small keypad and lcd display to act as one or more CC is pretty trivial. Hell you can get a fingerprint reader into that form factor.
NFC and similar removes the form factor of having something that has to swipe or plug in. There are a plethora of authentication protocols to provide a second factor that does not matter if it's compromised and do not require it be sourced from your bank. Maybe
Re: (Score:2)
So what happens if you order over the web or phone? I'm guessing the front door looks like a bank vault and the back door is a flimsy screen door as always.
To really be secure, the card should be usable with a small terminal to sign web transactions.
Re: (Score:2)
To really be secure, the card should be usable with a small terminal to sign web transactions.
They added this functionality - it works on all my cards. But only Barclays online banking seems to use it (at least of my cards).
I believe the sticking point is that people don't want to walk around with the card reader device. I can understand it but I do think it's a shame that you cannot voluntarily use it for online purchases instead of all the error ridden JavaScript XSS that you have to work through instead w
Re: (Score:2)
They wouldn't really need to carry the device around, they could just connect it to their PC (USB would be more than fast enough) for ordering over the web.
Re: (Score:2)
TPM etc, your secure bits are not on the phone rather a simple stable module with a well defined access method. The TPM only has one part you still need a pin if you're really worried about it your pins can be one time. It's pretty trivial to print out a few pages of business cards and mail them to you, cross off a pin as you use them in order. So yea if you pown the phone you could get access to have the TPM sign a transaction and a PIN that was entered. If you're that worried about it making a stand alon
Re: (Score:2)
I think you whooshed. I mean you are talking to someone on your plain old telephone circa 1970 and read your card details off to pay for something. No TPM, no chip, just like the insecure old days. If that goes through, then none of the new measures matter much in the long run, they just shift the problem a bit.
Re: (Score:2)
In 1970 they were probably hanging up and calling into the CC company to get an auth. It was insecure.
Re: (Score:2)
The PHONE would be circa 1970 (no reader, no nothing, just voice), the transaction could be taking place this very moment and the chip in the card does nothing. That is, all that supposed extra security can be readily bypassed by a carder, and so it isn't really all that secure.
Re: (Score:2)
Checking ANI's has been a staple of call center security for a long time now. Dialback verification works rather well at stopping fraud. Overall that is leaving a lot more traces than a carder wants to. Simple SMS verification can lock down voice transactions pretty well; it's up to the banks to actually do it, as long as the losses are on the business they have little incentive to fix it.
Re: (Score:2)
So they'll order by mail or the web.
You still seem unable/unwilling to understand that the chip and pin is totally worthless as a security measure for anything but a card present transaction.
Re: (Score:2)
Wrong, that is one of the capabilities of these chips but often, for convenience sake, the chip still contains the same information as the mag swipe in plain text. I have a chip card that I blocked non-encrypted transactions and the chip on the card simply doesn't work at any Wal Mart stores (it does at other stores), eventually (after 3 times chipping) the system will give in and allow me to swipe it.
Re: (Score:2)
The mag card info is not the secret not even close.
Re: (Score:2)
Chip-and-pin is no more secure than magswipes, it contains the same data and can often broadcast the data a 100m around you through RFID activation.
You're mistaken about a few points. First, these cards use near field communication technology, not RFID, and are readable at a distance of less than a few centimeters. Second, the card doesn't re-broadcast your credit card number. It uses on-card encryption to respond to queries without ever giving away the private key. And third, each transaction has a unique code generated by the card itself for each transaction, so replay attacks are not possible. This makes things like ATM skimmers much less practic
Re: (Score:3)
And third, each transaction has a unique code generated by the card itself for each transaction, so replay attacks are not possible
Well, almost. If correctly implemented. Unfortunately, the security depends on an 'unpredictable number', which in a lot of devices is a simple incrementing counter, so if you can do one transaction with your real card and intercept the signals (you can buy off-the-shelf things that look like a credit card and contain a couple of extra chips for this) then you can predict it for the next transaction and bypass much of the security. Oh, and the fact that the bank authenticates the card but the card doesn'
Re: (Score:2)
Just a point of fact: the above is 100% false. The EMV transaction includes some info, but less than the full magstripe, so it cannot be used to make a "Target" style fake magstripe card. This is why all the Target style breaches have been in the pre-EMV USA.
Re: (Score:2)
I visited USA last year, and was horrified when my transaction went through when the merchant swiped the mag strip on my Australian chip-and-PIN card, without requiring my PIN or signature.
Signatures are not required on charges of $25 or less, since the store is indemnified against a loss up to that amount, when they fail to collect a signature. Over that amount, it usually requires a signature, and then your signature is floating around as a digital copy for a forger to use.
Chip-and-PIN has reduced brick and mortar fraud, but online fraud is alive and well, as is ATM fraud. Just expect that, as in Europe, the U.S. incidence of card skimming, card trapping, and cash trapping to go through t
Re: (Score:2)
It's not that bad. In the US, I'm only liable for $50 from fraudulent credit card transactions, and the card companies waive that. (I don't know how it works with an Australian card, or in Australia, but that's not the normal case for US merchants.)
I check my credit card statements when they come, to find fraudulent transactions. If I report them, I'm fine. I don't have to pay, and it doesn't hurt my credit rating.
This means that I'm not paying for security problems, but rather some combination of
Re: (Score:3)
Regulating re-shipping or breaking re-shipping? I use a mail forwarder because I live in Panama. There are many things I can buy online that are simply not available locally, from my wife's designer shoes for her tiny feet whose size no store ever carries stock, to the latest computer parts for me. They all get shipped to my mail-forwarder in Miami (took all of 15 minutes to set up an account), and it all gets re-shipped to me. Takes about a week to clear customs, etc, and it's expensive as hell since we're
Re: (Score:2)
The more straightforward solution seems to be to simply make CC fraud much more difficult. We have the technology to do so, but seem unwilling to implement it. The new CCs in the US are better in that they have chips, but inexplicably still use signatures rather than PINs.
I personally know of 9 methods of scamming a chip-and-PIN system. The only real value they have are to the credit card company, and the merchant, both of which get to blame you, instead of being blamed themselves, for when one of these scams is run. The intent is clearly to offload the cost of fraud onto the consumer, rather than keeping it the problem of the large financial markets that have some hope of being able to curb the abuses, by virtue of economy of scale approaches to the problem.
The typical Ru
Re: (Score:1)
I read the whole summary and I still don't understand what the fuck they mean by reshipping or how the scam is being done.. Don't they know how to summarise properly anymore?
It would hardly be sporting for the editors to have any explanatory information in the summary, now would it?
Slashdot is one of the few places that routinely publishes "summaries" that are 100% content-free. I always marvel at how they do it- you'd think that a stray bit of info would find its way into the summary by chance once in a while but that doesn't seem to be the case here.
Re: (Score:2)
It wasn't always like this. Slashdot seems to wield a universal bike shed field only instead of everything tasting like chicken everything tastes like bike shed. Useless summary is the universal chicken sauce of click to view.