dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
4759
share rss forum feed


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Why Card Fraud Grows

By Tracy Kitten
Missing the Mark on Secure Card Tech Will Haunt Any Issuer

Payments card fraud is a growing concern for U.S. card issuers, yet few have taken dramatic steps to fight it.

Last week's announcement that major card brands and domestic issuers are joining forces to create an EMV Migration Forum reflects at least some interest in enhancing payment-card security.

The forum, an independent, cross-industry organization, hopes to serve as a catalyst for wider adoption of chip-card technology. The group plans to support EMV implementation steps required for global payment networks, regional networks, card issuers, processors, merchants and consumers.

We'll have to see if the forum jump-starts an organized U.S. movement away from mag-stripe cards and toward EMV cards, an essential component of the fight against POS fraud.

Chip cards that conform to the Europay, MasterCard, Visa standard are inherently more secure than mag-stripe cards because the data stored on them cannot be skimmed. EMV chips are microprocessors that use cryptographic algorithms to enable dynamic authentication through a sequence of encrypted exchanges with EMV-enabled card readers. Thus, card data contained on chips is encrypted, so it cannot be read in the clear. Mag-stripes, on the other hand, cannot communicate dynamically with card readers. Transactions are authenticated by simply reading information stored in the stripe, where data is not encrypted.

It's clear the U.S. needs to get away from mag-stripe transactions: Both Visa Inc. and MasterCard have issued EMV migration dates, and Discover recently followed suit.

But the card brands have been focused on EMV for credit, not debit.

Visa says transactional complexities surrounding debit, as well as questions about interchange and fraud incentives offered by the Durbin amendment to Dodd-Frank, are primarily to blame.

Still, with debit fraud increasing, why would we continue to use card technology with known fraud vulnerabilities? We can see from other markets that enhancements in payments technology, such as the chip, do improve security, subsequently reducing losses related to card skimming and POS network attacks.
»www.bankinfosecurity.com/blogs/c···s-p-1329
EMV Migration Forum

The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance to address issues that require broad cooperation and coordination across many constituents in the payments space to promote the efficient, timely, and effective migration to EMV-enabled cards, devices, and terminals in the United States. A broad cross-section of leading payments brands, issuers, payments processors, and industry suppliers are behind the effort to establish the Forum. The EMV Migration Forum will support the alignment of the EMV implementation steps required for global payment networks, regional payment networks, issuers, processors, merchants, and consumers to successfully move from magnetic stripe technology to secure EMV contact and contactless technology in the United States.

EMV Migration in the United States
Commonly used globally in place of magnetic stripe cards, EMV chip cards reduce fraud resulting from counterfeit, lost and stolen cards. American Express, Discover, MasterCard and Visa have all announced their plans for moving to an EMV-based payments infrastructure in the U.S., with payment processor mandates in place for 2013, and major changes for managing fraud risk set for 2015.

Experiences in other parts of the world have shown that that cross-industry cooperation is essential to allowing a market to migrate to EMV in an efficient manner and to yield the full benefits of such an upgrade in technology to consumers and other constituents. The EMV Migration Forum has been formed to provide the collaborative environment for the U.S. payments industry and to focus on the needed coordination and cooperation across the payments landscape.

»www.smartcardalliance.org/pages/···on-forum
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

1 recommendation

If it is bad in the US then losses are even higher in less developed countries. As it is bad for commerce to advertise the fraud losses and thus discourage people from indebting them selves with credit card then such loses are conveniently covered silently (or with minimum necessary public mention) by the banks and credit card companies.

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2012/13



DownTheShore
Honoring The Captain
Premium
join:2003-12-02
Beautiful NJ
kudos:14

2 recommendations

reply to Name Game

For early-morning readers like me whose brains aren't firing on all cylinders yet:

Europay, MasterCard, Visa = EMV



I_H8_Spam

join:2004-03-10
St Catharines, ON

1 recommendation

reply to Name Game

This chip & pin system has been in pay for a few years in Canada, recently a couple major banks have amended card terms to shift card liability to the holder for unauthorized transaction that use the pin.

So if your card is stolen and pin captured, you are on the hook for all activity. Stark contrast to the zero liability of before.

EMV is more interested in protecting itself, then protecting you. Shift the liability to the end user.
--
AFK: Attack, fight, kill!! The healer is telling you to go pull mobs.
WTF: Way to fight! The healer is applauding your tactical genius


TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

said by I_H8_Spam:

This chip & pin system has been in pay for a few years in Canada, recently a couple major banks have amended card terms to shift card liability to the holder for unauthorized transaction that use the pin.

And which banks would those be?


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24

1 recommendation

reply to Name Game

I am a total cynic, of course. So, my thought is just another little loss of privacy re: a chip, in the name of security.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

2 recommendations

reply to I_H8_Spam

said by I_H8_Spam:

This chip & pin system has been in pay for a few years in Canada, recently a couple major banks have amended card terms to shift card liability to the holder for unauthorized transaction that use the pin.

So if your card is stolen and pin captured, you are on the hook for all activity. Stark contrast to the zero liability of before.

sshh! listen closely to that.
US financial institutions are paying close attention to these developments abroad. You should too because in the end it's about whose end is going to be responsible for credit/debit card fraud in the US.
As it stands today, a US based credit card user is generally limited to the first $50 of loss due to fraud. The rules for debit cards are different (less favorable for the consumer) but every US based debit card issuer voluntarily applies the credit card rules to their debit cards that I'm aware of.
I'm not familiar with the rules or rule making process that Canadian card issuers follow but in the US card issuers do not make up their own rules. They are bound by rules set by regulators.
Here's a brief overview of what has happened with credit/debit cards & what I expect to happen.

Card issuers geared up for & won the battle of consumer acceptance.
Cards are profit centers for issuers, the more they issue & more importantly how often their used will have a significant impact on their earnings.
The largest obstacle in consumer acceptance was the legitimate & real concern over whose money is lost due to fraudulent use of a consumers card.
The issuers embraced the regulations pointing out that $50 was the maximum exposure a consumer would be liable for.
To sweeten the pot of consumer acceptance most banks also waived that $50 leaving the consumer with $0 liability.
That battle is over.

The issuers now are gearing up for the more formidable battle of changing user perception re card security.
To that point US issuers have made dramatic & significant improvements in card security in the past several years.
e.g., today it is not at all uncommon for a US based issuer to contact a card user re a change in usage pattern asking if a charge(s) are authorized. Today issuers can with almost 100% certainty flag a transaction as fraudulent even without asking the user. Real time monitoring has made huge advances in the past several years helping issuers reduce loss to fraud.
These improvements have a single goal but different purposes.
The goal is to reduce loss due to fraud - period.

If only that were the end of the story...
Let's not be naive enough to believe that issuers are going to accept being responsible for loss due to fraud until the end of time.
What's next?
The sequel:
"Issuers vs Users Whose Dime Is It?"
Issuers will heavily lean on the improvements re card security in the sequel. Astroturfed stories about how careless & even 'stupid' users are to blame for fraudulent card use. A shift in perception is what this battle is about.
Issuers will push stories about how 'common sense' of the user is the first line of defense.
Subtle shifts in perception, barely noticeable if you're not paying attention will (have) taken place.
Users over time will start buying into that nonsense believing they can actually protect themselves from fraudulent use.
At that point the issuers go to work on the regulators, showing how consumer perception has changed enough through improved security that shifting the loss from the issuer to the user is politically doable. Users won't like it but that doesn't matter as long it doesn't upset the power grid it's a done deal.

Here's the truth.
I don't care what you know, who you know or who you are.
You cannot give yourself 100% protection against fraudulent use of a credit/debit card.
You can't fault the issuers for wanting users to insure themselves but it's also not fair to ask a defenseless user to defend themselves.

Here's a fast & easy self test to determine how much of a risk you pose to yourself re card security.
How offended or how stupid did I sound when I used the term
"defenseless user"
If you said
"I'm not defenseless or he doesn't know what he's talking about"
Then I'm writing this for your benefit.

For sure there's countless articles about protecting ones identity, some even offer practical advice that can reduce fraud significantly.
Wait, why is word 'reduce' highlighted?
Because user diligence in reducing fraud has ZERO to do with user diligence eliminating fraud.
Reducing is not the same thing as eliminating.
The battle will spin on that seemingly minor difference.
A shift from issuer liability to user liability is an important issue that every user should pay attention to.
Next time you read a story about how stupid users have stupid things happen to them ask yourself if the story is more about changing your view on user liability.

Hopefully a few formerly 'secure' card users come away from this post feeling 'defenseless" because you are.
It's just a matter of whether you know it or not.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

I bank with TD bank Canada since they bought up my bank..I use my card from them for credit and debit...when I cruise..I call them ahead of time and let them know..but we travel alot beside that and they call me often on my cell phone to make sure charges we have just made are legit for us since they are made away from areas of the country where we live..I like that..still we are vulnerable and we know it..most of the time we just use the card for debit at places we trust..then get extra cash back ..$100 to 200 each time.. and also use it at ATM's we trust. We do this so most transaction are with cash since there are very few places we trust and we would rather use cash than have most places even touch our cards.
»www.tdbank.com/debitreissue/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



I_H8_Spam

join:2004-03-10
St Catharines, ON
reply to TheMG

From letters I have received:

MBNA - Mid 2011
Bank of Montreal - Feb 2012
Canada Trust - July 2012

Amex no change, my recent renewal has a chip; but no machine accepts it yet.
--
AFK: Attack, fight, kill!! The healer is telling you to go pull mobs.
WTF: Way to fight! The healer is applauding your tactical genius



ashrc4
Premium
join:2009-02-06
australia
reply to Snowy

said by Snowy:

Here's the truth.
I don't care what you know, who you know or who you are.
You cannot give yourself 100% protection against fraudulent use of a credit/debit card.
You can't fault the issuers for wanting users to insure themselves but it's also not fair to ask a defenseless user to defend themselves.

Chip and Pin cards (SDA type) now have possible exploits.

Researchers in the United Kingdom say they have mounting evidence that thieves have been quietly exploiting design flaws in a security system widely used in Europe and Australia to prevent credit and debit card fraud at cash machines and point-of-sale devices.

»www.theage.com.au/it-pro/securit···ts1.html

Basically,

In their provided analysis the Cambridge researchers have assumed that the chip cards are so called SDA cards. Those cards are really not better than mag stripe cards which are very vulnerable to skimming and cloning.

If the original card which was skimmed was of the SDA type, then there is a theoretical possibility that the cloned card might be able to fool the POS terminal that it is genuine card. Further if the POS terminal has fully predictable random number generator the crook may be able to try to replay cloned EMV ARQC and EMV TC data to the issuer host hoping they will not detect duplicates. Any reasonable implementation of the issuer EMV authorization system should be able to detect duplicate transaction attempts (for example using ATC - Application Transaction Counter - data from the card, which is part of the ARQC and TC cryptograms) and the transaction must be declined.

On the other hand if the issuer (bank) provides legitimate cardholder with so called advanced DDA card the EMV protocol should catch the fraudulent transaction attempt even before the POS terminal vulnerability can be attempted to be exploited. In other words if DDA EMV card is used this attack is not applicable.

I think you can fault the POS machines issuer's though.
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to I_H8_Spam

said by I_H8_Spam:

This chip & pin system has been in pay for a few years in Canada, recently a couple major banks have amended card terms to shift card liability to the holder for unauthorized transaction that use the pin.

So if your card is stolen and pin captured, you are on the hook for all activity. Stark contrast to the zero liability of before.

EMV is more interested in protecting itself, then protecting you. Shift the liability to the end user.

This could have ominous implications for online business that currently only involves the user entering a card number and PIN. If the liability for such transactions is shifted to the consumer because he can't physically use a chipped card, consumers will perceive online transactions to be even riskier than they are now (at least I can actually "see" a bricks-and-mortar store I patronize). It will be interesting to watch as this all plays out...
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:31
reply to Snowy

said by Snowy:

"Issuers vs Users Whose Dime Is It?"

There's another player in this and that is the merchant.

There are two primary use cases with respect to the fraud and the user today.
1) The user detects the fraudulent transaction. The user calls the issuing bank and disputes the transaction. Issuing bank posts a chargeback to the merchant. Merchant is now out the $$$ unless they can prove the transaction was legitimate. Issuers are not out $$$, although there is a finite cost of processing the chargeback.

2) The user does not detect the fraud. User is out the $$$.

In order to speed the adoption chip cards, both Visa and MC are going to shift the liability for fraudulent mag stripe transactions from the user to the merchant. This result is no different than use case #1 today.

However, what Visa and MC are really saying to the merchant is "You will no longer be subject to chargebacks for transactions done with chip cards". i.e. the onus will now be on the user to prove the transaction was fraudulent rather than on the merchant to prove it was legitimate.
--
There are 10 kinds of people in the world; those who understand binary and those who don't.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Blackbird

Entering a card number and PIN? Where do you do that? My credit cards don't have PINs. You enter the credit card number and card expiration date and, if the site is a trustworthy, smart site, you are also required to enter the the 3 digit number on the back.

I already hate shopping online so a shift toward making the customer liable would mean I would stop shopping online except when absolutely necessary. Will this shift to customer liability exist for phone transactions? I always call the site, if that is possible, and purchase from a CSR. Of course, I use a CORDED landline for the transaction.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to More Fiber

said by More Fiber:

In order to speed the adoption chip cards, both Visa and MC are going to shift the liability for fraudulent mag stripe transactions from the user to the merchant. This result is no different than use case #1 today.

However, what Visa and MC are really saying to the merchant is "You will no longer be subject to chargebacks for transactions done with chip cards". i.e. the onus will now be on the user to prove the transaction was fraudulent rather than on the merchant to prove it was legitimate.

How does making mag strip cards more attractive to the user than chip cards get chip cards adopted faster? What you said doesn't make sense. Are you referring to the banks getting faster acceptance of chip cards by merchants? If so, they still have to get consumers to suddenly accept all liability. How is that going to happen? Even with inattention of Americans to most things these days, this will cause a huge outcry and if the banks won't issue a mag strip card to customers who demand that and tear up the chip card that was sent unasked for...well, how are the banks going to get this switch over accepted quickly? It probably will all depend on whether or not the Democrats can keep the White House as the Republicans are drooling at the notion of being able to royally shaft average Americans on this and on everything.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

1 recommendation

reply to Mele20

said by Mele20:

Entering a card number and PIN? Where do you do that? My credit cards don't have PINs.

I believe the issue is the fact that these days the distinction between credit cards, debit cards and ATM cards is no longer clear.

You're correct, an actual credit card has a number, expiration date (and these days) a CCV (Credit Card Verification) number on the back next to the signature panel. A credit card can also have a PIN which allows the holder to withdraw cash from certain ATM's. However such cash withdraws are credit charges (i.e. are not linked to a Bank check/savings accounts) and appear on your monthly bill. The use of PIN's with credit cards is not common.

However these days debit/ATM cards look and act like credit cards. The only real difference is that they are linked to Bank check/savings accounts and the PIN accesses those account. Cash withdraws and purchases are not credit charges with these cards and come out your account immediately.
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

I am completely clear on the distinction between credit cards, debit cards and ATM cards and always have been. I made it my business years ago to educate myself on this. I have no idea why others are confused as I am sure everyone could do what I did and get educated!

I know what a debit card is and only a fool would have one today and anyone with one, when the changes happen, would be an even greater fool. An ATM card is NOT a debit card. How many times do I have to say this here? An ATM card has a pin and is connected to either your checking account or your savings account or both ....however YOU tell the bank to set it up. It is not connected to a credit card with that bank and it cannot be used for ANY PURPOSE EXCEPT at ATM machines for that bank or a network of banks your bank is affiliated with for ATM usage. I never use an ATM other that those owned by my bank as I have to watch my money and do not wish to have $3 fees if I use other banks in the teller machine network. When I travel, I take travelers checks which are FREE of charge from my bank if I get $1000 or more. I don't travel outside Hawaii often but no problems in Hawaii with using travelers checks and you can always cash some before you leave your hotel that day as any hotel will cash them even if some merchants won't out of ignorance. Or go in the nearest bank and cash some. They don't expire so you can use them for years and even pay bills like Macy's lets you pay your bill with travelers checks.

ATM cards have been around ever since the first ATM machine many, many years ago. Debit cards have been around for over a generation so don't tell me that folks are confused about the differences in the three kinds of cards because debit and ATM cards are something relatively new. If people are confused they have only themselves to blame and with the internet it is easy to become unconfused. Your bank wants you confused. They want you to use a debit card and no credit card because the rules that protect you, currently, with credit cards and fraud are not there or are much laxer with debit cards. ATM cards can be attached to a small savings account only and never attach all your accounts for access in an ATM or ONLINE at your bank's website. Debit cards don't need to attached either to any account with a lot in it. Have the bank attach the debit card only to one account that is funded just for when money is needed quickly. You have to tell your bank how you want your cards set up. Refuse all pins for credit cards and complain to the issuing bank if a pin was sent unsolicited, never attach all your accounts to a debit card (if you mistakenly think you must have one), and use a pure ATM card to access your bank account (preferably a savings account that does not have a lot in it) in an ATM instead of a debit card. Pay your credit card off each month in full, use one that gives you mileage or cash back and do not fall for any sales spiel that a debit card can give you mileage or cash back so you should have one instead of the safer credit card. Insist on a credit card not a debit card. And complain like hell to any bank you have a credit card with about these upcoming changes. Let them know that you will be cancelling your cards if fraud liability is placed on the card holder's shoulders.

I believe that a lot of this confusion about the different types of cards is deliberately fomented by the banks so that these upcoming changes will appear more "palatable" and to ready the public to becoming docile fools who will accept responsibility for fraud.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

1 recommendation

Not sure if your rant was directed at me (it was a reply to my post). I was simply answering your question (as quoted) about credit (not debit or ATM) card PIN's.

For many banks (big guys anyway) a debit card is the ATM card. They're one and the same. That said some cards are ATM only. I have a few of those from smaller banks.
--
Don't feed trolls--it only makes them grow!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Yes, I was replying to this:

"I believe the issue is the fact that these days the distinction between credit cards, debit cards and ATM cards is no longer clear."

The distinction is quite clear. Banks may try to obscure it and customers have to educate themselves. I am not sure why anyone would need more than one ATM card from one bank where they have either checking or savings account so they can get cash using that ATM card. I have not the vaguest idea what Chase or Discover or CapitalOne, etc. have for an ATM card because I would NEVER have my checking account with one of them! That would be crazy. They are bad enough for credit cards (I am a party to the successful class action against Chase for the shit they pulled on many credit card accounts back in 2009 and I am not a fool. I would never have a checking or savings account with an arrogant bank like Chase or many other huge, nation wide ones).

I have credit cards with both of the big banks in Hawaii and with the third largest bank also. NONE of my credit cards are tied to other accounts at the banks. I cannot use my credit cards in these banks ATMs. I have a SEPARATE ATM card from each bank as that is the safest thing.

I was not ranting. I was pointing out the idiocy of having debit cards which is not something I have just dreamed up but is a fact and one that most Americans refuse to acknowledge ...no wonder Americans will be easy pickins for changes designed to place fraud responsibility on the shoulders of the card holders as it is already half way there on debit cards yet folks continue to use them instead of safer credit cards.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Well I agree, in general, about debit cards. I do have one that I use as a credit card (it's linked to a Health Savings Account). That said I don't keep it in my wallet. The other one is from a major bank and I use it only as an ATM card. That bank is constantly sending me offers to lure me into using it for purchases etc. Like you I'm not falling for it.
--
Don't feed trolls--it only makes them grow!



More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:31
reply to Mele20

said by Mele20:

How does making mag strip cards more attractive to the user than chip cards get chip cards adopted faster?

Users will be persuaded with massive advertising campaigns by MC and Visa that chip cards are more secure. Before that can happen, merchants will have to have readers that accept the cards.

Convincing merchants they will no longer be subject to chargebacks is about persuading the merchants to invest millions in new readers that can accept chip cards. Since merchants are eating fraud chargebacks today, investing in chip readers should eliminate those loses.

Legally nothing changes responsibility with chip cards. The user is still only responsible for the first $50 on a fraudulent credit transaction. However, like debit cards today, the user will be responsible if the pin is compromised.

The problem for the user with a fraudulent chip transaction is going to be proving that the cryptographic algorithms on the chip have been compromised.
--
There are 10 kinds of people in the world; those who understand binary and those who don't.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by More Fiber:

Legally nothing changes responsibility with chip cards.

Yes, Congress determines liabilty/limits.
said by More Fiber:

However, like debit cards today, the user will be responsible if the pin is compromised.

Assuming you're talking about a credit card & not a stored value card, there's no doubt issuers would like to see that codified but has Regulation E been modified to incorporate that change?

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to More Fiber

said by More Fiber:

Legally nothing changes responsibility with chip cards. The user is still only responsible for the first $50 on a fraudulent credit transaction. However, like debit cards today, the user will be responsible if the pin is compromised.

The problem for the user with a fraudulent chip transaction is going to be proving that the cryptographic algorithms on the chip have been compromised.

What are you talking about? I don't have PINS. I have credit cards. If I need to write a check I will do so....why would I use a debit card when I have a checkbook? Or I would pay with something called CASH. I use credit cards for their safety and their other advantages (like mileage, cash back), and because sometimes I need to carry a balance as I live on a modest income in a very expensive state. For those with tons of money why not just pay in cash? Why hassle with a debit card and hold up the line behind you (not to mention the inherent dangers in debit cards over cash or check or credit card)? Debit card users take a lot more time in a checkout line than do credit card users or even check writers. The rude people are generally those using debit cards.

Why would the customer have to prove that the cryptographic algorithms on the chip have been compromised? If I use my RFID card and wave it at the machine and then someone later charges $500 to my card from Spain why would I need to prove anything? I did not enter a PIN that could be compromised. There is no pin on this card. It is a credit card. If the bank told me I would have to use it like a debit card and enter a PIN that would be insane because one reason to use it is that it is contactless and supposedly faster and safer than a mag stripe credit card. I don't care about the faster as you still have to wait for the receipt which can take a long time, but I get tired of having to swipe a card several times to get it to "take" so waving it over the machine would be an advantage especially when under $50 so no need to sign (but you still need the receipt). I would return any credit card that requires a pin be attached to it and cancel the account.

What I see as the danger is not what you see (which I think you mean debit card only and you are not talking about credit cards). I think the danger in RFID cards is the problems with proper shielding. Who wants to carry a separate billfold for those cards? Men maybe, but women want a selection of nice billfolds to choose from and I have not seen any that have shielding that are attractive and fashionable and the right size for my purses. I'd rather carry a checkbook (builtin to the wallet) than a separate, bulky RFID shield that would be smaller than my wallet and require fumbling in my purse for taking up the time I might have saved by waving the card instead of swiping it.

How would a credit card holder, with RFID chip, who uses the card on a phone transaction, on a corded landline, or online where the 3 digit code on the back of the card is asked for by the website, or where the card holder uses a one time (or short time....Discover's is 6 months and I hope they shorten that) number have to prove later that the algorithims have been compromised if there is a fraudulent charge? The card holder might have to prove they used a corded landline (a good reason for keeping your landline) but other than that I don't see how the card holder would have to prove that the algorithms on the chip have been compromised as that has nothing to do with internet and phone purchases. Banks could require hardware be attached to one's computer/phone so that the card is inserted into the hardware when a purchase is made. American Express did that many years ago and I was a tester for it.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to Mele20

said by Mele20:

Entering a card number and PIN? Where do you do that? My credit cards don't have PINs. You enter the credit card number and card expiration date and, if the site is a trustworthy, smart site, you are also required to enter the the 3 digit number on the back. ...

That 3 digit number is what I was referring to. A bad choice of terms on my part in calling it a PIN...
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:31

1 recommendation

reply to Mele20

We're talking about two different things. RFID and EMV are two different things. EMV cards are commonly know in Europe as chip and PIN cards although not all EMV cards use PINs. EMV cards also known as smart cards and require a contact reader.

said by Mele20:

Why would the customer have to prove that the cryptographic algorithms on the chip have been compromised?

Because EMV will put us back where we were before congress passed the credit card liability law. If your chip and pin card is used at a merchant in Spain, you can dispute that charge and the chargeback will occur, but the merchant will have proof that your PIN was used since his system will show that the cryptogram from the EMV card contained a correctly encrypted PIN. Therefore, you must have entered your PIN at the POS terminal.
--
There are 10 kinds of people in the world; those who understand binary and those who don't.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by More Fiber:

Because EMV will put us back where we were before congress passed the credit card liability law.

Where are you getting that from?


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Name Game

Informative 3 page thread here on EMV

Views on EMV (chip & pin) usage in the US?

»ficoforums.myfico.com/t5/Credit-···/1505804
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


davews

join:2012-08-07
united kingd
reply to Name Game

I am amazed reading this thread how behind the times the USA is with credit cards. Here in the UK, and most of Europe, credit cards have ALWAYS come with PINs, so that you could use them in ATM machines to withdraw cash (at exhorbitant interest rates). For quite a few years now this has also been used with the EMV chip and pin system, which is now pretty well universal in stores for both credit and debit cards. Cheques (checks in your dictionary) are not accepted by most stores and there were plans to withdraw them, fortunately put on the back burner at the moment, but cheque usage is now pretty low and some bank accounts don't even come with them. We also have the Mastercard SecureCode and Verified with Visa online verification schemes for online purchases which are very common in the UK, as is supplying the CVV 3-digit code in online purchases.

It frustates me when buying from USA online sellers that they don't use these systems, which certainly help to reduce card fraud.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to More Fiber

Huh? Credit cards do NOT require pins. If there EVER is a change in that then a lot of folks, like myself, will instantly stop using credit cards. Since that is an extremely gigantic change for Americans and would prove very painful I can't believe that sort of nonsense would ever go over here. I still believe that you are talking about debit cards. EMV is NOT on table in this country. RFID is.

I do not believe for one minute that Americans would allow this utter nonsense and basically evilness. I can see Americans accepting EMV for debit cards but NEVER for credit cards. Debit cards in this nation do NOT have the protections under federal law that credit cards have. That is why only foolish people get debit cards.

--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to davews

Europe never had ATM cards for use to withdraw cash from checking or savings? That is sure backwards of Europe. How does someone in Europe get cash from their checking or savings account? They have to actually go into the bank during banking hours? Why would anyone want a credit card to use to get cash from? That is nuts. A credit card is credit card. If you need cash, you use an ATM card in a terminal and get cash from your checking or savings account OR you use a debit card. Europeans actually fell for such absurdity as using a credit card...not a debit card to get cash? You were not able to refuse having a pin attached to a credit card? That is mind boggling insanity.

Americans already have the ability to withdraw cash at the merchant's terminal (not all merchants but many large ones) using a CREDIT card and NO pin and the very same interest rate that is on the credit card. I don't like this feature on my card. It drives me nuts as I am always forgetting to click no for cash back and the transaction is delayed until I finally notice and click no. If I need cash I will simply walk over to my bank's ATM a few steps away and get cash from my checking account. This particular credit card has a reasonable interest rate and that same reasonable rate for cash back on the card but why would I ever want cash back on a credit card? That makes no sense. Cash back on a DEBIT card would be different as that is similar to walking over to the bank ATM terminal and using my bank's ATM card but lacks the safe guards of using the ATM card instead of the debit card.

Online USA sellers that are smart require the 3 digit code on the back of the card. Don't patronize those that are too lazy to set that up. Tell that online seller that won't give them your business until they require the 3 digit code. They will require it quickly enough if they lose business because they don't currently require it. Now Verified for Visa and SecureCode for MasterCard we also already have. What we do NOT have is Europe's harebrained scheme of forcing pin numbers on credit cards...if you want a pin on it we have that for many years but we don't force the crap system that Europe has that is so unfair to consumers on USA citizens. Just as we don't deny senior citizens cataract surgery until they cannot drive, cannot see to read, use a computer, watch TV, and fall and break a hip, like England does to save money.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Snowy

said by Snowy:

Assuming you're talking about a credit card & not a stored value card, there's no doubt issuers would like to see that codified but has Regulation E been modified to incorporate that change?

I can't believe a change as important as this would happen without a lot of debate in this country. If somehow it has happened, and I am unaware of it, then how come I can use my PIN LESS credit cards? And how come the issuing banks have not sent me notices of changes in liability? I actually read those...I may not remember all I read...but I read it when it comes and I would certainly have noticed any massive change like this!

What's a "stored value card"? I've never heard of it.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson