Basically: the form of fraud it protects against is very rare in the US, and consumers find memorizing another number painful. Europe adopted chip+PIN not because anyone really wanted it but because it was mandated by law. It’s unclear that it has actually been effective.
They are, but people use their debit cards for ATMs and mostly use credit cards for other transactions (for those that do have credit cards, which is a majority of people). All of my credit cards came with some type of PIN for using them at ATMs for cash advances. I couldn’t tell you a single one of them.
Maybe the difference is that more Americans have credit cards than Europeans.
This is particularly evident in East European countries, e.g. here in Poland credit cards are far less common than debit cards. And so people use them to pay in their grocery store as well as in ATMs.
I, for example, didn't have a credit card until recently, when I wanted to rent a car; it looks like a credit card is (almost) mandatory, and I use it only for that purpose.
So it just sits in my drawer until once a year I take it out when I go on vacation and rent a car there.
I know it's piss poor security, but I just have the same PIN for my debit and credit cards.
At one point, I actually just had a single, combined debit and credit card. It worked for both, so I could use it at an ATM, as well as use it as a CC.
> You have _much_ less fraud protection with a debit card.
Having had ~US$20K sucked out of my debit card (which was ~$10K more than I had), I can verify that you have essentially no recourse. Why the stupid bank authorized someone to go over by such a yuuge amount still baffles me...
Any idea how that happened? I have a combined credit/debit card, but debit is chip only so it can't be copied. I can't see how it could be misused except at gunpoint.
Sure ... it was a chip-less Visa debit card. My point is simply because it was routed to a DDA, not a credit line, the typical protections for a credit card don't apply. (This was the US). They are pretty clear about this in the contract. We even found footage of the malefactor checking out of a department store. Live and learn, I guess... This was some years ago. Now, I almost never leave the house with a debit card, and I have all my cards make my phone go bing! when they are used.
Assuming you can stomach $50 in the case that you do drop the ball notifying the issuer upon realizing your physical card was physically lost, how do the rules differ appreciably?
Also, how does not having a debit card significantly alter the exposure of a given deposit account (e.g. through the ACH network), besides just having one fewer network address? It seems like the better option is to get a feed of transactions in a convenient manner, whether tablet notifications or an OFX feed.
(Not that I don't want to stick it to the banks as hard as possible for perpetuating this negligent payment network and tricking customers with terms like "identity theft", but just pragmatically speaking)
Debit card fraud drains your checking account, creating a short-term emergency: legitimate transactions are then returned for insufficient funds or create overdrafts. Both carry punitive fees. The bank has to restore your funds eventually, but in the meantime, there could be an eviction notice on the door.
You generally share your bank account number with a small number of trusted parties: employer, landlord, creditors, utilities, tax man, etc. Exposure is low. When you start swiping a debit card around town, you hand out the same level of access to every merchant you buy anything from, and whomever might be skimming their terminals or stealing their databases.
Credit card fraud adds to your balance, but you don't have to pay it while the investigation is ongoing. Typically they revoke your card number and mail you a new one. During that time, you live off of a different credit card or your debit card. Critical payments go straight to your bank account and are unaffected. When the investigation is over, the charges disappear. At no point are you deprived of actual money; you merely have an inflated short-term debt.
I agree, but these seem like operational concerns that you'd anticipate for each individual account in today's world of broken payment networks. It might even be nicer to have bank account disabled with a few hundred in it, than temporarily lose a credit card with a high limit that you funnel larger payments through for the rewards. You can't prevent this, so my comment was focused on how much you could actually lose after the dust settled.
Good point about a check bouncing though. I would think your bank should waive any charges (after all, you weren't defrauded nor did you write a bad check), but the recipient might complain about their bank's fee (for essentially a rejected ACH transaction, but I digress). Although speaking of checks, readily handing out a printed withdrawal key seems like a poor idea if your goal is avoiding surprises!
> You generally share your bank account number with a small number of trusted parties
Every second website I buy stuff at has my IBAN.
Looks like it's a very different situation here in Europe.
Sadly, too many US websites don't allow this; I ended up having to get a CC (and pay for it!) just to deal with US bullshit websites demanding a CC. That CC cost me more in fees than I've ever lost in debit transactions.
Credit card is the same old debit card with additional "automatic loan issuance on insufficient funds" service. With debit, your risk is limited to whatever is in the account associated with the card. With credit it is the same risk plus your credit.
Your funds are not really at risk of permanent loss in either case. The difference is what happens in the short term. Also it’s not true at all that debit card losses are limited to your balance. Banks will approve transactions that put you well into negative balance and charge overdraft fees.
Each location you use a card increases the risk of the number getting copied. So using a debit card exposes tons of possible people with entry points into your account.
So once you assume whatever you use will get stolen, you determine what dealing with a stolen card number will be like. With debit cards it's your own cash locked up in a transaction dispute. With credit cards it's the credit card company's credit balance and you have no money locked up.
In the US, your ATM card is (at least) often a debit card. Perhaps there's some way to flag them so they can be used only as an ATM card up to the usual daily limits. I agree with your basic point though. I have the card but essentially never use it except for withdrawing cash.
I had a debit card from Citibank but I had to call and specifically request only an ATM card as debit cards are absolutely horrendous. They were able to issue an ATM only card.
My standard Chase ATM card can be used at stores as either credit or debit. Some payment terminals say "enter PIN for debit, or press continue for credit". Some don't, but at at least one store, despite the prompt just saying "Enter PIN", I was able to pay by pressing continue without entering a PIN, so I think the terminal has the same functionality, just not advertised.
I have no reason to think it hoses your credit rating in the US if you pay your bill (or at least the minimum) on time. What it does do though AFAIK--it's been a long time since I've done it--is to start the clock on paying whatever extremely high interest rate your card has on the total balance on the card. Including your regular charges that would otherwise be carried interest-free until the payment due date.
So it's generally a very bad idea to get a cash advance on your credit card, especially a credit card that you also use to charge other purchases.
It does not hose your credit rating in the US (assuming you pay your CC bill on time). It doesn't even show up as an event on your credit rating, as the decision to extend credit up to your limit has already been approved.
It can actually, although perhaps a little indirectly. Off the top of my head, the credit card balance is a direct input to both the Debt to Income Ratio (small effect) and Percentage of Revolving Credit Available (much larger effect). These are not deal breakers, but did lower the score at both places I worked where this mattered.
Well, certainly if your carried balance goes up as a percentage of revolving credit, that will affect the score. But this would hold true whether you did a cash-advance or bought a TV, no?
EDIT: IIRC, the Debt-to-Income ratio calculation (if you were to apply for a mortgage, for example), is based on your aggregate credit-card limits (used or not), on the assumption that you could be that exposed. I remember when I were a young lad, I had to kill a card (or two?) that I wasn't even using in order to get the mortgage rate I was looking for because of this effect.
Okay, so just to explain the way this works in the UK - a cash advance shows up directly against the card and month it was taken. Credit scorers typically treat it as a sign that you're living outside your means, and so it has a very serious effect on your ability to get credit.
There are certain types of payment which are also classed as a cash advance and sometimes catch people out, such as to gambling sites.
I simply solved this by using a prepaid credit card. Sadly they are less accepted but there is a significant amount of fraud protection and I can manually control how much damage can even exist in case the fraud protection somehow fails.
I only need it for American services though; all EU services I use accept SEPA pull or push, Sofort, giropay or PayPal with a bank account (strangely enough, some American services in the past declined to accept a PayPal account without a credit card, weird stuff).
My personal recommendation to US people is avoid connecting PayPal to your bank account. I don't know what protections they have in the EU but I doubt we have them so better safe than sorry. Use your credit card.
PayPal provides fraud protection against my bank account. And I can always revoke their SEPA Mandate and demand my money back as long as 6 weeks have not passed since the direct debit. (German law at least.) My bank ensures this by notifying me when I receive a bank statement on the online interface and mailing it to me at my own cost via postal service if I don't mark it read (about 5€ IIRC) within a week.
Same goes for any SEPA DD based transactions. Everything else is secured via TAN, which depending on what generator method you choose (SMS, Optical, HBCI or Smartphone App) has varying levels of security (Optical and HBCI are highest atm, then App, and SMS last, at least according to my knowledge and understanding of the implementations).
The only bad part is when paypal fucks you over but that's a given risk when interacting with paypal anyway.
And debit cards don't use chip and pin? What's the distinction here?
I recently got a new debit card which has the usual (European) chip and pin - but also annoyingly has contactless payment (aka "leech my money"). Sadly the only way to opt out might be to switch banks...
Of course most Americans have both debit cards and credit cards. I think that debit cards (as opposed to cards that can only be used at ATMs) didn't really start to become common until the late 90s. I expect that you'll find that older people don't use them as often out of habit.
> Europe adopted chip+PIN not because anyone really wanted it but because it was mandated by law. It’s unclear that it has actually been effective.
At least in the UK it was a sort of anti-consumer Trojan horse. Theft decreased by 80% or more, but now the responsibility for the remaining part lies with the user instead of the bank. I remember UK consumer groups quite upset about this ~12 years ago.
Not the banks, the vendors. It’s a great coup that banks have convinced customers they cover credit card fraud when really visa/MasterCard go and take the money back from the seller.
I can't see how that can be true. Prior to chip+pin, you could still withdraw money from an ATM with a card+pin, so how exactly did the security change?
In both cases, you can dispute transactions with the banks, and in both cases, the banks are going to open their defence with "but how did the thief know your PIN?" but that does not make it clear-cut, nor does it mean the banks will always win their argument.
Before Chip+PIN was introduced, card cloning or ‘skimming’ was a very common fraud method. An ATM would be modified with a device to copy the magnetic strip and register the associated PIN with a keypad overlay or a pinhole camera. This data could then be used to create a cloned card to withdraw money with, sometimes even in another continent.
Chip+PIN (EMV) prevents this because the chip cannot be cloned, and so it completely eliminates this form of fraud. However, banks also used the introduction of Chip+PIN to move liability of any fraud to the customer, whereas before the banks would fully refund any fraud.
Consumers remain fully protected from the cost of card fraud and are covered under The Lending Code. From 1 January 2005 there was a shift in liability for some types of card fraud from banks to retailers, but this will not affect cardholders in any way. If businesses have chip and PIN terminals in store, they are covered for the cost of card fraud whether customers enter their PIN or their signature, just so long as staff follow the on-screen prompts and carry out the routine checks to ensure cards have not already been reported lost or stolen. Banks will continue to be liable for the cost of card fraud committed on old-style non-chip and PIN cards, so by accepting them businesses are not putting themselves at risk in any way.
So in what way has fraud liability shifted on to the customer?
Much as juries tend to believe a cop even though data suggests cops aren't very reliable even when they aren't actively lying, so they also tend to believe a smartly dressed bank official. Victims of fraud who end up on trial (either tacitly after they have to sue the bank for their money, or more rarely literally after the bank tells police they committed fraud) are disproportionately female, elderly and non-white, all factors that make them less believable to a jury, almost as if those trying this on know that...
Juries are rarely told, and bank officials would hardly volunteer that big frauds often involve a bank insider, and sometimes even an insider the bank has since caught and fired. You won't get the money back from an insider who was taking 10% but you can make a victim of the individual account holder rather than eat the loss at your multi-billion dollar bank. And all you have to do is pretend systems you know are all too fallible are instead perfect.
Ross Anderson has written about some of this on Light Blue Touchpaper.
Again, I can't see how anything changed. You have a card and you needed a PIN to use it, before and after the chip was added. Smartly dressed bank officials were around in both times. In either situation/time period, banks would claim "how could someone possibly have got cash/goods without you disclosing your PIN? Our systems are secure!" whereas we know that the systems, before and after the chip, are not 100% secure. Ross Anderson has been instrumental in demonstrating this, for sure.
As I've quoted from the website, there was no change to the consumer protection in the introduction of the chip. Your description applies equally well to court cases before and after the technology changed.
"You have a card and you needed a PIN to use it, before and after the chip was added"
Er, no?
I guess it's possible you've actually forgotten what changed here.
It's 1995, I have stolen a VISA card issued to a nice old lady who lives across the street. I walk into a PC wholesaler which allows walk-in purchases, I hand over the card in the name "C. Smith" and walk out with two month's salary worth of Pentium CPUs that can be sold easily for almost their RRP. Did I know a PIN? Nope, just squiggled something that might be "C. Smith" on both the card and the receipt.
When her bank tells her she bought all those Pentiums, she's going to freak. And when she calms back down she'll say she never received that card. Has no idea where it is. Give her back her money.
The bank will of course insist that it's her card and surely she bought all those CPUs. But Ms Smith's lawyer doesn't need a Computer Science degree to understand what happened, and neither does the jury. Smart suit or not, "Her card was simply stolen from the post" is an easy argument to understand and she'll prevail.
Not so when the bank says her PIN was used. Who else could know her PIN? Those are secret. Aren't they?
Why didn't the store want a PIN back in 1995? Because they had no way to validate it, it would be useless to them. Only the _chip_ enables offline PIN verification, and in 1995 even some _ATMs_ were still doing offline transactions.
The transactions are not routinely On Line. Yes, I know, you had to wait 5 minutes the other day in an antique store because their card machine used a dial-up modem. Very annoying. And also quite possibly bogus, there's a good chance that wait was a charade. But why doesn't it have to be online, surely that's unavoidable?
Time for another brief lesson, this time not about history though; this is all still true today:
Payment card transactions are really _two_ transactions, the banks make no real effort to correlate the two, and one is done entirely on the honour system.
1. Authorization: Does the card holder authorize this transaction? This is the one that has tightened up considerably due to fraud. But this doesn't move any money anywhere, and doesn't involve any real time interaction with a bank at all. Once upon a time this involved a machine that used carbon paper to take an "impression" of the 3D credit card, and collecting a signature. Today it's "Chip and PIN".
2. Settlement: Who should get paid, and how much, by who? This moves the actual money to the merchant. It's done entirely on the honour system, banks and merchants both routinely screw up, if your country's laws make them they'll eat the cost of fixing that, otherwise they'll probably blame you and make you suck it up. Hooray.
The first one has loads of serious technology thrown at it. Anti-replay for example. If I authorize one $14.99 payment, you can't just show that again to authorize another one.
And the second, which moves the money, undoes every benefit of the first, for example you needn't replay the authorization, just do settlement again for the extra $14.99 without any authorization at all. The bank will hand it over, the customer loses the money, unless they remember to explicitly complain about having $14.99 stolen you can just keep it. If they do complain, say it was a "mistake", you lose the $14.99 but so long as you don't do it too often you'll just get a slap on the wrist and can try ripping off other customers.
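To make the two-phase model in this comment concrete, here is an added example (not code from the thread or from any real card network). It simulates the authorization phase with a per-card transaction counter as the anti-replay check, and then implements the correlation step the comment says banks skip: a reconciliation pass that flags settlements with no matching authorization, settlements that re-use an authorization already settled, and settlements for more than was authorized. The record layouts, field names, the `tok_4242` card token, the merchant names and the demo key are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Per-card key, constructed for this example (a real card holds its own key in the chip).
CARD_KEY = b"constructed-demo-key"


@dataclass
class Authorization:
    auth_code: str
    card_token: str
    merchant: str
    amount_cents: int


@dataclass
class Settlement:
    merchant: str
    card_token: str
    amount_cents: int
    auth_code: str  # the authorization this settlement claims to be for


def cryptogram(card_token: str, counter: int, amount_cents: int, key: bytes = CARD_KEY) -> str:
    """Stand-in for the card's transaction cryptogram: a MAC over card, counter and amount."""
    msg = f"{card_token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer-side authorization with a per-card counter, so a captured cryptogram cannot be replayed."""

    def __init__(self):
        self.last_counter = {}  # card_token -> highest counter accepted
        self.auths = {}  # auth_code -> Authorization

    def authorize(self, card_token, merchant, counter, amount_cents, crypt):
        expected = cryptogram(card_token, counter, amount_cents)
        if not hmac.compare_digest(expected, crypt):
            return None  # cryptogram does not match the claimed card/counter/amount
        if counter <= self.last_counter.get(card_token, 0):
            return None  # replayed or stale counter: anti-replay rejects it
        self.last_counter[card_token] = counter
        code = f"A{len(self.auths) + 1:06d}"
        auth = Authorization(code, card_token, merchant, amount_cents)
        self.auths[code] = auth
        return auth


def reconcile(auths, settlements):
    """Correlate settlements with authorizations; return (index, reason) for each suspicious one."""
    findings = []
    consumed = set()
    for i, s in enumerate(settlements):
        a = auths.get(s.auth_code)
        if a is None:
            findings.append((i, "NO_MATCHING_AUTH"))
        elif s.auth_code in consumed:
            findings.append((i, "AUTH_ALREADY_SETTLED"))
        elif a.card_token != s.card_token or a.merchant != s.merchant:
            findings.append((i, "PARTY_MISMATCH"))
        elif s.amount_cents > a.amount_cents:
            findings.append((i, "OVER_AUTHORIZED_AMOUNT"))
        if a is not None:
            consumed.add(s.auth_code)
    return findings


def demo():
    """One legitimate $14.99 flow, a replayed authorization, and three bad settlements."""
    issuer = Issuer()
    card = "tok_4242"  # constructed card token
    c1 = cryptogram(card, 1, 1499)
    a1 = issuer.authorize(card, "shop_1", 1, 1499, c1)
    replay = issuer.authorize(card, "shop_1", 1, 1499, c1)  # same cryptogram again -> None
    a2 = issuer.authorize(card, "shop_1", 2, 1499, cryptogram(card, 2, 1499))
    settlements = [
        Settlement("shop_1", card, 1499, a1.auth_code),  # legitimate
        Settlement("shop_1", card, 1499, a1.auth_code),  # settled twice on one authorization
        Settlement("shop_1", card, 1499, "A999999"),  # no authorization at all
        Settlement("shop_1", card, 2000, a2.auth_code),  # settles more than was authorized
    ]
    return replay is None, reconcile(issuer.auths, settlements)


if __name__ == "__main__":
    replay_rejected, findings = demo()
    print("replay rejected:", replay_rejected)
    for idx, reason in findings:
        print(f"settlement {idx}: {reason}")
```

The point of the example is the asymmetry the comment describes: the authorization side rejects the replayed cryptogram on its own, but nothing on the settlement side stops the second or third settlement unless someone runs a reconciliation like `reconcile()` over both streams.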
For all the words, I still don’t get your point. The banks introduced an improved system that we can all agree is more secure than the old one, and consumer protection did not change, but apparently you think this makes it worse for the consumer?
What on earth do you want banks to do? Make their systems less secure, so it’s easier for people to convince a court that their disputed transaction was fraudulent?
It’s natural and predictable that banks will argue that security improvements make it more difficult for thieves to make fraudulent transactions, but since these systems aren’t 100% secure, people will always be able to dispute these events and win their challenges.
Consumer protection effectively does change if its enforceability changes. If a system's security is improved (or at least the security theatre is improved), it's easier to disbelieve victims of fraud, and even accuse them themselves of fraud. This is especially true when existing known vulnerabilities are closed, and fraudsters begin using new vulnerabilities.
To use an analogy, it would be like if you improve the reliability of a product you make, then start saying those who RMA your product must have damaged or mishandled it for it to be broken, and deny them their warranty.
What you're missing is that once you have a PIN the deniability goes out the window, so you're now on the hook for the fraudulent purchases. So as a card user you're trading a high percentage of fraud with no liability for a low percentage of fraud with absolute liability. Things are better for the bank, not the customer.
Contrary to popular belief, merchants are responsible for fraudulent charges, big or small. They pay not only in any lost merchandise or services, but also in losing the payment.
This shifting of burden ultimately comes back to the consumer in higher costs and fees, and is just a cost of business for the merchants. The credit card company benefits because they make money regardless of fraud, and they’ll make increased money from the detachment of the feedback loop from the consumer. Merchants don’t pursue fraud because they simply increase costs to cover it.
In this scenario merchants lose, consumers lose, credit card companies win from increased usage.
See the text I cited from the card association’s website. Merchants are only responsible for fraud (in the U.K. at least) if they did not use chip + PIN properly.
Who pays for fraud, in the end? Well, the customers pay, of course, since they are ultimately the only source of funds. Regardless of whether or not the merchant or bank eats the fraud, they are going to recoup the cost through their charges to customers.
I find shifting the burden to the merchant or card processor to be ultimately anti-consumer. It hides the true cost of financial crimes from consumers and ultimately manifests in increased costs, while to the merchants or banks it’s just a cost of business. In the end the consumer is shielded from fraud but ultimately pays for it.
The merchant/processor are better placed to take the burden though - it may increase the fees, but to me, an ongoing marginal increase is preferable to the risk of being cleaned out in the case of fraud.
It's also pro-consumer in that it lets you use your debit cards without much fear of fraud -- if I were liable for fraudulent charges, I would be _much_ more reluctant to use it anywhere (especially as the bank may not be as incentivised to provide as good a fraud protection), drastically reducing its utility.
The reason why I think it's anti-consumer is that by detaching the liability of fraud from the end consumer means detaching it from the whole system. No one really cares about the fraud if the consumer doesn't. The credit card company profits either way, but by removing any concern for fraud it makes more money.
I think a sensible solution is to split the liability between the merchant and consumer. Hiding it from the consumer hides it from the one party that would even care about prosecuting fraud.
I was under the impression this was used in case of a dispute, they could go back to the receipt to determine if it was your signature or not. Not sure how often that is actually used.
Apparently a lot of cards are dropping the requirement anyway. [1]
That’s correct. This new policy from the card brands begins this month for EMV transactions. My customers are excited to reduce check out time by dropping the signature requirement.
The signature signifies intent. You understand the charges on the receipt. You can't say "I didn't know I bought that" when the list of things you bought is right there and you signed your name.
Except you can literally draw a poop emoji as the signature and it’ll be happily accepted. How would that signify intent at a later dispute investigation?
No, it doesn't signify intent. The signature on the slip should match the signature on the back of the card. This is how the retailer knows the purchaser is the authorised user of the card. So unless the card has a poop emoji on it, the card holder can deny the transaction based on non-matching signatures.
They can refuse your transaction for whatever reason they want, it's their business. If you give off any vibe that the card might be stolen, then a business can turn you down whether or not what you were doing was technically correct.
Yeah if you sign a printed receipt that's true. Most POS devices I see now aren't displaying the individual charges anymore by the time the interface gets to the "really charge $X?" screen and the electronic signature screen. You have to wait until the receipt prints out, and then you can complain to the clerk.
The screen-signature POS terminals I've seen almost always have another screen showing a list of purchases being made. The only exception I can remember is very old pharmacies. In newer pharmacies, the list is on the signature screen.
Interesting. Everywhere I've been recently (mostly west coast, I'll admit), the grocery stores have the biggest tally screens. And at the bottom the biggest line is how much you "saved" by shopping there. (Yeah, right.)
You paying signifies intent. If I use Google Pay to pay for something, I've shown that I agree with the charge. The signature is just useless hassle. I've had to do it twice in my life and there never seemed to be pens around just when you need them...
Moreover, if you think that retailers are making you sign a piece of paper because they want to hassle you and make you take your money elsewhere, you need to rethink the situation.
Signature has never been intent but a security measure, which is why it is matched with the signature on the card. It's an authorisation step, nothing else. You handing over the card is intent.
I've also heard before (anecdotal) that in general in the EU, people have far fewer credit cards. As someone with several chip+pin cards in the US, it can be a bit of a chore ensuring they all have the same pin, and I wouldn't even want to try having five different cards with five different pins.
Different cards offer different reward structures. I currently have sixteen (16) credit cards, but I'm certainly an outlier.
For everyday purchases I use one card for restaurants and gas, another card for groceries and yet another for everything else. Then two other of my cards have rotating bonus categories, so I may use one of those for gas one quarter and for restaurants next quarter.
And, at minimum, you should always have a backup, like a sibling comment points out. Especially when travelling, you don't want to be in the middle of nowhere trying to buy a meal only to find out your card has fraudulent transactions and the new one has to be mailed to your house.
Depends entirely on the card! Annual fees can be either $0, as small as $30/year, or as high as $500/year (AMEX Platinum) and up. AMEX Centurion is invite only, it's for millionaire high spenders and has a $2,500/annual fee. Barclays Luxury Card is open to everyone and I believe it has a $900/year annual fee.
Some cards waive the annual fee the first year and some don't. It's whatever the card issuer decides makes them the most money.
Personally, I pay two annual fees and have a third one waived for now. Some of the cards I have I've downgraded to the less benefits no annual fee version of the card after collecting the annual fee version benefits for a year.
Many, many cards have no annual fee. The ones that do, are usually worth it for the right customers- e.g. a travel card that comes with a lot of actually-valuable travel perks for the frequent flyer.
Credit cards with an annual fee simply for the privilege of having a credit card, are mostly gone, chased out of the market much like the takeover of free checking.
It varies. I don't have anything like 16. But I have a couple of cards with specific reward benefits that I pay for plus a number of free ones for benefit and other reasons.
3) Restaurants. This is the only use-case where my card is out of my possession, and I try to isolate that.
4) MOST on-line purchases (Except for #5 below)
5) Online subscriptions. These are things like DO or AWS or month-to-month Jetbrains or Safari. This makes it easier to visually scan the statement for things that should not be there, or are wrong. (Billing mistakes are not infrequent).
6) Business expenses. This makes either submitting expenses and/or taxes easier, because it's all in one place.
Different cards offer different benefits. At a minimum, I want to have one backup in case I leave one at a restaurant or something wonky happens with fraud systems. So, yeah, I have multiple cards although I mostly only use two of them.
I wonder why they chose a system or workflow that breaks with what we are pretty much doing everywhere else in the world: chip + PIN. It works, it's fast and reliable. And with optional NFC it's even faster.
While people can always make up arguments for some edge case where it wouldn't work for them, that is anecdotal at best. Resisting change is only going to hurt (economically, technically, knowledge-wise) in the long run. I know that learning from history is not humanity's greatest skill, but actively working against what turned out to be a bad practice seems rather... strange.
And at the same time, some commercial services jump in to fill the void, which is not something you probably want either due to the risk of monopoly, data sharing and other privacy concerns.
It's interesting because according to my understanding, the U.S. is actually using a pretty good system for dealing with credit card fraud in general...which sadly seems to be the rare exception in regards to consumer protections in the U.S.
Basically -- again, as I understand it -- the losses due to credit card fraud are either on the merchant or the card-issuer -- generally the two groups most equipped to deal with the issue. If Visa thinks it's losing too much money due to fraud, they have the control to influence change on the system, put more resources into detecting or preventing it, etc. But they can generally view it as a cost-profit analysis, and handle it appropriately. Of course there are side effects; it costs all of us involving the courts or police, to some degree, but in the absence of a perfect solution in an ideal world, that's something that was going to happen anyway.
Which isn't to say the future couldn't change; monied lobbyists, such as Visa, can get the laws in the U.S. system modified to put the onus on the consumer, or on the business (which could drastically damage small businesses), but for the time being, the system does seem, to me, to be working well ... here.
One reason that can work in the US is because there is so much money slopping around in the system from high interchange/network fees. An issuing financial institution may bear most of the risk of fraudulent transactions, but the revenue of interchange fees is easily 10x that of fraud.
So, there are aligned incentives to keep the system secure which ends up being friendly to the individual consumer, but it comes at a cost because consumers bear this cost in the form of opaque fees in everything they buy.
Get a good cashback card and it's not that much. Use your personal cashback card for billable business expense and you probably make money.
One thing it does do is incentivize the banks to monitor transactions. They know my card # has been stolen before I have a clue, calling me nearly immediately.
Because it would break or otherwise add friction to the existing workflows in the US? But I know that every system used in the US that's different from some other country is clearly the result of stupidity. It seems pretty obvious in this case that many of the interested parties didn't see the upsides of PINs outweighing the downsides.
I don't believe the source of lack of change would be pure stupidity, but rather an extreme weighing in the favour of short term money making.
Most EMV countries have standardised on Chip + PIN, and before that on magstripe + PIN, and it is used equally across all of them.
Perhaps the problem is that people still think in terms of 'good guy' and 'bad guy' and nobody wants to be the 'bad guy' that made everyone upgrade their system to some sort of secure payment method. https://www.theatlantic.com/business/archive/2016/03/us-dete...
Wouldn't the criminal in this case be able to intercept the letter with the PIN also and replace it with a letter that looks the same but has the wrong PIN? The receiver would not be able to find out the PIN is wrong because the card's chip does not work at all.
I have never received the pin by post. My bank sends me the card, then I have to go online to activate it and set the pin on the website - the card never has a pin assigned to it by default.
PINs are generally mailed separately, before or after mailing the cards. (In this case I'm speaking of debit cards.) It might make it difficult to map the PINs to the chips, but maybe not since it seems these are bulk mailings.
> The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that.
I guess I'm a little confused as to how this works. In the case of my two card issuers "activating" the card means performing at least one fully online transaction at a chip-enabled merchant. (e.g: card present, chip used, pin entered.) If the card's chip were replaced in transit then I wouldn't be able to activate the new card. I'm guessing they are targeting card issuers that have a different activation scheme; but I'm a bit surprised that my extremely small midwestern bank is actually ahead of the curve on card security.
That is the 'non US' view sadly. You see we didn't get "chip AND PIN" in the US. We got "chip to send the magnetic stripe". If you use a US chipped credit card in a terminal it doesn't ask for a pin, it just wants an unintelligible signature and you're done.
I'm more than a bit irritated with this since without the pin you can 'skim' chip cards just as easily as you can magnetic cards.
> without the pin you can 'skim' chip cards just as easily as you can magnetic cards.
Uh... no? Not sure what you're saying. The PIN authenticates the human user, so without the PIN you can use a stolen card. "Skimming" is a MitM attack, something expressly designed against in the chip design.
Right. As a different Krebs article, noted in another comment, says, Chip + PIN mostly protects against lost/stolen cards used at a POS terminal. And that's not a particularly big fraud problem in the US.
You can’t skim a chip card and just use it. The terminal can tell from the data on the magstripe that you need to be using the chip. So it would be worth less on any EMV-enabled terminal.
You could only use it on terminals that have EMV turned off or never supported it. Like gas pumps.
I don’t know EXACTLY what it is on the mag stripe that tells the terminal to use EMV mode, if anyone knows I’d love to hear it.
I think if the first digit is a '2' instead of a '1', that tells the reader to force a chip-only transaction. Or in other words, if you can write the mag data to a blank card, you can set that byte to whatever you want and have a field day. Unless there is some more validation at the bank level? Haven't tried personally.
and that's why most CC fraud in the USA happens at gas stations. They only require the magnetic stripe everywhere, and their association recently fought against installing chip terminals and won.
the second source of fraud is airline tickets and I have no idea how that works. crazy stuff.
But then what's the point? The whole signature scheme is not making much sense anyway, and pretending that no change is better because it is cheaper just gives you technical debt in the long run.
Would probably be better if at some point it was decided that using a signature is stupid and a deadline for using a PIN was set. But then again, the US hasn't been able to fix the date naming scheme, the measurement system or the temperature system (and it's just 4% of the world that is still using the old ones). I doubt this will ever be fixed.
Good question. The great credit card debacle that was the Target break-in was the force that finally pushed the US to have chips put in their cards, but the truth has always been that credit card companies would much rather spread the cost of fraud over interest rates and bank fees than actually mitigate it; after all, a transaction is a transaction and if they can keep most of their fees it's a win, right?
I was in one of those fancy investment seminars and was seated next to a guy who either was or worked with the Chief Security Officer (CSO) of a big credit card issuer. I had asked how a credit card could justify charging 15 - 30% interest when the fed rate was below 2%. He explained that all of the fraud is covered by the fees and interest. They tune their systems to return the most money per dollar transacted and it is simpler to raise the interest rate across their base by 3% to cover any fraud obligations because they still make the money on the base transaction fee. While more complex security would cut their fraud losses it would also cut their earnings because it would reduce the overall transaction rate and the total number of dollars they process through a transaction.
Think about it this way, someone buys a $500 TV with a stolen or fraudulent CC. The CC company gets $10 from the company selling the TV (2% transaction charge) and covers the $500 "loss" out of interest payments above the cost of borrowing by other customers. End of the day they get their $10 and lose no money. What's not to like? Nobody will regulate them so that they cannot cover their "loss" of $500 by raising interest rates, and they still get their 2%.
It is a pretty classic case that their interests aren't really aligned with those of consumers.
What you describe matches my understanding perfectly.
Even if you leave finance charges out of it and are discussing debit cards - the interchange revenue is way more than enough to cover fraud liabilities. Throw in account fees, and you've got yourself a profitable product.
I was working at a small bank during ye old Target/Heartland breach years, and the only time I heard dissatisfaction expressed at the security status quo was when the breaches forced large-scale card reissuances. General fraud scaled proportionally with transaction volume, and was easy to deal with. Mass-reissuance didn't.
> the US hasn't been able to fix the date naming scheme, the measurement system or the temperature system
That's exactly equivalent to proclaiming that the three dozen major languages still used in Europe should all be abolished, except for English. More than half of all Europeans share no common language. The most widely understood language in the EU, English, only has about 1/2 coverage.
Language is far more important than measurement, and it should be standardized just the same as measurement.
Now see what kind of response you get when you tell the Swedish, Germans, Greeks, Romanians, French, Hungarians, Italians, Dutch, etc. that they all have to abandon their languages for superior efficiency of communication.
Finnish, Lithuanian and Danish are a mere 1% of the EU language base. Estonian is less than 1%. Globally it's that much worse. Why are they persisted generation after generation? It's wildly inefficient and backwards to force them upon children. Where are the widespread calls for abolishing them in favor of English as the primary language, in the name of gaining efficiency?
Possibly because in a lot of Europe most people learn their native language AND english, and this isn't that much more difficult.
Plus, language preserves a culture (literature, etc), which isn't really the same as measurement systems. I wish the UK (where I live) would hurry up and ditch its remaining imperial units (e.g. miles). It would make life easier.
Actually the measurement system can sort of encode cultural knowledge. For example, in the imperial system, a fluid ounce of butter weighs one ounce, so a pint of butter weighs a pound. :^)
It's no more difficult to learn two measurement systems than it is to learn two languages. I'd argue it's dramatically easier to learn two measurement systems.
To learn the metric system, how many concepts do you need to memorize? Not many, it's quite easy. Now try learning Estonian or Russian as a native English or Mandarin speaker. People spend years of effort just to become mediocre at speaking Mandarin, as an example.
Now consider, you're born in Finland, and few other people globally or in the EU use Finnish. To communicate well with other foreigners (the other seven billion people), you need a common language (typically English in Finland). The effort involved in learning English at even a moderate proficiency, means you're going to practice and use English for perhaps six to ten years growing up to just become decent at it. Then it further requires that you use it on an on-going / never-ending basis to stay proficient at it. That's because language is radically more complex and difficult than eg the metric system. That need to adopt and maintain a popular common language in addition to the scarce first/primary language, comes at a great time cost when added up across a lifetime.
By contrast, you can teach someone the metric system (someone entirely unfamiliar with it) in a very small amount of time.
More people in the US as a percentage know the metric system than know Finnish or Estonian in the EU.
The cultural explanation for languages, which is common, is no more valid than claiming culture for the imperial system clinging-on that you see in the US. In fact, that's precisely why it hasn't gone away in the US (otherwise it'd have been trivial to abandon). You can explain cultural concepts just as well in English and you can make subtle adoptions into English for phrases or cultural concepts as necessary, without needing to learn an entire other language.
In the US a tall person may be six feet six inches. That's an example of cultural embedding.
In the US, a fast car might go 180 or 200 miles per hour. The speed limit might be 70 miles per hour. That's embedded into the culture.
The three point line in basketball might be at 22 feet. That's culture. The pitcher's mound is 60 feet six inches; that's culture.
A first down is ten yards, not 9.1 meters. That's culture. There are dozens of other common, equally valid examples from across US life.
If someone claims those things are not part of US culture (whereas an obscure language phrase is culture), they're simply guilty of arbitrary - and rather comical - snobbery.
Measurement systems affect culture but they are not culture in and of themselves. Countries have changed systems, but their cultures clearly have not. In fact I think the fact that many countries have switched demonstrates that it's not something cultural, rather one of practicality. There's a strong school of thought in the US that the government creating standards is "interfering" etc; that's possibly a reason why they haven't changed. Your argument reads that there's no need for change because it's cultural and easier just to keep things the way they are. However if things were really like that, languages would have never evolved. People change, we get new ideas, and move on.
In every language you'll have phrases that relate to things from a long time ago; that doesn't mean they have a right to stay. The US has kept to the imperial system, which is your decision, but it's just that few other people can understand your steadfastness.
In the UK we have phrases similar to what you mentioned regarding basketball rules, etc. They've stayed and quite rightly; also in Russian and French we still have some of these words. But our general attitude to measurement systems has changed, for practical reasons, and quite rightly too.
In all fairness, languages are tied to national identity in a way that, say, date formats aren't.
But honestly the fact is that the various schemes mentioned aren't seen as problems by the vast percentage of Americans and transitioning to something else would be painful to various degrees. And where it's important/useful to have metric and Celsius measurement scales, they're mostly used.
> I'm more than a bit irritated with this since without the pin you can 'skim' chip cards just as easily as you can magnetic cards.
Huh. I assumed that the chip had a secret it used to pass a challenge-response type of thing. Can you skim a chip just by observing the data bits that go in and out of it?
> The reason shimmers exist at all is that some banks have apparently not correctly implemented the chip card standard, known as EMV (short for Europay, Mastercard and Visa).
Ok, so my assumption was right—in theory—but of course they screw up the implementation!
Say I'm a cashier at a retail location. All I need to do is say our system is down, carbon-copy-swipe your card number, CCV, and expiration date. You'll give me your Zip code and billing address when I ask for them "to verify the transaction with the card issuer later on when the system comes back online." I don't need your signature since that requirement is gone now. I can sell that CC info for money or I can make a few fraudulent purchases online where no card is required to be present.
Card fraud is embarrassingly easy in the USA if you're in the right position of employment, even in lower rungs of employment.
'Activation' for some cards entails calling a number included in the literature; you don't need to do anything further, so I presume they just confirm the call is coming from the phone number you have on file?
My bank would do normal phone banking authentication, so that means I need to know my name and address (which someone who had intercepted the card has) and then I need to know a password (from which I will be asked random letters) and for some other thing I told them like "my favourite food is Apple pie" or "I secretly hate owls".
No idea what would happen for a company, but I wouldn't be surprised if some PA picked the answers and wrote them down. Which still makes it hard for a random crook to have them.
I've forgotten to activate a card and it still worked, complete with the sticker still on it... And no signature on the back. Hell I don't think a single card I have is actually signed.
So, aside from the fact that this is screaming for chip + PIN, isn't this a failure on the cardmaker's part to make a card from which you can remove the chip without destroying the card?
I keep saying this, but we in the US really screwed up in the transition to chips. We had a chance to change behavior but we went ahead and ignored PINs.
I simply don't understand why, apart from too many retailers complaining.
If the cost of fraud is less than the cost of PINs, then nobody will push for PINs.
Adding pins to checkout process adds friction and checkout time. It might be a minor amount per transaction. However if you add it up across all transactions, it's a significant amount.
More friction than printing out a receipt and asking me to sign it?
BTW, if you want to see just how efficient chip-and-PIN can be, go to a bar in a Nordic country. In Helsinki I can pay with chip-and-PIN as quickly as cash (assuming change). The bartenders won't even hold a tab open for you, they just charge you every time. I've experienced the same efficiency in Sweden.
As of this month (April 2018), the big four card networks have stopped requiring (USA) merchants to collect signatures if chip is used. They had already waived this documentation step for the ~80% of transactions below $50.
With the wireless payment cards, it's even more efficient than cash. Just put your card up to the machine and it takes the payment. No PIN or anything. Limited to under a certain amount though. And it does sometimes ask for your PIN now and then to make sure it's you.
Increasingly you sign (or in my case scrawl a wiggly line) a pad but I still sign paper fairly regularly. One of the issues with PIN in the US is likely that you'd have needed a whole new workflow and mobile devices at sit-down restaurants. It would arguably be a better system to move to settling up at the table, but it would still be a big and expensive change.
You needed new devices anyway to switch to chip, but I think it is a cultural issue with tipping. Some people really like that the server doesn't know how much you tipped until you leave.
Yeah, that may be part of it. It's not really rational but I don't especially like someone waiting for me to enter a tip amount into a keypad. I imagine others feel similarly. The US isn't unique in having tips but in the UK, for example, they tend to put 10% onto the bill automatically.
ADDED: And you needed new devices but not mobile systems to bring to the table.
Actually with chips with pins, it's faster because you can authenticate locally. Since we don't use chips, we have to do a server roundtrip, which is why initially a lot of the chip cards seemed to take "forever" (30 seconds) to authenticate.
Another performance issue with early EMV (I assume before NFC) is that it supports multiple different applications ("cards") on the same physical card, there is no preferred one, and the terminal essentially tries random file names until it finds something (and in fact is even supposed to continue the search to exhaustion for the rare case when the card contains more than one usable EMV application, in which case the customer is supposed to select the one to use from a menu). In the current version the cards are supposed to contain a data file with a known name which specifies the filename of the preferred application; this is required for NFC cards for somewhat obvious reasons, but AFAIK only recommended for contact-only.
This process is probably the largest part of what happens when the terminal/ATM displays message like "Chip initialisation in progress".
On most of the machines I've used in Sweden, you can input your PIN in advance while the cashier is scanning your items. Then you just push "OK" to confirm the final total and walk away.
This process also occurs in US with the chip transactions. You can start the auth process while checkout scanning is still occurring. So implementing the pin into the mix would be beneficial and not so much added friction/time in completing checkout.
I've never heard an authoritative answer about why the US didn't go to PINs when chips were adopted. One strongly suspects there was significant concern about changing retail/restaurant/etc. workflows, confusing customers who mostly don't use debit cards (with PINs), and otherwise introducing more confusion and friction to customers than absolutely necessary.
> Adding pins to checkout process adds friction and checkout time. It might be a minor amount per transaction. However if you add it up across all transactions, it's a significant amount.
Uuuuuh...
The rest of the world has been doing this for at least a decade without any problems at all. You got any kind of citation you can link us to demonstrating that the rest of the world is suffering from this decision in a way that the US is not?
If "someone else" is referring to the cashier, the customer uses the payment machine themselves. In PIN using countries the waiter brings a machine or you step over to the front counter.
If someone else is your spouse, kid, or personal assistant; you tell them the PIN or ask the issuer for an authorized user card.
Well, you don't. But I wouldn't have a problem with my partner using my card, in which case I just give them my PIN? On the other hand, that is (or should be) literally impossible with signature.
I...don't. Ever. Why would you do that? That's terrible.
I usually transfer them the money through the free, instant, secure and traceable inter-bank transfers that are universally provided by every financial institution in my country to every other financial institution in my country, so that they can use their own card.
Only if the retailer has failed to upgrade to reading chips. E-commerce merchants have to absorb 100% of fraud which is why many are so picky about addresses exactly matching and sometimes require ID scans or phone verification for new customers or very large orders.
I'm complaining as a consumer. I have half a dozen cards in my wallet, and each retailer is incentivizing me to get their card (5% off is hard to ignore), if I applied for and carried all those cards I'd have ~20 cards to carry around, each with a different $%&#@%^^% PIN to memorize. It is not possible to do that.
Quite frankly, as a consumer I don't need increased security over what we had 20 years ago (mag strip and signature), someone else took the liability for any fraud. Chip+pin is trying to push the cost of fraud on me, and I don't like it. The value of cards over cash or checks is largely because I pay less price for fraud.
They're not doing on-the-spot signature analysis. You're just harming your own chances of getting a dispute resolved in your favor if you ever need to make one.
When you have a documented history of legit signatures on file, signature difference is one of the factors that get considered in the event you file a dispute.
I work in the credit card processing industry and can't even begin to comprehend how a fake signature would help.
It wasn't a valid signature. Even when you attempt to make a legitimate signature on a screen it comes out incredibly poorly. The only legitimacy is that "someone signed some form of letters/made a drawing of a penis". I can't see why that would ever prevent chargebacks.
It's possible to change the PINs on your credit cards to the same value. Not much security decrease and greatly improves usability. I haven't tried it myself as PIN credit is very rare in USA.
PIN does not mean you are automatically liable for fraud losses. Federal law caps credit card liability at $50. Most issuers eat that too with $0 liability to remain competitive.
There are also state laws that may go further in consumer protection. The card network may also have additional protections. Finally as I've mentioned the issuer often waives all fraud loss liability.
Maybe you should stick with 1 card and 1 PIN and that solves all your problems and the problems of the people around you that you are affecting by living in society?
People in the US routinely give their cards to other people to use (e.g. relatives). Yet banks tell everyone never to disclose your PIN. So using PINs would prevent card lending, which would reduce banks' income.
Don't worry, contactless throws all of that out the window. It's like WPS for routers. Anyone got your card? They can make purchases and cashback till your account is out of cash or they get really tired.
Yeah, there can be a limit on the number of transactions, but my bank and several others just don't care, there's only a limit on a single transaction, currently £30. Genius, just genius.
That's for personal cards, though. Always use a prepaid card when paying for anything, anywhere.
That is just not true - you will be asked for a pin if you use contactless multiple times in succession, and you can't do cashback with contactless at all. I also live in UK.
How many times? I did 5 consecutive purchases in a day with TSB, no PIN requirement. Contactless VISA allows for cashback. Barclays, 3 consecutive purchases, haven't tried cashback.
At least in my country I've seen a common practice for the bank to mail (separately, days before/after) an envelope with a temporary PIN to the customer, so that they can activate the card and change it.
Not sure if they do that in the US or if they'd do it for corporate cards as well, but I guess it wouldn't be a problem to intercept the second envelope for whoever intercepts the cards. In that case the PIN wouldn't add any value.
Now regarding card destruction, I wonder how hard it would be for them to just print fake cards with fake chips that just have the same numbers.
Probably a better solution would be forcing activation of the card at an ATM, so that the chip would be validated. Cumbersome but safer.
I'd place the blame more on the card packaging; it should be in a tamper proof envelope. Or there should be a "scratch off" necessary to activate the card.
> The Secret Service memo doesn’t specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.
The idea that employees of delivery companies might be conspiring to do these large scale scams is terrifying.
Oh, this is nothing. You don't realize just how much stuff 'drops off the docks' or is 'beyond economical repair' in logistics.
I remember when a ton of Sony stuff disappeared from the repair depot I worked at. Boy that was a fun day. 300 laptops, freshly repaired that week, gone from the warehouse. Never even made it to the shipping lanes on the other side of the warehouse. And no camera footage despite every angle being covered from the repair store cage to the shipping lanes.
Sounds like credit cards need to come with some sort of "tampered with" mechanism covering the chip, sort of like scratch off to reveal numbers on gift cards.
A simple way to solve this issue is to ask for a PIN only for first use (provided at the time of activation). That way users will have to use the PIN only once, after which it can be used like a regular chip card.
Ideally, a PIN should be asked for each transaction. But in the land of the free, PIN is an outcast.
I don't understand how this can be implemented so badly. It's like someone looked at a European system, said "that Chip+PIN system sure looks great. What if we copied it, but then removed the security and increased the hassle."
I wouldn't be surprised if they thought of this then decided not to because the customer support cost of people that don't pay attention and try to use the card without the pin would be higher than the expected losses.
You have to enable cookies. I assume it's some sort of anti-DOS defense (e.g., send cookie & redirect; dumb scripts will just uselessly loop instead of causing a server render), but man is it annoying.
All of the debit cards I've gotten from traditional B&M banks have let me activate them at an ATM. Only my current bank, which does not have physical locations, doesn't give me that option. I assume it's because they let you use ATMs from partner banks but don't have their own.
Ah I just want to clarify, we aren't "required" to activate at an ATM. I'm just saying that we are able to activate a card without having to go to an ATM. I'm sure going to an ATM is an option as well.
> It could well involve U.S. Postal Service employees (or another delivery service)
I find older generations put a lot of faith in the post office. For instance, one of my investment banks, "in order to securely reset your online password", literally snail-mailed me a new pin number.
Some day, I'd like to be able to register public keys with my bank's blockchain and have them only authorize purchases if the itemized invoice is signed by an active private key. One can dream.