
Secret Service Warns of Chip Card Scheme - el_duderino
https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/
======
gok
To those asking “Why doesn’t the US use chip+PIN?” there is a good article
from the same source: [https://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signatu...](https://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/)

Basically: the form of fraud it protects against is very rare in the US, and
consumers find memorizing another number painful. Europe adopted chip+PIN not
because anyone really wanted it but because it was mandated by law. It’s
unclear that it has actually been effective.

~~~
alecco
> Europe adopted chip+PIN not because anyone really wanted it but because it
> was mandated by law. It’s unclear that it has actually been effective.

At least in the UK it was a sort of anti-consumer Trojan horse. Theft decreased by
80% or more, but now the responsibility for the remaining part lies on the user
instead of the bank. I remember UK consumer groups being quite upset about this ~12
years ago.

~~~
eterm
But in the UK banks still cover fraudulent transactions at no cost to the
consumer.

~~~
fra
Not the banks, the vendors. It’s a great coup that banks have convinced
customers they cover credit card fraud when really visa/MasterCard go and take
the money back from the seller.

~~~
celticninja
That's with credit cards which are owned and run by VISA/MasterCard. If your
debit card is used to take money from your bank, then the bank pays.

------
oneplane
I wonder why they chose a system or workflow that breaks with what we are
pretty much doing everywhere else in the world: chip + PIN. It works, it's
fast and reliable. And with optional NFC it's even faster.

While people can always make up arguments for some edge case where it wouldn't
work for them, that is anecdotal at best. Resisting change is only going to
hurt (economically, technically, knowledge-wise) in the long run. I know that
learning from history is not humanity's greatest skill, but actively working
against what turned out to be a bad practice seems rather... strange.

And at the same time, some commercial services jump in to fill the void, which
is not something you probably want either due to the risk of monopoly, data
sharing and other privacy concerns.

~~~
davvolun
It's interesting because according to my understanding, the U.S. is actually
using a pretty good system for dealing with credit card fraud in
general...which sadly seems to be the rare exception in regards to consumer
protections in the U.S.

Basically -- again, as I understand it -- the losses due to credit card fraud
are either on the merchant or the card-issuer -- generally the two groups most
equipped to deal with the issue. If Visa thinks it's losing too much money due
to fraud, they have the control to influence change on the system, put more
resources into detecting or preventing it, etc. But they can generally view it
as a cost-profit analysis, and handle it appropriately. Of course there's side
effects, it costs all of us involving the courts or police, to some degree,
but in the absence of a perfect solution in an ideal world, that's something
that was going to happen anyway.

Which isn't to say the future couldn't change; monied lobbyists, such as
Visa, can get the laws in the U.S. system modified to put the onus on the
consumer, or on the business (which could drastically damage small
businesses), but for the time being, the system does seem, to me, to be
working well ... here.

~~~
oasisbob
Yup, that's essentially how the system works.

One reason that can work in the US is because there is so much money slopping
around in the system from high interchange/network fees. An issuing financial
institution may bear most of the risk of fraudulent transactions, but the
revenue of interchange fees is easily 10x that of fraud.

So, there are aligned incentives to keep the system secure which ends up being
friendly to the individual consumer, but it comes at a cost because consumers
bear this cost in the form of opaque fees in everything they buy.

~~~
411mrc
Get a good cashback card and it's not that much. Use your personal cashback
card for billable business expense and you probably make money.

One thing it does do is incentivize the banks to monitor transactions. They
know my card # has been stolen before I have a clue, calling me nearly
immediately.

~~~
NegativeK
Consumer incentives are paid by the merchant, who will adjust prices to
compensate.

~~~
411mrc
Merchant fee - cash back = net cost to consumer

------
drbawb
>The reason the crooks don’t just use the debit cards when intercepting them
via the mail is that they need the cards to be activated first, and presumably
they lack the privileged information needed to do that.

I guess I'm a little confused as to how this works. In the case of my two card
issuers "activating" the card means performing at least one fully online
transaction at a chip-enabled merchant (e.g., card present, chip used, PIN
entered). If the card's chip were replaced in transit then I wouldn't be able
to activate the new card. I'm guessing they are targeting card issuers that
have a different activation scheme; but I'm a bit surprised that my extremely
small midwestern bank is actually ahead of the curve on card security.

~~~
ChuckMcM
That is the 'non US' view sadly. You see we didn't get "chip AND PIN" in the
US. We got "chip to send the magnetic stripe". If you use a US chipped credit
card in a terminal it doesn't ask for a pin, it just wants an unintelligible
signature and you're done.

I'm more than a bit irritated with this since without the pin you can 'skim'
chip cards just as easily as you can magnetic cards.

~~~
oneplane
But then what's the point? The whole signature scheme is not making much sense
anyway, and pretending that no change is better because it is cheaper just
gives you technical debt in the long run.

Would probably be better if at some point it was decided that using a
signature is stupid and a deadline for using a PIN was set. But then again,
the US hasn't been able to fix the date naming scheme, the measurement system
or the temperature system (and it's just 4% of the world that is still using
the old ones). I doubt this will ever be fixed.

~~~
adventured
> the US hasn't been able to fix the date naming scheme, the measurement
> system or the temperature system

That's exactly equivalent to proclaiming that the three dozen major languages
still used in Europe should all be abolished, except for English. More than
half of all Europeans share no common language. The most widely understood
language in the EU, English, only has about 1/2 coverage.

Language is far more important than measurement, and it should be standardized
just the same as measurement.

Now see what kind of response you get when you tell the Swedish, Germans,
Greeks, Romanians, French, Hungarians, Italians, Dutch, etc. that they all
have to abandon their languages for superior efficiency of communication.

Finnish, Lithuanian and Danish are a mere 1% of the EU language base. Estonian
is less than 1%. Globally it's that much worse. Why are they persisted
generation after generation? It's wildly inefficient and backwards to force
them upon children. Where are the widespread calls for abolishing them in
favor of English as the primary language, in the name of gaining efficiency?

~~~
nicoburns
Possibly because in a lot of Europe most people learn their native language
AND English, and this isn't that much more difficult.

Plus, language preserves a culture (literature, etc), which isn't really the
same as measurement systems. I wish the UK (where I live) would hurry up and
ditch its remaining imperial units (e.g. miles). It would make life easier.

~~~
adventured
People in the US learn the metric system as well.

It's no more difficult to learn two measurement systems than it is to learn two
languages. I'd argue it's dramatically easier to learn two measurement
systems.

To learn the metric system, how many concepts do you need to memorize? Not
many, it's quite easy. Now try learning Estonian or Russian as a native
English or Mandarin speaker. People spend years of effort just to become
mediocre at speaking Mandarin, as an example.

Now consider, you're born in Finland, and few other people globally or in the
EU use Finnish. To communicate well with other foreigners (the other seven
billion people), you need a common language (typically English in Finland).
The effort involved in learning English at even a moderate proficiency means
you're going to practice and use English for perhaps six to ten years growing
up to just become decent at it. Then it further requires that you use it on an
on-going / never-ending basis to stay proficient at it. That's because
language is radically more complex and difficult than e.g. the metric system.
That need to adopt and maintain a popular common language in addition to the
scarce first/primary language comes at a great time cost when added up across
a lifetime.

By contrast, you can teach someone the metric system (someone entirely
unfamiliar with it) in a _very_ small amount of time.

More people in the US as a percentage know the metric system than know Finnish
or Estonian in the EU.

The cultural explanation for languages, which is common, is no more valid than
claiming culture for the imperial system clinging-on that you see in the US.
In fact, that's precisely why it hasn't gone away in the US (otherwise it'd
have been trivial to abandon). You can explain cultural concepts just as well
in English and you can make subtle adoptions into English for phrases or
cultural concepts as necessary, without needing to learn an entire other
language.

In the US a tall person may be six feet six inches. That's an example of
cultural embedding.

In the US, a fast car might go 180 or 200 miles per hour. The speed limit
might be 70 miles per hour. That's embedded into the culture.

The three-point line in basketball might be at 22 feet. That's culture. The
pitcher's mound is 60 feet six inches, that's culture.

A first down is ten yards, not 9.1 meters. That's culture. There are dozens of
other common, equally valid examples from across US life.

If someone claims those things are not part of US culture (whereas an obscure
language phrase is culture), they're simply guilty of arbitrary - and rather
comical - snobbery.

~~~
amaccuish
Measurement systems affect culture but they are not culture in and of
themselves. Countries have changed systems, but their cultures clearly have
not. In fact I think the fact that many countries have switched demonstrates
that it's not something cultural, rather one of practicality. There's a strong
school of thought in the US that the government creating standards is
"interfering" etc, that's possibly a reason why they haven't changed. Your
argument reads that there's no need for change because it's cultural and
easier just to keep things the way they are. However if things were really like
that, languages would have never evolved. People change, we get new ideas, and
move on.

In every language you'll have phrases that relate to things from a long time
ago, that doesn't mean they have a right to stay. The US has kept to the
imperial system, which is your decision, but it's just that few other people can
understand your steadfastness.

In the UK we have phrases similar to what you mentioned regarding basketball
rules, etc. They've stayed and quite rightly; also in Russian and French we
still have some of these words. But our general attitude to measurement
systems has changed, for practical reasons, and quite rightly too.

------
halestock
So, aside from the fact that this is screaming for chip + pin, isn't this a
failure on the cardmaker's part to make a card that you can remove the chip
without destroying the card?

~~~
atonse
I keep saying this but we in the US really screwed up in the transition to
chips. We had a chance to change behavior but we went ahead and ignored PINs.

I simply don't understand why, apart from too many retailers complaining.

~~~
cobookman
If the cost of fraud is less than the cost of PINs, then nobody will push for
PINs.

Adding PINs to the checkout process adds friction and checkout time. It might be a
minor amount per transaction. However, if you add it up across all
transactions, it's a significant amount.

~~~
jdblair
More friction than printing out a receipt and asking me to sign it?

BTW, if you want to see just how efficient chip-and-pin can be, go to a bar in
a nordic country. In Helsinki I can pay with chip-and-pin as quickly as cash
(assuming change). The bartenders won't even hold a tab open for you, they
just charge you every time. I've experienced the same efficiency in Sweden.

~~~
clintonb
I only sign paper at restaurants. If a signature is needed at a retail store,
I usually sign a digital pad.

~~~
ghaff
Increasingly you sign (or in my case scrawl a wiggly line) a pad but I still
sign paper fairly regularly. One of the issues with PIN in the US is likely
that you'd have needed a whole new workflow and mobile devices at sit-down
restaurants. It would arguably be a better system to move to settling up at
the table, but it would still be a big and expensive change.

~~~
smelendez
You needed new devices anyway to switch to chip, but I think it is a cultural
issue with tipping. Some people really like that the server doesn't know how
much you tipped until you leave.

~~~
ghaff
Yeah, that may be part of it. It's not really rational but I don't especially
like someone waiting for me to enter a tip amount into a keypad. I imagine
others feel similarly. The US isn't unique in having tips but in the UK, for
example, they tend to put 10% onto the bill automatically.

ADDED: And you needed new devices but not mobile systems to bring to the
table.

~~~
nicoburns
However the US is unique in not paying waiting staff minimum wage, which makes
tips a whole other thing.

------
AlphaWeaver
> The Secret Service memo doesn’t specify at what point in the mail process
> the crooks are intercepting the cards. It could well involve _U.S. Postal
> Service_ employees (or another delivery service), or perhaps the thieves are
> somehow gaining access to company mailboxes directly. Either way, this alert
> shows the extent to which some thieves will go to target high-value
> customers.

The idea that employees of delivery companies might be conspiring to do these
large scale scams is terrifying.

~~~
lightedman
Oh, this is nothing. You don't realize just how much stuff 'drops off the
docks' or is 'beyond economical repair' in logistics.

I remember when a ton of Sony stuff disappeared from the repair depot I worked
at. Boy that was a fun day. 300 laptops, freshly repaired that week, gone from
the warehouse. Never even made it to the shipping lanes on the other side of
the warehouse. And no camera footage despite every angle being covered from
the repair store cage to the shipping lanes.

------
TheBeardKing
Sounds like credit cards need to come with some sort of "tampered with"
mechanism covering the chip, sort of like scratch off to reveal numbers on
gift cards.

~~~
astura
That's very easily circumvented:

1) Remove scratch off tape

2) Tamper with card

3) Replace scratch off tape

You can get scratch off tape from here: [https://www.amazon.com/Security-Evident-Scratch-Stickers-Scr...](https://www.amazon.com/Security-Evident-Scratch-Stickers-Scratch-Off/dp/B00MW1ZCJE)

People tamper with giftcards this way too.

------
calvinbhai
In US, chip cards are activated on phone/web.

A simple way to solve this issue is to ask for a PIN only for first use (provided
at the time of activation). That way users will have to use the PIN only once,
after which it can be used like a regular chip card.

Ideally, a PIN should be asked for on each transaction. But in the land of the
free, PIN is an outcast.

~~~
furyg3
I don't understand how this can be implemented so badly. It's like someone
looked at a European system, said "that Chip+PIN system sure looks great. What
if we copied it, but then removed the security and increased the hassle."

------
pronoiac
I'm getting a redirect loop. Here's a mirror from the Internet Archive:
[https://web.archive.org/web/20180405160113/https://krebsonse...](https://web.archive.org/web/20180405160113/https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/)

~~~
zeveb
You have to enable cookies. I assume it's some sort of anti-DOS defense (e.g.,
send cookie & redirect; dumb scripts will just uselessly loop instead of
causing a server render), but man is it annoying.

------
ernesth
Activating a card usually involves using it in a machine that reads the chip and
asks for the PIN (typically an ATM).

~~~
atonse
Not in the US – we just have to go to a website or call a number and that
activates the card.

~~~
sli
All of the debit cards I've gotten from traditional B&M banks have let me
activate them at an ATM. Only my current bank, which does not have physical
locations, doesn't give me that option. I assume it's because they let you use
ATMs from partner banks but don't have their own.

~~~
atonse
Ah I just want to clarify, we aren't "required" to activate at an ATM. I'm
just saying that we are able to activate a card without having to go to an
ATM. I'm sure going to an ATM is an option as well.

------
m3kw9
Some banks' new activation procedures now include using your card to
do a transaction or just using it with the correct PIN.

------
gonesilent
This seems like it would need someone on the inside. How do you know the corps
about to get new cards?

------
rootedbox
the physical man-in-the-middle attack

------
exabrial
From the article:

> It could well involve U.S. Postal Service employees (or another delivery
> service)

I find older generations put a lot of faith in the post office. For instance,
one of my investment banks, "in order to securely reset your online password",
literally snail-mailed me a new PIN number.

Some day, I'd like to be able to register public keys with my bank's
blockchain and have them only authorize purchases if the itemized invoice is
signed by an active private key. One can dream.

------
excalibur
Problem: Chips are too easily removed from and transferred between cards.

Solution: Put chips in humans instead.

[https://pbs.twimg.com/media/DQLzlRcX0AABygD.jpg](https://pbs.twimg.com/media/DQLzlRcX0AABygD.jpg)

~~~
theandrewbailey
Next problem: Chips are too easily removed from and transferred between
humans.

Solution: ???