
The credit card industry is still on dial-up while thieves are using broadband - shasa
http://business.time.com/2014/01/18/your-debit-card-is-much-more-dangerous-than-you-think
======
andybak
Wait - you're still using magnetic strip cards in the US?

The recent mentions of EMV had me thinking there was some new type of security
that improved on Chip and Pin but no - you haven't even had that yet.

What was the hold-up? This was launched in the UK _ten_ years ago.

~~~
cbhl
Merchant adoption.

Nobody wants to pay for new EMV-capable payment terminals; heck, at a
conference I went to two years ago, people were still using _carbon copy_
credit-card processing machines (!).

In the SF Bay Area, every merchant that uses Square as a payment processor can
only process mag-stripe transactions. Square supports neither Chip and PIN nor
NFC/PayPass/PayWave transactions -- by design. (This leads to a "better
customer experience", IIRC.)

OTOH, the huge machine-learning machinery built by credit-card processors in
the US has helped mitigate much of this risk; I've had enough false positive
declines that I'm confident that the fraud-prevention systems currently used,
while expensive, work in 90+% of cases.

Edit: I should mention that in Canada, Chip-and-PIN roll-out occurred
concurrently with the roll-out of NFC/PayWave/PayPass, so the "increased"
security of PIN was offset by the ability to read your credit card wirelessly.
The banks mitigate this by limiting PayWave/PayPass transactions to ~$100
(it's meant to be used for things like going to McDonald's or Tim
Horton's/Starbucks).

~~~
bowlofpetunias
I think the problem is that the US never made the jump to instant Debit Card
payments in the first place, and is still stuck in a world of using either
Credit or cash.

In the Netherlands, cash is on the way out due to the massive adoption of
instant Debit Card payments for even the smallest purchases. Merchants prefer
not to handle cash because it's safer (robbing a store with no money is
pointless) and cheaper (no dealing with money transports, deposits, counting
the registers, having change on hand). Compared to all of that, getting card
terminals is cheap.

Using the same system for Credit Cards is mostly just a side-effect of the
push to eliminate cash. It's also the reason Credit Card usage isn't all that
widespread in the Netherlands. They're only used for big ticket items
(sparingly), on vacation and for international online purchases.

~~~
frandroid
Huh, the U.S. has debit, what are you talking about?

~~~
cbhl
I was under the impression that PLUS was simply used at ATMs. By comparison,
many merchants in Canada accept Interac.

The fees for Interac are typically rather low (IIRC, a monthly fee plus
$0.50/transaction) compared to Visa/MC (some percentage of the sale, depending
on risk).

Debit transactions through Visa/MasterCard generally just give you the worst
of both worlds (high merchant fees, _and_ transactions affect your checking
account balance instantly).

~~~
maxerickson
There are multiple debit networks in the U.S.

I'm not sure about the fees, but I'm under the impression they are lower than
credit (mostly because POS systems are set up to prefer PIN style
transactions).

------
digitalengineer
Security in Europe? We've had groups taking over unmanned gas stations and
cash machines with our 'secure' pin. Their latest method of attack: Stand in
line and spot the pin-code (just 4 numbers). Distract the person when the
machine is about to give back their card and swap it for another card (a dummy
that looks like it's theirs, nobody reads the card anyway). They now have your
PIN and your card. With the card and the PIN they access your bank- and
savings accounts. The target doesn't know it until they check their account
(usually after some days). The bank will not block large transfers of money
and won't notify you.

What could the bank do? Well, they already have my cellphone number. An SMS
with "you're about to transfer XXX to bank account YYYY" would be nice. Or
MAC-address safety? Allow me to add machines the way Apple does with their
iPhone. Instantly block all other machines.

Edit: Solutions

~~~
darklajid
What's your point? That someone can get his/her card stolen? And that a PIN
might be seen by an observer?

That's still orders of magnitude better than 'No PIN'. And frankly, if you
allow others to see your PIN you are not properly educated by your bank (I
sometimes see elderly people do that and they get a pass from me) or
reckless/careless (in which case I have no sympathy).

Of course attack vectors exist. They always do. This very site talked about
card skimmers a couple of times for example, which copy the magnetic stripe
and record the PIN at the same time. As soon as you mix social
engineering/clever people in the mix you have boundless opportunities. But
that's a different terrain, attacking the person in front of the ATM and not
the technology.

In reply to your potential solutions: That 'Send SMS to phone' is implemented
over here - I get my transaction codes for my mobile banking site via SMS and
the message specifically restates amount and target before the TAN itself.

~~~
digitalengineer
They use miniature cameras in blind spots for the person using the machine,
transparent foil on the numbers or even completely dummy covers on top of the
real covers with prepaid phones sending the data immediately. My point is the
bank can do so much more (and so easily) but they do not care. Your Credit
Card acts as a buffer if I understand correctly. You can get the money back,
right?

About my PIN? Yeah, it doesn't work outside my country. In just 1.5 hours'
drive you can use that card abroad without the PIN. The banks have now blocked
this by blocking the card abroad. So I need a Credit Card as well...

My friend works for the biggest payment system we have around here. They do
not care about these systems as they're focusing on a society without
PIN/Credit Cards. Cool of course, but for now we're stuck in 1980.

~~~
bowlofpetunias
Wait, what? What Debit Card do you use that works without PIN?

~~~
dagw
Not all places have chip+pin terminals. All debit cards I've used (in Sweden)
let you swipe and sign a receipt in place of typing your PIN.

~~~
digitalengineer
Yes, that's what happened to me as well (vacation in France, some time ago). I
was shocked. There was no protection if I lost my card.

------
cynwoody
> _For years, consumers in Europe and many other countries have used a
> technology called EMV (for Europay, MasterCard and Visa), created in the
> mid-1990s that makes it possible for retailers to confirm payments locally
> instead of placing a call to your bank. That’s possible because of a chip on
> the card that requires you to tap in a PIN code at the point of purchase.
> Simple. Safe. Secure._

Nope. All that proves is that you own the card. It doesn't imply that the
transaction is worthy of approval by the bank.

It needs to be a three-way conversation between the merchant, you, and your
bank. The merchant is represented by his POS. You are represented by your
phone. And the bank sits somewhere in the cloud. The merchant presents the
bill to your phone. You approve the charge by entering a code on your phone.
Then the bank approves your approval, and the transaction is complete.
Everything is encrypted, and there is nothing to skim.

~~~
Anechoic
_The merchant presents the bill to your phone. You approve the charge by
entering a code on your phone._

This requires a) having a mobile phone, and b) having a properly-working
mobile phone (battery charged, able to receive a signal, etc). That's a lot to
ask for a lot of people in a lot of locations. If a device representing a
third party is required, we'd be better off with an RSA-type key fob.

~~~
cynwoody
That would also work, although there would be the problem of stolen key fobs.

The point is not to have replayable data streams (mag stripes) available for
interception and abuse.
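
The distinction cynwoody draws here between replayable stripe data and an
approval bound to one specific transaction (the same principle behind the
SMS/TAN messages darklajid describes further up, which restate amount and
target before the code) can be shown with a small simulation. The Python
below is an added example, not code from the article or from any commenter.
The card key, PAN, merchant names and the HMAC-SHA256 "cryptogram" are
constructed stand-ins; real EMV uses different key hierarchies and MAC
algorithms, but the property demonstrated (static data authorizes anything,
a MAC over amount, merchant, terminal nonce and card counter authorizes only
that one transaction once) is the same.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration; not real card or key material.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # key shared by card and issuer
PAN = "4111111111111111"                                        # widely used test PAN
EXPIRY = "2512"
SERVICE_CODE = "101"
MERCHANT_A = "merchant-A"
MERCHANT_B = "merchant-B"


def magstripe_track(pan: str, expiry: str, service_code: str) -> bytes:
    """Static data a stripe reader returns: identical on every swipe."""
    return f"{pan}={expiry}{service_code}".encode()


def issuer_authorize_magstripe(track: bytes, on_file: bytes) -> bool:
    """Issuer-side check for a swipe: the track only proves that whoever swiped
    holds a copy of the stripe; nothing ties it to this amount or merchant."""
    return hmac.compare_digest(track, on_file)


def chip_cryptogram(card_key: bytes, pan: str, amount_cents: int, merchant_id: str,
                    terminal_nonce: bytes, atc: int) -> bytes:
    """Chip-style authorisation cryptogram: a MAC over the transaction details,
    the terminal's random nonce and the card's transaction counter (ATC)."""
    msg = f"{pan}|{amount_cents}|{merchant_id}|{terminal_nonce.hex()}|{atc}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer that verifies cryptograms and remembers the last ATC it accepted."""

    def __init__(self, card_key: bytes, pan: str) -> None:
        self.card_key = card_key
        self.pan = pan
        self.last_atc = 0

    def authorize_chip(self, amount_cents: int, merchant_id: str, terminal_nonce: bytes,
                       atc: int, cryptogram: bytes) -> bool:
        expected = chip_cryptogram(self.card_key, self.pan, amount_cents,
                                   merchant_id, terminal_nonce, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # details differ from what the card actually signed
        if atc <= self.last_atc:
            return False  # counter did not advance: an already-seen message re-sent
        self.last_atc = atc
        return True


def magstripe_replay_succeeds() -> bool:
    """A skimmed copy of the track is indistinguishable from the card itself,
    and the check does not involve amount or merchant at all."""
    on_file = magstripe_track(PAN, EXPIRY, SERVICE_CODE)
    captured = magstripe_track(PAN, EXPIRY, SERVICE_CODE)  # skimmer's copy
    return issuer_authorize_magstripe(captured, on_file)


def chip_replay_results() -> dict:
    """Run one legitimate chip transaction, then show what the issuer does with
    the captured cryptogram under different conditions."""
    issuer = Issuer(CARD_KEY, PAN)
    nonce = secrets.token_bytes(4)
    atc = 1
    cryptogram = chip_cryptogram(CARD_KEY, PAN, 1299, MERCHANT_A, nonce, atc)
    legit = issuer.authorize_chip(1299, MERCHANT_A, nonce, atc, cryptogram)
    # Same captured cryptogram presented for another amount/merchant: MAC mismatch.
    other_amount = issuer.authorize_chip(99900, MERCHANT_B, nonce, atc, cryptogram)
    # Identical message re-sent: the ATC has already been consumed.
    exact_replay = issuer.authorize_chip(1299, MERCHANT_A, nonce, atc, cryptogram)
    # The next genuine transaction, with a fresh nonce and counter, is still accepted.
    nonce2 = secrets.token_bytes(4)
    cryptogram2 = chip_cryptogram(CARD_KEY, PAN, 450, MERCHANT_B, nonce2, 2)
    next_legit = issuer.authorize_chip(450, MERCHANT_B, nonce2, 2, cryptogram2)
    return {"legit": legit, "other_amount": other_amount,
            "exact_replay": exact_replay, "next_legit": next_legit}


if __name__ == "__main__":
    print("mag-stripe replay accepted:", magstripe_replay_succeeds())
    print("chip results:", chip_replay_results())
```

The ATC check is what turns "bound to these details" into "usable once": without it the issuer would still accept a byte-for-byte resend of an approved message. A TAN that restates amount and target is the same idea applied to the human channel, and it likewise needs a per-transaction counter or expiry so an old code cannot be re-entered.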

------
duhast
Costs of replacing infrastructure are higher than the costs of fraud. That is
the reason why nothing happens. Financial institutions know how to count
money.

~~~
streetnigga
10 years of fraud cost less than the implementation of chip and pin? EU banks
and finance firms must have folded half a decade ago under the crippling burden.

Thankfully these wise financial institutions know how to count monies,
offloading fraud costs into higher fees and fines for consumers and
businesses. Else we'd all be in a bad spot.

~~~
smackfu
Completely depends on how much fraud there is. Maybe there is much more credit
card fraud in the EU?

