Just because you are using the chip doesn't mean you are doing an EMV transaction. The unique transaction codes only happen with an EMV transaction; almost every time you dip your card it's a regular old card transaction, just as if you swiped the card. Why?
Getting EMV certified requires every part of the transaction chain to go through unified system testing, for each combination of hardware, software, card type, processor, issuing bank.
I've been eyeballs deep in this nonsense for the last year or so. We just can't justify the expense of getting EMV certified, so we just accept the chip and do a regular transaction.
As a consumer you have no way of knowing if your transaction is an EMV transaction or just a chip-enabled regular transaction.
I have also designed security protocols to keep the data and keys from the bad guys, including things like Key Injection Facility, loading and exchange protocols, etc.
These things (terminals, cards, HSMs) can be extremely safe. Not only are there protocols available that to my knowledge have never been breached, but the devices themselves are also built in a secure manner to prevent physical attacks. The entire infrastructure can be made so that no single employee can get hold of any secret material.
The truth is that there is a range of solutions, and the secure ones cost. It costs to set them up and use them correctly. It costs to produce a chip card that can dynamically sign and encrypt the data. It is up to the issuer (bank) how much they pay for the security of their card, and typically banks are not too eager to overpay. Rather, they take a calculated risk.
Another problem is that North America is particularly behind in security standards. I remember, while working on this application (10 years ago) there was much more leniency for US users (issuers, acquirers) than the rest of the world.
They aren't 'cracking' Key Injection Facility or messing with protocols. They just add a simple card reader? The reason they hit gas machines is the volume and most don't take chips (US).
For the fraudster to receive any funds from my account they would have to go with that data somehow to my issuing bank and have their transaction request accepted.
My bank will never do this because my card is a secure one. They expect it to generate a signed document listing the details of my transaction along with the name (ID) of the merchant and terminal performing the transaction. The message also certifies that the PIN I entered was successfully verified by my card. The message can only be created by the card using my PIN. This requires the card to be stolen along with the PIN.
The only money I can lose in case my card is stolen without the PIN is up to a floor limit for offline transactions. It's peanuts, but it allows for quick transactions, for example from vending machines.
The gist of the story is to move to a bank that cares for security.
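To make the issuer-side check described in the comment above concrete, here is an added example (not the commenter's code, and not any real issuer's or card scheme's implementation). It models the "signed document" as a MAC over the transaction details plus the card's own PIN-verification result, with HMAC-SHA256 standing in for the DES-based EMV application cryptogram; the card record, field names, the ATC replay rule and the no-PIN floor-limit policy are all assumptions for illustration.

```python
import hmac
import hashlib

# Constructed issuer records: card-unique key (in reality held only in the chip
# and the issuer's HSM), last accepted Application Transaction Counter (ATC),
# and an assumed no-PIN floor limit in cents. All values are made up.
ISSUER_CARDS = {
    "4111111111111111": {
        "key": b"card-unique-key-never-leaves-the-chip",
        "last_atc": 41,
        "no_pin_floor_cents": 2500,
    },
}


def card_cryptogram(key: bytes, atc: int, amount_cents: int, merchant_id: str,
                    terminal_id: str, pin_verified: bool) -> str:
    """What the chip produces: a MAC over the transaction details and the
    result of its own PIN check. HMAC-SHA256 stands in for the EMV DES-based
    application cryptogram; without `key` it cannot be forged."""
    msg = f"{atc}|{amount_cents}|{merchant_id}|{terminal_id}|{int(pin_verified)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def chip_build_request(pan: str, atc: int, amount_cents: int, merchant_id: str,
                       terminal_id: str, pin_verified: bool) -> dict:
    """Card side: assemble the online authorisation request the terminal forwards."""
    key = ISSUER_CARDS[pan]["key"]  # modelled: only the chip holds this key
    return {
        "pan": pan, "atc": atc, "amount_cents": amount_cents,
        "merchant_id": merchant_id, "terminal_id": terminal_id,
        "pin_verified": pin_verified,
        "cryptogram": card_cryptogram(key, atc, amount_cents, merchant_id,
                                      terminal_id, pin_verified),
    }


def issuer_authorize(request: dict) -> tuple:
    """Issuer side: accept only requests the chip demonstrably took part in."""
    card = ISSUER_CARDS.get(request.get("pan"))
    if card is None:
        return (False, "unknown card")
    if request.get("cryptogram") is None:
        # Skimmed PAN/expiry/track data arrives with no cryptogram at all.
        return (False, "no cryptogram: chip did not participate")
    if request["atc"] <= card["last_atc"]:
        # The counter must advance: a captured request cannot be replayed.
        return (False, "stale ATC: replay")
    expected = card_cryptogram(card["key"], request["atc"], request["amount_cents"],
                               request["merchant_id"], request["terminal_id"],
                               request["pin_verified"])
    if not hmac.compare_digest(expected, request["cryptogram"]):
        return (False, "cryptogram mismatch: details altered or key unknown")
    if not request["pin_verified"] and request["amount_cents"] > card["no_pin_floor_cents"]:
        # Simplified issuer policy for the floor limit the comment mentions.
        return (False, "no PIN and above floor limit")
    card["last_atc"] = request["atc"]
    return (True, "approved")


if __name__ == "__main__":
    good = chip_build_request("4111111111111111", 42, 5000, "M1", "T1", True)
    print(issuer_authorize(good))   # (True, 'approved')
    print(issuer_authorize(good))   # (False, 'stale ATC: replay')
```

The interesting cases are the negative ones: a request assembled from skimmed static data carries no cryptogram, a captured request replays with a stale counter, and changing the amount or merchant after the chip signed invalidates the MAC.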
Forgive my ignorance, but aren't most sellers in America willing to process transactions (even large ones) without PIN entry?
I realize pin-and-chip is a largely secure scheme, but the chip rollout in the US hasn't actually implemented a two-factor system.
While I don't doubt they're already out there, I don't recall ever seeing a gas pump in the US with a chip reader.
Also, it's at least worth noting that technology for skimming chip-based transactions already exists in the wild:
The "shimmers" take advantage of poor implementations of the EMV standard, but the chances strike me as fairly high that there's going to be a lot of poor implementations of EMV out there in the wild. (Not only is the less secure "chip and signature" approach common in the US, I've made more than one purchase with what could be described as "chip and nothing": put my card in a chip reader and make a purchase without being asked for either a PIN or a signature.)
Buy stolen CCs without pin in large volume
Set up online merchant account (eBay is common), use software to scrape and copy listings for popular products that cost less than the floor amount but more than your costs. When someone orders a product and the payment clears automatically put in an order for the product on a different website (preferably one that allows a guest checkout). Automate more and more parts of the process as time goes on (e.g. using a different card when one is declined)
Keep the transaction volume low and you're basically printing money at the rate of the difference between card info cost and item cost.
This is a pretty common tactic to monetize large volumes of CC#s.
It doesn't help that most merchants don't cross reference billing address with the bank and some don't require the security code.
Two years ago at defcon, someone presented on advanced skimmers that could read chips too. He claimed they need a network connection to work, as there's only a two minute window to reuse the same token.
This was noted in the article. There appears to be availability on the board for an extra connection.
Not quite. The one who gets your card info probably won't use it. They will more likely sell it. If the person who buys it can't use it, whoops, too bad.
And credit-cards are a testament to that.
1) transactions with card present (chip+PIN or signature)
2) transactions with card not present (someone types your card number into the terminal)
3) internet transactions (card number + CVV from the back).
I can set any of them to zero, effectively blocking the transaction type completely. So yes, while you can read the card number and exp date from the chip, you can't get the CVV number from the back of the card, which means it's only useful for the second type of transactions - and I don't see any reason to ever change the limit on that to anything other than zero - so any information gained from just skimming the chip/magstripe is effectively useless without the CVV written on the back.
The better solution is to have a bank with good reputation that expends effort in making your transactions safer.
- has their cards well issued (and I know this since I have worked as credit card terminal developer for many years and I know every detail of how cards are personalized and designed actual security systems),
- sends me a code to verify my internet transactions (remember not to use your phone to do internet transactions!),
- processes chargebacks without fuss unless there is a reason to suspect cardholder is trying to defraud the merchant.
Do you have time to explain?
I'm aware of the problems with using sms as 2FA but if I understand you correctly you mean something else?
(Around here most banks demand we use BankID which is typically downloaded to the sim card in the phone.)
If you were to enter your credit card details on the same device you use to receive codes (most likely your only mobile phone), the attacker having some kind of malware code could first steal your card information and then use your phone to receive the codes to complete the transaction.
This requires infecting just one device, so basically as a fraudster you create a malware and wait for people to have their phones infected. Then you defraud those that use phones for credit card transactions and either don't need separate codes to complete the transaction or use the phone for this.
It is much more difficult to get two devices infected that are used by the same user. This only typically happens in case of targeted attacks and is rarely seen.
My colleague at one of the companies I worked for lost the money he had saved to buy a flat this way. He got his phone infected with malware, and then over a few days he had all his money sucked out of his account in a series of increasing transactions.
Now I keep a low-limit branded gas card that can only be used at gas stations. Go ahead and skim me. All they can do is charge $30 worth of Munchos and beef jerky.
The thinking is that if either one of our cards gets compromised we can just replace that card; the third card will remain safe while locked up. That is unless the company or payment processor gets breached, which is a larger issue in itself.
For recurring payments I make a ShopSafe card per merchant. If one merchant has a breach all I should have to do is make a new ShopSafe card for them. All of the others should be unaffected.
If the underlying card is compromised and replaced the ShopSafe cards should continue to work as long as the underlying account is not closed.
This has worked out quite well. There are only three annoyances.
1. The interface is annoying. It is a small Flash window.
2. The expiration date can only be up to one year out.
3. Some merchants, like Amazon, use a variety of merchant names depending on what you are buying. For example, the shoelaces I bought recently from Amazon show up on my credit card statement as "AMAZON MKTPLACE PMTS AMZN.COM/BILLWA". The Kindle book I bought recently comes from "Amazon Services-Kindle 866-321-8851 WA". My subscription to the Kindle edition of "Analog Science Fiction and Fact" comes from "KINDLE-AnalogScien 866-216-1072 WA". (A few months ago, Analog came from "AMAZON DIGITAL SVCS 866-2866-216-1072 WA"). I also see in my Amazon purchase history things from "Amazon.com AMZN.COM/BILLWA".
Dealing with that would require five ShopSafe cards, and picking the right one for a given purchase.
There is a workaround I've heard for this with Amazon, but have not gotten around to trying. Buy Amazon gift cards with a ShopSafe card, and use them to pay for everything else.
Bank of America. I believe that Citi has a similar feature.
We don't touch the debit card attached to our checking account unless there's no choice, however - which is usually just WinCo when we can't get what we want (or get what we want for a reasonable price) at Fred Meyer or Albertson's. All of our credit cards have $0 liability, and worst case if someone skims them and maxes our limits we have to temporarily switch to a backup card while the charges are reversed and a new card is mailed - someone draining my checking account leaves me with the inability to pay rent, electricity and gas and Wells Fargo is happy to drag their ass on reversing unauthorized debit card payments.
My cards have been compromised by Target, Home Depot, and other vendors. I never know exactly who, just get the notice from the bank that I'm getting a new card.
The side benefit for me is that these small transactions keep the cards active with regular on-time payments.
If one of them is compromised, I only have one or two recurring payments instead of having to change all of Netflix, Ting, Comcast, Virgin Mobile, Google Play, Apple, NY Times, WSJ, etc.
I've probably had 5 cards compromised in the past decade. The biggest hassle is changing recurring payments. I don't track them, I just do my best then wait for the bills to fail. What's annoying is sometimes they keep successfully charging my account for 4-5 months before failing. How they're able to bill the old number I don't know.
But yeah, they just call you and send you a new card. No need to select which transactions are fraudulent typically -- or at best 2 mins on the phone. No big deal.
Sucks when you're overseas but google voice + headphones and then Apple Pay means your new card is active the minute it's issued, even if you won't get it in the mail for 2 weeks.
As a consumer using a debit card, you have lots of exposure. Bounced transactions, lots of paperwork and more bureaucratic pitfalls.
Credit cards with premium issuers are just a minor hassle. With Amex or Citi, you literally just need to click. With lousy issuers, you can be stuck dealing with a breach event for a long time.
Where do you think the cost of losses goes? To the consumer via higher prices...
By the way, do you have any reference on this? Everywhere I've searched, chip seems synonymous with EMV.
Every chip or contactless transaction is an EMV transaction. This is by virtue of EMV being the protocol that the terminal uses to communicate with the card.
EMV allows for different types of transactions with different level of security.
For example, if the transaction can be done offline (gas pump unattended terminal situation) AND executing the CVM rules (both terminal and issuer have their own rules) points to the possibility of exchanging an encrypted PIN, the PIN can be sent safely encrypted to the card for verification.
If the card or the terminal does not support encrypted verification then the PIN can be sent in the clear and vulnerable to skimming.
> Every chip or contactless transaction is an EMV transaction.
But the parent comment I was replying to says:
> Just because you are using the chip doesn't mean you are doing an EMV transaction.
I presume you're saying he's wrong in this? Or am I misunderstanding what you both mean?
I'm also confused by the PIN thing you mention. Why is there a PIN at all, and why is there an "encrypted PIN exchange"? We're talking about the US, right? The US is chip & signature, and there is no PIN involved. I thought it was supposed to be that the card generates a unique one-time authorization code (public-key signatures?) and the bank validates it? Where does a PIN come into play?
- no verification (just read magstripe or magstripe equivalent from chip or contactless card that does not have any more advanced verification mechanism)
- static verification - for chip, the card sends a static signature along with the data so that the terminal can verify the electronic signature
- dynamic verification - for chip, the card accepts a challenge and generates a response so that the terminal can verify the signature. This also makes it much more difficult to copy the card, because it is not enough to copy the available data; you also need to copy the key that is embedded in the card.
- no verification -- sometimes no cardholder verification will be performed (for example contactless under a certain limit, unattended terminals without PIN capability, or on a plane, where there are special rules for airline terminals because people are typically verified separately)
- Signature -- this is where US is stuck it seems
- offline plaintext PIN -- cardholder enters pin, terminal sends the pin to the card, card responds if the pin is correct -- this is the source of most of the skimming problem
- offline encrypted PIN -- same as above but the pin is being encrypted with a key established securely with the card. This is safe but the cards cost more.
- online PIN -- the PIN is never exchanged with the card, it is encrypted and sent to the bank and bank decides whether it likes it or not.
- floor limit -- sometimes the transaction can be agreed between the terminal and the card. Typically there is some information stored on the card and set of rules that decide that this is possible. The card may be decreasing a limit of funds available offline and when it hits the limit it will force you to perform full chip transaction.
- online verification -- the message goes online to the bank and bank decides.
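The CVM choice described in the list above is not improvised by the terminal: the card carries a CVM List (EMV tag 8E) of (method, condition) rules, and the terminal walks it against its own capabilities and the transaction amount. The following added example (mine, not the commenter's code and not from any EMV kernel) parses a constructed CVM List and selects the method the way EMV Book 3 describes; it models only byte 2 of the Terminal Capabilities (tag 9F33), assumes the transaction is in the application currency, and uses made-up amounts and rules.

```python
# CVM codes (EMV Book 3, CVM List tag 8E) and the Terminal Capabilities
# byte 2 (tag 9F33) bit each one needs. Only byte 2 is modelled here.
CVM_NAMES = {
    0x00: "fail",
    0x01: "plaintext PIN (offline, verified by the card)",
    0x02: "enciphered PIN (online, verified by the issuer)",
    0x03: "plaintext PIN (offline) + signature",
    0x04: "enciphered PIN (offline, verified by the card)",
    0x05: "enciphered PIN (offline) + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
CVM_CAP_BITS = {0x01: 0x80, 0x02: 0x40, 0x03: 0xA0, 0x04: 0x10,
                0x05: 0x30, 0x1E: 0x20, 0x1F: 0x08}

# Constructed CVM List: X = 5000 (amount in minor units), Y = 0, then rules:
#   44 03  enciphered offline PIN if the terminal supports it, else next rule
#   41 03  plaintext offline PIN if the terminal supports it, else next rule
#   5E 03  signature if the terminal supports it, else next rule
#   1F 06  no CVM if the amount is under X; no fallback after this one
#   00 00  otherwise fail
SAMPLE_CVM_LIST = bytes.fromhex("00001388" "00000000" "4403" "4103" "5E03" "1F06" "0000")


def parse_cvm_list(data: bytes):
    """Split tag 8E into amount X, amount Y and (fallback, cvm_code, condition) rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    # Rule byte 1: bit 7 = "apply next rule if this one fails", bits 6..1 = CVM code.
    rules = [(bool(data[i] & 0x40), data[i] & 0x3F, data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules


def terminal_supports(code: int, caps: int) -> bool:
    need = CVM_CAP_BITS.get(code)
    return need is not None and (caps & need) == need


def condition_met(cond: int, amount: int, x: int, y: int, tx_type: str, supported: bool) -> bool:
    """CVM condition codes (byte 2 of a rule)."""
    return {
        0x00: True,                                   # always
        0x01: tx_type == "unattended_cash",
        0x02: tx_type not in ("unattended_cash", "manual_cash", "cashback"),
        0x03: supported,                              # if terminal supports the CVM
        0x04: tx_type == "manual_cash",
        0x05: tx_type == "cashback",
        0x06: amount < x,
        0x07: amount > x,
        0x08: amount < y,
        0x09: amount > y,
    }.get(cond, False)                                # unrecognised condition: bypass the rule


def select_cvm(cvm_list: bytes, terminal_caps: int, amount: int, tx_type: str = "purchase") -> str:
    """Walk the rules in order and return the name of the CVM the terminal would perform."""
    x, y, rules = parse_cvm_list(cvm_list)
    for fallback, code, cond in rules:
        supported = terminal_supports(code, terminal_caps)
        if not condition_met(cond, amount, x, y, tx_type, supported):
            continue                       # condition not met: skip regardless of the fallback bit
        if not supported:                  # also covers code 0x00 and unknown codes
            if fallback:
                continue
            return CVM_NAMES[0x00]
        return CVM_NAMES[code]             # the terminal performs this CVM
    return CVM_NAMES[0x00]                 # list exhausted


if __name__ == "__main__":
    for caps, label in ((0xB8, "full PIN pad"), (0xA8, "plaintext PIN only"),
                        (0x28, "signature only"), (0x08, "unattended, no CVM")):
        print(f"{label:20s} -> {select_cvm(SAMPLE_CVM_LIST, caps, 6000)}")
```

Running it shows the point made in the list above: the same card lands on offline enciphered PIN, plaintext PIN (the skimmable case) or signature purely depending on which capability bits the terminal advertises, and an unattended terminal with no CVM support gets "no CVM required" under X and "fail" above it.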
>- offline encrypted PIN -- same as above but the pin is being encrypted with a key established securely with the card. This is safe but the cards cost more.
what's the difference between the two? can't the attacker put a physical keylogger on the pin pad?
The problem comes from physically stolen cards: if your card doesn't rely on cryptography to secure the request/response channel, you can insert a shim between the reader and the card to fake acceptance of an arbitrary PIN. This specific attack has already been demonstrated, and if my memory serves correctly it's already being used in the wild.
I'm in the US and the credit card I have through my credit union requires a PIN on chip transactions.
It's all a stopgap measure on the way to chip and PIN anyway. Once everyone is used to EMV and all the terminals have been replaced, we'll have a sunset on swipe and then move to chip and PIN, which will be a minor upgrade. This will all take time. Let's remember the United States has a quarter of the world's credit card transactions, but only 4.5% of its population. It's a very big CC market and change isn't going to come quickly.
After about 3 cycles, it gives up and accepts the magstripe (plus the pin)
Often it will just deny the transaction completely and the shop queue grows _looong_
Later, before the new card arrived, I tried using the old one again and it worked, so I just chalked the whole thing up to those two stores likely using the same payment processor that was having issues that day or something.
What do you do when the chip and PIN fails?
Since all of the laws revolve around signing, we don't get PINs.
There is a second wrinkle to this for Europe: because there is no equivalent to these laws, in many cases Europeans are the ones completely on the hook for fraudulent transactions, as the correct PIN being entered is seen as evidence of the consumer having leaked it. So in cases of fraud the U.S. chip-and-signature winds up protecting the consumer much more.
Maybe in your region of the USA chip and signature is prevalent but in my experience (SF bay area) every chip transaction has required a PIN.
Or perhaps it's your card-issuing bank?
AFAIK ALMOST NO US-based banks issue chip+pin credit cards. Only chip+signature. Debit cards are indeed chip+pin, but in USA you'd have to be careless to ever use a debit card anywhere but an ATM.
Chip+PIN doesn't really exist for US CCs. I've set up PINs on a few cards but they only work overseas where the terminal refuses signature.
I haven't seen anyone or myself swiped in about 10 years, and that was only because the chip reader wasn't working at the time.
A lot of this has to do with Quick Chip, which forgoes writing the host authorizer ID to the credit card's chip thus simplifying and shortening the transaction. QC rollouts happen at whatever pace retailers want, so you'll see some shops using QC and others that don't.
Having a requirement that all vendors use chip-enabled cards simply increases the cost of producing each cloned card; so the goal is to raise the cost of committing the fraud.
At least that is my understanding.
Updating your POS system to chip-and-PIN doesn't help if there's no infrastructure (or reliable infrastructure) to plug it in to.
Yellowstone is the size of Cyprus, and Death Valley is the size of Montenegro, to use two examples without much internet access. Alaska is three times the size of the Iberian peninsula and most of it does not have internet (though to be fair most of it has no population or tourism).
The places I've seen either use that or accept cash only.
Sadly, this isn't all that "outdated" here. There are still lots of places in the U.S. that don't use the chip and basically none -- does anywhere? -- use a PIN with it. I don't even know if I have a PIN on any of my credit cards, much less what it is.
>Your credit card is a chip and signature card with Personal Identification Number (PIN) capability. In most cases when you travel abroad, you'll be asked to sign for your transaction. However, at some unattended terminals, such as train ticket kiosks, you may be asked to enter your PIN instead of signing.
But on the plus side, maybe it will motivate the hotel to implement a more secure payment system?
edit: Didn't see other reply
Even today, two years after the supposedly "drop dead date" for switching to chip cards, 40% of my transactions are by swiping.
0 - There are other reasons, like some ATMs reading the magstripe to ascertain whether a card has a chip and then prompting the user to leave the card in place. I've only encountered older ATMs that do this but it is another reason. But the most common one is that outside-the-U.S. issuers want their cards to work inside the U.S. if a customer of theirs travels there.
I live in San Diego; 8/10 places where I shop still have the chip slot taped closed with a handwritten message "Does not work".
Once it was demonstrated to me, I went back and found out the cards I've had since 2013 (pre-chip).
So let them have it, why should I care and endure the security risk? I've never been to the USA nor am I planning to (at least not unless they fix that gestapo-like border control), but still my every card has a magstripe waiting to get skimmed. If I ever need to go to the USA, I'll get a suitable card.
Because banks the world over are notoriously slow about doing anything that might nudge even a fraction of a percentage of customers over to a competitor. If they removed magnetic stripes (which, in the short run, would cost a bank money because that's a specialty card) and said "just contact us if you're going to the States and we'll overnight you a States-compatible card, no questions asked," nothing would stop a competitor from running adverts that say "why wait 24 hours and worry about not getting your card? We issue cards that work in the United States from day one!" Now the person who made the decision to delete the magstripe from cards issued by the first bank is out of a job and so now you see why his or her interests didn't line up with yours.
It's the same reason why chip-and-PIN isn't primary in the United States; chip-and-sign is. Over here, customers have been trained that entering a PIN means the money comes out of a checking (draft/demand/deposit) account while signing means it goes "on the card." Trying to get that mindset changed is more costly than just eating the potential stolen-card-being-used-before-being-shut-down fraud for most issuers.
(Some credit unions, primarily catering to people who travel overseas, and smaller banks that want to differentiate themselves are issuing PIN-primary cards but they are definitely in the minority. I happen to have cards from three of them--First Tech, Spokane Teacher's, and Target--for reasons of security and international use but I am also in the minority. Amusingly, it's large merchants who want PIN-based cards because it puts the onus on the cardholder, not the merchant.)
It would be good to raise the bar, but it won't be an end-all solution.
At the end of the day, it's going to take quite some effort to move the entire payment industry to something more secure.
The current state of affairs is good enough in terms of cost for the banks vs loss from fraud.
EMV chip transactions and 3DSecure really ought to eliminate the vast majority of "card number stolen" fraud. Too bad it's all so poorly implemented.
Even if they see my PIN, they can't clone a chip, so what they are going to do with it?
• information required by the bank,
• information that the bank will check if you supply it,
• information that is not checked by the bank.
The first category, required information, is just the card number for most banks (and the amount to charge, of course).
The second category, checked by the bank if supplied, is everything except for the card number and the expiration date and the amount. This information is used for fraud control. If a merchant supplies it, the bank tells the merchant if it was correct. With many banks the credit card fees are slightly lower if this information is supplied. Even if the merchant supplies this and the bank says it does not match the merchant can go ahead with the transaction, although such transactions have a higher risk of fraud (and therefore chargebacks).
The third category, information not checked by the bank, is the expiration date. The expiration date check is at the payment processor, and that check is simply:
if expiration_date < current_date()
This is one reason why many people have gotten a surprise when they have had some kind of subscription they no longer wanted, and instead of actually cancelling it they just let their card expire and think the re-billing will then fail. There are three problems with that approach.
1. If the merchant marks a transaction as a recurring transaction some payment processors skip the expiration date check.
2. Some merchants include something like this in their re-billing code:
if expiration_date < current_date()
expiration_date = date_add(expiration_date, interval(3, 'years'))
It's also possible that there is more checking for transactions that are not flagged as recurring payments.
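To show how the three categories above interact with the re-billing tricks the comment quotes, here is an added example (mine, not the commenter's snippet and not any real processor's API). It models the behaviour the comment describes rather than documenting any particular acquirer: the field names, the `is_recurring` flag, the card-on-file record and the 3-year bump are all assumptions for illustration.

```python
from datetime import date

# Constructed card-on-file data the bank compares optional fields against.
CARDS_ON_FILE = {
    "4111111111111111": {"cvv": "123", "billing_zip": "94105"},
}


def processor_authorize(req: dict, today: date) -> dict:
    """Models the three categories: required, checked-if-supplied, not checked."""
    # Category 1: required. Only the card number (plus the amount).
    if not req.get("card_number") or req.get("amount") is None:
        return {"approved": False, "reason": "card number and amount are required", "checks": {}}
    # Category 3: expiry is not checked by the bank. The processor checks it and,
    # as the comment says of some processors, skips the check for recurring charges.
    if not req.get("is_recurring") and req["expiration_date"] < today:
        return {"approved": False, "reason": "card expired", "checks": {}}
    # Category 2: checked only if supplied; the mismatch is reported back to the
    # merchant but the transaction is not declined on it.
    on_file = CARDS_ON_FILE.get(req["card_number"], {})
    checks = {f: req[f] == on_file.get(f) for f in ("cvv", "billing_zip") if f in req}
    return {"approved": True, "reason": "approved", "checks": checks}


def bump_expiry(exp: date) -> date:
    """The merchant-side step quoted above: push a lapsed expiry 3 years out."""
    try:
        return exp.replace(year=exp.year + 3)
    except ValueError:          # 29 Feb landing on a non-leap year
        return exp.replace(year=exp.year + 3, day=28)


def merchant_rebill(card_on_file: dict, amount: int, today: date, strategy: str) -> dict:
    """Re-bill a subscription whose stored card has lapsed.
    'recurring' relies on the processor skipping the expiry check;
    'bump' rewrites the stored expiry the way the quoted snippet does;
    anything else submits the stale expiry as-is."""
    req = dict(card_on_file, amount=amount)
    if strategy == "recurring":
        req["is_recurring"] = True
    elif strategy == "bump" and req["expiration_date"] < today:
        card_on_file["expiration_date"] = bump_expiry(req["expiration_date"])
        req["expiration_date"] = card_on_file["expiration_date"]
    return processor_authorize(req, today)


if __name__ == "__main__":
    today = date(2019, 3, 1)
    lapsed = {"card_number": "4111111111111111",
              "expiration_date": date(2018, 12, 31), "cvv": "999"}
    for strategy in ("none", "recurring", "bump"):
        print(strategy, merchant_rebill(dict(lapsed), 1999, today, strategy))
```

Under this model, letting the card lapse only stops the naive merchant; the other two strategies keep charging, and the wrong CVV in the constructed sample shows up as a reported mismatch on an approved transaction, which is exactly the "checked if supplied" behaviour.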
Trying to use a non-US card in the USA is a pain: most online shops or machines (e.g. NYC Metrocard) require a 5 digit ZIP.
Cards from elsewhere don't have a 5 digit ZIP to enter. So usually I can't use those websites, at least if it's a machine I can pay cash.
Payment should require some kind of private information, either from the chip, or from the head of the owner (like a PIN), but preferably both.
> Get rid of the magstripe and bad
> actors will steal your card info
> using cameras
I've written in my other comment that I did ask. The answer was "it is not possible".
In so many ways going from Canada to the USA feels like going back in time, and swiping a credit card is always one of them.
Well, we're relatively slow.
That is to say, after inventing credit cards we now have a lull in innovation and feature adoption.
I catch myself falling into that trap.
But since most internet commenters never go anywhere, they buy into the "US is old and backwards and dumb" cliche that makes them feel superior to everyone else.
Because I am the OP of this comment chain, I feel that is directed at me.
For reference, this is me - http://theroadchoseme.com
I like to think I have been a few places, lived a few lives.
I'd blame the 5 companies that control 50% of global credit card terminals that decided to keep things low cost in the US. Much of the blame probably also rests on the 5 banks that issue the majority of the credit & debit cards in the US.
In fact I believe the current chip rules are there just to hobble new entrants in the space. Probably 10-20 startups like Square built readers that they provided for free or nearly free and gave millions of units away. Many of these are garbage as a result, and all of the mag readers will be eventually.
The chip (with conspicuously missing PIN) legislation was a pretty expensive attack on all of those companies, intentional or not.
Considering that Canada's GDP is a rounding error compared to the United States, it's going to take a while for any payment method change to spread nationwide.
That said, I've run into far more "cash only" situations in Canada than in the U.S.
In Australia you pay for fuel after filling up, and one fuel station owner is dealing with an average of a driver or two a day who is unable to pay for fuel.
They don't carry cash, the chip/EMV is failing and they don't have the mag stripe linked to a facility since they're often debit cards.
Apparently the failure rate on phone based payments is also high(er).
It's one of those issues I wouldn't have considered before speaking to retailers.
The problem with a cashless society really is that you assume the tech is reliable. Unfortunately, that's often not the case.
I know you're speaking of NFC chips in cards, but you might know — Does the phone version (Apple Pay/Android Pay/Samsung Pay) still work when my phone's battery is dead?
Though theoretically your phone could have a RF-powered NFC chip in it that took over when the phone is off...
I look forward to having banks issue cards without any mag stripe on them.
Again, that's a US-centric thing. Here in Europe, there's >99% cellular coverage (the remaining 1% is usually deep woods and mountains), so it's not a problem. What I don't get is why the rest of the world must still have magstripe and be open to the related risks, when virtually nobody uses it. I've never seen anyone using magstripe over here or seen a place accepting it, but I hear about skimmed/cloned cards and emptied bank accounts regularly.
If you are really concerned about having your card skimmed, you can take any simple magnet and erase/scramble the data by waving it over the mag tape.
You can check that things worked by swiping before and after at some place where they'll let you swipe (or by making/buying a reader).
Because, like it or not, it doesn't make economic sense for the issuers to remove them.
The US is still a place where a lot of transactions are done, and despite the last 10-15 years of immigration bullshit, a ton of people still visit the US from abroad. A non-US card issuer isn't going to spend money to get a custom card without a mag stripe in the first place, and also then be at risk of losing customers who do travel to the US. Offering a special mag-stripe-free version of the card for an extra fee likely isn't worth it to them either, especially when they're fine eating the cost of fraud, and don't care that canceling your card is an inconvenience to you.
Magstripe is historically a fallback mechanism for when the chip on the card or the reader in the terminal might be damaged.
There is also a class of terminals that may not have a chip reader at all; for example, airlines didn't bother with chip at all for a very long time.
That's nicely solved with contactless. You get immediate confirmation that the card was accepted but the terminal still confirms online. The feedback comes 3-5 seconds later. That still allows the retailer to stop you if the card was declined but you can already use the time and don't have to wait until you can remove the card.
I'm not an expert in PIC assembly, but it seems there is very little code and there are no obvious code paths, like a switch/case-like construct for processing the serial commands. Lots of I/O and not much more. Most likely they are not decoding the magstripe data in the PIC but just get the decoded data and store it.
Edit: And the reset vector begins with a branch to location 0x001ACA, which is all zeroes, so I'm pretty sure most of the firmware was not read out due to the code protection.
I have no idea if this is legit or not. I doubt your law enforcement would let you access their services anyway.
Edit: My guess would be they work with industrialized de-capping + software to dump the memory, like this:
There are other "chip intelligence" companies in the US, some of which probably have such services. At a different cost.
At that point the employees could just make it part of the standard inspection and it'd be more obvious to customers if they were missing.
"extremely difficult to source" is a link to an ebay page with thousands of different security seals.
From what I've seen about gas pump locks, they look about as "secure" as those round keys that came with every IBM AT-clone in the early 90's. They kept the weak and the ignorant out, but you could unlock your buddy's rig at will.
> Are you angry that your card has been stolen, again? Contact your local congress person or senator and ask them to pass legislation that fines gas stations $100 for every card that is discovered on a skimmer in one of their pumps. It’s ultimately up to the gas stations and pump manufacturers to secure their pumps.
Suggesting a solution like it's an easy fix always bugs me a bit. Would a 100USD fine actually work here? The issue seems more with the fact that the US hasn't upgraded to a chip&pin style system. You might end up just costing the gas stations more money, when they don't actually have the power to do much about the problem.
It feels a bit like victim blaming, when in this case the victim has little choice but to work with the system as they find it.
The way I understand, after the 2020 deadline, gas stations will be liable for fraudulent charges (or at least associated fees).
Also, I've had my debit card skimmed twice in the past 3 years. A smart gas station (or chain) would pay to put chip readers in NOW and advertise that feature. I'd go there exclusively.
Huh. I suppose that is the one advantage we have in Oregon where we are not allowed to pump our own gas.
Yeah. The number of cases being reported would go down when gas stations start throwing skimmers they find in the trash instead of calling the cops.
Most stations do what they can with security seals, frequent inspections, I've even seen some that install hardware-store hasps and padlocks on the pumps.
I do wonder why they have not converted to chip cards though. Almost all other retailers have.
> Essentially, the perpetrator opens a pump using one of a few master keys, unplugs the credit card reader from the main pump controller, plugs the card reader into the skimmer and plugs the skimmer back into the pump controller. This reportedly takes less than 30 seconds.
So I'd say that at least those stations whose pumps can be opened easily with a master key should be liable if their careless handling of customer data leaks credit card details to skimmers. A fine would put additional pressure on the pumps with the worst security and might eventually lead to widespread deployment of something like the alarm system proposed at the end of the article.
So it's not clear that these things are purely under the gas stations control and that a simple fine would solve the issue.
Alternative solutions might include:
1. Mandating stronger security certification of public facing card readers.
2. The police more aggressively prosecuting these offenses (raising the cost to criminals who are caught and making the offense less profitable).
I don't have complete information, so it's not clear to me which solution is best. But it doesn't seem obvious and simple.
I guess in both cases what they can do to prevent those things from occurring at all is limited. Is anyone arguing that they don't monitor for skimmers on a regular basis? It's just that the criminals keep putting them back.
(Not sure if this is how it works outside of the US, but we currently have cards with both magstripes and chips. You use the chip where it’s supported, the stripe where it isn’t.)
Everywhere else is Chip+Signature.
Are you thinking of Debit Cards? (I won't use these. I got my bank, BOFA to issue me an ATM card that's not a debit card.)
I don't think anyone swipes cards unless there is something wrong with the payment terminal. Even vending machines are tap and go.
I believe that the magnetic strip can still be used for certain low-value transactions by stable merchants (e.g. street parking meters) but such exceptions are rare. Certainly never the case in a normal retail situation.
Of the dozen times i've tried it i've been prompted once to sign - and in that case the card had no signature on it and the merchant waived it away.
I'm in the process of figuring out the scope of this issue and how to fix/report it - I think the solution will be for terminals to enforce prompting for ID/signature
Don't bother, the merchants and card issuers are well aware of this. You're supposed to reconcile your card statement with your expected transactions, and dispute irregularities. If you attempt to fraudulently claim that you didn't perform a transaction, the issuer goes to the merchant to get a copy of the signature and uses it as proof you authorized the transaction.
If a fraudster forged your signature, you simply assert that the signature is not yours. If you attempt fraud here (sign in an unrecognisable hand), the fraud investigations will try to put you at the scene with CC TV recordings/handwriting matching/etc. Hopefully you have not signed any affidavits that the signature is not yours, because then you'll be up for perjury as well as fraud.
If the payment is <= 30 GBP, it's an offline transaction as well. Anything over that amount triggers a round trip to the backend servers.
As an aside, it's now perfectly possible to live a cashless life in the UK if you wanted to.
That said, I think ATMs read the mag-stripe... but I don't really use those either these days.
It's still online (card-present check), but skips authorisation (no PIN needed).
Perhaps in London. Try spending a long weekend in Torquay.
When implemented there was a liability shift. But as always the US is far behind the rest of the world.
In Denmark the chip was added in 2004, and fully adopted 4-6 years later.