0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).
So do we know if it would have stopped the Home Depot breach?
An important point to note is that, if banks want/care, they can put in place other safeguards that solve this problem, too. In Europe it is common for banks to text you a 6-digit PIN to confirm an online transaction, for example. There is no good reason not to do these things. It's still not perfect, but certainly much better.
> "I'm quite surprised by the blasé attitude the US has to card security."
Currently, if my CC information is stolen, I am not liable for any fraudulent charges. So why would I care?
CC security is for the CC companies and the merchants, not for the consumers. That is why Americans (with the exception of those with Europe Envy or those who are merchants) don't care. There is no reason for them to.
(In past discussions on this, somebody has mentioned that C+P would be beneficial for American consumers because it would mean less confused American tourists in Europe. The typical American does not vacation in Europe very frequently.)
Well, any retailer has to increase their prices by 3% to cover CC charges. Even the simple act of a place insisting on a minimum spend of X on a CC can put you in a situation to spend more than you need to.
You might not think you are paying for card fraud, but it's all priced into the products you buy.
My credit union has absolutely negligible fees and, since I don't carry a balance on my CC, I give them a negligible amount of money as well. The cost of merchant fees passed on to the consumer is not something that I notice and therefore not something that I care about. I really do not have a reason to want C+P.
Edit: clarifying - what I meant was that the US EMV cards will be chip and sig, not chip and pin. Most US cards are obviously still mag stripe. I'm traveling to Europe later this year so I was looking into the CC issues, and as a US traveler not being able to get an EMV card with pin priority is annoying.
Edit 2: jvm, not sure what you meant to link to, but that link just goes to the Forbes splash advert.
I have three cards. Only my debit/credit card has a chip and there's no PIN. I can press it against one of the few readers that support this (Walgreens, Subway) and it'll work. My other two cards don't even have this. Of course, if these guys are storing my card in a non-encrypted way, it's still the same issue as using swipe.
On the plus side Google Wallet works at Walgreens. I have yet to see any other brick and mortar support it. Paying for stuff with your smartphone is such a no-brainer. Shame Apple won't play ball with Google (or even put NFC in its phones) and Verizon is doing its own thing with ISIS and not allowing Google Wallet to be installed on any phones on its network. There's a lot of wrong here and it's not just limited to credit card number theft.
If we have a more diversified way to pay for things it could limit the damage when one method is cracked but the others aren't. Sure Target's credit cards got stolen, but imagine if we were allowed to use Google Wallet. We'd be immune to it.
I think the card you have is RFID enabled. They've been around for a while, and have some weaknesses (replay attacks [1], notably), against the ID they broadcast when inside an EM field.
The newer cards have a microprocessor inside them, with exposed contacts about 10mm from the left edge. With chip + pin transactions, the pin "unlocks" the payment authorization [2].
Only one of my cards is chip and sig, and I had to go out of my way to get it. It's not the default for all new cards, and certainly not for existing cards.
When my credit card expired recently I received a chip and sig replacement without requesting it. They're definitely starting to be offered by default.
I believe it is chip and signature... I got mine from Bank of America... no pin necessary when the chip is used (and it still has the magnetic strip for stores that don't have chip readers).
Even travelling through a lot of small towns in rural areas I don't think I've run into a magstripe-only reader in the past couple years at least.
There was a period where it was a guessing game every time you paid for something whether it was magstripe or chip (some locations even had a chip-capable machine, but didn't have the service enabled with their payment processor, so you still used the magstripe...).
It's not a blasé attitude. It's a chicken and egg situation. The credit card companies want to implement it but they need the stores to upgrade their point of sale hardware to accept the new cards. Stores say they won't upgrade their hardware until card companies release the cards.
When I last heard this discussion it went like this: Visa to store : "People have been asking us for chip + pin and we're ready! Just pay a one time fee of $199.99 for the upgraded reader and note that C+P cards carry an additional .5% service charge for the more complex handling they do."
Literally using it as a revenue generating opportunity and a way to raise fees. My friend who owns the store declined to participate as they weren't interested in raising their prices just to pay Visa more money. Had Visa come at it the other way, reducing fees due to likely less fraud it would have been a different story.
Literally using it as a revenue generating opportunity and a way to raise fees.
This is the crux of it. In the US, every change is an opportunity to raise margins. Vinyl to CD. Book to Kindle. It kills me when the dead tree version is less than the Kindle version, but it's the same thing at work as with C+P.
How is that? I have a Chip+PIN enabled credit card and if the shop doesn't support that I can still swipe the magnetic stripe.
I don't see why they don't just provide credit cards with both options for a while until enough of the PoS hardware has been upgraded that they can get rid of the magnetic stripe. I guess cost plays a role, but I would assume that the decrease in fraud might offset that somewhat.
It's a complicated issue. Banks are partly afraid of adopting something new. If Bank A is amongst the first American banks to switch and something goes wrong, Bank B may win its business due to customer frustration.
I highly doubt that banks really care about "customer frustration." If they did, then they would be focused on fixing a million different existing problems.
Given that, despite all the customer frustration that exists right now, they haven't been losing customers, I don't think that Chip+PIN failing to work correctly at first would cause customers to switch. Chip+PIN cards would only be cycled into use gradually, as people replaced their older, swipe-only cards with Chip+PIN cards, or signed up for new accounts. There would be more than enough time to sort out any problems, and you could also start out by making Chip+PIN optional for new/replaced cards.
This is exactly what will happen. During the transition you will still be able to use mag swipe, then after some period the reader will force the use of the chip and only use mag swipe as a fallback when a chip error occurs. I suspect after a short while mag swipe will be removed entirely, but it remains in many places outside of the US as a fallback.
It's all politics. It's a big financial commitment for whichever side goes first. The US has a bigger population than Britain. And perhaps the industry politics were different there too. The card companies may have got their way.
There's liability to consider as well. In the US, the consumer is generally not liable for fraud; I've certainly heard that in other countries with chip and PIN, if somebody steals and uses your card (having somehow obtained your PIN) you don't necessarily get your money back.
They rolled it out in Canada without anyone getting into a flap. It just happened.
Readers wear out. As people buy new ones, they are chip/PIN ready. A lot of these terminals are rented as well, making it easier for providers to swap them.
How is http://rescator.cc/ still online and facilitating the transactions when they are clearly selling stolen goods? I assume they are in Russia or similar. Are they using bitcoin, or do they actually use PayPal?
Would be interesting if payment processors such as Stripe, Braintree, Amazon Payments, and Balanced periodically got CC dumps, and proactively blacklisted cards before the issuing banks notice and decline.
In my experience, Stripe won't do anything like that. I manage a website that accepts donations. This tends to be a target that fraudsters like to utilize. They'll "donate" small amounts to the non-profit in order to check if the transaction went through. If the transaction was approved, they know the card is still valid. Meanwhile, we're stuck with the fraudulent transaction and have to refund the charge.
Now, these charges are clearly fraudulent. Without going into details, we can 100% detect the fraudulent transactions from real ones. I've suggested to Stripe that this could be a honey-pot setup to identify stolen cards but they've told me that their card processing doesn't have that type of infrastructure. Even if I know a credit card number has been compromised, there is no way to alert the card holder.
It's a shame really. It's not the fault of Stripe that we can't alert the card holder but it's important to know that there is no mechanism to protect card holders, even if you know their card has been compromised.
There is a path where you can report fraudulent activity to your 'merchant financial institution', which will typically be either your IPSP or your bank.
I don't get why stripe can't do this because my IPSP definitely can and we use this daily.
Time. I can eyeball the charges and know 100%. I need to add code that'll do the same and I don't have the time right now. For the few charges we get, it's easier to quickly refund than to write the code. It's something I will eventually write code to automate.
As a hosting provider, we also see our fair share of fraud. It's truly amazing to me how many fraudulent CCs are attempted. I can't detect 100% -- but pretty close. I've also made suggestions to Stripe with a similar response.
Stripe provides a fingerprint, and it would be nice if stripe provided a service to rate/track various card fingerprints and receive a score when adding/authorizing a card -- or develop some community based feedback scoring system with feedback from companies like ours!
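The "small donation to see whether the card is still live" pattern described above (card testing) is detectable from a merchant's own charge log, and the posters say they would like to automate exactly that. The following is an added example, not code from the thread, from Stripe or from any of the posters' sites: it runs a sliding-window heuristic over a constructed log (one source IP, many distinct card fingerprints, small amounts, high decline ratio) and lists the cards that were approved during such a burst, which are the ones worth reporting through the merchant's acquirer/IPSP. The log format, field names and thresholds are assumptions chosen for the example.

```python
"""Card-testing detector over a constructed charge log (added example).

Assumptions: each log line is "timestamp fingerprint source_ip amount outcome";
the fingerprint is an opaque per-card identifier of the kind a processor returns,
never the card number itself. Thresholds are illustrative, not tuned values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one burst of probing from 203.0.113.7 plus normal traffic.
SAMPLE_LOG = """\
2014-09-02T10:00:01Z fp_a1 203.0.113.7 1.00 declined
2014-09-02T10:00:04Z fp_b2 203.0.113.7 1.00 approved
2014-09-02T10:00:07Z fp_c3 203.0.113.7 1.00 declined
2014-09-02T10:00:09Z fp_d4 203.0.113.7 2.00 approved
2014-09-02T10:00:12Z fp_e5 203.0.113.7 1.00 declined
2014-09-02T10:00:15Z fp_f6 203.0.113.7 1.00 declined
2014-09-02T10:30:00Z fp_g7 198.51.100.9 50.00 approved
2014-09-02T11:00:00Z fp_h8 198.51.100.22 25.00 approved
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, fp, ip, amount, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "fingerprint": fp, "ip": ip,
            "amount": float(amount), "outcome": outcome,
        })
    return events


def find_card_testing(events, window=timedelta(minutes=5), min_cards=4,
                      max_amount=5.0, min_decline_ratio=0.4):
    """Return {ip: sorted card fingerprints} for IPs whose traffic looks like card testing.

    Heuristic: within one sliding time window, a single source IP tries at least
    `min_cards` distinct cards for amounts <= `max_amount`, and at least
    `min_decline_ratio` of those small attempts are declined."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = defaultdict(set)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            small = [e for e in evs[start:end + 1] if e["amount"] <= max_amount]
            cards = {e["fingerprint"] for e in small}
            if len(cards) < min_cards:
                continue
            declines = sum(1 for e in small if e["outcome"] == "declined")
            if declines / len(small) >= min_decline_ratio:
                flagged[ip].update(cards)
    return {ip: sorted(cards) for ip, cards in flagged.items()}


def cards_to_report(events):
    """Fingerprints that were approved inside a flagged burst: the live cards
    the merchant should refund and report to its acquirer/IPSP."""
    flagged = find_card_testing(events)
    return sorted(e["fingerprint"] for e in events
                  if e["ip"] in flagged and e["outcome"] == "approved"
                  and e["fingerprint"] in flagged[e["ip"]])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged sources:", find_card_testing(evs))
    print("approved cards to report:", cards_to_report(evs))
```

On the constructed log the single probing source is flagged with all six fingerprints it tried, and the two that were approved (fp_b2, fp_d4) are the ones to refund and report; the two ordinary purchases from other addresses are left alone. In practice the thresholds would be set from the merchant's own baseline, and the IP would usually be joined with other signals (BIN spread, user agent, account age) rather than used on its own.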
Stripe turns a card number into a token, which you can store without needing to worry about PCI compliance. That token can be used with Stripe to use the card from their secure store.
> Would be interesting if payment processors such as Stripe, Braintree, and Balanced periodically purchased CC dumps, and blacklisted cards.
Wouldn't purchasing them create just one more incentive?
Also, this opens the door to disgruntled employees blacklisting all of the customers of their former employers (assuming they have access to credit card data, which shouldn't happen but often does).
> If a couple of Texas brothers could corner the world silver market,[HB] there is no doubt that the U.S. Government could openly corner the world vulnerability market, that is we buy them all and we make them all public. Simply announce "Show us a competing bid, and we'll give you 10x." Sure, there are some who will say "I hate Americans; I sell only to Ukrainians," but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who will sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible. This strategy's usefulness comes from two side effects: (1) that by overpaying we enlarge the talent pool of vulnerability finders and (2) that by making public every single vuln the USG buys we devalue them. Put differently, by overpaying we increase the rate of vuln finding, while by showing everyone what it is that we bought we zero out whatever stockpile of cyber weapons our adversaries have. We don't need intelligence on what weapons our adversaries have if we have something close to a complete inventory of the world's vulns and have shared that with all the affected software suppliers.
I think that the intelligence agencies would rather have the vulnerabilities for their own use and roll the dice on being on the receiving end rather than buy up everything and close it, making it so they can't use it either.
Well the FAQ on the homepage says "Do NOT contact us about Bitcoin transfer that has status of Unconfirmed Transaction on Blockchain.info" so I'm guessing they don't use PayPal.
99% correlation sounds high, but I wonder what the correlation is with other stores, and with what statistical confidence you can actually conclude that Home Depot was the victim here...
Yes but what's the correlation like for other common stores? I've lived in a lot of different towns in the US and every single one of them has had a Home Depot in town. They've also all had a Target. I'd be curious to know what that correlation looked like.
You should be able to easily dispute charges at a "big box store" that were not chip-and-pin transactions, and that did not use the three-digit security extension to the number.
I've had a chip card for, what, some seven or eight years in Canada.
Here is a July 2007 story about how RBC (Royal Bank of Canada) logged 10 million chip transactions:
"RBC today announced it recently surpassed over 10 million successful chip transactions at compatible merchant locations in Canada and worldwide. This milestone comes four years after RBC became the first Canadian financial institution to begin issuing chip cards nationally to its Platinum Avion Visa cardholders in 2003."
Aren't debit cards part of the problem? I only use my credit card and then just pay that as I go. Much easier to dispute charges on a credit card.
Also, if the card is stolen and my bank account is emptied, with a credit card all that would happen is that my credit limit on one of my cards is temporarily reduced.
The card attached to my main account (where my employer sends my salary) is private. My main credit card is from the same bank and I pay it directly from there. Credit card gets used at places that I trust. Dispute charges can be a time consuming process, and you have to pay some token amount to avoid punitive rates anyways.
I have another account in a different bank, where I send small electronic deposits periodically. I retire about 1/2 of that in cash at an ATM, to pay either at places that do not accept cards or that I do not trust (i.e. gas stations). I have to keep a small balance in the account, and it is not always practical to use cash, so I use the corresponding debit card at places I neither trust nor distrust.
I was at a Home Depot on September 1st and my credit card was declined for security reasons. I just moved to a different state, but I had no problem using the card at other stores that same day, including to make a larger purchase at the same mall as the Home Depot.
This is supposed to be much bigger than the Target breach. If this doesn't give the move to the more secure EMV chip and pin method in the US, nothing will.
In Norway, the most common type of card is a debit card that can also be used as a Visa or MasterCard credit card. The card has a smart chip on the front, and on the back you have your national id number/date of birth, photo and signature, etc. The card is frequently used as an id card.
When you pay using the debit card, you have to insert the part of the card with the chip into a reader and enter your pin. Typically you can not do this until the cash register has transferred the amount to pay to the terminal.
You can also use it as a credit card when abroad or even in Norway. However, I'm not sure if the card will actually allow you credit (i.e. borrow money) per se -- I believe the account must have a sufficient positive balance, and I believe the domestic terminals are able to check that in real time (i.e. in a few seconds) and decline the sale if not funded.
As for online purchases, every time I use it as a credit card, I get re-routed to a card verification process. This means I get taken to some third party site (typically Visa or MasterCard) where I have to authenticate using my password and generate a one-time password (pin) on my phone. You can also use a FOB, but I find a phone more practical. After the verification is done, you get taken back to the merchant site. This is the same verification process that is used for online banking.
After living 15 years in the states I found this to be a bit annoying at first, but that had more to do with the speed of the implementation and the fact that it's applet-based (Java and Chrome -- have to switch browsers and hope that you don't lose your session).
If I had to authenticate every time I bought something on Amazon it would get old pretty fast. However, one could simply authenticate once to indicate that this merchant is trusted. A new merchant would trigger the authentication before the transaction can be accepted.
That is exactly what happens in India too, except that most banks issue debit and credit cards which are typically separate and not combined into a single card. It also does not serve as a national id. Is this not the case in US?
Basically the same here. My debit and credit cards are both from the same bank. National id is a bit more contentious here but generally the two cards are about the same, with the caveat of much lower daily withdrawal limits on the debit (think 300).
Only until October 2015. After that, card issuers will be liable[1] if they accept a fraudulent payment unless the EMV (i.e. chipped) card was present or (for online payments) they authenticated the card holder with 3-D Secure[2].
I hear this a lot and I don't really know how EU's chip and pin works, but wouldn't it be best for the the card to spit out an encrypted blob that only the originating bank can decrypt? IE, no number that's useful to anyone in the middle at all? That seems like a better design to me.
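The design the poster above is asking about (the card emits something only the issuer can check, and nothing reusable crosses the merchant) is essentially a per-transaction cryptogram: the chip computes a MAC over the transaction data with a key it shares only with the issuing bank, and includes a transaction counter so the same message cannot be replayed. The block below is an added example, not code from the thread and not a faithful EMV implementation (real EMV ARQC generation uses card-specific derived keys and a fixed data layout); it is a simplified model that shows why a stolen copy of the message is useless to a merchant's attacker. The key handling, counter name and message format are assumptions made for the example.

```python
"""Simplified per-transaction cryptogram model (added example, not EMV itself).

The Card class stands in for the chip: it holds a secret shared only with the
issuer and a monotonically increasing transaction counter (ATC). The Issuer
class verifies the MAC and rejects replays and tampered amounts. The merchant
only ever handles the dict returned by Card.authorize, which contains neither
the key nor the card number."""
import hashlib
import hmac
import os


class Card:
    def __init__(self, pan_ref, key):
        self.pan_ref = pan_ref  # opaque account reference, not the PAN (assumption)
        self.key = key          # shared only with the issuer
        self.atc = 0            # application transaction counter

    def authorize(self, amount_cents, merchant_id, nonce):
        """Produce the one-time authorization message the terminal forwards."""
        self.atc += 1
        msg = f"{self.pan_ref}|{self.atc}|{amount_cents}|{merchant_id}|{nonce}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan_ref": self.pan_ref, "atc": self.atc, "amount": amount_cents,
                "merchant": merchant_id, "nonce": nonce, "cryptogram": tag}


class Issuer:
    def __init__(self):
        self.keys = {}      # pan_ref -> card key
        self.last_atc = {}  # pan_ref -> highest counter accepted so far

    def enroll(self, pan_ref):
        """Personalize a card: generate its key and hand the card a copy."""
        key = os.urandom(32)
        self.keys[pan_ref] = key
        self.last_atc[pan_ref] = 0
        return Card(pan_ref, key)

    def verify(self, req):
        """Recompute the MAC over the fields as received; any change breaks it."""
        key = self.keys.get(req["pan_ref"])
        if key is None:
            return "unknown card"
        msg = (f"{req['pan_ref']}|{req['atc']}|{req['amount']}|"
               f"{req['merchant']}|{req['nonce']}").encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "bad cryptogram"
        if req["atc"] <= self.last_atc[req["pan_ref"]]:
            return "replay"
        self.last_atc[req["pan_ref"]] = req["atc"]
        return "approved"


def demo():
    """Run one honest purchase, then the three things a merchant-side leak
    would let someone try: replay it, alter the amount, or use a fresh one."""
    issuer = Issuer()
    card = issuer.enroll("ref-0001")          # constructed account reference
    nonce = os.urandom(4).hex()               # terminal-supplied unpredictable number
    req = card.authorize(1299, "merchant-42", nonce)  # constructed merchant id
    results = {"first": issuer.verify(req)}
    results["replay"] = issuer.verify(req)    # same message again
    results["tampered"] = issuer.verify(dict(req, amount=129900))
    results["second"] = issuer.verify(card.authorize(550, "merchant-42", os.urandom(4).hex()))
    results["key_exposed"] = "key" in req     # the merchant never sees the key
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

What the model makes visible: the record the merchant stores carries no key and no PAN, the issuer rejects a second submission of the same message because the counter did not advance, and changing any field (here the amount) invalidates the MAC. It does not by itself protect card-not-present use of the account number, which is the gap the first comment in this thread points at; that is what 3-D Secure style cardholder authentication is meant to cover.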
A lot of places where I pay by PIN they still swipe it afterwards so that they have a record on their own system (not sure why they need this though) - I think this is what OP refers to.
The difference between US banks and mine though is that if I try to pay by signing my bank won't authorise it - I have to enter my PIN (and sometimes sign too) to make a payment.
Online payments are more the retailer's fault, though. They shouldn't accept payments where the CVV check or address check fails. Here in the UK most retailers won't accept payments unless it all matches up, but as I understand it this isn't as common in the US.
Yes, and the infrastructure is there for chip&pin cards, you just need an ISO7816 USB reader, which are cheap nowadays (<$20). Browsers already support it as well; in fact, our national ID cards follow the same standard and you can login to governmental websites with the card.
I wish they would deny merchant accounts to merchants too cheap/lazy to roll out contactless payments alongside chip and pin. There's nothing more stupid and frustrating than holding up the line doing chip and pin to buy a $5 meal at Subway.
Does the US use some byzantine tech for chip and PIN? Entering the PIN is about as fast as signing the receipt, at least where I’m from. I doubt it’s much slower than paying cash. (I hand over my card. Card is inserted in reader. I enter my PIN and confirm. Transaction is confirmed after a couple seconds. That can’t be more than ten seconds or so.)
Before Canada implemented Chip and PIN, you usually didn't have to sign the receipt for those kind of small purchases. It takes at least 10x longer now to do the insert, type PIN, remove than just a swipe.
This. In Holland we have chip and pin, which I've got to say goes much faster than someone can fish out cash from their wallet, certainly faster than someone can make change.
Recently many places also support RFID with no pin required for small purchases (I think it's €25). Goes much faster than the employee can bag your order up.
The chip-and-pin mechanism when optimized is very low overhead, probably faster than using cash and not nearly as slow as signing a physical receipt.
For instance, one oft used optimization is that you can insert the card in the reader prior to the register sending the amount to the chip&pin terminal.
The correct way to implement chip-and-pin is alongside a paypass/paywave reader. Customers making purchases over $50 must use chip-and-pin, everyone else can just tap their wallets against the reader.
Some other problems with chip-and-pin:
- You get really cheap merchants who would prefer to waste your time rather than shell out for the contactless reader.
- You get international merchants who have no idea what's going on and make you sign two receipts in addition to entering your pin after trying and failing to swipe it twice.
- You have to type your pin in with your bare hands in -40C weather at the gas station.
- You have to tip waiters with them standing right there and judging you.
- It breaks Square and the like
IMO it's an unnecessary mess for anything under ~$50.
I make several payments per day using chip&pin, according to my bank last month more than 300 pin transactions. That's 10 per day (travelling I do this a lot more than when I'm at home).
Online it's not a problem either (fairly easy integration here with a system called 'iDeal'), typing in your pin at -40C at the gas station is still a requirement with the current prices of gas and I'm not one bit bothered by 'waiters judging me', that's a self esteem issue, not a technical one.
As for international merchants who have no idea what is going on: I spend more time abroad than I do in my home country and chip-and-pin has made my life a lot easier than it ever was before in this respect.
Something like 7 countries in the last 3 weeks and I have yet to use my 'cash backup' or my 'credit card backup'.
Contactless is a nice technology but it is as far as I'm concerned a step backwards, I can see the advantages only for bars and festivals where the risk of contaminating your card with fluids is significant and purchases are very small (<$10).
> As for international merchants who have no idea what is going on: I spend more time abroad than I do in my home country and chip-and-pin have made my life a lot easier than it ever was before in this respect.
Well YMMV, of course, but here in Vietnam I've had to go around the other side of the checkout to type in my pin because the terminal was bolted to the desk. Multiple times. And then they still make me sign two receipts anyways.
Has a pretty explicit note that Vietnam is still primarily a cash based society, I think that is where your problems stem from, not necessarily from the technological merits or lack thereof of chip&pin.
Paypal provide a Chip-and-PIN payment system for mobile devices here in the UK[0]. It'll break Square no more than it breaks everything else; I have no doubt that Square already have a working prototype of such a thing.
> - You have to tip waiters with them standing right there and judging you.
In the US currently you write down the tip and leave, they can then charge you whatever they feel like after you're gone. As a tourist I was really paranoid about this, as by the time I looked at my statement when I got back I had no idea which charge was which restaurant and how much it should have been.
A common thing to do in the UK is pay without tip on card, then tip in cash
Yeah, right, there is lots that can be done. Sadly, also Germany is still somewhat backward in that regard. Every reader seems to work differently, so I’m always a bit hesitant to just stick in my card unprompted (and maybe prematurely), lest I get yelled at or something.
There is lots to optimise, but chip and PIN is not inherently slow. In fact, for me it’s already as fast as cash in most cases.
Correction: I meant "insert your card", not "swipe". Though low-cost transactions can still be authorised without having to enter a PIN, at least in the UK.
To be fair to Home Depot, its self checkout systems have the most payment options of any system I've ever seen. They include feeding the machine a check, paying with PayPal, writing in a bank transfer, among something like a dozen payment mechanisms.
Where are you from? Around here (Southern California) every card reading machine defaults to debit transactions, where you have to enter your PIN anyway. At least when you do credit cards you don't have to sign them for small purchases any more (less than $50 at Home Depot, for instance).
I really can't say I've ever felt frustrated waiting for the person ahead of me to pay (except for maybe old people hand writing checks at the grocery store—and even then it's kind of interesting to see such old-school payments in action).
Debit or credit? Debit is the default everywhere. Why? Because credit has a surcharge for the merchant.
It is complete bullshit that the merchants put the onus on their customers and then shrug their shoulders when fraud happens. At least with credit you are insured. They get your pin and you are screwed.
I've never used a contactless method. Is it NFC (or something similar)? Is it really faster than swiping your card? I had the impression you still had to do something on your phone to authorize it...
Even in 2007 in Denver, Amex issued me a credit (not charge) card with a little RFID chip. Worked at a fair number of places. Just get the card near and it beeps and you go on your way.
The lack of chip and pin still surprises me. I'm surprised a lot of the bigger retail companies haven't put pressure on the banks to bring this in.