Fed Reserve: Chip and Signature Not Enough

Discussion in 'privacy technology' started by ronjor, Jul 1, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,768
    Location:
    Texas
    http://www.infosecurity-magazine.com/news/fed-reserve-chip-and-signature-not/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I've never understood the credit and debit card technology in the USA, it always looked so insecure to me.
     
  3. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I thought the USA was moving toward chip and pin, I just activated a credit card and a debit card and it appears to be the same old technology.
     
  4. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    40
    I have a new card from Chase that has a chip but 99% of retailers don't have a POS device that can read the chip.
    The signature thing is a joke as well. When I "sign" for a card transaction I just make 2 wiggly lines and touch the ok button. There is no machine or human looking at the signature.
     
  5. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    They are. Mastercard and Visa set an October 2015 deadline, at which point a “liability shift” will occur, whereby:

    As far as this Fed Reserve warning about "chip and signature," it seems odd to me, as I'd never heard of that. All the literature I've seen suggested that the "chip" technology necessarily came with a "PIN". In other words, to me it sounded like the shift was from "swipe and sign" to "chip & PIN"...and that there was nothing in between.
     
  6. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    768
    Location:
    "Here on Wilders"
    Yep, credit cards are becoming a joke. I use my wife's American Express all the time and sign for it. Go to McDonalds or most fast food restaurants, no one looks at the card or signature. I used my son's debit card last time we visited a fast food restaurant. :thumbd:
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I used to make purchases for a disabled friend using her credit card. Wrong gender, wrong age, wrong name in the signature. No one ever questioned it.
     
  8. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    All I've heard for the last year or so is that we're finally going to get the CMV visa cards that Europe has had forever in October. Now it's about to happen and folks are bitching it's not enough.
     
  9. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    So the 97% credit card fraud/hacking rate is alright with you? Well, isn't that just swell.
     
  10. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    The present swipe system isn't alright. Now that we will have the digitally enabled card, eventually merchants will catch up and we'll be hopefully as secure as Europe. That's why the hackers hack us now rather than Europe. We're easy pickin's. I don't understand your statement.
     
  11. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    It isn't baseless; I don't want a PIN. Make your card less convenient for me and I'll stop using it.

    Signatures are rarely required anymore (over a certain amount) as what purpose do they serve, really? "Did you make this charge?" "No." "Is this your signature?" "No."
    Besides, if that accusation were true, why don't they just say "The upgrade is cost-prohibitive". How many "lost/stolen" cards are we talking about here?

    Baloney. This isn't for consumers. It is for everyone but consumers as consumers aren't held liable for fraud against them.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Wow, is convenience what we should be focusing on at a security forum? If a 4 digit PIN is too inconvenient, I wonder what kind of passwords are being used...

    Lose your credit card and watch how being "not held liable" is such a sigh of relief. :rolleyes:
     
  13. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Even if we personally "Lose our credit card"...We still pay all the fraud by data breaches losing our personal information and paying for other fraud through higher food prices and higher other fees. My days of using passwords such as 12345678 and password as passwords are long gone. I say the longer the password the better; the limiting factor is what the website accepts as the max length of a password.
     
    Last edited: Jul 6, 2015
  14. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    You could buy that if you wish. Now compare that to said companies getting between 0.95 and 3.75% of every single transaction.

    I'll answer the personal attack: I keep physical control of my cards at all times; I don't need a PIN. PINs and passwords are not synonymous as a PIN only works on the physical card.

    I use the strongest passwords web sites allow (not all of them allow symbols and some even have a maximum character limit!) and I use a password manager so I don't have to type them in or remember them (computers can automate things y'know). I also use 2FA when available. This is the security that matters.

    The two instances of fraud against my card were completely outside of my doing: the first, someone, somewhere I've never been, used my credit card information to purchase fishing equipment. I don't fish and I lived in a desert 2,000 miles away. The other was automated fraud putting a charge on a bunch of credit cards and was caught and reversed by the time I noticed. On both of these, I immediately changed my numbers.

    Funny thing though: a year after I changed my Bank of America card number having reported it stolen, it was still active.

    A PIN would have done nothing in these situations, which are far more relevant than the physical card itself.
     
  15. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I stopped using Bank of America credit cards 3 1/2 years ago. Bank of America made too many mistakes on my credit card accounts, including charging me for the use of the cards, telling me I had not enough money in the bank to justify not being charged for the use of the cards. I still get mail from Bank of America trying to get me to renew my cards. I have a credit card.....just not Bank of America's.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Apparently the credit card issuers are tickled pink with it because the burden of liability supposedly shifts.

    Part of the October 2015 deadline is what’s known as the ‘liability shift.’ Whenever card fraud happens, someone (usually card issuers) are liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will no doubt bear this liability.
    If a merchant is still using the old magnetic stripe system, they can still run a transaction with a swipe and a signature, but they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip card to the customer, the bank would be liable.

    That's my understanding of all this so far anyway.
     
  17. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    I agree. Bank of America is bad news. They charge a fee for everything, and have some really stupid ways of doing things. I can't comment on their Visa card, but I was the treasurer of an organization that used them, and I eventually convinced the organization to switch to another bank.
     
  18. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    40
    It is the customers that are forcing banks to delay security measures. People demand simple and easy. The banks deliver this by covering the cost of fraud via high interest rates and transaction fees to merchants. Sure, all banks could switch to 2-factor for all credit card transactions but Americans would protest in the streets and there would be class action lawsuits and congressional investigations!
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes, the system in the USA is really weird, I've never understood this, a simple PIN can reduce fraud a whole lot, both offline and online.
     
  20. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    No, I just don't agree with feel-good inconsequential busywork.

    And this completely ignores the cost of implementation.

    Besides, the merchants have a greater drive for easy and quick.
     
    Last edited: Jul 6, 2015
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    All I can say is, that this system simply works over here in Europe. I have been using PIN-cards for at least 20 years now, and they are quite secure and easy to use. Recently a new wireless paying system has been implemented (in Holland), which will let you pay up to 50 euro without PIN. I wonder how this will be working out, I have a feeling that fraud rates might go up.
     
  22. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    It works as does ours (US). Without a controlled study, it's just conjecture.

    Thresholds and requirements will vary by merchant and circumstance and heuristics.

    Rather than chip/PIN baloney (I've had to use those for many years at work [DoD CAC] and they are prone to failure and they are expensive--$200 per card), I'd rather see NFC POS.

    I like using Google Wallet; it's faster and even uses a PIN (that I can enter beforehand whilst waiting for checkout or before I enter the store) and no fiddling with my physical wallet and cards. If someone steals my phone, they can't get to its contents due to encryption, contextual screen locking, and anti-theft capabilities (remote wipe/listen/camera control, etc.). These are effective security measures that are also convenient.
     
  23. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    That's kind of the yin to security's yang. Much like the tradeoff for audio/visual quality is file size, the tradeoff for security is convenience (or rather, lack thereof).

    So yeah, I would say convenience is as relevant as anything can be in a security forum. If it wasn't a valid consideration, being secure would be pretty damn simple.
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,768
    Location:
    Texas
    http://www.tripwire.com/state-of-se...-are-still-unprepared-for-the-emv-transition/
     
  25. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA