Discussion in 'privacy technology' started by ronjor, Jul 1, 2015.
I've never understood the credit and debit card technology in the USA, it always looked so insecure to me.
I thought the USA was moving toward chip and pin, I just activated a credit card and a debit card and it appears to be the same old technology.
I have a new card from Chase that has a chip but 99% of retailers don't have a POS device that can read the chip.
The signature thing is a joke as well. When I "sign" for a card transaction I just make 2 wiggly lines and touch the ok button. There is no machine or human looking at the signature.
They are. Mastercard and Visa set an October 2015 deadline, at which point a “liability shift” will occur, whereby:
As far as this Fed Reserve warning about "chip and signature," it seems odd to me, as I'd never heard of that. All the literature I've seen suggested that the "chip" technology necessarily came with a "PIN". In other words, to me it sounded like the shift was from "swipe and sign" to "chip & PIN"...and that there was nothing in between.
Yep, credit cards are becoming a joke. I use my wife's American Express all the time and sign for it. Go to McDonalds or most fast food restaurants, no one looks at the card or signature. I used my son's debit card last time we visited a fast food restaurant.
I used to make purchases for a disabled friend using her credit card. Wrong gender, wrong age, wrong name in the signature. No one ever questioned it.
All I've heard for the last year or so is that we're finally going to get the CMV visa cards that Europe has had forever in October. Now it's about to happen and folks are bitching it's not enough.
So the 97% credit card fraud/hacking rate is alright with you? Well isn't that just swell.
The present swipe system isn't alright. Now that we will have the digitally enabled card, eventually merchants will catch up and we'll be hopefully as secure as Europe. That's why the hackers hack us now rather than Europe. We're easy pickin's. I don't understand your statement.
It isn't baseless; I don't want a PIN. Make your card less convenient for me and I'll stop using it.
Signatures are rarely required anymore (over a certain amount) as what purpose do they serve, really? "Did you make this charge?" "No." "Is this your signature?" "No."
Besides, if that accusation were true, why don't they just say "The upgrade is cost-prohibitive". How many "lost/stolen" cards are we talking about here?
Baloney. This isn't for consumers. It is for everyone but consumers as consumers aren't held liable for fraud against them.
Wow, is convenience what we should be focusing on at a security forum? If a 4 digit PIN is too inconvenient, I wonder what kind of passwords are being used...
Lose your credit card and watch how being "not held liable" is such a sigh of relief.
Even if we personally "lose our credit card"... we still pay for all the fraud from data breaches losing our personal information, paying for other fraud through higher food prices and higher other fees. My days of using passwords such as 12345678 and "password" are long gone. I say the longer the password the better; the limiting factor is what the website accepts as the max length of a password.
You could buy that if you wish. Now compare that to said companies getting between 0.95 and 3.75% of every single transaction.
I'll answer the personal attack: I keep physical control of my cards at all times; I don't need a PIN. PINs and passwords are not synonymous as a PIN only works on the physical card.
I use the strongest passwords web sites allow (not all of them allow symbols and some even have a maximum character limit!) and I use a password manager so I don't have to type them in or remember them (computers can automate things y'know). I also use 2FA when available. This is the security that matters.
The two instances of fraud against my card were completely outside of my doing: the first, someone, somewhere I've never been, used my credit card information to purchase fishing equipment. I don't fish and I lived in a desert 2,000 miles away. The other was automated fraud putting a charge on a bunch of credit cards and was caught and reversed by the time I noticed. On both of these, I immediately changed my numbers.
Funny thing though: a year after I changed my Bank of America card number having reported it stolen, it was still active.
A PIN would have done nothing in these situations, which are far more relevant than the physical card itself.
I stopped using Bank of America credit cards 3 1/2 years ago. Bank of America made too many mistakes on my credit card accounts, including charging me for the use of the cards, telling me I had not enough money in the bank to justify not being charged for the use of the cards. I still get mail from Bank of America trying to get me to renew my cards. I have a credit card... just not Bank of America's.
Apparently the credit card issuers are tickled pink with it because the burden of liability supposedly shifts.
Part of the October 2015 deadline is what’s known as the ‘liability shift.’ Whenever card fraud happens, someone (usually card issuers) is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will no doubt bear this liability.
If a merchant is still using the old magnetic stripe system, they can still run a transaction with a swipe and a signature, but they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip card to the customer, the bank would be liable.
That's my understanding of all this so far anyway.
I agree. Bank of America is bad news. They charge a fee for everything, and have some really stupid ways of doing things. I can't comment on their Visa card, but I was the treasurer of an organization that used them, and I eventually convinced the organization to switch to another bank.
It is the customers that are forcing banks to delay security measures. People demand simple and easy. The banks deliver this by covering the cost of fraud via high interest rates and transaction fees to merchants. Sure, all banks could switch to 2-factor for all credit card transactions but Americans would protest in the streets and there would be class action lawsuits and congressional investigations!
Yes, the system in the USA is really weird, I've never understood this, a simple PIN can reduce fraud a whole lot, both offline and online.
No, I just don't agree with feel-good inconsequential busywork.
And this completely ignores the cost of implementation.
Besides, the merchants have a greater drive for easy and quick.
All I can say is, that this system simply works over here in Europe. I have been using PIN-cards for at least 20 years now, and they are quite secure and easy to use. Recently a new wireless paying system has been implemented (in Holland), which will let you pay up to 50 euro without PIN. I wonder how this will be working out, I have a feeling that fraud rates might go up.
It works as does ours (US). Without a controlled study, it's just conjecture.
Thresholds and requirements will vary by merchant and circumstance and heuristics.
Rather than chip/PIN baloney (I've had to use those for many years at work [DoD CAC] and they are prone to failure and they are expensive--$200 per card), I'd rather see NFC POS.
I like using Google Wallet; it's faster and even uses a PIN (that I can enter beforehand whilst waiting for checkout or before I enter the store) and no fiddling with my physical wallet and cards. If someone steals my phone, they can't get to its contents due to encryption, contextual screen locking, and anti-theft capabilities (remote wipe/listen/camera control, etc.). These are effective security measures that are also convenient.
That's kind of the yin to security's yang. Much like the tradeoff for audio/visual quality is file size, the tradeoff for security is convenience (or rather, lack thereof).
So yeah, I would say convenience is as relevant as anything can be in a security forum. If it wasn't a valid consideration, being secure would be pretty damn simple.
Thanks for the Tripwire article. My bank has announced that I will be getting a chip card to replace my swipe card "shortly". I guess the process will be a slow transition for all.