Credit Card Chips Have Failed to Halt Fraud (So Far) (fortune.com)

An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.

The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.
  • Chip & PIN (Score:4, Interesting)

    by Anonymous Coward on Sunday November 11, 2018 @03:52AM (#57624678)

    Without a PIN, and without a chip reader for online purchases the whole exercise has been a waste of time.

  • by Kopp ( 602770 ) on Sunday November 11, 2018 @04:31AM (#57624724)
    So, in 2018, one of the biggest economies and most technologically advanced countries in the world still cannot use a 40 year old technology to authenticate a payment? I know it might not be 100% failproof, but still... Even countries in Eastern Europe manage to do that...
    • by xlsior ( 524145 ) on Sunday November 11, 2018 @05:16AM (#57624800)
      The reason that US credit card companies don't want to force their users to use PIN codes is simple: no one wants to be first. In most of the world, people have a single credit card. The average American has half a dozen or more. Forcing Americans to remember a PIN just means that a not insignificant percentage of users will simply switch to one of their other cards that's 'less inconvenient' - therefore, nothing changes since none of the card companies want to lose their users to the competition.
      • by Anne Thwacks ( 531696 ) on Sunday November 11, 2018 @08:29AM (#57625260)
        That is not true. Most people in Europe have several cards, and I am quite sure they have to use a PIN.

        I can also confirm that a lot of people in Nigeria have several cards, and they have to use PINs there, and one side effect has been to massively reduce fraud committed by the banks themselves. I assume the reluctance of American banks to force use of the PIN is because a large part of the fraud is committed by the banks themselves.

        Yes it's true: American banks are noticeably less trustworthy than Nigerian banks. (cf Wells Fargo)

    • by Solandri ( 704621 ) on Sunday November 11, 2018 @05:17AM (#57624804)
      It's because the credit card companies don't want to pay for fraud. Right now they've gamed it so merchants pay for credit card fraud (merchant loses the merchandise, and the payment gets reversed). Chip + PIN basically makes it impossible for the merchant to be at fault in case of fraud, meaning either the cardholder or credit card company has to pay for fraud. So they gimped the chip in the U.S. by making it chip + sign, meaning it's still the merchant's responsibility to check the signature with the one on the card. And if they forget (or in the case of online orders, can't) and it turns out to be a fraudulent charge, the merchant has to pay for it.

      (And if you're one of those people who've been duped into thinking the high interest rates pay for fraud, no they don't. They pay for cardholders who are delinquent on payments.)
      • Re: (Score:3, Informative)

        by Anonymous Coward

        As a merchant it is even worse. After you have lost your merchandise and the payment is reversed we also need to pay a fine to the credit card company.

      • Your average large merchant doesn't "pay" for the fraud, instead they pass the cost onto their honest customers. Rather than big merchants paying out their profits, they instead charge every honest customer a few cents extra to cover the fraud costs and maintain their same profits.

        The little independent merchants do unfortunately suffer, as they're not the ones with the clout to improve the situation or the market share to have their honest customers cover the cost.
        • Companies don't aim for a specific amount of profit and set their prices to achieve that. They aim for maximum profit regardless. If increasing the price of an item would increase profits, they'd have already increased it regardless of fraud.

          Where fraud raises prices is where competition has already driven the price as low as it can profitably go. In such a case, a competitor with less fraud would potentially be able to undercut the others. In every other situation, the fraud eats into profits instead.

      • It appears that none of the major cards are requiring signatures any more:
        https://www.creditcards.com/cr... [creditcards.com]

        So instead of Chip+Signature, it's just Chip vs. Chip+PIN.

      • by nasor ( 690345 )
        Contrary to the common misconception in the US, the signature was never intended as a security feature. The signature on the back of the card merely indicates that you accept the CC company's terms and conditions; it was never intended to be compared to anything at the point of sale.
      • Signature has not been required for card-present transactions in the US by American Express since April 13, 2018. This is actually a global policy change for Amex.

        Merchants can, if they wish, require a signature, and some industries tend to. And there may be applicable laws in the US that require a signature for a variety of reasons, though I don't know them well enough to quote or reference here.

        I see many chip (EMV) transactions processed without even a PIN, in the US, a process that uses both fraud analy

  • A couple points: (Score:2, Interesting)

    by Anonymous Coward

    1. The chip does nothing to stop crooks from using the card number, type, expiration date and 3 digit code on the back.
    2. Many retailers I use my chip card at don't even use the chip reader functionality in their terminals, taping it off and indicating that the card needs to be swiped instead.
    3. Most retailers never check my sig (even if indicated on the card).
    4. I can run my card as 'credit' and can bypass the PIN entry, totally rendering that useless.

  • by DrXym ( 126579 ) on Sunday November 11, 2018 @04:46AM (#57624748)
    The point of chip and PIN is that the card's details don't go through the merchant's system at all. Instead the card is authenticated / authorized through a secure device that talks directly to the payment service. All the merchant gets is a token of the transaction. Of course if the merchant stupidly allows cards to be swiped instead then they're just as vulnerable to skimming / hacking / database theft as non chip and PIN devices.
    • All you have to do is exactly what they did in Europe and make the retailer liable for the fraud if they swipe.

      • The economics of it is certainly the crux of it, but you are just supporting what the credit card companies want.

        The amount of fraud in dollars is less than the vig the credit card companies are taking. The credit companies are getting several percent of every transaction made with one of their credit cards. Full stop. This is the credit card companies' problem and they would love to have their cake and eat it too. Don't help them. Please stop.
      • by DrXym ( 126579 )
        Well certainly some form of carrot and stick for stores - use chip & PIN / contactless payment and get a meaningful reduction in transaction fees, don't use it and get whacked with higher fees and be on the hook for fraud.
      • by TRRosen ( 720617 )

        They are... That is how it works.

    • Re:Well duh (Score:4, Interesting)

      by TheRaven64 ( 641858 ) on Sunday November 11, 2018 @05:23AM (#57624822) Journal
      That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card. This makes it comparatively easy to MITM the transaction. It's a shame that the US waited over 20 years until the EMV protocol had been thoroughly analysed and numerous flaws identified and then deployed it.
      • That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card.

        That's untrue. The path for the transaction payload is Chip->terminal->merchant->bank->issuer and the payload returns along the same path.

        The chip's payload is encrypted with a key held only by the issuer, and the response is encrypted with the same key. The entities in between (the terminal, the merchant and the bank) have no way of decrypting the chip's payload, nor of encrypting a payload that the chip can decrypt.

        So unless the issuer is compromised there is no MITM attack going on.

        • You're actually both right. EMV isn't a protocol, it's a whole family of protocols, most with their own family of variants. The security of these protocols varies widely.
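As an added illustration of the exchange above (example code written for this page, not code from the thread or from any EMV specification), here is a simplified Python model of online EMV authorisation: the card and the issuer share a master key, each transaction gets a session key derived from the card's Application Transaction Counter (ATC), the card's cryptogram (ARQC) covers the amount and a terminal-supplied unpredictable number, and the issuer answers with a response cryptogram (ARPC) that the card checks. The use of HMAC-SHA256, the field widths, the response code value and all function names are assumptions made here for brevity; real EMV uses 3DES/AES-based 8-byte MACs over a larger set of transaction fields.

```python
import hmac
import hashlib
import os

# Constructed, simplified model of EMV online authorisation (not EMV-compliant).
# The point it demonstrates: the terminal, merchant and acquirer only ever see
# keyed MACs (cryptograms); without the master key they can neither forge the
# issuer's response nor reuse a captured cryptogram in a new transaction.


def derive_session_key(card_master_key: bytes, atc: int) -> bytes:
    """Per-transaction session key from the master key and the ATC, which the
    card increments on every transaction so no two sessions share a key."""
    return hmac.new(card_master_key, b"SK" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def tx_bytes(amount: int, unpredictable_number: bytes, atc: int) -> bytes:
    """Transaction data covered by the ARQC (assumed field layout)."""
    return amount.to_bytes(6, "big") + unpredictable_number + atc.to_bytes(2, "big")


def card_generate_arqc(card_master_key: bytes, atc: int, amount: int, un: bytes) -> bytes:
    """Card side: Authorisation Request Cryptogram, an 8-byte MAC over the transaction."""
    sk = derive_session_key(card_master_key, atc)
    return hmac.new(sk, tx_bytes(amount, un, atc), hashlib.sha256).digest()[:8]


def issuer_authorise(card_master_key: bytes, atc: int, amount: int, un: bytes, arqc: bytes):
    """Issuer side: recompute the ARQC (only card and issuer hold the master key).
    Returns (response code, ARPC) on success, or None when the ARQC does not verify."""
    expected = card_generate_arqc(card_master_key, atc, amount, un)
    if not hmac.compare_digest(expected, arqc):
        return None
    arc = b"00"  # constructed Authorisation Response Code meaning "approved"
    sk = derive_session_key(card_master_key, atc)
    arpc = hmac.new(sk, arqc + arc, hashlib.sha256).digest()[:8]
    return arc, arpc


def card_verify_arpc(card_master_key: bytes, atc: int, arqc: bytes, arc: bytes, arpc: bytes) -> bool:
    """Card side: accept the response only if the ARPC was produced with the shared key."""
    sk = derive_session_key(card_master_key, atc)
    expected = hmac.new(sk, arqc + arc, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, arpc)


def run_transaction(card_master_key: bytes, atc: int, amount: int) -> bool:
    """Honest flow: terminal picks the unpredictable number, card and issuer exchange cryptograms."""
    un = os.urandom(4)
    arqc = card_generate_arqc(card_master_key, atc, amount, un)
    result = issuer_authorise(card_master_key, atc, amount, un, arqc)
    if result is None:
        return False
    arc, arpc = result
    return card_verify_arpc(card_master_key, atc, arqc, arc, arpc)


def replay_is_rejected(card_master_key: bytes, atc: int, amount: int) -> bool:
    """A cryptogram captured from one transaction is bound to that ATC and
    unpredictable number; the issuer rejects it when presented again."""
    captured = card_generate_arqc(card_master_key, atc, amount, os.urandom(4))
    return issuer_authorise(card_master_key, atc + 1, amount, os.urandom(4), captured) is None


def forged_response_is_rejected(card_master_key: bytes, atc: int, amount: int) -> bool:
    """A middlebox without the master key cannot produce an ARPC the card accepts."""
    arqc = card_generate_arqc(card_master_key, atc, amount, os.urandom(4))
    return not card_verify_arpc(card_master_key, atc, arqc, b"00", os.urandom(8))
```

What the model does not show is the flaw TheRaven64 alludes to: the response cryptogram authenticates the issuer to the card, but nothing here authenticates the terminal to the card, which is the gap that the offline and PIN-verification parts of the protocol family have to close on their own.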
  • by jd ( 1658 )

    First, make the trader liable for problems at their end.

    Second, the U.S. is over a decade behind Europe on this technology, meaning hackers have had ten years to figure out problems. It's the equivalent of running Windows XP or an unpatched Windows 7 on a modern network.

    Third, why the hell is anyone expecting a trader to understand network security? These systems should be proof against even ingenious idiots. Plug it all in and it works, autoconfiguring. No default passwords, no default security holes, just

    • Also use a one time challenge response key pair for every single transaction. That makes card skimming worthless. The next level of security is embedding the chip into people to prevent theft.
      • The next level of security is embedding the chip into people to prevent theft.

        is people being stolen really a big problem where you live?

    • Re: Few things (Score:5, Informative)

      by Harlequin80 ( 1671040 ) on Sunday November 11, 2018 @05:56AM (#57624894)

      Only a decade?

      The UK had chip and PIN in 2006 when I lived there. Not sure when they rolled it out.

      And in 2014 Australia stopped accepting signatures at all.

      Now though I'm pretty much 100% contactless and done mainly via my phone.

      • Only a decade?

        The UK had chip and PIN in 2006 when I lived there. Not sure when they rolled it out.

        And in 2014 Australia stopped accepting signatures at all.

        Now though I'm pretty much 100% contactless and done mainly via my phone.

        I got my first chip and pin in 1997 when I turned 18, it had been around for years before then.

  • Duh ... (Score:4, Informative)

    by CptJeanLuc ( 1889586 ) on Sunday November 11, 2018 @05:20AM (#57624816)

    If the majority of the cards have a chip, then the majority of fraud cases will be cards with a chip. The point of moving from a magnetic stripe to a chip is that others cannot gain access to your card simply by swiping it. After chip conversion, that vector of attack is mostly gone, and criminals move on to other methods. For which cards with a chip are just as good/bad as any other card.

    • The point of moving from a magnetic stripe to a chip is that others cannot gain access to your card simply by swiping it.

      This is something that works well with chip+PIN, not so well if you don't actually have any "something you know" method of securing the transaction.

  • Let's apply the same design to securing our IT:

    - Secure Boot enabled, locked down and unable to be changed.
    - Fully encrypted HDDs with decryption tied to user authentication.
    - Tamper proof case, encryption keys destroy themselves if the computer is opened.

    - No password.

    I was mocking the USA when they decided, 40 years late, to adopt Chip+PIN, a technology which caused credit card fraud to plummet in the rest of the world... and then they only adopted half of the technology.

  • As this EMV technology (protocol) is also used by ING bank (and perhaps others) for their implementations of contactless payments ('contactloos betalen') I wonder what implications this article brings to ING's case.
    Anybody who can share their insights here?
  • on purchases at most stores! I'd hate to think that my financial security was entrusted solely to a chip in a credit card.

  • by bongk ( 251028 ) on Sunday November 11, 2018 @08:19AM (#57625236)

    There's a lot of misinformation here.

    Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether it's EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.

    Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.

    The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.

    • For card-not-present transactions (online and e-commerce) EMV makes no difference at all.

      Not quite. If I try to pay for anything online with one of my UK cards, after passing my card details to the merchant, a token is used to forward me to my bank, where I have to confirm 3 digits of my PIN & 4 letters of my online banking password. I then get returned to the merchant once the payment's been authorised.

      Fine, that system's completely independent of my card, however it's only possible because the bank's been able to force me to set two separate passwords for authentication.

    • I thought the only 'one thing' that chip was meant to do, is provide a smokescreen justification for the credit companies to change their default assumption of blame from "the fraud wasn't your fault" to "the fraud was your fault".

  • This is really no different than when EMV rolled out elsewhere, except hackers have more access to the interconnectedness of things.

    EMV in the EU also rolled out with loose rules to start - merchants want cards to work - so fallback to mag stripe was allowed, and the bad guys figured out they could smash the chip on a stolen or cloned card. When fallback was removed, fraud went away.

    The USA is also a different beast. Besides having to upgrade older infrastructure, the problem of customers with multiple cards

    • by rl117 ( 110595 )
      Agreed to a point. But they could have gone straight to chip+PIN rather than the chip+signature setup, which is almost pointless. When nearly the whole rest of the world has been using chip+PIN for nearly two decades now, it seems a bit odd not to use it. And regarding the magstripe fallback, has a date been set to drop it yet? If it was withdrawn from use and from new cards starting 2020, that would significantly curtail fraud.
  • I've had to have all my cards replaced at least once in the past year due to failed chips. Additionally, all merchants take cards without chips anyway, so what's the point?
    • by caseih ( 160668 )

      Have had chips in the cards for about 10 years here in Canada and haven't ever had a chip fail. Granted, cards are usually only good for 3 to 5 years and then they are re-issued with a new expiry date. But certainly I know of very few chip failures among.

      But you make a good point. There's little incentive for card holders to want chips in their cards. Especially when a lot of commerce is done online and the chip and pin doesn't even enter into it.

  • When I visited New Zealand I marveled at how easily the metric system had pervaded everyday life. Although the UK formally switched to metric in 1965, it is still in the process of slowly seeping through popular culture. The general public still travels in miles, quotes Fahrenheit temperatures, and weighs people not even in imperial but in the Neolithic unit that preceded it. In the US, the public attitude is that if some little snowflake somewhere would be offended by switching over, we can't even contempl

    • by guruevi ( 827432 )

      Yet across the world credit card fraud has been increasing, not decreasing, pretty much at the same rate.

    • Although the UK formally switched to metric in 1965, it is still in the process of slowly seeping through popular culture. The general public still travels in miles, quotes Fahrenheit temperatures, and weighs people not even in imperial but in the Neolithic unit that preceded it.

      That's not even half true. Sure, it's still a messy mix, however there are very few things we still use imperial for, and it's mostly the baby boomer generation. Our schools started the transition as far back as 1968, however it wasn't until 1988 that the National Curriculum forced all schools to conform.

      For those over 60, Centigrade is the only Metric (SI) measurement they use - not even my grandparents use Fahrenheit. For human weight, they also use Stones (14lbs).

      For everyone under 60, it's mostly SI Met

      • My last visit was 2014, in Cumbria and Yorkshire. Okay, these counties may be the UK equivalent of Oregon and Tennessee, but despite official metrication the popular culture still seemed to be stuck on imperial.

    • That's not how the US works.

      I remember when I was in grade school (in the 1970s), there was a government plan to switch to metric. It was taught in our schools, but companies were not behind it. The whole "snowflakes being offended" craze is something that has grown in popularity in the last 20 years, so that's not the reason.

      The reason is MONEY.

      How many speed limit signs would need to be changed to kilometers/hour? How many bridge height signs need to be changed to meters? How many truck weigh statio
      • Finishing the job on metrication (we did get started, remember, leaving some industries metric and the rest imperial) wouldn't be that difficult. Because the beverage industry was one of the switchers, everyone is now intuitive about volumes in liters, and can think about how easier life would be without the dumpster fire that is imperial volume measure.

        For road signs, have the prisoners start making metric stickers to go on existing signs next to - not over - the imperial units, acquainting people with met

      • America uses metric. I'm drinking a 500ml bottle of soda right now in America. I'd be hard pressed to find anything in my kitchen that doesn't have metric units on it.

        Granted, some of the containers have a decimal in the metric measurement. Is that the definition of "not using metric" if the thing is marked with both an integer number of imperial units and a decimal number of metric units?

        We do use 20 feet and 40 feet as the standard lengths of our intermodal shipping containers and 8x4 feet as the standard

  • ...many merchants are failing to properly configure their systems

    Those humans who tried unsuccessfully to implement the chip-based cards have failed. Human error, who would have ever thought that to be a cause of failure?

  • My first CC to incorporate a chip was compromised in less than a week. The wait staff (my best guess, due to its limited use based on the length of time I had it) simply copied the name, CC numbers and security code and voila, they have everything they need to make an online purchase or provide to a third party who is paying them to collect such things due to their access to so many.

    I was somewhat puzzled when the transaction alert hit the phone that I had just paid for dinner for four to go about 1600 m

  • I had a credit card get punched back in the late 1980s. Someone was trying to buy airline tickets in London and it got blocked.

    After that I never had a problem with the card, which was re-issued. Was using the same card up until 2014 when I was forced to get a "New" more protected chip card. Shortly after the very first use of the chip card I got a call that someone was trying to buy a computer.
    Now 4 years later the same thing happened again.

    27 years of no problems without the chip... now 2 problems in 4 yea

  • ..use plastic any more than absolutely necessary, and use cash and checks as often as possible.

    Several years ago a breach of a payment system hit locations I used to use plastic at. Prior to that I had my eye on the news, week after week, of escalating rates of breaches of payment and data systems. Luckily for me none of my accounts or identity information was affected by the payment system breach at places I then frequented, but it was clear that no merchant or payment system provider was capable of saf
