Story 2014-09-27 2SZD The golden age of credit card fraud is drawing to a close

The golden age of credit card fraud is drawing to a close

by
in security on (#2SZD)
The US is about to finally embrace the secure chip-based authentication system called EMV—the standard was pioneered by Europay, MasterCard, and Visa—that the rest of the world has already adopted. Pushed by mounting fraud costs, credit card companies have crafted incentives for merchants to switch to the sophisticated readers needed to accept the cards. “There was a lot of skepticism about whether it would ever happen in the US,” says Michael Misasi, an analyst with the Mercator Advisory Group. “All of the data breaches that have happened have woken people up, and progress has been accelerating this year.” The first serious milestone is October 2015. By 2020 the swipe-and-sign magstripe reader will be as hard to find as the credit card impression rollers they supplanted.

The end is nigh for online credit card fraud, too. Systems like Apple Pay and Visa’s newly announced Visa Token Service (something Discover, Bank of America, Citibank and American Express offered several years earlier) accomplish the same security goals as EMV, but also work online. They replace the static credit card number with a temporary token that changes every time.

http://www.wired.com/2014/09/emv/
Reply 7 comments

Finally, the modern age (Score: 3, Funny)

by zafiro17@pipedot.org on 2014-09-27 20:23 (#2SZH)

I traveled extensively in Europe this year and bumped into a lot of ATMs where my non-chipped American credit card was totally worthless. About time the Americans joined the modern world. As for the golden age of credit card fraud coming to an end, I'm not so sure. They can't make a carbon copy of my credit card at the restaurant anymore, but now they can camp onto my wireless, hack my router, decrypt my HTTPS connection, steal my identity, post revenge porn of me all over 4chan, trash my email, steal my bank password, and transfer my bank balance to an undisclosed location in the Cayman Islands. While they're at it they can see if I reused passwords, hack my server, and use my Yahoo account to tell all my friends I got kidnapped in Greece and will they please wire some money to that account I never mentioned in the Cayman Islands?

I kind of feel like we're out of the frying pan and into the fire.

Re: Finally, the modern age (Score: 1)

by wootery@pipedot.org on 2014-09-29 11:28 (#2T0C)

Still, better than the set of problems be changing, than increasing.

Yeah not so sure (Score: 0)

by Anonymous Coward on 2014-09-28 14:08 (#2SZY)

We'll see, of course, but even brand new registers and PoS are routinely going in without pin-and-chip or any thought of it. We're talking millions of readers in this great big country, with millions more ATMs and vending machines and the like. Then add in a few million more of the "Square" style plug-reader-in-smartphone-audio-jack mobile swiper setups, also actively being deployed.

When and how are all those getting changed out? How long did it take in Europe?

Both magstripe and chip/pin (Score: 1)

by eviljim@pipedot.org on 2014-09-29 02:48 (#2T05)

Here in New Zealand we've had the Chip 'n pin for a while, our POS terminals handle both magstripe for Eftpos/older credit cards and the chip. there's even circumstances where you can use the magstripe on the chip/pin card. I received notification the other day that my bank was replacing my eftpos card with a chip/pin debit card so will use both magstripe or chip and I can shop online with my own money... not too sure if I'm cool with that. I dont like the idea of the NFC (paywave) part of the card, going to line my wallet with tinfoil (real tin, never trust the aluminium junk!) when it arrives... if someone doesn't steal it from my mailbox first.

Re: Both magstripe and chip/pin (Score: 1)

by Anonymous Coward on 2014-09-29 14:29 (#2T0G)

Wow, I thought contactless payment was dead. It's almost never used in the US, so they don't issue many cards with it anymore. There are quite a few wallets out there with shielding built in if you want to be paranoid without the crazy looks. Search for "RFID Wallet".

Re: Both magstripe and chip/pin (Score: 1)

by eviljim@pipedot.org on 2014-09-29 20:57 (#2T0H)

Really, that's interesting it's not used in the US, I wonder why ours are pushing it?

Re: Both magstripe and chip/pin (Score: 1)

by stove@pipedot.org on 2014-09-30 13:26 (#2T11)

Because it's faster, cheaper, and generally more effortless than any of the other options. Chip+pin is secure but takes longer, cash involves a lot more overhead.

Retailers like it because:
  • It saves money. With self-checkouts everywhere, the biggest maintenance you have to do on those machines is restocking change. On a standard checkout, using a card is about as fast as using cash in most instances.
  • Effortless payment. You don't have to count out and hand over cash, you don't even have to verify the number and type in a pin (for purchase under $100 here). You just wave your card over the receiver, grab your stuff, and go. Retailers like you to be less conscious of how much you're spending.
People are fine with it for similar reasons. Cash requires planning and overhead (I recently dumped a 30kg bucket of coins at the bank). Card+pin can be fiddly or annoying if you're just buying a sandwich. Contactless options are fast and convenient for small everyday purchases.
They also pass a test that eftpos/chip+pin dont: You can quickly pay for a few drinks at a busy pub. It's hard to explain how big a deal that is, but it's something credit cards never conquered. Most pubs here include an ATM so you can turn your inconvenient card into convenient cash before you order anything.

I personally make a rule of using cash when reasonable possible. I'm uncomfortable with having one piece of plastic linked to all my purchases in easily-searchable databases...but I understand the appeal completely. Eventually I'll probably have to go over to it, I just hope there'll be an easy option that still includes some anonymity.