Originally published at: https://boingboing.net/2018/11/11/emv-fubared.html
…
Forgive my ignorance as a Canadian who hasn’t been in the US for two decades, but… what the fuck is so hard about payment card security that the US is having this problem?
Up here we’ve had chip and pin (or back in the 90’s, magnetic stripe and pin) for debit card transactions for three decades. Debit cards have lower fees than credit cards and all but the smallest stores with the most threadbare of shoestring budgets accept debit cards. There’s essentially no need to carry cash and paper checks are almost never necessary for anything (our last order for checks was a decade ago and we’re years away from needing to order new ones). Credit cards here have been chip and pin based for at least a decade. The new hotness in paying for shit here is tap and go - only for small transactions, and only at merchants whose bottom line is healthy enough to afford the new more expensive tap enabled terminals.
What is keeping America so backward in this realm?
So our fundamental problem down here is that almost 40 years of brainwashing which has sold a good chunk of the American people on the idea that the ONLY purpose of government is to have a yuuuuuge military has now led to the point where our government is incapable of even basic regulation. It literally all comes down to brainwashing by neoliberals, predominantly Republicans, but also many Democrats. It’s pretty awful, and those of us who are sane are starting to ask ourselves if we could tolerate the cold up in Canada…
AFAIK, Chip and pin is not a government regulation. It’s something the banks decided to implement to reduce fraud, thereby improving their bottom line. If the government did have a hand in setting it up, they did so at the behest of the banks and with their input.
So the question becomes, why are the banks in the US so utterly incompetent at getting together and implementing something that the banks in every other wealthy country in the world have set up to cut costs and improve profits?
The insecurity of tap and go continues to boggle my mind, especially since (as I just discovered) it is not only good for small transactions.
Without thinking, I tapped at the Dentist, immediately apologized (because, yes, Canada), and then discovered to my surprise that you can tap through charges of $170. The lady at reception was startled too.
Well how could they? All they did is require new terminals, but you can still call any company and read out the numbers. The code on the back might be an inconvenience to thieves, but the chip does nothing. In fact, about 10% of the stores around here still use the old terminals.
I’d be pretty surprised if there wasn’t more government oversight of such systems in other countries, versus the USA. We also pay way more for identical prescription drugs as other nations. The USA is fundamentally broken at this point.
Yes and no. True, it is a solution that the banks have implemented. However, it is up to the government to make the banks responsible for the consequences of fraud, including the one caused by identity theft (e.g. here in Europe it is almost unheard of that someone could open an account in your name without proving identity by actually coming to the branch and shoving some sort of ID).
Then the banks will put their shit together in no time. That’s how it has happened here as well - once the bottom line of the banks is on the line, changes happen very fast. The banks used to push the expenses for the fraud on the clients, once that was stopped by the regulators, they have shored up their systems and practices quickly.
That is what the government role should be - not dictate solutions but set the rules of the game so that the innocent (in this case customers/consumers) aren’t left holding the bag when the merchant/bank incompetence or malfeasance finally blows up in their face.
From TFA:
When it comes to using the stolen credit card data, crooks can embed it onto the magnetic strips of new plastic cards. Those cards can then be used to make purchases because the current credit card system in the U.S. allows for swiping as a fallback mechanism if no chip is present or if the chip is malfunctioning.
The problem is that the chip didn’t replace the stripe, but was only added to it. The stripe is still as insecure as it ever was.
It is somewhat about govt regulation - in the UK the banks rushed to roll out chip-and-pin after they were told that chargebacks would be massively easier on swipe-and-sign than chip-and-pin.
Never underestimate incompetence.
But that said I deal with daily a couple large hurdles we have with chip implementation - Old POS and the need to modify transactions after the fact to add tips.
Most of those older Micros, Aloha, etc. terminals you see in restaurants have limited to NO ability to integrate with anything other than a mag swipe reader (which just interprets your credit card swipe as plaintext, no different than keying it in with a keyboard). So now my options as a restaurant are 1) update my legacy system for thousands of dollars and receive no benefits, other than reducing chargebacks; 2) switch to a pay-monthly-style system which they will have to install themselves and have exclusively over-the-phone support; 3) use standalone EMV terminals and trust that my staff is entering sales accurately since the POS has no interaction with the machine.
So, mostly, they wait till their hardware wears out or they wait till additional fees/chargebacks motivate a change. Add to this that in the first couple years of EMV being supposedly mandatory (i.e., we aren’t going to let you dispute chargebacks) few solutions allowed entry of tips after the initial settlement. Anything that lowers tips, or even gives staff/management the impression that tips will be harder to get, is going to get a poor reception.
I don’t know if that covers the big picture, but that’s the impression I have gotten from my small corner of the payments industry the last 3 years. For what it’s worth, adopting newer POS systems that never even receive the card numbers, much less store them, is getting easier.
Now skimming that data and selling/using it online, maybe banks will work on that in the next decade.
What I’m more curious about is, has it reduced in-person fraud? Since there’s no “something you know” it can’t help with ordering stuff online, but does it at least make it harder for someone to clone a card and head over to Best Buy or a gas station?
Doesn’t this tie in to the rise of ordering stuff online? Amazon or most web stores don’t ask you to enter a security chip. There’s no way to. They also save your credit card info so you can come back & not re-enter it. I blame hacking of online stores, not old credit card terminals that don’t use chip technology.
As a Canadian who recently transferred to the US - it’s a huge mess and I don’t get it. In my experience any terminal that works with Apple Pay works fine with C&P cards too.
The fun part is that my (Canadian) EMV cards work a surprising amount of the time (tap too!). Now that I have a card issued by a US bank I’m stuck like everyone else with chip and sign. I’ve been looking for an EMV card issued by a US bank but no luck so far.
Now granted I’ve only travelled to major centres, so I’m not sure about everywhere, but it’s not my experience. The people not knowing how to handle EMV cards is very true - the confusion I’ve seen when prompted for tip and PIN is something fun, but they should be able to learn, especially if they actually want a tip.
What made this a real problem is that the hardware used to read chips is often extremely crap. At the store I check in, the chip reader machine will give spurious “chip malfunction” errors to 20% of the customers, and will fully fail to read chips on three tries for 5%. Someone coming through with an old swipe card with stolen information on it and a decal simulating the chip would totally go unquestioned.
I once had a European tourist come through and get a chip read error. He was shocked. He said it was almost unheard of on the continent. The banks may have required my large chain store to get chip reading hardware, but they didn’t say they couldn’t buy from the lowest bidder.
Here in Canada most people use contactless payments, which makes it easier to avoid the chip reader malfunction even if they are low quality. I think I’ve only experienced problems with chip readers a dozen times or so in the last 10 years.
On a semi-related note, when I use contactless payment with my credit card in the US, the confused looks I get from some cashiers are priceless.
It’s possible to tell the difference. CP= a “card present” transaction, CNP = a “card not present” transaction.
(emphasis added).
So 3/4 of US credit card fraud involves cloned cards used in person. 1/4 involve card credentials without the card (presumably stolen in a breach of an online retailer).
Here in the UK we’ve had chip and PIN long enough that people now use “swiping” to mean tapping a contactless card. This in turn leads some people to think that they should move the card as they tap. Then there are the customers who end up with their hands in a painful-looking position because they think that the exposed chip has to be facing down when they tap.
You bring the (wireless) EMV terminal to the customer. The customer inserts their card, selects a tip (in countries where that’s a thing), enters their PIN, collects the receipt. Done. That’s the standard workflow.
Obviously that requires issuers to stop sandbagging EMV, and POS systems to not suck the stars out of the sky (and newly-opened restaurants in the US still have stripe-only hardware, which the networks should have disallowed a long time ago).
My Dutch debit card still has a stripe but I’m sure I’ve never used it in the 5 years I’ve had this particular one. It’s nearly time for a new one, wonder if it will even have a stripe.
And the US fascination with credit cards, I’ve never had one in my life and can say I’ve never needed one either. Seems to me just a way to extract more fees from the customer for no apparent reason other than the profits of the bank.