Security chips have not reduced US credit-card fraud

Not trying to be annoying and take the title too literally, but of course chip has not actually helped fraud… We don’t even have the full Chip and PIN system fully fleshed out in America yet. Chip and PIN is supposed to be the full secure help to minimize fraud; we are currently in a transitional period with chip and swipe. There are still signatures, and many ATMs and businesses are still not fully switched over to Chip and PIN style. So personally I don’t expect fraud to go anywhere for another freaking 10 to 20 years as this all gets fleshed out…

To understand how the US f*cked up EMV you must first understand the strained relationships between banks, card processors and merchants and who pays for fraud.

EMV stands for Europay MasterCard VISA. It is a standard developed by the major card networks and forced upon the merchants and banks as a way to shift liability for fraudulent transactions.

Prior to EMV, card processors ate the majority of fraud claims as they were deemed to be the least secure piece of the payment processing architecture (and also for customer service reasons; hence a cardholder in the US is only liable for up to $50 if a fraudulent transaction is discovered, and most waive even that). If a consumer reported a fraudulent transaction, their bank would push the responsibility for covering it back to the merchant. The merchant would then contest the claim with the processors, who would then reimburse the consumer for any fraudulent transactions made over their networks.

They got tired of doing this, so they mandated that all merchants must upgrade their terminals to chip readers and all banks must issue chip cards. They set a deadline of 2015 for US merchants to become compliant or start eating fraud claims themselves.

Both merchants and banks freaked out over the staggering costs needed to update their terminals (millions of POS and ATMs in the US alone) and for card issuers to replace hundreds of millions of mag stripes with chip cards. Not to mention the significant customer service problem of implementing a huge shift in consumer behavior.

So in the end they compromised. Card processors relented on chip & PIN and allowed banks to adopt chip & signature instead, which is far less secure. Merchants got concessions to keep mag stripes for another decade or so while they worked on converting to chip readers. The end result was a half-assed implementation that allows fraudsters to keep adapting ahead of the standards.

Also factor in that the US has over 17,000 financial institutions vs. only a handful of major banks in other countries (like Canada, which only has 6) and you can see why the whole thing is a colossal shitshow.

Google “EMV liability shift” if you want to learn more.

7 Likes

The headline leaves one with the impression that the chip cards have done nothing. But the story explains that patterns of fraud are already changing in response, and that the switch to chip-based tech is still underway.

In fact, if the switch to chips is:

  1. Deploy chip cards
  2. Deploy chip readers
  3. Eliminate mag stripe cards and readers

Then we’re only halfway through step 2. Really early in the game to expect magical results.

3 Likes

There are mobile payment systems now…

With something like Apple Pay, no credit card numbers or personal information is accessible by the PoS terminal. Apple doesn’t even have a copy of the card or see the transaction.

Google Pay is a little different in that credit cards do live on their servers and they do see the transaction, but at least they do rotate the virtual card # per transaction, so it still can’t be stolen at the PoS terminal.

No idea how Samsung Pay or any of the others work though…

What you see is that fraud patterns have shifted dramatically away from card-present to card-not-present transactions.

Also gas pump readers are the largest growing area of counterfeit card use because EMV doesn’t become mandatory until 2020. (The cost to update a single gas pump reader can be upwards of $20,000 - many stations can have up to 20 pumps. You do the math. That is if you can even get a new one. There’s a huge backlog right now).

4 Likes

Similar. Electronic wallet systems are known as tokenized transactions. Real card numbers are not used but instead replaced with a digital token. It’s deemed more secure because it’s tied to a physical device (iPhone or Samsung for example) which is encrypted. Does nothing to reduce fraud outside of those systems though. Transactions still ride the same authorization networks.

2 Likes
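As an added illustration of the tokenized transactions described in the two posts above (the per-transaction virtual card number, and the digital token that stands in for the real card number), not code from any poster: a constructed toy issuer-side vault in Python. Everything here is assumed and simplified: the vault, the "9999" token prefix and the test card number are made up, and real schemes add per-transaction cryptograms that this model leaves out.

```python
import secrets
from typing import Dict, Optional, Tuple

def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True if the number passes the Luhn check (the format check a PoS applies)."""
    return luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Constructed toy issuer-side vault: a single-use token stands in for the real PAN."""
    def __init__(self, token_prefix: str = "9999"):
        self._prefix = token_prefix                 # assumed vault-reserved range, not a real BIN
        self._pan_by_token: Dict[str, str] = {}

    def issue_token(self, pan: str) -> str:
        # 15 random-ish digits plus a Luhn digit, so the token looks like a PAN to the merchant
        body = self._prefix + "".join(str(secrets.randbelow(10)) for _ in range(11))
        token = body + luhn_check_digit(body)
        self._pan_by_token[token] = pan
        return token

    def authorize(self, token: str) -> Tuple[str, Optional[str]]:
        # pop(): each token is good for exactly one authorization; a replay finds nothing
        pan = self._pan_by_token.pop(token, None)
        if pan is None:
            return ("declined", None)
        return ("approved", pan[-4:])

def simulate_tap(vault: TokenVault, pan: str) -> dict:
    """Phone requests a token, the PoS only ever sees the token, the issuer approves it once."""
    token = vault.issue_token(pan)
    pos_log = {"pan_on_wire": token}                # all a device sitting at the PoS could capture
    first = vault.authorize(token)
    replay = vault.authorize(token)                 # same value presented a second time
    return {"token": token, "pos_log": pos_log, "first": first, "replay": replay}
```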

Does nothing to reduce fraud outside of those systems though. Transactions still ride the same authorization networks.

It reduces the chance of a credit card getting stolen though - simply because it reduces how frequently one needs to use the physical card/card #.

Add in the instant notifications of all credit card transactions that Apple devices display (and I think Google was testing?) and it should dramatically reduce how many transactions thieves can charge on stolen credit cards before they get shut down.

True. But card cloning isn’t the big problem with chip cards now so what mobile payment schemes offer are not a long term solution to fraud. It’s mostly a merchant and/or bank problem with card not present transactions. Chip & pin offers exactly the same security as Apple or Google Pay.

1 Like

Yeah. 2008 was the year that SOOO proved that one!

/snark tag, or not /snark tag?

I mean, Mitchell and Webb did try to warn us that Chip and Pin would be a failure.

2 Likes

Chip & pin offers exactly the same security as Apple or Google Pay

Well, except you can’t steal a phone or take a picture of it to get the credit card # to run online like you can with plastic cards.

Mainly because it means they would have to do something, something that would cost money and require updated technology, software, and procedures. It would increase costs and decrease next quarter’s profits. And it’s not just the banks, but also the merchants and all the middlemen. Basically every business in the country has to agree simultaneously on what to do, how to do it, and when to do it, but none of them wants to eat the up-front costs.

They think it’s fine to instead just let the fraud happen and if/when the customer complains, then revert the charges. That has no up-front costs, doesn’t require any changes or consensus with thousands of other companies.

Similarly, in the U.S., we can’t do direct bank transfers. ACH takes 3+ business days and is insecure, requiring you to give someone else full withdrawal access to your account numbers. But that props up companies like Western Union and Moneygram that can charge a $30+ fee to send $20. Of course they could easily institute instant and safe transfers, where the recipient gives you their receive-only number and you send money to it, but that would have up-front costs, new software, and it would obsolete the middleman corporations.

While online hacks are still a growing problem, at least they have PCI security standards now. (It’s not the wild west like it used to be.) The bigger problems currently are offline. One is the cheap, tiny, readily available skimmers that can be slotted into ATMs, gas station pumps, and other card slots or used by employees at restaurants. But worse than that is when a big retailer’s POS system gets hacked. Slip a skimmer in a gas station pump and they get some cards. Hack a Target or grocery store chain’s POS and they get millions.

There are multiple problems in the U.S. - without a credit card, you won’t get a higher credit score, so you can’t get loans when you need healthcare, so you have to either wait and save up and/or go to predatory payday loan sharks when you need healthcare. Also, credit cards have customer protection/liability clauses that are better than those on debit cards. If your credit card is compromised you have little or no liability and the losses are from their money, not the money in your bank account. But with debit cards that depends on the bank; your account can get cleared out and you might have to wait a month or so for them to investigate and issue a refund and you might still lose some (to overdraft fees if nothing else). Never mind not being able to pay rent/medicine/food/etc. for a month.

2 Likes

Of course they could easily institute instant and safe transfers, where the recipient gives you their receive-only number and you send money to it, but that would have up-front costs, new software, and it would obsolete the middleman corporations.

Mmm. The reason they don’t do it is because it is regulated by the FDIC. There are exemptions for credit cards and some special accounts, but otherwise, they really can’t do instant pull transactions. For payment, of course Fedwire/SWIFT/etc. exist.

Gas pump readers in the US are also my personal biggest source of credit card fraud. I haven’t had my number stolen since I started paying cash for gas when we go to the states to visit my in-laws.

(There was the waitress at the Moxie’s in Winnipeg when I was there for a business trip a few years ago who physically took my credit card. I don’t know why I didn’t make a fuss, but when I got back home I discovered I had $5K worth of Italian clothing and shoes on my credit card.)

1 Like

Here’s another perspective:

I blame 90% of this problem on the EMV group (EuroPay, MasterCard, Visa). They created a standard, but they produced horrible documentation and basically ZERO samples. This meant that initially when the standard was released, thousands of teams around the world had to duplicate their efforts while creating their own EMV Kernels. Due to business factors such as competition and secrecy, nobody shared their code, there was no “reference” kernel in the wild.

This is a huge problem because the “EMV Kernel” is a piece of software that needs to be certified. Once certified, the binary is signed and a signature produced. It has a version number, and if you modify the kernel, you theoretically need to re-certify the new version. There’s a site that tracks all those kernels and their versions, the date of certification, and the date of expiration of that certification.

So the lack of code/binary samples from EMV, as well as test servers / sandboxes, meant that software teams had to interpret the standard in different ways, and chaos ensued. To try and resolve this chaos (and obviously make money!), some companies created testing suites to test whether or not your kernel is adhering to the standard. It’s not just software, it’s also a bunch of chip cards that are programmed in a very specific way, and even a physical set of tools that simulate a chip card, go into a card reader, and let the testing suite do its thing. So now, you have to go through a super long testing process that takes literally MONTHS! You need to spend a fortune on testing software and equipment, and you have to have dedicated testers (humans) in the loop, testing every possible scenario.

And in the end? EMV SUCKS. How many people leave the card in the POS terminal, realize they forgot it and come back to get it? The usability is awful compared to swipe. The muscle memory of most people is to swipe and stow away the card in their wallets (and forget that they did it, even though it took place 5 seconds ago). With EMV, this muscle memory is useless, and many people forget to take their card out of the slot. This is why POS terminals now emit an annoying beep when it’s time for you to take the card out. Another reason for this is that the terminal doesn’t merely read the chip and is done - no, it actually creates a direct channel between the issuer and the chip. The issuer talks to the chip in real time and may even manipulate values/properties within the chip. This process takes a while (internet latency), and you must leave your card within the terminal until the issuer is done.

Case in point: We recently implemented EMV for both ATM and POS. The process took a whole year to complete, despite us leveraging the help of another company that already created and certified an EMV kernel. It cost us a fortune, too!

And in the end? Honestly? Cryptocurrencies have leapfrogged this whole mess, including the ability to tip your server, and the inability of anyone to take funds from your private wallet. The mess that is EMV took SO long to adopt that by 2018 they have missed the train.

VISA recognized this a while back, and started working on new tech to help with this mess:
https://developer.visa.com/capabilities/vts

But being that this is VISA, I would not count on this being in the real world in the next 5~10 years, and by then, crypto and smart contracts will probably win the market.

4 Likes

The clickbait article is very misleading. The “key findings” included this statement upon which they based the misleading headline:

90% of the CP compromised US payment cards were EMV enabled.

It used this statistic to imply that the chipped cards (and therefore the chips) were at fault. But nowhere does it say that the chips themselves were compromised, because they weren’t. The thieves are still skimming magnetic stripes at all those shops that have so far refused to comply by installing chip readers. Gas stations have been so slow to update that they received a multi-year extension to convert mag stripe readers in pumps to accept chips. I’ve certainly seen very little progress in that most of the gas stations and fast food restaurants around us have chip readers with years-old tattered paper signs taped over the chip slots, claiming “Chip reader coming soon”.

The shop owners who don’t convert are being completely stupid and irresponsible. The cost of getting breached would likely put any of them out of business for good. And converting to chip readers? Most of them are still paying 5% for their crappy old card readers, when they could be converting to a free chip reader from any of the dozens of payment companies out there that charge less than 3%. There is no excuse. I seriously don’t understand how someone that bad at business can still operate these days.

4 Likes

Maybe in your part of the world. Where I live, Chip&PIN has been the standard for ages. Here, people’s muscle memory is to hold the card by the end, not the top edge, before the machine is even ready or handed over. Habits are not the fault of Chip&PIN, nor are they a good reason to avoid it. People also used to literally manipulate a phone dial, too. Somehow we managed to adapt to pushbuttons. My mother who is in her 70s manages Chip&PIN just fine.

The other issues may be valid, but that one is weak.

5 Likes

I should have been more specific about this being an issue in the US, and about it being a transitive problem. You’re right about Europe and even in many parts of the middle east, where people have gotten used to it 20+ years ago. I’m sure they had the same issue with adapting. I simply recounted from anecdotal evidence (I am a US resident, and I’m seeing this happen all the time when I go grocery shopping).

2 Likes

Three years ago, I replaced cards with chips, six times in one year. One card was compromised within days of receiving it, which is when I noticed that the bank was simply issuing them in sequential order. So, have a card go bad, the bad guy simply waits a week, bumps the number a little and next card is screwed also after a few tests.

The only way I broke this cycle was to stop using my card at gas pumps. Once I did that, paying cash instead, the problem stopped. Yeah, the poor petroleum industry had more lawyers than the credit card companies and refused to upgrade the pumps. I think the deadline for when they have to comply gets pushed one year further out each year.

1 Like

On the bright side they have increased the number of charts that look like Pac-man.

2 Likes