Credit Card Chips Fail to Halt Fraud, Survey Says

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,000
Chip-enabled (EMV) credit cards were supposed to reduce fraud, but the latest data from research firm Gemini Advisory suggests they aren’t really working: “of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology.” It appears to be user error, as “merchants are failing to properly configure their systems.”

The stolen data is typically sold on the so-called dark web, which is where Gemini Advisory compiled the data for its report. When it comes to using the stolen credit card data, crooks can embed it onto the magnetic strips of new plastic cards. Those cards can then be used to make purchases because the current credit card system in the U.S. allows for swiping as a fallback mechanism if no chip is present or if the chip is malfunctioning.
 
Wonder how many of the illegal transactions are "no card present"? A major portion of my purchases are like this (Amazon, Netflix, Newegg, etc) These are still just the numbers and the security code. Not very secure and the chip isn't involved in these transactions.
 
The chip will not protect anything as long as store will accept the magnetic stripe and pin code is not asked..

Are these number really due to lack of protection on the chip method. or because people/companies refuse to use the chips. That is highly different.


"This 6 feet steel door is really bad because we have a hole in the wall next to it" hardly the doors fault.
 
Wonder how many of the illegal transactions are "no card present"? A major portion of my purchases are like this (Amazon, Netflix, Newegg, etc) These are still just the numbers and the security code. Not very secure and the chip isn't involved in these transactions.
Nope. That's not the main problem. As stated in the article, or at least the linked article. It is the fact that they still allow swipe as a backup, with no additional checking.
 
I guess I don't understand how a chip makes it more secure given the mag strip backup is no different than previous cards.

Edit : I guess 3 people made the same point before me
 
Problem is the piss poor deployment. First off not all locations even accept chips yet. Then you mix that with some require a pin and others don't. As long as there are places you can just swipe a card that won't stop physical fraud. Then you have the online part. The fact that you can just enter in a card number allows a vector for fraud there. the easier it is to use cards online the easier it is for fraud.
 
Problem is the piss poor deployment. First off not all locations even accept chips yet. Then you mix that with some require a pin and others don't. As long as there are places you can just swipe a card that won't stop physical fraud. Then you have the online part. The fact that you can just enter in a card number allows a vector for fraud there. the easier it is to use cards online the easier it is for fraud.
You can't even use a PIN if you wanted to. Your credit card issuer in the US won't even give you a Chip & PIN card. (This is about credit cards, not debit cards)
 
I still have no clue why credit cards aren't chip AND PIN in the US. Why did they bother with the chip if they didn't also use the PIN functionality to actually make it secure?
Going to the chip allowed the processes (Visa, etc) to push the liability of fraud away from them off to another party. The PIN was just that much more costly to deploy, and they didn't get any additional financial benefit. So they didn't do it.

The fact that there was (and is) no competition there really, means you can't get a Chip & PIN card even if you want it. I'd love to have one for international travel, but you just plain can't get it except for from a few specialized US financial institutions. There is no financial incentive for them to do so.

It is stupid.

As always, follow the money, and you get your answer.
 
I still have no clue why credit cards aren't chip AND PIN in the US. Why did they bother with the chip if they didn't also use the PIN functionality to actually make it secure?

living in the states for about 5.5 years I can tell you this
Nothing in the states are made for reason, future profing, or the sack of improving the system or life of the American citizen.
Its all about making cheap crap and making money.

The american people deserves better than the corporate run america is giving them.
 
hmm I don't recall even using the magnetic band here in Canada... Chips are everywhere.... Paypass is another thing though... ot supported everywhere.
Anyway, chips doesn't protect online transaction BUT I think the 3 numbers on the back aren't sent during normal transactions so you would need the actual card to know those...
 
I still have no clue why credit cards aren't chip AND PIN in the US. Why did they bother with the chip if they didn't also use the PIN functionality to actually make it secure?
Pretty simple actually... because credit cards are all about quick transactions with absolutely nothing to prevent their use, add a PIN to it and how many times will they not get used because someone forgot their PIN? 1234 is apparently a bad one to use, as is your birthday, and seriously you're going to get to the point of having to remember a PIN they are going to get used a lot less frequently. Now why is this that big of a problem? Money, you swipe a card the credit card company gets a small percentage of the action, someone uses their ATM card there typically is no fee for that usage. And ultimately somewhere some bean counter crunched the numbers and found that the credit card companies losses due to fraud are acceptable as opposed to the losses if X percentage of people stop using them due to "inconvenience"

I'm not going to lie, as infrequently as I use my ATM card there are many times I have to seriously think about what the hell my PIN is, and as a result tend to not use it as much.
 
You can't even use a PIN if you wanted to. Your credit card issuer in the US won't even give you a Chip & PIN card. (This is about credit cards, not debit cards)

haven't had a credit card in 5 years so never realized you didn't have pins with them. I use my debit card as credit when paying and it prompts me for a pin. just assumed with the changes credit cards had pins also. So then that is even more of the issue.
 
The problem with chip and pin technology is when it isn't absolutely forced. When you have POS terminals that don't reject the transaction when no chip is present is when this whole shit breaks down. Allowing transactions without chip and pin will lead to fraud.

I know I'm just talking about face to face transactions here, but this is a big part of the fraud ecosystem. I'd prefer not to elaborate, as it doesn't take much to inspire others to commit fraud due to how still insecure this shit is.

Oh, and it's a gong show in the USA in particular.
 
Yeah, this was preductable.

The rest of the world went "Chip + Pin". This verifies that you have the actual physical card, AND that you are who you say you are, because you know the pin.

In the U.S. credit card companies feared that if users had to enter a pin, they'd be lazy and instead use their competitors card without a pin, so none of them (except Target's Redcard) adopted the pin.

You can still call the issuer and request that they add a PIN to your credit card, but very few people do.

So, without the PIN, all it takes is for a criminal to use a stolen card.
 
The problem with chip and pin technology is when it isn't absolutely forced. When you have POS terminals that don't reject the transaction when no chip is present is when this whole shit breaks down. Allowing transactions without chip and pin will lead to fraud.

My understanding was that the typical configuration is that it IS forced, if both th eterminal and the card are compatible.

I've accidentally used my magnetic strip in a reader that is chip capable, and it has rejected it, telling me to insert the chip.

Maybe all we need is time for the few retailers that don't have chip activated readers by now to adopt it. After all, the retailers are now on the hook for fraudulent charges if they don't.
 
haven't had a credit card in 5 years so never realized you didn't have pins with them. I use my debit card as credit when paying and it prompts me for a pin. just assumed with the changes credit cards had pins also. So then that is even more of the issue.

That is probably the worst thing you can do, security wise. Most experts advise to NEVER pay with a debit card and pin.
 
There's many ways to trick a POS terminal to accept the card without a chip. This kind of stuff is not publicly acknowledged by the credit card companies because it makes them look incompetent, which they typically are.

This information has been available on various parts of the internet for like a decade. Some areas have implemented appropriate fixes, but until everywhere does, fraud will happen.

My understanding was that the typical configuration is that it IS forced, if both th eterminal and the card are compatible.

I've accidentally used my magnetic strip in a reader that is chip capable, and it has rejected it, telling me to insert the chip.

Maybe all we need is time for the few retailers that don't have chip activated readers by now to adopt it. After all, the retailers are now on the hook for fraudulent charges if they don't.
 
Thief damages the chip on a card and then asks the merchant if they can just swipe instead. Merchant agrees. Simple as that.
 
I still have no clue why credit cards aren't chip AND PIN in the US. Why did they bother with the chip if they didn't also use the PIN functionality to actually make it secure?

All I want is 2nd party authentication like the google app. Pins don’t do much because they just skim those too. Need a rotating number.
 
I have to say, whenever I go down to the states to visit, I find the disarray of payment methods to be insane. Restaurants still take your card and have you do signatures. Some places do tap, some do chip, some do swipe and signature. We do tap under $100, chip + pin for rest. Rarely do we do mag swipe/ take your card and get signatures around here.
 
Dont know about the chip on my visa card, but the NFC one i have rammed a drill strait thru.
And if anyone start to do any physical shopping on my card i am sure my bank will freak out, cuz i had a visa for a long time but i have not used it a single time for a purchase that was not online.
I prefer good old cash, that also as a side effect make sure my immune system are up and firing on all 8 cylinders.
 
Apple Pay is amazing. Frictionless, way more secure since each transaction has a one time "card number" that's used. Even better than chip and pin. Until methods like Apple Pay are more prevalent, this stuff is going to continue to be a problem.
 
The US has the worst credit card security in the world.
But at least with our exclusive chip-and-PIN-and-swipe-and-sign joke of a system, our worlds worst security is also the slowest.
 
Apple Pay is amazing. Frictionless, way more secure since each transaction has a one time "card number" that's used. Even better than chip and pin. Until methods like Apple Pay are more prevalent, this stuff is going to continue to be a problem.

You know whats better than this????

Cold hard cash.... Yup can't really hack hard copy....
Cash is King... And it always will. But most of you pubies never listen. Because you Lurv your lazy methods of paying.

https://www.usatoday.com/story/mone...s-new-record-raising-warning-sign/1014921001/

You never do listen and you never will. You enjoy being a lemming to the corporations. Those numbers never lie.
 
Ditch the credit card form factor and go with an RSA 2FA key fob with the chip / nfc system built in, for each transaction you push the button and input the code. Why is this so hard to do? I have had a 2FA key fob on my Blizzard account for a decade.
 
You know whats better than this????

Cold hard cash.... Yup can't really hack hard copy....

Sure you can. Counterfeit cash is a thing. Especially in Vegas. Went back to visit the family and most stores are scanning $10 bills now :confused:

Nothing wrong with credit cards if you pay them off every month.
 
You know whats better than this????

Cold hard cash.... Yup can't really hack hard copy....
Cash is King... And it always will. But most of you pubies never listen. Because you Lurv your lazy methods of paying.

https://www.usatoday.com/story/mone...s-new-record-raising-warning-sign/1014921001/

You never do listen and you never will. You enjoy being a lemming to the corporations. Those numbers never lie.

*smashes Icon_Charlie over the head with a heavy object while his wife distracts Icon with her cuteness, then robs Icon_Charlie of every last bloody penny he had on him!*

:)
 
It took way too long for most merchants to install chip capable terminals. The sad thing is that some of them are already failing. Had one yesterday that wouldn't read the chip and fell back to swipe. Also guessing that most stores didn't meaningfully upgrade the rest of the system so the only gain was from the chip creating a unique record.

As long as US regulators/lawmakers refuse to hold companies liable for security failures, nothing will fix things much. Pretty easy for the stores to simply raise prices to cover the loses and for the CC companies to do the same. Rather ironic that many merchants yell about high CC exchange fees and then do as little as possible to limit CC losses which forces the CC companies to cover those losses via higher fees.
 
Credit card companies don't want to make the system too complicated because they're afraid people will switch over to digital device payment systems like Apple and Samsung pay. I've read about new security systems being tested by Apple, and if Apple suspects a bogus charge is taking place, they can call your phone and ask for a selfie to verify. If Apple is really suspicious they can call in security, and when that happens I doubt many criminals are going to bother trying to steal through Apple pay.

Credit cards don't have the luxury of a computational device to handle higher forms of security (unless they build more abilities into the card reader). Most retailers are still whining about having to replace their card reader last year, I can't see them wanting to replace their card readers every few years.


P.S. I know a place in the US that still uses a credit card imprinter.
 
Problem is the piss poor deployment.

Why are you being so complimentary on the deployment process?

There are several issues here. The first issue is that convenience takes a higher precedence over security. If there are additional barriers to using a particular card, then the consumer will just use a competing card. Likewise, if the card reader takes longer to handle a chip transaction than a swipe transaction, chip transactions get disabled.

Also, there is the question about who pays for the terminal upgrade. Is it the merchant, payment processor, or credit card issue? For many merchants, they have no desire to pay to replace "perfectly working equipment", even if the liability deadline is long past.
 
I still have no clue why credit cards aren't chip AND PIN in the US. Why did they bother with the chip if they didn't also use the PIN functionality to actually make it secure?

Because lots of people have five to ten cards in their wallet and that's too many pins to remember.

If you're the first card in my wallet with a pin, I'll probably remember it; but I won't remember the rest, and if I can't use it without remembering the pin, I guess I won't use it. That's not good for card issuers.
 
Card companies are fine with this - part of the changes that introduced the chip also shifted the liability of fraud to the merchant if they allowed bypass of the chip mechanic.

Chip readers still suck here, chip transactions take several times longer than magstripe, and the POS reader providers have no real incentive to put out better units.
 
Wonder how many of the illegal transactions are "no card present"? A major portion of my purchases are like this (Amazon, Netflix, Newegg, etc) These are still just the numbers and the security code. Not very secure and the chip isn't involved in these transactions.
It's even worse.
When they first bought these out I told my bank that 'touch pay' or 'proximity pay' was a massive security breach waiting to happen.
They said no, don't worry everything is secure and safe! Nothing can go wrong. etc.
6 years later, massive amounts of walk-by jacking using a boosted signal.. whoops. If I could have seen that coming, you'd think their tech geeks could too.
 
I seem to remember Jamie Hyneman and Adam Savage *unofficially* mentioning something about this years ago, but were threatened by an army of lawyers from banks to prevent public disclosure.
 
On a recent trip to Sweden, I had no cash on me. I used my Canadian pin and chip card flawlessly there. It's a really convenient and safe system to be honest and I get e-mail and text alerts of purchases out of the ordinary of my normal patterns.
 
Sure you can. Counterfeit cash is a thing. Especially in Vegas. Went back to visit the family and most stores are scanning $10 bills now :confused:
Middle of nowhere rural north-east here. Just watched some bitch nearly get arrested at walmart a few months ago for passing a fake 20. She walked, but only because she had two older kids with her to back up her claim that she just got it as change at the gas station. And it's shit exactly like that, that makes me anxious using anything over a $10 bill. And that's not mentioning the strange white powder on a curly bill I got as change today.

At the end of the day, nothing is safe.
 
  • Like
Reactions: DocNo
like this
When they say "It appears to be user error, as merchants are failing to properly configure their systems." What they really mean is they were too cheap to spring for the new device and didn't train their staff how to use it so they just kept the old swipe stuff and pretended that the chips don't exist.
 
That is probably the worst thing you can do, security wise. Most experts advise to NEVER pay with a debit card and pin.

What kind of experts ? Considering whole world uses debit + chip & pin without issues and credit card is considered a "luxury item" (considering most credit cards require monthly fees). The only risk is when one uses their debit card number & CVC as a VISA card on internet. Or if someone makes a fake clone of it and uses it in US as magnetic stripe card.
 
Back
Top