Last Call For Old School Credit Card Fraud In The U.S.

most of the online sites are now using its own customised payment system to avoid chargebacks and financial loss.
 
Doesn't matter, very few places I have seen force the use of chips on cards with them. Most major places I shop at have had chip readers before I had my first chipped card, and to this day, only one forces you to use the chip reader, HOWEVER, half of the time its "down" or "not working", and I swipe anyway. So the chip does nothing if only 1 out of 100 places actually force its use, because so long as you are allowed to swipe still, it makes having the chip pointless, as it only makes the actual owner go through the hassle of dealing with it.
 
Wife and I got our chipped debit cards just the other day. Wife went to the store to use it for the first time and had to go to three different cash registers to find one that the chip reader was working. Doesn't seem like an improvement at all.

Not sure about the US, but I've had a chipped debit/credit card for years and have never seen a merchant that doesn't support it and have never had an issue with a reader being broken. It's a significantly safer than the alternative and with tap for transactions under $100, it's significantly faster.
 
Yup I couldn't believe how slow the chip reader was the first time I had to use it.... Seriously like 20 seconds of waiting after inserting the card. The old lady in front of me wrote a check faster than this stupid thing could complete the transaction, it's ridiculous.
 
it's also worth noting that the new card readers are terrible at reading the old cards. even with an immaculate card, it takes multiple swipes to get a reading, and apparently this is very common according to the clerk.

this limitation was probably engineered to encourage users to switch to the new cards. there's a word for this but it escapes my memory...
 
Walmart IS big indeed but is still just one chain. 2008 is still very much "behind" the schedule. Thats only 8 years back or around half way the time they got introduced over seas.
My first trip to the states before i moved here i was "Shocked" ( to strong of a word) a bout the simple swipe and sign. there has never been a sing on cards in my lifetime overseas it has always been PIN.

But the PIN/Chip is just half of the mess of the payments system in my eyes. reoccurring payments gets bound with the cardand not the account behind it. So if you loose or get your card stolen and a new one is reissued. you need to change everything. when wife and i finally got chip cards here we had to go through all our account to set up automatic payments again.
this is an unneeded step in other countries cause its bound to you account behind the card. you just get your pre-statment then you can say not to any upcoming chages if you want and if you just don't give a f... everything just keeps working even with new cards and blah blah blah.


There are way smarter system in place and working. but if you never experience them it hard to know exactly how inefficient and unneeded complex the current one is
I'm in the US, and all the reoccurring payments I have set up are tied directly to my bank account. You can even do this on your Microsoft account for store purchases these days.
 
Working retail, we have had quite a few cards cloned and used with a cloned chip to make fraudulent purchases. One person called to say someone had bought $1000 in gift cards, yet she lives over 50miles away and the customer had used a chip.

It's already cracked in Europe, and already cracked here with the most fraudulent claim being Chase and Chase Freedom.

You can't clone a chip and that is fact. You can clone a chip card without the chip and run it through as a mag stripe transaction so long as the Financial Institution hasn't shut down the non chip tran code (example would be an FI that didn't mass reissue and has both chip and non chip cards in the wild).
 
Walmart's card readers had chip support since like 2008 if not before. I know this because friends from Europe would attempt to insert their cards and they would totally succeed... Sort of. Only to have the terminal either tell them to swipe the card or do nothing at all. It was the software that didn't support it in the US.

They replaced and updated most of their card terminals recently though. I suppose even though the old terminals were physically capable of accepting chip cards the software was too old and they didn't bother attempting to update the old ones. It was simpler to replace them.

But I'm pretty sure most of the old card reader terminals were the same globally hardware wise. They supported swipe and chip. Except in the US the chip part was never enabled.

I highly doubt that Walmart had it in place, because the card issuer's were just certified in the US in the last few years. They may have had POS machines that could read a chip anticipating the liability shift, but there was no where for that information to go until fairly recently.
 
First time we ran into the "chip issue" was in France. Never heard of them before this. We were at a fine restaurant and the waitress was trying to insert my non-chip card and could not make it work until a gentleman at a neighboring table told her she needed to swipe instead. lightbulb.
 
Meanwhile in europe we use paypass.

But we never had any issues with chip readers either. The first time they started using card readers in shops they were slow because they were connected to the bank over dialup. Even now the slowest part of the 2 second transaction is the time it takes for the reader to communicate with the bank.
 
Meanwhile in europe we use paypass.

But we never had any issues with chip readers either. The first time they started using card readers in shops they were slow because they were connected to the bank over dialup. Even now the slowest part of the 2 second transaction is the time it takes for the reader to communicate with the bank.

It's like that everywhere except the USA and has been for years. We've had contactless payment here in Canada for several years and chips for much longer. The implementation they're using in the US doesn't use pins either.
 
I know a large number of the major retailers here are just disabling the chip readers and using the swipe function because of how long it takes.

Honestly it's all a wash since even with the chip that can take it and use it online. I think online is where the majority of the fraud takes place anyway...
 
It's amazing how many retailers in the US have not moved to the chip. There are even fewer who are accepting Samsung Pay or other phone type payments.
 
Yes sometimes the chip system is slow and I don't know why. This issue may be faced by all users around the world.
 
Haven't noticed the total transaction time being much longer. With the swipe, there is swipe(put card away), wait, sign, wait, done. With the chip, insert, wait, sign, wait, take card and put away, done. Time out of wallet is much longer.

Most of the places I use a CC have the chip reader but still don't have it activated and only allow swipe. And that doesn't count gas stations which got yet another extension before they are supposed to implement chip readers.

dont sign under whatever dollar it is, so most merchants or retail stores that dont suck dont print the sign receipt or ask you to sign on the terminal

I never use pins so it is a pretty significant change in time that it takes for me to buy a soda with my debit/credit cards now that I __have__ to use the chip....

not to mention all the places and vendors that are trying to force pin transactions only now...
 
The only reason there is a problem is because cards that don't have chips are still accepted.

You ended the sentence too soon leaving out: "... - the problem is on chip-based terminals that aren't enforcing the encryption by default." which makes it a complete idea and exactly what's happening with the chip-based system. The potential exploit demonstrated makes use of the fact that some chip-based terminals aren't enforcing the encryption used to secure the data on the stripe which tells the terminal to reject the swipe transaction in favor of using the chip method instead. Consider this:

With a chipped card that's had its stripe rewritten to take advantage of this exploit (telling the reader that it's not a chipped card), on a transaction where the retailer has started the process for the chip-based read of the information, if the "customer" says "Oh, my chip doesn't work, you'll have to let me do the swipe instead..." when that attempt is made - if the chip-based terminal DOES have the encryption enforced (because what causes the problem is it NOT being enforced) - the swipe of the rewritten stripe won't work (the encryption being enabled causes the swipe to fail completely). Thieves can't rewrite the encryption on the stripe that would pass inspection on the chip-based terminals if encryption is enabled hence the exploit exists because of this aspect of chip-based terminals not using the encryption by default that makes it an exploit in the first place.

Makes perfect sense to me.
 
Last edited by a moderator:
Anyone using Samsung Pay or an equivalent? I use Samsung Pay and it shows that it gives your credit card a different number when being used.
 
it's also worth noting that the new card readers are terrible at reading the old cards. even with an immaculate card, it takes multiple swipes to get a reading, and apparently this is very common according to the clerk.

this limitation was probably engineered to encourage users to switch to the new cards. there's a word for this but it escapes my memory...

The word (or phrase) you're looking for is "Planned Obsolescence" ;)

Planned obsolescence - Wikipedia, the free encyclopedia
 
My thought is that most fraud has never been in the mag stripe, but the reader. What's to stop them from hacking the reader with a firmware update? Hackers will always win.

From what I read, it doesn't work that way. (I may be wrong) It's similar to a challenge response with 1/2 the key on your card. The other key is stored with the CC procesor. The device feeds in a number which gets hashed through a number returned by the card creating a unique number for the purchase. The encryption varies with each number generated by the vendor. So even if they compromised the reader, it would be hard for them to break the 100% end to end encryption. Constantly requesting the same number over and over again to the clearing house would mean the machine was compromised and be immediately flagged.
 
So, I guess that's a "no"
Samsung Pay is using Tokenization. Much different than EMV and where the US should have went bypassing chip technology. I personally haven't used it, but working in the industry I can tell you that it is more secure than any CC - the ironic thing is I actually still use a chipless card mostly because I know how fraud truly works. I've been in most of the recent compromises (we get reports that list all the cards) and haven't even requested a new card.

TBH I tell friends and family just to do what you have always done. If you are curious of tokenization go for it. A ton of merchants accept Samsung Pay now. Remember that your small financial institutions are the one's that are most effected by fraud. We eat everything with Visa consumer 0 liability (you would only be liable for up to $50 and we have never once enforced that) Merchants that have the unsecured POS systems don't. Yet the CFPB wants to eliminate financial institutions making any income off plastics. F the CFPB, they are making it worse for everyone.
 
Back
Top