Chip cards, I thought they were more secure?



Scott Shepherd
09-30-2015, 7:05 PM
I'm guessing most everyone has the new debit cards with the chip in them now? I thought they were supposed to be more secure and help prevent fraud. However, I went into Target, slid my chip card into the reader, it sat there, then said "Remove card" and the transaction was done. Never once asked me for my PIN. I've been back in there a number of times since and not once has it ever asked me for a PIN. That means if I lost my card in the parking lot, someone could walk into the store and buy things, and there wouldn't be a trace of them. No forged signature, no PIN code, no nothing, so no one would ever know it was fraud until I figured it out.

How's that more secure than entering a PIN code? Without my PIN, you can't buy a stick of gum.

Mark Blatter
09-30-2015, 7:18 PM
I believe it is about the ability for anyone to duplicate the card and have 20 copies of it in use. No one can intercept the data as they use a one time encryption. I have been using one for a few months and frankly they are a pain because they are slower, but if it helps stop organized crime, it is worth it.

Scott Shepherd
09-30-2015, 7:26 PM
I believe it is about the ability for anyone to duplicate the card and have 20 copies of it in use. No one can intercept the data as they use a one time encryption. I have been using one for a few months and frankly they are a pain because they are slower, but if it helps stop organized crime, it is worth it.

Yeah, but 20 cards wouldn't be able to buy a drink at Target with my old cards copied. It would be declined immediately. Not so much now. They might only be able to use that one card, but they could certainly use it without even slowing down. It would be a pickpocket's dream. Work around stores, snatch a wallet, go buy some things, throw the card in the trash and move on. I think the whole thing that made it secure was the combination of the chip AND the PIN, I even thought they were called chip and pin cards.

Jim Becker
09-30-2015, 7:44 PM
Currently in the US, it's "Chip and Signature" and the signature is only required for purchases over a certain amount in some stores. "Chip and Pin" would be more secure (and that's how it's implemented outside the US for the most part), but as usual, the financial industry felt it might be asking too much of US cardholders to "do that thing" for each transaction... "Chip and Pin" will likely come into play down the road here, however, for obvious reasons...."Something you have" (card) and "something you know" (PIN) for two factor authentication.

John McClanahan
09-30-2015, 8:16 PM
My Visa card has the chip, but it also has the mag stripe. Someone with a card scanner could still swipe the numbers from the stripe.

My understanding is that the credit card companies will no longer eat the fraudulent charges made with the magnetic stripe readers. Stores that don't upgrade their credit card machines will be responsible for the fraud.


John

Roy Harding
09-30-2015, 8:25 PM
Here in Canada, it's 'chip and PIN', for both my debit card and credit card.

Franklin Ferrier
09-30-2015, 11:01 PM
Here in Australia it is only 'chip and PIN', signatures were made completely redundant earlier this year. We also have 'pay wave' which uses a proximity reader rather than having to insert the card. Most transactions below $100 do not require entry of the PIN. A lot of fraud happens with stolen cards that are used to buy small amounts promptly after a card is stolen, but the financial institutions don't publish the figures. It's hard to tell if the amount of fraud is greater now than it was before with swipe and signature, which nobody ever seemed to check anyway. For transactions above $100 the card must be inserted in the reader and a pin entered. Also the system limits the number of times (10) you can make pinless transactions each day. If you report your card stolen within a reasonable timeframe the financial institutions usually carry the cost of fraudulent transactions as a cost of business and don't charge the card owner, although I imagine finding out and contesting the transactions would be stressful.

Mike Henderson
10-01-2015, 2:45 AM
Currently in the US, it's "Chip and Signature" and the signature is only required for purchases over a certain amount in some stores. "Chip and Pin" would be more secure (and that's how it's implemented outside the US for the most part), but as usual, the financial industry felt it might be asking too much of US cardholders to "do that thing" for each transaction... "Chip and Pin" will likely come into play down the road here, however, for obvious reasons...."Something you have" (card) and "something you know" (PIN) for two factor authentication.

Yep, the credit card industry in the United States was afraid that people would not be able to remember the pin and would therefore use another card - so they went with chip and signature. But people remember their iPhone pin, and their bank pin, etc.

Chip and pin would be more secure but chip and signature is better than the mag stripe. And after some date, if a merchant processes a card with only a mag stripe, and the transaction is fraudulent, the loss is on them. By that date, all card users will have been sent cards with a chip, so the only way a mag stripe would be used is if the merchant doesn't have an upgraded terminal.

Mike

Rich Engelhardt
10-01-2015, 6:38 AM
"Safety" is the new religion in this country.
(note - - the definition here is from the old line, "Want to get rich? Start your own religion".)

Any time someone wants to sell an idea to anyone it's wrapped up and marketed as being "safe".
(Secure is just a synonym for safe.)

It doesn't matter what the truth is anymore - - as long as it's "safe"....

Mike Null
10-01-2015, 8:07 AM
I was in line at HD yesterday and a guy was making a small purchase with a chip card. It must have taken 10 minutes for him and the cashier to get the scanner or whatever to accept and validate the transaction.

Dan Hintz
10-01-2015, 8:21 AM
Mark has it. "Safer", in this instance, means the card cannot be easily cloned and used elsewhere while you still have the original in your possession. You are more likely to notice a missing card (pickpocket) than you are waiting to see fraudulent transactions at the end of the billing period. Therefore, it also requires the card to be used semi-locally rather than having its number transmitted around the world and used almost immediately.

Still, the "one-time use" algorithm isn't infallible ;)

Jim Becker
10-01-2015, 10:02 AM
And after some date, if a merchant processes a card with only a mag stripe, and the transaction is fraudulent, the loss is on them. By that date, all card users will have been sent cards with a chip, so the only way a mag stripe would be used is if the merchant doesn't have an upgraded terminal.



That date is literally today, 1 October 2015, relative to the risk shifting to a merchant if they are not equipped to process cards with the chip as a chip transaction. That said, the latter thing you say is unfortunately not true...only a portion of cardholders have received new cards with chips. The banks didn't take the date seriously, apparently, citing "chicken and egg" with merchants not having updated terminals. That's also a problem, a very large portion of merchants have not upgraded to-date...

Jim Becker
10-01-2015, 10:03 AM
I was in line at HD yesterday and a guy was making a small purchase with a chip card. It must have taken 10 minutes for him and the cashier to get the scanner or whatever to accept and validate the transaction.

I've been using the chip feature at HD for months now with no issues...multiple local stores, too.

Scott Shepherd
10-01-2015, 10:27 AM
We use Square for taking cards from most walk ins and they haven't shipped the new Chip readers out yet either. They say "Shipping Late 2015". That means if we use their service until then, then we're on the hook if it's fraudulent. I was in a Food Lion last night and I put my chip card in, and it didn't do anything. I asked the cashier if the chip feature was working and she said "Oh, sorry, that doesn't work yet". I guess they were waiting until today to activate them too?

Steve Peterson
10-01-2015, 4:18 PM
Many stores have set a limit of risk that they won't bother to ask for a signature or pin if your purchase falls below the limit. They figure that it costs more for the clerk's time waiting for a signature than they lose from stolen cards. The merchant probably takes the loss if they didn't bother to verify for small purchases.

Steve

Scott Shepherd
01-18-2016, 2:01 PM
Apparently someone didn't get the memo about it being safer. We just had one of our business accounts compromised. $750 worth of pay as you go cell phone charges on a Chip card that is used only for buying materials from about 8-10 different suppliers.

Good thing it's more secure.

On a side note, we called the police to ask if it should be reported and they came out and told us that once you call the credit card company about it, then you are no longer in a position to file any charges because you have had no damages done to you. They said the credit card company would have to file charges, and there was nothing we could do. I'm not sure why they couldn't tell us that on the phone, but anyway, it's done.

Brian Henderson
01-18-2016, 2:42 PM
Mark has it. "Safer", in this instance, means the card cannot be easily cloned and used elsewhere while you still have the original in your possession. You are more likely to notice a missing card (pickpocket) than you are waiting to see fraudulent transactions at the end of the billing period. Therefore, it also requires the card to be used semi-locally rather than having its number transmitted around the world and used almost immediately.

Still, the "one-time use" algorithm isn't infallible ;)

But that doesn't stop online transactions where you don't have to have the card, only the number. Now presumably, you'd have to eventually have the PIN as well, but most fraudulent transactions are online, not physical.

Anthony Whitesell
01-18-2016, 4:08 PM
The reports are that the majority (80%+) of the active cards have the chip. In some cases, the problem lies with the clearing house (processing company). A middleman. Especially for the smaller merchants. If you check out of a store and have to swipe through a chip-enabled reader, then chances are very likely the clearing house does not have the software installed, enabled, or other reason to process the chip based transaction. If the reader is not chip enabled, then the merchant has likely not upgraded on their part or is waiting for their clearing house to upgrade (could be a chicken-and-egg thing).

Bert Kemp
01-18-2016, 6:43 PM
What's really weird I think is that when they call you to ask about fraudulent charges on the card the circles you have to go thru to prove you're you. Hey they called me at a number I provided to them but they call and then want to know.
My name
My address
my birthdate
last 4 of my SS
my dogs name
my mothers maiden name
my card number
exp date
and 3 number CVs

But like you all said it's easy to steal the card and rack up charges wtf.

Brian Elfert
01-18-2016, 9:10 PM
All of my cards have chips, but a lot of stores don't have chip readers that work yet. I did three retail transactions yesterday and this evening and only one retailer had a chip card reader. Chip cards only protect against hackers that break into computers and steal card numbers.

Traditional methods of fraud like skimmers, restaurant employees stealing numbers, and people stealing cards are not stopped by chip cards. Some of these methods will be stopped by having PIN numbers hopefully at some point in the future.

Mike Henderson
01-18-2016, 10:10 PM
What's really weird I think is that when they call you to ask about fraudulent charges on the card the circles you have to go thru to prove you're you. Hey they called me at a number I provided to them but they call and then want to know.
My name
My address
my birthdate
last 4 of my SS
my dogs name
my mothers maiden name
my card number
exp date
and 3 number CVs

But like you all said it's easy to steal the card and rack up charges wtf.
If someone calls me, I do not give out any of that information. I tell them I'll call them on the number listed on the card and then I will provide the information, if I need to.

Mike

Mark W Pugh
01-18-2016, 10:43 PM
But that doesn't stop online transactions where you don't have to have the card, only the number. Now presumably, you'd have to eventually have the PIN as well, but most fraudulent transactions are online, not physical.

We need the PIN ASAP in US. Online, a total different animal. However, US card issuers and businesses need to get in line with the rest of the world.

Mark W Pugh
01-18-2016, 10:45 PM
Can someone tell me what info is exactly on the chip?

Dan Hintz
01-19-2016, 6:20 AM
Can someone tell me what info is exactly on the chip?

Some of the references in the middle of the wiki will point you to the possible information that can be stored.
https://en.wikipedia.org/wiki/EMV

Paul Lawrence
01-19-2016, 6:38 AM
You just told a scammer everything they needed to know ...


What's really weird I think is that when they call you to ask about fraudulent charges on the card the circles you have to go thru to prove you're you. Hey they called me at a number I provided to them but they call and then want to know.
My name
My address
my birthdate
last 4 of my SS
my dogs name
my mothers maiden name
my card number
exp date
and 3 number CVs

But like you all said it's easy to steal the card and rack up charges wtf.

Rich Engelhardt
01-19-2016, 8:33 AM
Can someone tell me what info is exactly on the chip?







Wouldn't it be something if the chip gathered information about your every move, then linked up with the National Center for Supercomputing Applications and dumped its load every time it was used? :)
LOL!

Seriously though -- the technology is there to do that
64 bit processing/programs opened that Pandora's Box.
For the time being it's just too expensive.

Sooner or later though, the scope of what's gathered about a person is going to change - - probably in the name of "safety".

Bert Kemp
01-19-2016, 1:38 PM
Yes I should have mentioned I call them back from the number on the card, I don't even answer the phone when someone calls unless it's family or someone I know. But they call me all the time when I travel to verify charges even after I call them to tell them I'm traveling. Weird.



We need the PIN ASAP in US. Online, a total different animal. However, US card issuers and businesses need to get in line with the rest of the world.

Jim Becker
01-19-2016, 5:22 PM
The chip cards generate a one-time number for each transaction which is why they are more secure for point-of-purchase transactions. And the retailers that can't support them now carry the entire risk for a fraudulent card transaction that's swiped...that went into effect 1 October 2015. I agree with the comment that we need to move quickly to chip and pin from the current chip and sign method that was chosen by the US banking system because they thought their card holders couldn't manage to remember a PIN. With chip and pin, point-of-sale fraud will be thwarted big-time because of the two factor authentication..."something you have" (the chip enabled card) and "something you know" (your PIN). Online is still a bit more difficult, but requiring the three or four digit extra code helps a little since that's not always on the "dumps" information that gets sold out there on the Internet by the skimmers.
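The "one-time number" point above can be shown with a small model. This is an added example, not part of the original thread and not real EMV code: HMAC-SHA256 stands in for the card's actual cryptogram algorithm, and the `ChipCard` and `Issuer` classes, the card number and the track string are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key, pan, atc, amount_cents, nonce):
    # Simplified stand-in for a chip cryptogram: a MAC over the card number,
    # the card's transaction counter, the amount and the terminal's nonce.
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Toy chip: the key stays inside the card, the counter only goes up."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0  # application transaction counter

    def pay(self, amount_cents, terminal_nonce):
        self._atc += 1
        return {
            "pan": self.pan, "atc": self._atc, "amount": amount_cents,
            "nonce": terminal_nonce,
            "cryptogram": _mac(self._key, self.pan, self._atc,
                               amount_cents, terminal_nonce),
        }


class Issuer:
    """Toy issuer: shares a key with each chip and remembers the last counter."""

    def __init__(self):
        self._keys, self._last_atc, self._stripe = {}, {}, {}

    def issue(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan], self._last_atc[pan] = key, 0
        self._stripe[pan] = f"{pan}=CONSTRUCTED-TRACK-DATA"  # static stripe data
        return ChipCard(pan, key), self._stripe[pan]

    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        expected = _mac(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False  # data was altered or not produced by this chip
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return False  # counter already seen: a replayed transaction
        self._last_atc[txn["pan"]] = txn["atc"]
        return True

    def authorize_stripe(self, track):
        # The stripe has no counter and no secret: any exact copy matches.
        return track in self._stripe.values()


def demo():
    issuer = Issuer()
    card, stripe = issuer.issue("4000000000000002")  # constructed card number
    txn = card.pay(1999, secrets.token_bytes(4))
    captured = dict(txn)  # what someone recording the exchange would hold
    altered = dict(captured, amount=99999, atc=captured["atc"] + 1)
    return {
        "chip_genuine": issuer.authorize_chip(txn),
        "chip_replay": issuer.authorize_chip(captured),
        "chip_altered": issuer.authorize_chip(altered),
        "stripe_first": issuer.authorize_stripe(stripe),
        "stripe_copy": issuer.authorize_stripe(str(stripe)),
        "chip_next": issuer.authorize_chip(card.pay(500, secrets.token_bytes(4))),
    }


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:13s} approved={approved}")
```

Nothing in this model identifies the person holding the card, which is the gap the thread attributes to chip and signature: a lost or stolen card still produces valid cryptograms.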

Dan Hintz
01-20-2016, 7:15 AM
we need to move quickly to chip and pin from the current chip and sign method that was chosen by the US banking system because they thought their card holders couldn't manage to remember a PIN. With chip and pin, point-of-sale fraud will be thwarted big-time because of the two factor authentication..."something you have" (the chip enabled card) and "something you know" (your PIN). Online is still a bit more difficult, but requiring the three or four digit extra code helps a little since that's not always on the "dumps" information that gets sold out there on the Internet by the skimmers.


I wouldn't be so sure on that one, Jim. There have already been multiple hacks that show the PIN portion can be effectively bypassed.

Scott Shepherd
01-20-2016, 8:16 AM
I wouldn't be so sure on that one, Jim. There have already been multiple hacks that show the PIN portion can be effectively bypassed.

I would agree with that statement. We use the chip cards and they have never asked for a PIN, not once, except for debit cards. If it's a credit card, it just uses the chip and never asks for any PIN. In fact, I don't even know of any PIN's for our credit cards with chips. Not sure how it's supposed to be more secure when it doesn't ask for 50% of the thing that's supposed to make it more secure.

Mike Henderson
01-20-2016, 10:11 AM
I would agree with that statement. We use the chip cards and they have never asked for a PIN, not once, except for debit cards. If it's a credit card, it just uses the chip and never asks for any PIN. In fact, I don't even know of any PIN's for our credit cards with chips. Not sure how it's supposed to be more secure when it doesn't ask for 50% of the thing that's supposed to make it more secure.
In the US, chip cards are not PIN cards. They are signature cards. I tried to get a PIN card for European travel and they wouldn't issue me one.

Mike

Jim Becker
01-20-2016, 10:20 AM
In the US, chip cards are not PIN cards. They are signature cards. I tried to get a PIN card for European travel and they wouldn't issue me one.

Mike
Yea, As I mentioned, this is a failing of the US banks because they felt that their customers couldn't handle remembering a PIN. That's kinda dumb because the majority of their customers don't have any issue remembering a PIN to access the ATM...

Art Mann
01-20-2016, 10:35 AM
A few months ago, I stood in line for 30 minutes at Sam's Club while some stupid woman in front of me couldn't remember her PIN and was calling her entire family to see if they remembered it. Never overestimate the intelligence of the general public -- or the intelligence of a clerk at Sam's club who should have bypassed the woman until she could get her act together.

Mike Henderson
01-20-2016, 1:43 PM
Yea, As I mentioned, this is a failing of the US banks because they felt that their customers couldn't handle remembering a PIN. That's kinda dumb because the majority of their customers don't have any issue remembering a PIN to access the ATM...
Or to access their smartphone.

Mike

Brian Henderson
01-20-2016, 1:59 PM
Or to access their smartphone.

Mike

Well, to be fair, since I never, ever use cash, I can't remember the last time I was even at an ATM and my smartphone isn't locked. I'm sure lots of people are the same.

Allan Speers
01-20-2016, 2:00 PM
You know, there's such a simple solution to it all:


They just need to embed a gps tracker in every card. Then implant GPS trackers under the skin of every cardholder. When someone tries to use a card that is physically more than 5 feet away from the user, it gets automatically shut down!



OK, ok, so the government can now track your every move. That's a small price to pay.... for SAFETY !

Jim Becker
01-20-2016, 5:46 PM
Actually, Allan, biometrics are likely to become a factor for many of these things in the future relative to security...credit cards, smartphones (sorta have that now with the finger print reader), etc. There is a lot of work being done to find more secure ways to verify that someone is who they say they are, etc. Fingerprints, retinal scans, etc, are examples. So if you want to withdraw cash from an ATM, for example, you might need both your card and your mark-one eyeball to do it with the retinal scan taking the place of your PIN. I'm personally willing to potentially concede some level of personal privacy in order to secure access to my financial wherewithal as long as there is reasonable transparency around that.

Curt Harms
01-21-2016, 6:44 AM
The data describing your fingerprint, retina or whatever is stored in one or more databases. What happens when that database is subject to unauthorized duplication? A pin or password is easy to reset, a fingerprint or retina is tougher. If I had a digital description of your retina or fingerprint could I duplicate it and use it to fool a reader? A fingerprint seems pretty easy with 3D printing.

Dan Hintz
01-21-2016, 8:51 AM
If I had a digital description of your retina or fingerprint could I duplicate it and use it to fool a reader? A fingerprint seems pretty easy with 3D printing.

Yes. I've duplicated fingerprints with a laser printer and some silicone... all I needed was a picture of the finger. Biometric data is not the panacea the pundits claim it is...

Scott Pierce
01-21-2016, 3:02 PM
A few months ago, I stood in line for 30 minutes at Sam's Club while some stupid woman in front of me couldn't remember her PIN and was calling her entire family to see if they remembered it. Never overestimate the intelligence of the general public -- or the intelligence of a clerk at Sam's club who should have bypassed the woman until she could get her act together.

It bugs me that they added the chip to the card means the transaction approval takes longer but then they don't require a pin to prove it's you and not someone that just stole your card. Seemed kind of silly to go through all this and NOT require a pin... until I read your experience above. Yep, I could see long delays in line because people can't remember their pin. That would really bug me. But I would think eventually those people would remember their pin or would start paying with cash.

Curt Harms
01-22-2016, 10:55 AM
Yes. I've duplicated fingerprints with a laser printer and some silicone... all I needed was a picture of the finger. Biometric data is not the panacea the pundits claim it is...


And it's painful to reset:eek:.

Bert Kemp
01-22-2016, 11:03 AM
Yes it's stupid, people can remember a 4 digit pin geesh they remember several 10 digit phone numbers. I have a 14 digit pin for my bank I have no trouble with that. I still remember my service number from 42 years ago and my first tely number from when I was a kid.



It bugs me that they added the chip to the card means the transaction approval takes longer but then they don't require a pin to prove it's you and not someone that just stole your card. Seemed kind of silly to go through all this and NOT require a pin... until I read your experience above. Yep, I could see long delays in line because people can't remember their pin. That would really bug me. But I would think eventually those people would remember their pin or would start paying with cash.

Bill Cunningham
01-22-2016, 4:03 PM
It might be just a coincidence, and I don't use amazon all that much, but in two cases after I bought something on amazon that was actually sold and delivered by an amazon 'affiliate', about 3 month later I was finding stuff 'I'(?) bought in other parts of the world. I had tickets to a football game in Spain, spy camera stuff from Texas, several Amazon.it sales. In both cases (about 2 years apart), the purchases were refunded to me, and the cards replaced, but it's still a pain! At least the last time MasterCard did not ask me to file a police report before they gave me my money back.. I guess it was just so obvious that I was not in Italy.. I wonder how many hacks Amazon has had, and kept it quiet. They deal in Billions, so Hacks are probably common but kept under wraps.

Jim Becker
01-22-2016, 6:36 PM
That's interesting, Bill. I was under the impression that businesses using the Amazon platform didn't actually see the CC information and that the transaction with the end-customer was financially serviced by Amazon. Maybe I'm wrong about that.
-----

Bert, I agree about the PIN argument...the banks clearly are mis-guided about that in refusing to do chip 'n pin rather than chip 'n sign. Makes no sense to me, especially if my older daughter, who has "many issues" can remember her Debit Card PIN with no issue for ATM use.

Bill Cunningham
01-23-2016, 1:33 PM
That's interesting, Bill. I was under the impression that businesses using the Amazon platform didn't actually see the CC information and that the transaction with the end-customer was financially serviced by Amazon. Maybe I'm wrong about that.
-----

Bert, I agree about the PIN argument...the banks clearly are mis-guided about that in refusing to do chip 'n pin rather than chip 'n sign. Makes no sense to me, especially if my older daughter, who has "many issues" can remember her Debit Card PIN with no issue for ATM use.

I was under that impression too.. In the first case, the outside affiliate was in Montreal, in the second, it was shipped in from China (although china was never mentioned anywhere in the vendor info). I still think hacks are possible, and Amazon covers them up. Where else would they get the matching 3 digit validation number on the back of the card. None of my suppliers that I use my card with have it, the only place it has ever been entered for online purchases is Amazon and Cabelas. Plus, if they used the security of never shipping to an address not registered to the card, this problem could be eliminated. I know when my customers use their cards through PayPal, I get a verified shipping address, and will be the only address I will ship stuff to.

Brian Elfert
01-23-2016, 1:40 PM
I was under that impression too.. In the first case, the outside affiliate was in Montreal, in the second, it was shipped in from China (although china was never mentioned anywhere in the vendor info). I still think hacks are possible, and Amazon covers them up. Where else would they get the matching 3 digit validation number on the back of the card. None of my suppliers that I use my card with have it, the only place it has ever been entered for online purchases is Amazon and Cabelas. Plus, if they used the security of never shipping to an address not registered to the card, this problem could be eliminated. I know when my customers use their cards through PayPal, I get a verified shipping address, and will be the only address I will ship stuff to.

Interesting, because whenever I have added a credit card to my Amazon account they have not asked for the three digit validation code. I always thought it strange that the world's biggest online retailer didn't ask for something that is basic to credit card security.