Even if the ATM designers find a way to shake off the skimmers, the scammers can simply build their own fake ATMs and leave them outside bars.
Improved technologies in the banking sector have failed to stem the rising tide of fraud in the US, according to a study by analytic software firm FICO. The US's belated move to EMV (Europay, MasterCard and Visa) chip-equipped cards hasn't curtailed fraud as much as many had hoped, based on the successful rollout of the …
build their own fake ATM
There are not that many Romanians and Bulgarians in most of the USA for that one. Also, it works great with tourists where the tourist can believe a message telling him about "no connection to your bank at the moment" for just long enough to peruse the stolen data. That does not work when hitting mostly "native" population.
Sure, our cards come with EMV chips (well, some of them do), but how often do you get to use them? And the second half of the equation, making sure the person using the card is the correct person, is also lacking. Only two of my four EMV cards have a PIN (and one is a pure-ATM card, which always had a PIN). Of course, I have two other cards that still don't even have EMV (I call my bank, and they promise they're rolling them out as fast as they can, still after 3 years?!).
Boy, was it embarrassing going to Canada. Every time I paid with my card, the machine would beep loudly, letting them know an American was there. "WARNING, WARNING: American attempting to use technology they don't understand, WARNING!". Then I had to sign a receipt, which totally keeps me secure, totally.
I guess it beats having to remember a 4-digit PIN. Remember when kids could remember 7 (or even 10) digit phone numbers? They grew up to be too stupid to remember a 4-digit PIN apparently. "My grandma could never remember her PIN!" Should your grandma be left in control of her own finances then? She's probably on the phone right now, reading off her credit card number to some prisoner she thinks is her grandson Steve (does she have a grandson Steve? she can't remember).
is mostly from retailers who haven't/won't update their POS terminals to accept the chipped cards OR they use chipped cards incorrectly. The ONLY US retailer I've run across which correctly uses my chipped debit card is Wal-Mart. Every other retailer fits into one or more of these three buckets:
- they have tape over the card slot with a handwritten sign to swipe the magnetic strip instead OR
- they accept the chipped card but if you hit the debit button instead of credit button, you are then instructed to REMOVE the card and swipe the magnetic strip instead OR
- you insert the chipped card and hit the credit button and are asked to SIGN rather than enter your PIN.
As much as I despise doing business with Wal-Mart, they at least did get the chipped card usage correct so I would rather shop there than a retailer who is too lazy/cheap/stupid to update their systems.
You Europeans need to know that the United States did not roll out a "chip and pin" system. It's a chip. The end.
There is no pin required -- you can press credit or cancel to bypass it and this is common knowledge. This was originally done as part of a "transition" away from the old system, while merchants still used old equipment. It's been many years. The old equipment is still there, and so is the "transition" period. So yeah, physical card fraud has gone up, because the new cards are actually less secure: It is one factor authentication -- "I have card. Gimme money." And you *can* get money at most places by simply asking for cash back. Which means... you don't need an ATM to get cash, just a candy bar to buy.
We didn't roll out EMV to decrease fraud, but to shift costs from banks to merchants, re: card-present (CP) transactions. But I mean, think about it... these pieces of plastic just need to be present to turn holding on to it into cash, albeit for a limited time. And as for people thinking skimmers can't be used? Most of the chipped cards also have RFID tags. Walk by someone carrying it. Conduct a card-present transaction by sending the challenge/response over the internet to another location. Bonus: Add bluetooth so the 'fake' card can emulate the real one.
EMV does nothing to stop man in the middle. It was fundamentally broken from day one -- and criminals need only use their heads and a tiny amount of finesse to overcome it.
I just spent three weeks in the US on a whistle stop tour, from the UK. A few observations
- Unattended magstripe transactions are still commonplace.
- "Chip and signature" is way more prevalent than proper chip and pin
- Everywhere that accepts chip and pin also accepts unauthenticated magstripe
- The one single time I used my travel-only credit card in New York (the first time it was used in over six weeks), I got a fraud alert three hours later as someone tried to spend six grand in New Jersey.
1) What the fuck can you buy for six grand in NJ? Was he buying half of Jersey City?
2) It doesn't matter if you've finally rolled out the chips if no one uses them
3) It doesn't matter that you use chips if everyone around you accepts magstripes.
4) It *really* doesn't matter what you do if your payment networks are so archaic they're being routinely compromised en masse by persistent hackers silently harvesting details.
I just really don't understand why chip & PIN is such a problem in the US. It's been universal in Europe (except for certain overseas visitors) for so long now that I can't even remember when exactly it was introduced, with very little fuss and bother. I'm certain Americans are bright enough to remember a 4 digit PIN, so why are their retail and banking industries so reluctant to use a technology that has been demonstrated to reduce fraud in Europe and elsewhere? Mystifying.
The US delayed chip because it was a big change and our fraud rate was relatively low. Europe pushed forward because their fraud rate was significantly higher, which EMV has brought down to match US rates.
In 2004 US card fraud rate was 0.05 and Europe was 0.11, more than double. By 2010, EMV brought Europe down to a fraud rate of 0.06 while the US rose to 0.08.
It probably has more to do with who has to pay for losses on the fraud.
In Europe the consumer has had near 100% protection for a long time, in the US the consumer could often spend weeks getting compensation back and having other types of issues.
That is, the US didn't see it as harming business so that makes it a positive.
The local news company ran a story last year when the chip became common, they asked all local people in their coverage area to contact the banks and request NOT to receive one of these cards because fraud was worse on a chip card rather than a swipe card. The "Fraud" they spoke about was that once someone had your card AND your pin that they could purchase things without you knowing about it. This type of "Fraud" was happening because lo and behold criminals were going through the phone book saying "Hi, We are your bank, you just received a new chip and pin card but it is faulty, can you come meet us at the local liquor store, bring your pin, we will then order you a new one." Seems enough people were doing it that they deemed "Chip and PIN" to be a fraud risk.
"In 2004 US card fraud rate was 0.05 and Europe was 0.11, more than double. By 2010, EMV brought Europe down to a fraud rate of 0.06 while the US rose to 0.08."
Sure. But now it's 2017. As the article notes, the card fraud rate rose by 70% in 2015-16, while compromised ATM and PoS terminals rose by 546% in 2014-15. That would suggest that while Europe has managed to bring fraud down to levels around the same the US used to experience, the US has increased its fraud levels way above where Europe used to be.
And that's assuming your quoted figures are accurate in the first place. I don't know exactly what you mean by "card fraud rate", but here are some other figures to ponder:
The USA accounted for 47% of the world's card fraud in 2015, despite only making up 24% of card transactions. 32 million Americans were victims of credit card fraud in 2015, three times higher than the previous year.
The USA has third highest rate of card fraud in 2016 with 47% of consumers experiencing it, compared to a world average of 30%. It is the only country to remain in the top three for three years running.
Interesting table halfway down this one - looked at per $1000 of transactions, chip&PIN has half the loss due to fraud, but also only just over half the profit for the issuing bank. Also worth noting is that this article gives the US 38.7% of card fraud for only 22.9% of card transaction volume for 2015, not quite as bad as the first article, but still not exactly great.
So sure, US card fraud may or may not have been relatively low back in 2004. It is now firmly one of the worst countries in the world for fraud, and only avoids remaining the worst for several years running due to huge increases in Mexico and Brazil. Every single report I've seen on the matter puts the blame squarely on the failure to properly implement chip&PIN transactions. It may not be perfect, we do still have fraud here in Europe after all, but it's a hell of a lot better than either not having it at all or having the half-arsed approach the US has taken.
"I just really don't understand why chip & PIN is such a problem in the US."
Because the US has A LOT of rural areas where you would be amazed to find they still use imprinters...because even access to a telephone is not guaranteed (heck, they may not even have electricity). Chip readers would be useless to them.
"...so why are their retail and banking industries so reluctant to use a technology that has been demonstrated to reduce fraud in Europe and elsewhere?"
Because fraud isn't really that big an issue in the US. Well before Chips, the US has had a robust chargeback system in place, and the credit card companies have ways to investigate frauds. Given the volume of activity in the US, the overall percentage of fraud is close to the noise level, and most of that is not of the type that Chips can help control (for example, e-tailer or CNP fraud).
the US has A LOT of rural areas where you would be amazed to find they still use imprinters...
What's an "imprinter"??
OMFG! 8o I haven't seen one of those since, what,.. the early 1980s? The US really is going down the pan :S
Just because overall fraud is going up when EMV is still in the process of being rolled out doesn't tell you whether EMV is making a difference. Maybe fraud in non-EMV cards has gone up 100%, and fraud for those who have switched to EMV since the previous year has dropped 50%.
I may be out of touch, but I think the last that I heard, British and European bank cards were retaining the magnetic strip because it was part of the standards and contracts that govern banking services, and those weren't changing in a hurry.
Whether the magnetic strip still works after you leave a refrigerator magnet on it overnight, or go at it with a hole punch, is a different question.
(This is not necessarily wise - I have had a card's chip go non-functioning. The bank branch, in Scotland, was happy to swipe the strip to complete a transaction. Then I ordered a new card.)
Another concern is the very latest cards that telepathically transmit your bank account details to store clerks as you walk into or past the shop, to save time completing the transaction that they prophetically foresee. I'd use the hole punch to stop that but where do you put the hole? and what if they foresee you doing that, too?
It also doesn't help that a *large* portion of Americans are either too ignorant (willfully or otherwise), or have a serious cranial-rectal inversion to follow what is a stupidly simple process:
1. insert chip card into reader
2. wait for prompt to enter pin or sign (this is largely up to the merchant, and whoever configured their point of sale system) and enter pin/sign then press the enter button
3. remove card when prompted
But then, these are the same people who, when using the magstripe, will either crawl the card through the reader too slow, or whip the thing through at Warp factor 8 which then produces a card read error.
And invariably, I get stuck behind them in line.
need to cache the information from the chip on the reader, so people can just swipe it like they do with mag stripe. Chip readers for the most part are still far too slow (though they have gotten better since the initial launch). I was last in Europe 2 years ago, though I don't remember much of my credit card experience; none of my cards have a PIN on them as far as I know (outside of ATM anyway). I did spend 3 months in Asia last year and I don't recall offhand seeing much "chip" activity (if any?), though I mostly used cash, though my main CC was flagged as compromised literally 2 days after I arrived (maybe it was hit before I left, I do not know), and it took a month to get a replacement card (mainly because I didn't have a stable address going from hotel to hotel).
I find it kind of amusing the people complaining why the U.S. hasn't fully embraced chip+pin, the reason most customers have not is because they are not liable for the fraud anyway if there is any. Myself I have had very little fraudulent activity on my cards in the past 5 years. And obviously chip+pin does jack shit with regards to online transactions. I just got off the phone with an online merchant trying to make a purchase, whatever CC processing they use wasn't able to charge my main credit cards, so I gave them yet another card(3 total), and they tried to charge that, THAT bank flagged it as fraud and texted me, I approved it, the merchant said they will try to process the payment again and call me back, that was 40 minutes ago.
Using the chip has been far more of an annoyance factor for me vs magstripe (as in annoying me on a very regular basis), vs on average 1 fraud thing on my card per year. I am generally quite careful where/how I use my CCs, as well as ATM. Only time I have used an ATM not owned and operated by my bank was when I was overseas. I never ever use random ATMs at retail locations operated by 3rd parties.
Because that way if your account is ripped off it's your fault.
IIRC there were ad campaigns in Europe for what was called "Chip N Pin" about 15 years ago.
Really. US retailers (or rather their banks) are running with 15 YO software?
Another problem is the chip&pin readers are SSSLLLLOOOOOWWWW. At one of the local grocery chains, payment went from barely longer than it took to swipe the card, to something like a 45 second wait for C&P. One place was over a minute.
That may not sound like much, but when you're waiting to leave with your groceries and 15 other people are waiting for you to leave with your groceries, it's an eternity. Plus multiply that by the 10 people you're waiting behind.
> At one of the local grocery chains, payment went from barely longer than it took to swipe the card, to something like a 45 second wait for C&P
I suspect this says a lot about how much investment went into those C&P machines (or the online pin verification infrastructure provided by the bank). Honestly should be under 5 ... i.e. across Europe you usually have enough time to put the card in the machine and enter your pin, with no sitting and waiting.
* wireless machines not counted here - they are normally on some shitty GPRS side band for verification which is always as slow as shit. Anything with high throughput requirements should get wired EMV kit.
It also says a lot about how much verification was going on with the magstripes ie. none.
The longest I've had to wait was 30 seconds which is generally small shops with handheld cheap readers. In larger stores it's so fast I've got the notification the money has gone from my account before the receipt printer has finished printing.. it's sub-second.
On the primitive island I live on, chip & pin transactions take a second or two at train stations and major stores. Even mom and pop with dial up usually get an answer pretty quick. EMV is not very difficult (for anyone) and stops a lot of crime - what is the problem over there? Not invented here, blocked by the mafia lobby? Or what?
EMV is not very difficult (for anyone) and stops a lot of crime - what is the problem over there?
The US has a huge network of ATMs, many of which are antiques that can't be upgraded. To replace the whole lot with something more modern and more secure would cost a very large amount of money, and the cost of fraud to the banks is going to have to get even higher before they consider it worth replacing the network.
I had an interesting discussion with a US banking security expert a few years ago, on the subject of PIN length. I was working with a British manufacturer of PoS terminals, and we wanted to be able to offer the banks the ability to let customers set longer PINs. He said that in the US ATM PINs would remain at 4 digits for the foreseeable future because that length was essentially hard-coded into more ATMs than it was feasible to replace ... and international travel means that if the US is limited to 4-digit PINs, everyone else has to be as well.
It's much the same with chipcard adoption. It won't happen until the level of fraud rises even more, or until the banks are forced to indemnify customers from any fraud on their accounts.
"It's much the same with chipcard adoption. It won't happen until the level of fraud rises even more, or until the banks are forced to indemnify customers from any fraud on their accounts."
And the banks usually don't have to because the credit card companies will usually indemnify customers if it's just the odd one-off (better that than tick them off and raise a defection).
"Another problem is the chip&pin readers are SSSLLLLOOOOOWWWW. At one of the local grocery chains, payment went from barely longer than it took to swipe the card, to something like a 45 second wait for C&P. One place was over a minute."
Really? Maybe it was using a dial-up connection on a very busy day. I've been using chip'n'pin for years and I don't recall ever having to wait that long. In most places, verification is almost instant. It was sometimes a bit slower many years ago, but never as long as 45 seconds. I'd have thought that since chip'n'pin is "new" to the US that any kit installed would be fairly new and efficient.
It's because they are using dial-up to do the token payment, which has to be verified (which is dumb; it should be an Ethernet/3G connection when chip&pin is used, transactions take less than 2 seconds to authenticate).
In the UK only the old 2G mobile ones are slower (or for some odd reason you picked the dial-up version that needs a landline), and that's only if it's the older 2G ones, as they have to bring the GPRS data connection up and log in and verify, which is about 10 seconds (over 30 sometimes if it's dial-up). If it's a mobile 3G or Ethernet one (3G mobile card terminal, SumUp or iZettle), they are near instant once you press the OK/green button.
Chip and PIN in the USA should be all in with chip and PIN. It takes about 5 years to propagate down the line so everyone gets new cards with chip and PIN (optional, but shops can choose to tell customers to use it) and merchants get their card machines enabled for chip and PIN (they already own a card machine that supports it; they might even be unaware that their terminal supports chip and PIN and is enabled for it, or the POS seller has purposely disabled chip and PIN on the terminal for profit).
Note: if the terminal supports passive payments like Tap and Pay or active NFC payments like from Apple Pay or Google Pay, the terminal already supports chip and PIN, and it has been near-instant payment (no delay).
After 5 years chip and PIN should be mandatory and mag swipe use should be automatically forced to chip and PIN (in the UK the last places that got chip and PIN were actually the superstores or UK-wide food stores and even petrol stations; the first were small shops). Tap and pay terminals have been very aggressively deployed; most food and drink places have replaced their terminals already (even superstores as well).
How it worked in the EU: you swipe the card, it tells you to insert the card for chip and PIN; if the chip fails then mag swipe is available, but you need to prove you own the card when you swipe: the terminal asks for information or even a call to the bank (most shops will ask for another card so they are not liable for the fraud if there is any).
Another problem is the chip&pin readers are SSSLLLLOOOOOWWWW
The retard who rolled it out bought individual dialer card readers instead of rolling out a proper connection to the upstream bank via the shop network.
We do get slow in Europe too - it is inevitable that some cretin has done that too.
It is somewhat dependent on how advanced your dominant telco is. If it is someone who is "with the times" like the one in Austria, even the small coffee shops will use terminals that talk over WiFi using TLS to the bank and authenticate the transaction in a second or less.
If the incumbent telco is still in the Jurassic swamp exchanging farts with the brontosaurs like BT in the UK, all the small shops will be using a modem dialer so you will have to wait for the authorization. By the way - it is regardless of whether you are using chip and pin or magstripe.
A big grocery chain, however is nearly guaranteed to have a proper network connection to its bank. Anywhere in Eu.
Nearly 100% of US ATMs are magstripe-only. This, plus the widespread use of "skimming" devices on ATMs (see krebsonsecurity.com) make it very easy for fraudsters.
As for POS transactions with chip cards, it is getting better most places I shop. Transaction time is down to maybe 5-10 seconds at most, some are better than that. But tokenized payment methods (for example, Apple Pay) are even faster and more secure, so I use that wherever I can.
I suspect this is why ApplePay and their ilk took off so well in the US and are barely used across Europe, Chip'n'pin and pay-by-bonk are so ubiquitous and quick, ApplePay etc don't really have any significant advantages so far fewer people have bothered to switch. I've recently noticed ApplePay and other logos appearing at checkouts but I don't think I've ever seen anyone use them yet. Maybe the hipsters in London, but not here :-)
Not a hipster, but Apple Pay and Android Pay are token-generation based (more like chip and PIN); mine is Android Pay.
It uses a virtual card number, so if someone manages to get the virtual card number, well, emm, it's still useless to them as they need the stored tokens (that change every time you use one) that are only exposed when the screen is on (Android Pay).
On iPhone you need your fingerprint to unlock the phone before a token is allowed to be used, and it is far more secure than Tap and Pay on Visa and Mastercard cards (and you get a payment notification as well on the phone so you know if somehow up to £30 was taken from you. And it's a delayed payment so you can dispute it right away).
Tap and pay is a static passive token on your card (you have to replace the card if someone manages to clone it or steals the card, but it's rare due to the limit of 5 transactions per day and £30 per transaction; none of it is liable if fraud happens).
Pay by bonk is appearing rapidly via the backdoor (oo-err!).
Many of the new EMV terminals come with the "NFC" logo via "user screen", which so far works for Apple and Android, and perhaps some other services.
I know for Android/Apple Pay the number of locations is growing steadily locally, and probably more so in bigger cities.
Quite by chance last night, I found I was able to pay for *beer* with phone NFC bonk at a local off-license/restaurant. ;-)
Now that's progress...
"on iphone need your fingerprint to unlock the phone before token is allowed to be used"
And Android Pay won't let you bonk until your device has a real lockscreen turned on (your choice, but none of that simple "Slide" business--fingerprints, PINs, patterns, or passwords, user entry is required).
Almost every transaction I do on a daily basis is Apple Pay or Android Pay. As more places accept over 30 quid or so, the few I don't use it with will evaporate.
I don't even take my card with me most of the time anymore. I also used contactless for everything I could until Apple Pay and Android Pay rocked up.
"Nearly 100% of US ATMs are magstripe-only. This, plus the widespread use of "skimming" devices on ATMs (see krebsonsecurity.com) make it very easy for fraudsters."
Actually, an increasing number of ATMs support Chips. You can tell because they'll ask you to leave your card in, clamp on them, and won't let go until you're about to get your cash.
"Actually, an increasing number of ATMs support Chips. You can tell because they'll ask you to leave your card in, clamp on them, and won't let go until you're about to get your cash."
I don't think I've ever seen an ATM that didn't suck the card in entirely. ...At least, not a bank ATM. Can't vouch for the in-store ATMs.
You need to clarify. You mean a bank ATM at a bank because practically ALL ATMs are provided by banks, as their money underwrites their operation. It's just that the banks that run kiosk ATMs are not the kinds of banks you can just walk in.
Most of the kiosk ATMs are the in-and-out type unless it has Chip support, in which case the slot has a clamp. This is probably for maintenance reasons since kiosk ATMs are visited less frequently, making recourse in the event of a seized card more difficult (anyway, the ATM can just transmit a panic to the card's bank to lock the card and render it useless until the user contacts the bank).