Staples comes clean: 1+ million bank cards at risk after hack

Staples says malware that infected its registers in 115 stores had access to bank card numbers from 1.16 MILLION customers. The US chain today confirmed that hundreds of thousands of Americans are at risk of fraud after spyware compromised tills between August 10 and September 16 of this year, and as far back as July 20 for …

  1. Anonymous Coward

    Card cloning? What's that?

    Oh, I forgot - Chip & Pin is still not the norm in the US, because it's not perfect, or it's un-American, or something. Just get on with it, guys.

    1. leexgx

      Re: Card cloning? What's that?

      They do not have Chip and PIN because a lot of customers could not remember their PINs for their cards, so banks stopped issuing them (they removed the chip completely from most cards).

      Over 90% of card readers in the USA support Chip and PIN (some actually still have swipe-only card readers).

      By 2016, I believe, all merchants must support and only use Chip and PIN; if not, and fraud happens, the merchant will be liable for the fraud, not the bank/Visa/Mastercard (if the card has Chip and PIN). If Chip and PIN is used, normally the liability is shifted to the person who owns the card; after that the bank, Visa or Mastercard eat it (the person has to prove it was not them and explain how the PIN was used).

      If you swipe a Chip and PIN card it forces you to use the chip and PIN; if it fails 3 times then you have to fall back to swipe (which the merchant should then reject and ask for another card unless they trust that customer). That's how it works in the UK/EU.

    2. Anonymous Coward
      Pint

      Re: Card cloning? What's that?

      Bank of America has been issuing them, and if those dinosaurs can manage to do it, anybody can.

      So far, it's the only one in my wallet.

      1. Harry McGregor

        Re: Card cloning? What's that?

        Nope, my very recent B of A card is Chip and Signature (and Magstripe), but not Chip and Pin.

        1. Cliff

          Re: Card cloning? What's that?

          The bulk of the US 'Chip&<verification>' rollout seems to be chip and sign. They don't support PIN and, yep, still have the same info on the mag stripe. It's a marginal step up: the chip bit is hard to clone, but retailers expect to use magstripe as backup for dead chips.

          It does seem somewhat retarded to go through a massive rollout without really increasing the security of the transactions to the best it can be, in line with pretty much the rest of the developed world, but US banks are terrified that their customers might not be able to remember a PIN and so would stop spending on cards.

          Having met a few, I'm of the impression that most Americans are able to tie their own shoelaces, breathe unassisted, and so stand a great chance of being able to remember a 4 digit code. Missing a great opportunity here.

          1. TheVogon

            Re: Card cloning? What's that?

            "most Americans are able to tie their own shoelaces"

            I think most Americans haven't seen their shoelaces for a good few years, let alone been able to tie them!

          2. phil dude
            Unhappy

            Re: Card cloning? What's that?

            This is only partially true - there is a prevailing opinion that needing a PIN might make you the target for criminals in an "in your face, march you to the cashpoint, leave you in a ditch" kind of way.

            Many stores I have visited in many states ask for an alternate ID for transactions.

            CHIP and PIN has the same weakness as all the other systems - who holds the keys?

            If the banks really cared about *you* they would introduce phased authentication, i.e. a 2nd confirmation for transactions >$X. I know this would help because I had my card cloned and I was 8000 miles away... an SMS to the phone? Or even a known phone number robo-calling and asking for a secondary confirmation. Just a random thought....

            I say let's put all the liability on the holders of the keys....

            P.

            1. Tom 13

              Re: i.e. 2nd confirmation for transactions >$X.

              But, but they have done that! They require a signature for any purchase over $50 these days.

              But seriously, the PIN thing is a red herring. If you use debit instead of credit you have to enter your PIN. I'm betting at least 40% of the "credit" transactions happening at stores are debit card transactions, not credit cards. Except for the account behind them, most people regard them as the same thing.

              I'm ambivalent on the whole second factor thing. I mean, given how easily large numbers of retail systems have been breached, can we really trust a large network that handles the second factor? I would agree that banks/credit card companies ought to give customers the option for the second factor as well as the email notice when you apply for/renew your card.

          3. Eddy Ito

            Re: Card cloning? What's that?

            As far as I know all debit cards here in the US have four digit PINs associated with them. Even one of my credit cards has a PIN. None of them as of yet has a chip however. My only guess is that since many people have more cards than dollars in their wallet the assumption is that those folks won't remember all 37 PINs and that would hinder their ability to spend money once the first 20 odd cards were maxed out and rejected. Granted the worst I've personally been behind in line only had to go through, and I shit you not, 8 cards before finding one that was accepted.

  2. Gray
    Facepalm

    It's all about the money, ya stupid git!

    We don't have Chip & Pin in the U.S. because it would chip a tiny flake out of the US banks' profit structure.

    We don't have trustworthy point of sale or server security in US retail companies because ... co$t$.

    We don't have transparent & immediate notification of customer data theft because ... co$t$.

    Customer protection will occur ONLY when customers begin to rebel, and make cash-only purchases from US retail outlets and refuse to use the magnetic strip credit cards anywhere until US banks and retail stores are willing to spend the $$ for security.

    Using a mag strip credit card at any retail outlet in the US today makes about as much sense as browsing Russian porn sites with a bare-naked install of Windows XP. Ya hopes for the best, Sparky, but yer ass is gonna get pwned!

    1. Anonymous Coward

      Re: It's all about the money, ya stupid git!

      Plus their dreadful habit of seemingly keeping all the customers' details in the db forever, because it could be useful for CRM or marketing or leaking or something. Shades of the Gary Larson cartoon of people in a rubber liferaft hauling a box aboard while remarking "We may as well keep it, though I don't know what use we'll have for broken glass and sharp bits of wire".

  3. davenewman

    Staples isn't an American company

    The top management is Portuguese.

    1. Mark 85

      Re: Staples isn't an American company

      And makes a difference? How? I don't see the connection or mis-connection.

  4. Anonymous Coward

    Sub-head superhero is on fire tonight!

    One hit after another - I wish the eggnog made me so witty :-)

  5. thomas k.

    Whew!

    Good thing they closed the Staples that was conveniently close to me a couple of years ago.

  6. Anonymous Coward
    Facepalm

    I'm waiting...

    ... for when having your credit monitored becomes a constitutional right or perhaps just a rite of passage to adulthood. They keep up at this rate and it'll cover everyone.

  7. frank ly

    Who will be next ?

    I'm just glad that I stopped using my credit card for shopping/petrol about three years ago.

  8. batfastad

    Norks

    Staples CIO: "It's dem pesky North Koreuns again. There are genwine US lives at risk if we can't sell stationary to US citizens. So Obama, can u nuke them for us plz? Thx"

    Seriously though, how is the US so backward when it comes to buying things in shops?

    I've never been a huge fan of chip and pin because it's easier to give someone a kicking to get their PIN and withdraw a bunch of cash. At least forging a signature in a shop requires a vague amount of practice. The only reason I can think of is to place the burden of security (and blame for fraud) onto the account holder. Also PIN codes, only 4 digits!?

    1. Cliff

      Re: Norks

      Only 4 digits seems weak until you remember you only get 3 tries before the card is blocked/retained. Forcing the same arcane mix of password rules (at least 8 case-sensitive characters plus punctuation plus digits and variants thereof) doesn't make a measurable difference to the overwhelming likelihood of wrong guesses stopping the card/account.

      Muggings for a number don't actually seem to be a big issue, and anyway is handled through an entirely different stream than the absolute FLOOD of tens of millions of compromised credit cards in the USA alone this past year.

    2. Blofeld's Cat

      Re: Norks

      "At least forging a signature in a shop requires a vague amount of practice."

      Assuming cashiers actually check the signature.

      A colleague and I accidentally swapped company credit cards (this was before the UK switched to chip-and-pin), and nobody challenged our signatures in the three months it took for our accounts department to pick up on it.

      1. Triggerfish

        Re: Norks

        My employer used his wife's card in the USA when they emigrated, and not once was he questioned why a 6'3" bloke was listed as Mrs (female name) (last Name). Oddly, a few were concerned he may not be legally in the country though.

  9. Anonymous Coward

    Fraud liability

    The banks here basically tried to force it a bit ago, intending that they wouldn't be liable; it would be either the customer or the merchant who was. They tried to get laws passed saying that, about the time Internet shipping was starting to take off. The banks got a negative response from everyone and backed off... for a while. I think they've gotten the same thing actually passed now.

    The thing is that like about everything else, chip and pin is not perfectly secure. People recognized this and also the above. As of right now, the banks are on the hook. They want to be able to have no risk, yet make money.

  10. Scroticus Canis
    Happy

    So relieved it's not the UK stores

    Lost interest fast when it became apparent it's a foreign affairs story.

    1. phil dude
      Coat

      Re: So relieved it's not the UK stores

      Or is it because they haven't stolen from an important enough person yet....

      Or is it because daylight robbery via VAT and the other "cost of living" expenses aren't at all rigged...

      Or is it because the press is bought and paid for....

      It certainly isn't because there is no fraud or theft in the UK....!

      P.

  11. Kev99

    Another enterprise that's either too damned stupid or too damned cheap to establish a dedicated private line for its confidential information. Remember a web is just a bunch of holes held together by fragile strings.
