PHONE me if you feel DIRTY: Yanks and 'Nadians wave bye-bye to magstripe

Whenever I dump my load, I don’t feel the need to swipe. Swiping is far too dirty for me. I’d rather just lightly touch, lift up my trousers and walk away. Having slipped the touch-and-go debit card back into my wallet and collected my load of clothes shopping that I had dumped at the till – why, what did you think I was …

  1. John Tserkezis

    Ironically, here in Australia, some have blabbered trying to make NFC on cards disabled by default, and only available if you specifically ask.

    They claim that card fraud has jumped up with the advent of NFC, because it doesn't need any verification for less than AU$100.00. Of course, this only applies to stolen cards for the short time the original owner doesn't realise it's gone. Thieves can still squeeze a fair amount of stuff in that time though.

    It doesn't help that the scaremongers talk of pocket swiping with NFC. But that only applies to close proximity of the cards, meaning the wallet has to be thin, and the pants have to be tight. Feel free to make fun of THAT demographic...

    1. Richard 12 Silver badge

      The usable range is longer than you think

      Sure, using most of the certified CE-marked readers, the range is only about 5-10cm.

      Using a high-powered antenna package, you can get several metres - this is used in other RFID systems, eg automated warehousing to count widgets on a pallet.

      However, 5cm is still easily enough to swipe a few hundred cards while on public transport or walking down a busy street.

      5cm thick trousers are somewhat less common than casual plate armour.

      To some extent, one protection is to fill your wallet with many contactless cards so they all clash.

      Or chain mail. That probably works too!

      1. DaveDaveDave

        Re: The usable range is longer than you think

        The hard part of stealing contactless payments isn't triggering the cards, but collecting on the money without getting caught. You'd need access to some legitimate seller's account at the very least, but you've also got to get paid before anyone notices their money was nicked.

    2. Anonymous Coward

      They claim that card fraud has jumped up with the advent of NFC, because it doesn't need any verification for less than AU$100.00. Of course, this only applies to stolen cards for the short time the original owner doesn't realise it's gone. Thieves can still squeeze a fair amount of stuff in that time though.

      It takes the better part of a second for a stolen RFID ident to travel to places where the limit is higher. As a matter of fact, AUD 100 is roughly £45, which makes it 50% higher than the UK limit so expect lots of people travelling to Oz who will never actually get there.

      The massive problem with NFC is that you can pay without knowing it. I am sure this is intentional by shops (makes impulse buy that much more likely), but as I have said (many times) before, if a credit card company voluntarily limits its own ability to get you into debt (which is where they make your money) you ought to start wondering why - here is that "why".

      Even with a mag swipe you have some idea where you had the card in your hands to pay, ditto with a PIN, with RFID you do not and payments can be kept low enough not to show up on your bill, so you better get a wallet with shielding.

      And, of course, RFID and CHIP do bugger all against Internet theft which must have taken over physical cloning years ago as it's so much less risk for the crims. I haven't checked, but given that databases are stolen with embarrassing frequency I reckon it must have happened years ago.

      It doesn't help that the scaremongers talk of pocket swiping with NFC. But that only applies to close proximity of the cards, meaning the wallet has to be thin, and the pants have to be tight

      In lab conditions you get to about 2 meters, in real life it's about 1 meter if you want a reliable one-shot read. You seem to confuse the deliberately bad receivers in the card terminals with actual limits of the radio technology in question. Indeed, in the early days of RFID it did happen often that people were paying who were still queueing and thus paid for someone else's goods (pretty much how thieves would like it).

      By the way, leather or fabric does nothing to shield RFID, so good luck trusting your leather wallet and trousers. As far as RFID is concerned, you're naked...

      1. Anonymous Coward

        1) The crims aren't going to be able to clone the chip, so usable copies of your card aren't going to be flying around the world within seconds of a theft;

        2) The ability to make devices able to communicate with the NFC element over distances of a couple of metres is irrelevant to the question of whether inadvertent payments are possible; the readers in payment terminals (deliberately) only work over ranges of a few centimetres.

        1. Dan 55 Silver badge
          Pirate

          In Spain you're getting one whether you like it or not and if you don't like it you can go to another bank where they do the same. When you activate the card you get NFC, there's none of this "put your PIN in the first time when you pay by NFC to allow NFC payments without PIN in the future".

          So I cut the antenna in mine and tested it with the NFC feature on my phone (the only time I've used it). I ain't paying, or having my cards stolen, or getting cloned without me putting my PIN in, thankyouverymuch.

          Icon may contain sharp blades.

        2. Anonymous Coward

          The idea is that a crim will use a higher-powered antenna (perhaps hidden in a sleeve) attached to an otherwise-legit unit that makes the thief for all purposes look just like a merchant. They aim, blast the NFC card, and walk away before the mark has any idea what happened.

          I think this is one reason the card companies are more enthused about Apple Pay and now Android Pay. First, they can't be skimmed without you noticing. Most times, you have to turn on the phone, and IIRC both of them require you to use a security sequence. Also, both are using tokenization systems like the Chips, meaning the numbers being transmitted are nonces, anyway, useless for a replay attack even if this number were stored and the database hacked.

        3. Rich 11

          Credas, I honestly wonder why the bank's PR department bothered employing you.

      2. P. Lee

        re: protecting your NFC cards

        I keep mine multiple ones together - myki, credit and debit. That normally foxes the legal readers (I'm not sure about the illegal ones - I'm just a bit hopeful) as you have to take them out of your wallet rather than just swiping the side of your wallet against something.

        1. Neil Barnes Silver badge
          Flame

          Re: re: protecting your NFC cards

          I have to agree with the above posts: no doubt I will be considered a stone-age relic, but when I make a payment I want the physical act of *making* a payment, not some vague 'wave this at that and hope the right thing happened'. I don't insist on cash, but I do insist on a pin entry.

          I can't help noticing that in *every* case where technology has been introduced to 'make it simpler for me to pay' the benefit has been more to the seller than to me. Perhaps I'm just not the target demographic.

          1. Bleu

            Re: re: protecting your NFC cards

            Probably not (the target demographic). Neither am I. I can use my phone for payment, from years ago, never do.

            I finally bought one of the Japan Rail system cards, to save a few yen on a stamp rally (you collect stamps at different stations, but they are always outside the wickets).

            I always keep its 'charge' as low as possible, because one can be sure that they do something with the accumulated capital.

            Actually, I should look more closely into that.

            Otherwise, I always use, I don't know the English, multi-trip tickets (not commuter pass, workplaces too irregular, 11 for the price of 10) or cash.

            Other places, sometimes the card is cheaper than a paper ticket, sometimes more expensive. Always only a few yen. The railways are scrupulous about the rounding.

            When I occasionally use the NFC card, I never charge into the wicket without checking that I have enough to enter, it is so irritating when using a physical ticket, when someone who only uses a card, barges in to one of the few wickets that take physical tickets (they all take NFC in and around here), doesn't have enough 'charge' and blocks the gate.

    3. jockmcthingiemibobb

      I sorted out my latest credit card. Hold card to bright light, melt hole through induction loop. Problem solved.

  2. Malcolm Weir Silver badge

    Mr D... you are sadly mistaken if you think us N'Americans have adopted chip-and-pin. The whole "remembering the pin" thing is apparently too complex for the average user, so all those chip-enabled cards actually implement "chip and signature", presumably so that thieves are not inconvenienced by the change, only those who try to create fake cards.

    1. Anonymous Coward

      The whole "remembering the pin" thing is apparently too complex for the average user

      Ah. Finally an explanation why they still don't have sensible gun licensing laws. I knew we were missing something :)

      1. Anonymous Coward

        I dare say that in most of the states, they're more than sensible. Nanny states excluded.

    2. Dan 55 Silver badge
      WTF?

      How do you get money out of ATMs then?

      1. Charles 9

        "How do you get money out of ATMs then?"

        Chips are only being applied to credit cards (actual ones) at the moment.

        1. Dan 55 Silver badge
          WTF?

          You can't get a cash advance with a credit card out of an ATM with a PIN?

          1. Blake St. Claire

            > You can't get a cash advance with a credit card out of an ATM with a PIN?

            Sure, with a hefty fee attached.

        2. Gene Cash Silver badge

          > Chips are only being applied to credit cards (actual ones) at the moment.

          Nope, I've got an email that a chipped replacement for my Chase *DEBIT* card is coming in the mail this week.

      2. John Bailey

        "How do you get money out of ATMs then?"

        Wiv a sledge hammer..

      3. Bleu

        Some people

        seem to have done well at getting money from ATMs with construction or earth-moving equipment, mechanical shovels and the like.

      4. grumpyoldeyore

        How do you get money out of ATMs then?

        Like this? https://www.youtube.com/watch?v=fafCK6j8hx4

    3. Anonymous Coward

      The PIN will come later and is already an option for those of us planning to travel abroad and need it. That doesn't require new hardware beyond what's already going out. For right now, the Credit Card companies are content for the moment with preventing replay attacks using hacked databases (Target, Home Depot) or the PIN Pad switcheroo.
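Added example, not part of any commenter's post: the replay resistance mentioned in the tokenisation comment earlier in the thread and in the comment above, as a simplified model. The `Issuer` and `ChipCard` classes, the HMAC-SHA256 cryptogram and the PAN are assumptions made for illustration; real EMV uses its own key derivation and MAC algorithms.

```python
import hashlib
import hmac
import secrets

PAN = "9999000011112222"  # constructed value, not a real card number


def _message(pan, atc, amount_cents, nonce_hex):
    # Everything the cryptogram must bind: card, counter, amount, terminal nonce.
    return f"{pan}|{atc}|{amount_cents}|{nonce_hex}".encode()


def _mac(key, txn):
    msg = _message(txn["pan"], txn["atc"], txn["amount_cents"], txn["nonce"])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """Holds a secret key that never leaves the chip, plus a transaction counter."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0

    def pay(self, amount_cents, terminal_nonce):
        self._atc += 1
        txn = {"pan": self.pan, "atc": self._atc,
               "amount_cents": amount_cents, "nonce": terminal_nonce.hex()}
        txn["cryptogram"] = _mac(self._key, txn)
        return txn


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        if not hmac.compare_digest(_mac(key, txn), txn["cryptogram"]):
            return "declined: bad cryptogram"
        # A captured record carries a counter value the issuer has already seen.
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "declined: replayed counter"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

    def authorize_magstripe(self, track_pan):
        # Static stripe data has nothing that changes between uses, so the
        # issuer cannot tell a copied record from the original card.
        return "approved" if track_pan in self._keys else "declined: unknown card"


def run_demo():
    issuer = Issuer()
    card = issuer.issue_card(PAN)
    first = card.pay(2599, secrets.token_bytes(4))
    results = {"chip_first": issuer.authorize_chip(first)}
    # The same record resubmitted, as if lifted from a merchant database.
    results["chip_replay"] = issuer.authorize_chip(dict(first))
    # The same record with the amount edited: the cryptogram no longer matches.
    results["chip_tampered"] = issuer.authorize_chip(dict(first, amount_cents=99999))
    # A fresh transaction from the genuine card still goes through.
    results["chip_second"] = issuer.authorize_chip(card.pay(500, secrets.token_bytes(4)))
    results["stripe_first"] = issuer.authorize_magstripe(PAN)
    results["stripe_replay"] = issuer.authorize_magstripe(PAN)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:14s} {outcome}")
```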

    4. Anonymous Coward

      PIN

      Not all. My Target credit card not only doesn't have a magstripe at all, but it's only chip+PIN. No signature accepted at all.

      1. Charles 9

        Re: PIN

        They must expect you to use it ONLY at Target. Target happens to be one of the few places that have turned on their Chip readers (Walmart is another).

  3. Evil Auditor Silver badge

    Cruel and unusual punishment

    Swipe cards for hotel rooms, that is. And no, they never - NEVER - open the door on first attempt. A few months ago, in a HK hotel, I had to get a newly written card each day. Until I figured that the occasional proximity of the card to my magnetic money clip rendered the card unreadable. Not that both were even in the same pocket.

    1. Fred Dibnah

      Re: Cruel and unusual punishment

      Door card in same pocket as phone usually equals unreadable card. Also, hotel door cards are actually quantum devices, as they have three states:

      1. Doesn't open the door

      2. Turned over and doesn't open the door

      3. Turned over again and does open the door.

      USB plugs are another example.

      1. RoboticRabbit

        Re: Cruel and unusual punishment

        Actually I believe USB plugs are 4 dimensional. Probably the same holds true for door cards.

      2. willi0000000

        Re: Cruel and unusual punishment

        USB plugs are merely spin ½ devices . . . they have to be turned over twice to turn them over once.

    2. Cameron Colley

      Re: Cruel and unusual punishment

      One hotel I stayed at I had to ask for two new cards in the same day and a new one on two subsequent days. I didn't keep the cards near my phone and while they were kept in the same pocket as my wallet they weren't touching the magstrips on either of my cards and there's nothing magnetic in my wallet.

      I've a feeling (backed up by Mythbusters) that the whole mobile phone causing issues (with magstrips and NFC and other RID) is a myth anyhow -- I just think that many people keep their various cards near their phones and that the cards are prone to failure and the two are unconnected.

      1. Martin an gof Silver badge

        Re: Cruel and unusual punishment

        I've a feeling (backed up by Mythbusters) that the whole mobile phone causing issues (with magstrips and NFC and other RID) is a myth

        The magnetic cover on my phone definitely wrecked the door card at a hotel recently. Fortunately at that particular hotel they'd given us two cards per room anyway.

        That hotel chain expected you to put the key card in a holder inside the room in order to switch the electrics on. One only gave us one card per room which was really *really* convenient when I need to leave the room to get something from the car and leave the children in the room. In the dark. That was until I tried an old work ID card that I keep for scraping the ice from the car. Turns out the electrics switch is purely mechanical :-)

        We were on a road trip and stayed at four different hotels in the same chain. Two used mag stripe cards, one used RFID cards and the last used keys - real metal turn-in-the-lock keys. Fantastic.

        M.

  4. Anonymous Coward

    Money clip? How 1970's :)

    1. Evil Auditor Silver badge
      Happy

      So are magstripe cards!

  5. firu toddo
    Happy

    Door Access?

    Pah! I spit on your two cards. Right now, for one organisation, I have a magswipe card for the outer office door, two different pins for inner electronic locks. An RFID card for some other doors, another RFID token for some other doors, a mechanical lock code for some other doors and a pin for the other RFID token to get into another building.

    The staff canteen is cash only.

    1. TRT Silver badge

      Re: Door Access?

      At my place of work, you have to have a swipe card for almost everything. Main building is coded as a G swipe. Want to get into the other block? You need a B swipe. To get into the secure animal facility, you need an X swipe. For the lift lobby, you'll need an L swipe. And if you're going to the toilet, better make sure you have an R swipe.

      1. Keven E

        Re: Door Access?

        ...better make sure you have an R swipe.

        Impressive!

    2. Evil Auditor Silver badge

      Re: Door Access?

      Are you sure that you actually work there and are not just part (i.e. guinea pig) of a neo-kafkaesque experiment?

  6. Baudwalk

    "the Joliet-standard verbal password"

    The Rock Ridge extensions were much more reliable.

    But of course only worked on some systems (glass doors).

    1. Anonymous Coward

      Re: "the Joliet-standard verbal password"

      > The Rock Ridge extensions were much more reliable.

      Personally, I like the Gordon Freeman extension to open up recalcitrant doors.

  7. Phil Miesle

    chip and WTF

    Slight nuance: Visa/Mastercard/etc are requiring terminals to do chip-and-signature. However, that does not preclude individual banks from supporting chip-and-pin ... and fortunately most terminal devices will support PIN signatures since EMV became standard throughout the civilised world quite some time ago.

    Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins.

    And of course even here in the civilised world, our cards have magstripes with info on them as a "backup" entry method. We can of course only be saved by a Jobsian device.

    1. Phil O'Sophical Silver badge

      Re: chip and WTF

      Visa/Mastercard/etc are requiring terminals to do chip-and-signature

      By which they mean those etch-a-sketch terminals with a stylus that produces a squiggle bearing no resemblance whatsoever to my signature?

      1. stucs201

        Re: etch-a-sketch

        More like the world's worst magna doodle.

      2. Anonymous Coward
        Devil

        Re: chip and WTF

        /quote

        By which they mean those etch-a-sketch terminals with a stylus that produces a squiggle bearing no resemblance whatsoever to my signature?

        /quote

        Ha. I only ever make an X* on those things.

        * they typically won't accept simply a '.'

        Edited to say that the next time I have to use one, I'm going to pretend I'm a kid coloring....and black out the entire display.

      3. Adam 1

        Re: chip and WTF

        > etch a sketch/magna doodle/etc

        Spare a thought for us lefties. The string the pen is connected to is always too short for holding the pen at a comfortable angle, so they usually get something that resembles a three-year-old's first attempt to write their name.

    2. James O'Shea

      Re: chip and WTF

      "Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins."

      Here in Deepest South Florida lots of small businesses are now requiring Official Gubmint Pic ID be shown for every charge above $25, 'cause they don't have the new card readers, 'cause the new readers cost too damn much. http://www.mypalmbeachpost.com/news/business/deadline-for-new-chip-credit-cards-looms-but-are-r/nnnqP/

    3. captain_solo

      Re: chip and WTF

      "Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins."

      The problem with this is that the "liability shift" being implemented in Oct. offloads the costs of a security breach from the issuing bank to the small business if they don't spring for the new kit and the card is compromised - basically whoever's payment network tech is "lower" gets stuck with the bill. So the potential cost of not upgrading is likely much greater especially since the swipe card will be the low hanging fruit as even a chip/signature card is harder to counterfeit than the old school cards. That shift wasn't mentioned in this article, but it's the reason we are seeing a rollout of these devices actually happening in the States. The banks would have been fine with it, but the millions of POS terminals that required capital investment by a variety of large and small businesses were slow on the uptake, hence the boot in the arse. Mastercard actually said they were hoping it wouldn't actually end up shifting liability around, but would instead drive fraud out of the system...I guess we'll see.

  8. Banksy

    Redundancy

    The only good point I can think of for magstripe is as a back up method of your payment being accepted in the event of a problem with the chip on your card or some other tech snafu.

    1. thomas k

      Re: Redundancy

      But isn't having a "back up" magstripe sort of defeating the purpose of switching to chip-and-whatever?

      1. Charles 9

        Re: Redundancy

        ONLY for those terminals that won't take chips. Otherwise, the regs state that if you swipe a chip card, the pad's supposed to prompt you to use the Chip instead.

    2. DanceMan

      Re: Redundancy

      My last two cards, Canadian chip with swipe, have both suffered chip failure before the card expiry. Both failed while working at a card entry building and I was entering by holding my wallet to the reader, leading me to suspect the entry reader might be causing the card chip failure.

      Canada's had chip cards for years. Some retailers will not accept swipe. Canada's not the US, although five more years of Harper might change that.

  9. Len Goddard

    Swiping

    At Waitrose you have to swipe your card to unlock a self-scanning device, and again to return it at the automatic checkout till.

    I have no reason to believe they actually slurp the other info on the card.

    And no assurances that they don't.

    1. Gene Cash Silver badge

      Re: Swiping

      There was a flap here about bars requiring you to swipe a credit card as proof of age, when it came out that they were indeed slurping name & address and anything else they could get, and adding people to marketing mail lists.

      1. This post has been deleted by its author

  10. Efros

    Cards?

    One of the predominant methods in these here parts is still the paper cheque (check), not sure as to its security, but I am sure that the USAians card/banking habits could probably do with a shake up. I've been here 14 years and I've never had my signature checked on any of my cards. Giving your credit/debit card to someone else for a purchase was fairly commonplace although now it seems that is sort of being limited to immediate family. I could call my bank and speak to a human who will transfer cash from one account to another, not necessarily a target account held by me, I saw my sister in law do this and was flabbergasted. As to the new C&P I have cards from two major banks and a couple of local banks and I've yet to see anything about it in my mail.

    1. Ken Hagan Gold badge

      Re: Cards?

      I'm not really surprised by your experiences, nor by the snarky remarks in the original article. ("It sounds appalling but compared to relying on carbon-copies of your credit card plus a signature, it must have been amazing.")

      It has long been my impression that *technical* barriers to crime are less important than the *legal* ones. This applies just as much in banking as in, say, file-sharing. Despite the popular belief that humans have no "feel" for statistics, society actually depends on everyone being able to balance the chances of getting away with it against the costs of getting caught. (The good news is that the last hundred thousand years or so would suggest that we are, as a species, much better at such cynical Machiavellian calculations than we might like.)

      1. DropBear

        Re: Cards?

        Not sure at all about those superior statistic skills requirement. Mark one eyeballs suffice. Instead of "hmmm, let's see, I reckon I have approximately 23.8479% chance of getting caught and doing XYZ time for it so let's give it a try" I think it's rather "this guy I know has been doing it for ages and he's doing quite well for himself, and so does that other guy over there, and so does his cousin..."

    2. Queasy Rider

      Re: Cards?

      I too was flabbergasted after moving from a large city (where it had been impossible for decades to use a cheque in ANY store), to a very small town where cheque using was as common as credit cards, but the shock lessened when the local grocery posted the name of a customer at the checkout with a small note explaining they would never take this person's cheques again because their cheques were bad. That's what I call "naming and shaming." (Armchair lawyers jump in here.)

      1. Anonymous Coward

        Re: Cards?

        That's something that can pretty much ONLY work in a small town such as you describe because it takes people knowing each other for a "name and shame" tactic to work. Otherwise, it's better to use cards since you can report dodgy transactions to the credit card companies which can keep track and revoke cards if need be. No need to name and shame if a malcontent's card comes back "DECLINED".

    3. Anonymous Coward

      Re: Cards?

      > ... I am sure that the USAians card/banking habits ...

      lol. I'm going to start calling you lot UKians or Britainians, or Englishians.

      No more Liverpudlian, now it's Liverpoolian.

      1. SteveastroUk

        Re: Cards?

        Frank Lloyd Wright coined the term Usonian for you. Better ?

      2. Anonymous Coward

        Re: Cards?

        Pretty sure that's Liverpooligan.

  11. Nigel Whitfield.

    Bang!

    Perhaps now the Americans too can enjoy the boom in gas-powered ATM thefts. Essentially, in the last couple of years, filling ATMs with gas and blowing them up has become a popular way to rob them. And one of the reasons for that is increasing use of chip cards - no longer can you simply clone a card and use it to withdraw lots of money from an ATM.

    In January this Bloomberg article looked at the phenomenon. Back then, no US machine had been robbed that way, and it was largely a European phenomenon. Now that the chip cards have been rolled out, I wonder how long they'll have to wait.

    1. Anonymous Coward

      Re: Bang!

      Actually, the prevalent technique used in America is the truck winch or hooks-and-chains. Ram the building with a truck, loop the machine, break it off the foundation, reel it in, and just haul the whole thing out before the cops arrive. Once the machine's at the hideout, they can tear it apart at their leisure and then disperse the leftover pieces so no one gets suspicious.

  12. Tim Jenkins

    "...no one knew how easy it was to read and duplicate information..."

    Back in the late 80's, a certain technical university about 15 miles to the northwest of Charing Cross used perforated plastic cards for its halls-of-residence door security. One had to pay a silly amount in deposit for them, and they inevitably fractured at least once per term. It was, however, entirely possible to back-up* the necessary information using a suitably sized drillbit and one of the billion or so phonecards that paved the streets in that Thatcherite wonderland...

    (*for personal archive use only, and definitely not for mass duplication to allow assorted non-students to enjoy the facilities. That would have been bad)

    1. brotherelf
      Meh

      Re: "...no one knew how easy it was to read and duplicate information..."

      Ha, saw the same thing at a London hotel only two weeks ago. Didn't have spares either, so anybody feeling sufficiently bold to wait for a concierge shift change and then ask for the key to No 347 could've gotten in.

  13. Doctor_Wibble
    FAIL

    Saw the terminal in half like the pros do

    The proper technique for magstripe cards that don't work the first time is to see if you can saw off the end of the terminal with it. I know this is true because checkout staff always tried to do that before calming down and only then swiping it slowly (which of course worked).

    Unfortunately a lot of them clearly couldn't dissociate this 'winning move' from the preceding 'limbering up' and it is a testament to the resilience of the cards that they ever survived more than half a dozen trips to the supermarket.

    The modern equivalent to this is when they apply the death-grip to a loaf of bread before using it to scour the dirt off the laser scanner glass.

  14. Katie Saucey

    'Nadians?

    Sir we prefer either Canuck, Maple Ni**er, or just plain old Hoser

    1. RoboticRabbit

      Re: 'Nadians?

      Definitely Hoser, eh? We get a two-four, a pack of smokes and back bacon and take off to the hockey game wearing toques.

    2. Alistair Dabbs

      Re: 'Nadians?

      Since you Nadians listen to country and western, you forfeit the right to choose your own name, or indeed anything else.

  15. Anonymous Coward

    Tracing paper and a roller

    How many people remember the old way of buying something with a credit card - a largish device that 'squashed' the raised card details onto a bit of tracing paper - 3 copies if I remember rightly. So much for security in them days!

    1. lnLog

      Re: Tracing paper and a roller

      This is still in use, just over a month ago when purchasing an additional bag at KLM/Delta check-in desk (UK airport) this was the only way they could take card payments.

      The poor girl had to be talked through the stage by stage use of the machine by an older member of staff.

      1. Anonymous Coward

        Re: Tracing paper and a roller

        "This is still in use..." - Crikey - so all the card numbers, plus the signature - mind you, the Dutch are pretty liberal.

      2. Anonymous Coward

        Re: Tracing paper and a roller

        Substitute last week for your two months ago.

        Had to do this at a Hotel on Long Island NY.

        The USA is really not ready for this move. A lot of Gas Stations petrol pumps don't even ask for a PIN yet they seem to think an 'in this state only' Zip code is more secure.

        Perhaps by 2050 they might join the 21st Century.

        1. HereIAmJH

          Re: Tracing paper and a roller

          The gas stations aren't asking for an 'in this state only' zip code. They are asking for the billing zip code for the card. So in essence, it is a PIN. It just isn't a good one. Should some random person get your card, they wouldn't be able to use it. OTOH, someone who did just a little research could probably figure it out. Almost as secure as the CVV that online retailers ask for.

          Oh, and then there are 'real' PINs. Most that I have run into are only 4 digits. And like passwords, people tend to use the same PIN for everything so they can remember them. How about we just snap a pic of the purchaser and include that in the transaction.

          1. Allan George Dyer
            Facepalm

            Re: Tracing paper and a roller

            "They are asking for the billing zip code for the card"

            So I'm secure because I live in a place without zip codes?

            They obviously don't value the tourist-in-hire-car customers.

    2. Youngdog

      Re: Tracing paper and a roller

      I heard the whole magstripe/chip'n'pin/NFC arms race began after a waiter in Italy worked out how to take an inconspicuous rubbing (fnarr fnarr) to lift the details. Apparently he later turned gamekeeper and went on to start a very successful tech security firm!

  16. Sandtitz Silver badge
    Boffin

    Magnetic Stripe Reader usage today

    "I sometimes try to imagine who might still prefer to use the ancient magnetic swipe reader found at the side of every point-of-sale card keypad."

    Lack of imagination then.

    People in shops and restaurants even here in EMV Land use magnetic stripe readers for them to personally log to a POS register - usually with a PIN code as well. The same MSR's are used also to process customers' gift cards and loyalty cards.

    Empty magnetic stripe cards are cheap to buy and program and the equipment for batch programming is also relatively cheap compared to chip cards.

    Technically speaking MSR's don't usually require any drivers since they appear as keyboards and implementations likely require less computer code too - in essence just parsing keyboard input. With chip readers you usually have to use not only drivers but may have to embed some 3rd party libraries from the manufacturer and sourcing from multiple manufacturers requires multiple drivers and DLL's too.

    There is of course a small risk with loyalty/gift cards theft or other cards as well (my library card is a magstripe card), but you'll always need to factor in the cost of implementing 2FA vs the risks.
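The point above about readers appearing as keyboards, as an added example (not part of the original comment, and not any vendor's code): a keyboard-wedge reader's output is indistinguishable from typed input, so the parser has to validate it strictly before a POS system trusts it. It assumes cards encoded in the ISO/IEC 7813 track 1/track 2 layout with a Luhn check digit; the sample swipe, the HMAC key and every function name are constructed for illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# ISO/IEC 7813 layouts as a wedge reader types them: sentinels kept, LRC dropped.
# The character classes are a deliberately conservative subset (assumption).
T1 = r"%B(?P<pan1>\d{8,19})\^(?P<name>[A-Z0-9 /.'-]{2,26})\^(?P<exp1>\d{4})(?P<svc1>\d{3})[A-Z0-9 ]*\?"
T2 = r";(?P<pan2>\d{8,19})=(?P<exp2>\d{4})(?P<svc2>\d{3})\d*\?"
SWIPE = re.compile(f"(?:{T1})?(?:{T2})?")
MAX_LEN = 120                      # track 1 (79) + track 2 (40), rounded up
DEMO_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store

# Constructed sample swipe for a loyalty card (number is Luhn-valid, not a real account).
SAMPLE = "%B9000000000000001^LOYALTY/MEMBER^2912501000000?;9000000000000001=2912501000000?\r"


@dataclass(frozen=True)
class Swipe:
    masked: str          # safe to log
    lookup_key: str      # keyed hash used for database lookup instead of the raw number
    expiry: str          # YYMM
    service_code: str
    name: Optional[str]  # only present on track 1
    tracks: tuple        # (track1_seen, track2_seen)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_swipe(raw: str, require_luhn: bool = True) -> Swipe:
    """Parse one line of keyboard-wedge input; raise ValueError on anything unexpected."""
    line = raw.rstrip("\r\n")              # the reader finishes the swipe with Enter
    if not line or len(line) > MAX_LEN:
        raise ValueError("empty or over-long input")
    m = SWIPE.fullmatch(line)              # fullmatch: no leading or trailing extras
    if m is None:
        raise ValueError("not a well-formed track 1/track 2 swipe")
    pan = m["pan1"] or m["pan2"]
    exp = m["exp1"] or m["exp2"]
    svc = m["svc1"] or m["svc2"]
    # When both tracks are present they must describe the same card.
    if m["pan1"] and m["pan2"] and (m["pan1"], m["exp1"]) != (m["pan2"], m["exp2"]):
        raise ValueError("track 1 and track 2 disagree")
    if not 1 <= int(exp[2:]) <= 12:
        raise ValueError("bad expiry month")
    if require_luhn and not luhn_ok(pan):
        raise ValueError("check digit failed")
    return Swipe(
        masked="*" * (len(pan) - 4) + pan[-4:],
        lookup_key=hmac.new(DEMO_KEY, pan.encode(), hashlib.sha256).hexdigest(),
        expiry=exp,
        service_code=svc,
        name=m["name"],
        tracks=(m["pan1"] is not None, m["pan2"] is not None),
    )


if __name__ == "__main__":
    print(parse_swipe(SAMPLE))
```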

  17. Shadow Systems

    Bah. I never have any problems with card code theft...

    I always pay in deranged rabid squirrels. If the merchant can't show the claw & fang marks in their face & the anti-rabies hypo bruise on their arse, then I know It Wasn't Me.

    Oddly enough I don't have any repeat issues with pick pockets either.

    Chip & Pin? Bah! I'll stick to Foaming Angry Squirrels for transaction security...

    *SarcasticCough*

    I'll get my coat, it's the one with the trail mix in one pocket, a large bagel & cream cheese in the other...

    1. Cameron Colley

      Re: Bah. I never have any problems with card code theft...

      I prefer Fish and Cushion myself. Thought it was a red herring at first but now I'm pretty comfortable with it.

      1. PNGuinn
        Linux

        Re: Bah. I never have any problems with card code theft...

        Bah - when I were a lad it were ferrits. Kids today - don't know they'v been born.

        Icon cos yer wuddn'd want summat as could s**t ten b****y feet in yer pocket.

  18. Chris Evans

    The limit keeps rising!

    When introduced in 2008 they said don't worry it is only up to a maximum of £15 (or was £10 I forget) then it went to £20 and now it is £30. The increase is way more than inflation!

    1. Will Godfrey Silver badge
      Unhappy

      Re: The limit keeps rising!

      Exactly!

      If you check your receipts against your monthly statements (how many people do that?), then it's potentially £900 lost before you know it - and that assumes only 1 bad 'un a day.

  19. Doctor Syntax Silver badge

    Meanwhile back in the UK

    The swipe motion seems to be embedded deeply in the psyche of check-out operators as they all seem convinced that barcodes can only be read whilst in motion.

  20. x 7

    " Robert Fripp, Bow Wow Wow .........."

    Fripp was taught the technique by Brian Eno (for the "No Pussyfooting" sessions), who had previously used it on "Discrete Music"

    Whether either were aware of Terry Riley's earlier work with two looped tapes is uncertain. I have a feeling John Cage may have got there earlier as well

    1. Deryk Barker

      I think you mean Steve Reich

      It was Reich who used two very-slightly-out-of-sync tape loops in his 1965 piece "It's Gonna Rain".

      Eno claims to have been involved with the Scratch Orchestra (I don't ever remember him performing, but it was over 40 years ago) in which case he would *definitely* have known about Riley, Reich and, with a bit of work back then, Glass.

      I am unaware of any Cage work using tape loops.

  21. Dr_N

    US Rules...

    I thought it was swipe & signature for credit, swipe and PIN for Debit?

    No sign of a chip anywhere. (Well my US issued card doesn't have one...)

    1. WolfFan Silver badge

      Re: US Rules...

      Not all US issued cards have chips. My MasterCard and Discover cards don't. My Visa and American Express cards do. I'm not holding my breath waiting for Capital One ("What's in your wallet?") to update the MasterCard, but am slightly surprised at Discover. Amex and Chase, the bank I have Visa with, have updated their cards since April and May, respectively. The Discover card is linked to Apple pay, so I don't actually have to use the card and can have a tokenized security signal sent instead of having to swipe the magnetic stripe, so it's not totally insecure.

      1. Charles 9

        Re: US Rules...

        They will pretty soon. Rules are going into effect now and will be enforced at the beginning of the year. Once that happens, first link in the chain that isn't toeing the line gets the fraud bill.

    2. Number6

      Re: US Rules...

      I think it's being done in slow, easy stages. I've just been sent new cards on an account which have chips on them. I actually read through the accompanying blurb carefully, because I didn't see any mention of a second letter containing the PIN, and it turns out that one is not issued. The only difference now is that instead of swiping the mag strip, the chip gets read, then I have to sign as before. To be fair, given that compromised terminals and concealed cameras seem to be easy to obtain, the PIN isn't really much of a security improvement, all they've done is make it harder to access the account without the real card (although said concealed camera may be able to get a picture of the CCV on the back and so make it usable on-line).

      1. Charles 9

        Re: US Rules...

        In most banks, adding a PIN to your chip is at your discretion, usually if you're going abroad as you're more likely to need one. Otherwise, as you said, the US will transition to PINs in time. The hard part (getting Chip-reading PIN pads installed) is in progress, and the Chip helps defeat cloning and replay attacks which are the current major headache for credit card companies (online theft requires the CVV code which most shoulder surfers normally won't see, and the paranoid can tape it over after memorizing it).

  22. Anonymous Coward

    Very few retailers have chip card readers in the US so far. We have several cc's but only 2 have sent out new chip cards.

    1. Charles 9

      Actually, many do, especially the big retailers. They just haven't turned them on yet. Ingenico iSC250 and 350 models, both of which are NFC- and Chip-capable (it's in their datasheets), are popping up all over the place, and the other manufacturers are keeping up. Walmart has already turned their Chip readers on, for example. Even the third-party CC handlers are starting to encourage smaller retailers to swap out their PIN pads for newer chip-capable ones, again for liability reasons.

  23. Bleu

    I could swear that

    whoever wrote the headline had The Bloodhound Gang's biggest hit swimming about in his or her brain at the time of writing.

  24. Barry Rueger

    Choose your poison.

    Some thirty-five years ago I knew the guy who launched the very first no-name, white box ATMs in Canada. He's now stupidly rich.

    At the time he said that the banks were entirely aware that it was a simple matter to copy bank cards, and in any case your PIN was on the stripe, and at four digits was pretty much useless as security.

    Now the same banks are rushing headlong into pay by bonk.

    There was significant retailer pushback because the transaction fee for a contactless payment is much higher than a regular chip and PIN debit.

    As for using my phone for payments, I'll consider that when manufacturers and wireless companies will promise security fixes to my Android software will arrive in weeks instead of every other year when Google does a major version upgrade.

    (I expect to see Marshmallow sometime in mid-2016.)

    (Still wondering what plausible security is enhanced by entering the three digit CVS number from the back of a card.)

    1. Dan 55 Silver badge

      Re: Choose your poison.

      Blackberry apparently will push out updates for the Priv in a timely fashion. Last paragraph here.

    2. Giles C Silver badge

      Re: Choose your poison.

      The cv2 number is meant for card not present situations, the idea being that if you have copied a card, picture, brass rubbing etc, you won't have got the three digits off the back.

      I think it must date back to the old carbon copy rollers as mentioned earlier.

      1. Number6

        Re: Choose your poison.

        A conveniently-placed camera can capture the CCV. Even if it only has a success rate of one in a hundred it would work, and at that rate it may even hinder those attempting to discover the compromised terminal. Admittedly the US cards I have with a CCV only have the three digits, the UK cards (which are older) helpfully have the last four digits of the card number to assist in matching the picture to the card.

        1. Anonymous Coward

          Re: Choose your poison.

          Where would you place such a camera that it wouldn't be spotted and still get a good angle to the back of the card? The swipe angle differs from reader to reader.

          That's another reason to transition to chip, as they all require the card to go in face-up, reducing the odds of the CVV being visible (an underside camera would have to practically be obvious to work).

      2. CrazyOldCatMan Silver badge

        Re: Choose your poison.

        > you won't have got the three digits off the back.

        Unless it's an Amex credit card (their 4-digit auth numbers are on the front - they still have a 3-digit CVV number on the back but it isn't used..)

    3. Charles 9

      Re: Choose your poison.

      "(I expect to see Marshmallow sometime in mid-2016.)"

      Marshmallow's rolling out RIGHT NOW.

      And the CVS number's not on the magstripe, meaning you have to contact the card issuer (the only other source of the CVS) to verify the card. That's why they're used for "Cardholder Not Present" transactions.

  25. Bleu

    Atlantic, pah! Learn a little.

    These technologies originate here in Japan. The others are all just copies to get around paying patent fees to Japanese companies.

    Which is why introduction is so recent in USA, Europe, etc.

    1. TRT Silver badge

      Re: Atlantic, pah! Learn a little.

      Hence the jujitsu required to get the damned things to read.

  26. illiad

    magstripe?? MAN, how 90's...

    we dumped magstripe AGES ago, chip n pin is much more secure, well, you gonna need more than a 'reader' to hack it...

    As for NFC, the problem is 'standards' :( :( our London transport buses have 'oyster touch and go' to pay your ticket, means the overworked driver does not need to carry wads of cash (while being watched, shouted at, and generally berated by management electronically over his shoulder for going too fast or too slow.. )

    so I get a new NFC bank card... it interferes with oyster.. hopeless!

  27. Henry Wertz 1 Gold badge

    Several points...

    I must make several points...

    1) I don't know that (as a practical matter) these will actually improve security. Presently, it's a mess, if I go to one store (with my mag stripe card) the checkout never asks for my PIN; if I go to another, they ask for my PIN if I run the card as debit but not credit. I've seen a demo (linked off the Register!) probably 5 years ago where someone (with card holder's permission) cloned a chip card and ran a transaction on it (and the UK banks insisted it is secure even after being shown the video.) Apparently, these cards being rolled out in the US are not chip'n'pin, but chip'n'signature. I think requiring a PIN is the best way to ensure security.

    2) Theory aside, as a practical matter, I've had *one* ATM that did not want to read my card, and zero checkouts act up reading it. The door cards, I doubt anyone was responsible for cleaning the reader; on ATMs presumably the ATM owner cleans the reader when they add cash, and at checkouts I'm sure if nothing else the cashier cleans the thing when it starts acting up for them. Or they're self-cleaning, or immune to dirt... I don't know, I'm just saying I have not had mag stripe problems even to the degree I would expect, let alone what you'd expect based on those mag-stripe door locks.

    3) I was going to comment how I don't want a card that can be copied or have a transaction run against it while it's still in my pants. But it turns out, these cards are not NFC, they rely on contact with the card reader! 8-)

    1. illiad

      Re: Several points...

      metal contacts are easy to clean.. add a drop of oil, or rub with an eraser... :)

  28. Deryk Barker

    WTF?

    "'Nadians"???????????????

    The proper abbreviation for Canadians is Canucks.

    This Canuck is seriously offended by your headline writer's - what? - insensitivity? ignorance? stupidity? all of the above?

    I realise the Reg has a thing for "amusing" headlines - this wasn't one of them.

    1. Alistair Dabbs

      Re: WTF?

      Like 'Mericans'. As Mr Trump will soon find out, just one letter away from 'Mexicans'.

    2. 404

      Re: WTF?

      I wondered what the connection was, Nads are balls, short for gonads, for example 'I got hit in the nads'. So balls? testes, gonads? What does that have to do with Canadians*?

      *I just call them Canadians, but I'm old, evidently.

      1. Alistair Dabbs

        Re: WTF?

        Nads are balls

        Hooray, at least someone got it.

        As a Brit, I find it amusing to read what Johnny Foreigners invent to describe my nationality: Poms, Ros-bifs, etc. Foolishly, I assumed Canadians were similarly laid back but apparently not. What a shame. And I found Terrance and Philip so entertaining...

  29. AdamWill

    Actually just the US

    Actually this isn't really North America, just the U.S. Canada more or less moved everything to chip and PIN at the same time as the rest of the world, and most retailers have bonk now too. It's only US banks that are behind. Canadian retailers (especially near the border) tend to accept chip-and-sign to accommodate travelling USians, but all Canadian cards are chip-and-PIN.

  30. Bleu

    Won't withdraw my earlier post,

    but I think you will find that a lot of the chips, particularly for NFC, are from a Japanese company.

    They didn't used to be intrusive, but I suppose the ones linked to a credit card, multiple accounts, etc., probably are.

    Used to do related work, but restructs, not for some time, so forgot.

    NDA, can't say more, think the above is alright.

    1. Mookster
      Facepalm

      Re: Won't withdraw my earlier post,

      doubt it. Smartcards are French.

      1. Caustic tWit

        Re: Won't withdraw my earlier post,

        "doubt it. Smartcards are French."

        So... Invented by shifty Euro-peons?

  31. Anonymous Custard

    Vive La Difference

    One other place where you're stuck with mag stripes are on the French Autoroutes, if you want to pay the tolls by card.

    I only discovered this when I managed to slightly crack my card at the top, through about half of the strip. It'd been like this for ages, and I thought nothing of it (having been using the chip of course back in dear old Blightie) until I stuck it in the toll booth machine and it spat it out again.

    Took a moment for the euro-cent to drop, followed by a curse and a route around for another card (with a growing queue of cars behind) and a mental note to order a new card when I got home.

    1. Bilby

      Re: Vive La Difference

      What kind of moronic toll road system allows motorists to stop and pay at toll points?

      A toll point that even makes vehicles slow down, much less come to a stop, in order to pay is counter-productive - surely the reason you wanted to use the toll road in the first place is that it is faster than the other roads?

      Around here, your 'tag' is scanned by the toll point as you drive through at the 100 or 110 km/h speed limit, and your account is debited. The tag beeps once to let you know it worked, and a couple of extra beeps if your account balance is low, to remind you to top it up (if you haven't set up a direct debit to top up automatically). If you don't have a tag, the system snaps your numberplate and you are required to pay within a couple of weeks (by phone or internet - signs alongside the motorway advise the contact details), or you get a fine for toll evasion.

      1. Kubla Cant

        Re: Vive La Difference

        What kind of moronic toll road system allows motorists to stop and pay at toll points?

        The sort of moronic toll road system that is used by people who don't have a tag, because they only travel on the road infrequently? I drive on French autoroutes about once every two years, so I'm not going to acquire a tag.

  32. Anthony Hegedus Silver badge

    I was in California in July and in a couple of shops, the terminal asked me to type my UK Debit card number PIN in. The person at the till wasn't in the slightest bit fazed by this. On one occasion, I was quite surprised that the payment device asked me if I wanted to pay in GBP or USD and told me their own exchange rate.

  33. DainB Bronze badge

    Never understood it

    Banks claim that paypass and chip do increase security, can someone explain how's that if in case I lost my wallet on a Friday night anyone can pick any card, go any bottle shop and buy as many AU$99.99 bottles of whiskey as bank allows, which would be pretty much all your money.

    1. AdamWill

      Re: Never understood it

      Because banks assume liability for bonk transactions - i.e. if you challenge them, unless the transactions look wildly suspicious or you have a history of doing it, they'll just refund you. It's not really more secure, but it's true that the consumer's exposure is pretty limited. (And there is the fact that you really do need to have the card or a very good facsimile in close proximity to the reader, i.e. somewhere you'll be on a camera).

      The banks ran the same numbers Starbucks ran a few years back, when they stopped bothering to ask people to sign credit card receipts (and hence assumed liability for the transactions) - whatever they lose on the few people willing to faff around stealing $4 lattes, they gain more on the shortened transaction time for the far greater number of honest customers. Ditto for bonk payments, which is why there are various caps and cutouts, not just the single transaction limit. (If you tried the whisky wheeze you'd find PIN prompts would start showing up somewhere around the fourth or fifth bottle shop).
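The "caps and cutouts" described above, as an added example that is not part of the original comment and not any issuer's real rule set: a card-side counter model that approves taps until a consecutive-tap or cumulative-value limit forces a PIN. Every limit value and name here is an assumption chosen to mirror the figures quoted in the thread (taps under AU$100, PIN prompts around the fifth shop).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    # All values are assumed for illustration, in cents.
    per_txn: int = 10000         # single-tap cap (thread: no verification under AU$100)
    max_consecutive: int = 4     # taps allowed since the last PIN entry
    max_cumulative: int = 50000  # total tapped value allowed since the last PIN entry


class CardRiskCounters:
    """Tracks contactless use since the cardholder last proved knowledge of the PIN."""

    def __init__(self, limits: Limits):
        self.limits = limits
        self.taps_since_pin = 0
        self.value_since_pin = 0

    @property
    def exposure(self) -> int:
        """Value approved without any cardholder verification so far."""
        return self.value_since_pin

    def authorise_tap(self, amount: int) -> str:
        if amount <= 0:
            raise ValueError("amount must be positive")
        lim = self.limits
        # Any one of the three limits is enough to demand a PIN instead of a tap.
        if (amount > lim.per_txn
                or self.taps_since_pin + 1 > lim.max_consecutive
                or self.value_since_pin + amount > lim.max_cumulative):
            return "PIN_REQUIRED"
        self.taps_since_pin += 1
        self.value_since_pin += amount
        return "APPROVE"

    def pin_verified(self) -> None:
        """A successful chip-and-PIN transaction resets both counters."""
        self.taps_since_pin = 0
        self.value_since_pin = 0


def worst_case_loss(limits: Limits, amount: int) -> int:
    """Total a finder of a lost card can tap, repeating `amount`, before a PIN is demanded."""
    card = CardRiskCounters(limits)
    while card.authorise_tap(amount) == "APPROVE":
        pass
    return card.exposure


if __name__ == "__main__":
    # The AU$99.99 whisky scenario from the question above, under the assumed limits.
    print(worst_case_loss(Limits(), 9999) / 100)
```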

  34. Herby

    Embossed digits

    Yes, these are the original method of entering the card number (dates back to at least the 50's). For gas cards of the time, they used 51 column IBM cards and the raised digits of the card were inked into the merchant (card like part), and the "tissue" top part that was given to the customer. When processed, they got holes punched into them and nice big IBM iron calculated your nice bill. You even got the merchant part back with the bill. A cross country jaunt (like the one I took with my dad and some of my siblings) produced a quite bulky bill from the oil company. It was the 50's and I was young.

    Fast forward to when I got my first card. It had no stripe on its back, and for the first bill they enclosed the chits that had my signature. These were 80 column IBM card size. I don't know if the amount was punched in or not.

    Fast forward even further and the latest card my wife got DOESN'T HAVE the embossed digits any more. I guess that part is obsolete. They still have the mag stripe though. Life goes on with the chip as well.

    Now with the chips being mandatory, I guess they will need "portables" so you can enter your pin at the table of the restaurant. Not very convenient!

    1. GrahamT

      Re: Embossed digits

      Restaurants in Europe use WiFi enabled hand-held terminals for card PIN & chip reading. No big deal.

      1. Anonymous Coward

        Re: Embossed digits

        It is when you're on tight margins and you suddenly have to put down for new, expensive, and (note you said WiFi) potentially vulnerable infrastructure. Not to mention training if you use man-portable ones instead of ones that sit on the table (which require power supplies, etc.). That's why there's lots of point-of-sale pushback.

    2. Anonymous Coward

      Re: Embossed digits

      "Fast forward even further and the latest card my wife got DOESN'T HAVE the embossed digits any more. I guess that part is obsolete. They still have the mag stripe though. Life goes on with the chip as well."

      Those without embossed digits are all "Must call to verify" for those who don't have PIN pads and/or swipe readers.

  35. raving angry loony

    Dabbs needs to get out more.

    The USA is not "North America". Please write that a few thousand times. No copy-pasting.

    The USA still uses swipe. Everywhere I go down there, it's swipe, swipe, swipe. Not even gas stations use chip-and-pin down there.

    Whereas Canada has been using chip-and-pin for a decade or two. In the "just over a decade" since I moved here, the only time I've been asked to swipe was when their chip-and-pin terminal was broken. The only reason "swipe" is still accepted is mainly because of American tourists who don't know what chip-and-pin is. Still.

    I believe Mexico also went chip-and-pin many years ago as well, but I've not visited there often enough to know much about it. Kind of like Dabbs and Canada, obviously.

    1. GrumpenKraut
      Boffin

      Re: Dabbs needs to get out more.

      > The USA is not "North America". Please write that a few thousand times. No copy-pasting.

      for (unsigned j=0; j<1000; ++j) printf("The USA is not \"North America\".\n");

      OK?

      1. raving angry loony

        Re: Dabbs needs to get out more.

        Fucking pedants. Well played sir or ma'am.

  36. Stevie

    Bah!

    Well, I live in New York and have been issued with a chipped credit card or two. Here's the actual truth, Stevie-side.

    The chip is not protected by a PIN.

    The card is not "tapped", it is inserted in the bottom of the reader and a lengthy wait then ensues before the authorization acknowledgement is requested. Sometimes, quite often in fact, the chip reader does not work and the card must be swiped anyway. So it is lucky that the mag stripe is still very much in evidence, innit?

    At gas stations, the card is inserted into a reader, which reads the mag stripe, not the chip. I know this because the frequent customer card I use to make the cheap as water gas even cheaper has no chip, just a mag stripe, and in each case the insert and "remove quickly" instructions are the same, and if not followed properly the transaction will fail.

    The legislation making fraud the vendor's issue is not yet in place and has been modified since it was proposed much in line with the system in the UK. This, I understand, at the vendors' request, on infrastructure cost grounds.

    The Dabbs Scenario is coming, but as my grandma used to say, so is Christmas, and at this rate it'll be here first. (This had more poignancy in January, I admit).

  37. Mystic Megabyte
    FAIL

    Doors

    The hotel that I stayed at last week issued me with a mag. key card. I was told to swipe it with the arrow pointing upwards as they had all been misprinted. Easy to do when sober......

  38. DerekCurrie
    Stop

    It's NOT the mag strip, dummy. It's the mag strip READER that's the problem.

    There's a faerie tale Target told the victims of their massive customer account security breach. They said the cause of it all was that mag strip on credit and debit cards.

    No it wasn't.

    100% of the problem was the Windows XP Embedded mag strip readers that stupidly stored all the scanned mag strip data in-the-clear (no encryption) in RAM, ripe for the picking by malware infecting those readers. Once ALL the crap mag strip readers are dumpstered, the problem will be gone.

    The Target faerie tale continues that, if only the USA would embrace NFC (RFID) credit and debit cards, security would be attained and happiness would reign throughout the kingdom.

    Wrong.

    There are first generation NFC cards that suck, from which any old passing granny can steal its customer data by way of a portable scanner. Oops, dear old granny bumped into you, her scanner read your card, you're screwed. That's what Target wanted everyone to use instead of mag strips. Awful idea.

    Now there are second generation NFC cards that suck far less. They only output a one-time-use number for a purchase, meaning that NONE of the user data can be stolen. These are, at long bloody last, effectively 'safe' cards to use for shopping.

    Taking the one-time-use number farther are services such as Apple Pay, where the user has to physically approve any NFC data dump. There is no longer the ability of naughty granny to grab even that number. That is the best option. That's happiness.

  39. Keithjw

    I'm a Canadian

    We've had Chip and Pin for about 5 years. Am I the only Canadian el reg reader? Who's sober and awake? Did anyone ask a Canadian Banker (me)? I didn't quite get to the bottom so I may be piling onto some other's glory - but did anyone fact check this?

    1. raving angry loony

      Re: I'm a Canadian

      5 years? I've been in Canada since 2002 and my cards have ONLY ever had chip-and-pin. Not only that, there's only one store in that time that regularly swipes, and it's because their head office refuses to fix their chip-and-pin reader (cheap bastards).

  40. DanceMan

    elaborate pre-swipe routine

    "I knew one guy who used to employ an elaborate pre-swipe routine"

    You knew Norton?

  41. Daedalus

    Pity the poor American banker

    Having laboured for decades under laws that stopped banks from operating across State lines - and in some cases across county lines - the American banks finally clawed their way up to being National in scope sometime in the 90's. Finding of course, that the credit card landscape was a fractured mess. Visa and Mastercard were never more than clearing houses. Some credit cards were not affiliated with any bank at all.

    So you can excuse them for not having the advantages of centralised planning and dictatorial governments.

    Dabbsy can rest assured that NFC, or whatever you care to call it, is showing up in various outlets even as I write, and has been for a few years. Chip&Pin may have a short shelf life. We will see.

  42. OldSoCalCoder

    Just my experience

    In a few days I'm driving 200+ miles to one of our locations in California to sit on the phone for an hour and update one card terminal to use this newfangled chip thing. I'm going to be on the phone with tech support from the card processing company that supplies our terminals while we replace the OS. That's two people tied up for one hour. For one terminal. I was told by their tech support that each OS had to be built for each terminal beforehand, and some people were on hold just to talk to support for an hour. Makes me vaguely wonder why the terminal didn't have the update when we received them a year ago, but that's just crazy talk.

    A side note - I bought a pair of pants on Sat at a store, they had a pin-enabled card reader on counter, I went to put my card in slot and clerk said 'Oh, we don't have that working yet. You need to slide your card.' I slide the card. Sun night at 9pm I receive two texts, one call to my cell phone and one to my home phone from the credit card company. Someone had stolen my credit card information and was trying to make purchases. I find that ironic.

    Sorry this has nothing to do with Breaking & Entering your own hotel room.

  43. Petrea Mitchell

    Swipe is still the rule

    This article gives the impression that most US businesses have duly complied with the deadline and only a few lone luddite holdouts are sticking with swipe terminals. Nope. In the entire metropolitan area where I live (Portland, OR-Vancouver, WA), the only chance I've ever had to use NFC is when using the fare machines for the light rail system. Most of the readers I commonly encounter don't even look like they have the ability to read a chip.

    I seem to be ahead of most US-based commenters in this thread, though, in that all but one of my cards *have* chips at this point.
