back to article Paying a PoS*, USA? Your chip-and-PIN means your money's safer...

The value of online fraudulent transactions is expected to reach $25.6bn by 2020, up from $10.7bn last year, according to a new study from industry analysts Juniper Research. The researchers predict that by the end of the decade, $4 in every $1,000 of online payments will be fraudulent. Juniper’s study, Online Payment Fraud: …

  1. Ugotta B. Kiddingme Silver badge

    The most frustrating thing to me

    are all the retailers who have the new readers capable of taking chip-n-pin cards but also sporting a hand-written sign saying "chip reader not operational yet, please swipe your card." If the reader had been installed last week, I could understand. However, yesterday I explained to the manager of the grocery I use that I would no longer shop there because those hand-written signs were still in place SIX MONTHS after the readers were installed.

    1. AlanC

      Re: The most frustrating thing to me

      "Six months"...

      A few places have had it much longer than that, although the retailers concerned didn't know they had it.

      I remember about 7 years ago at a supermarket and also an ice-cream place in Hawaii paying with my UK chip-and-PIN credit card and in both cases, after swiping the card in the usual way, the sales assistant looked puzzled at the on screen instructions telling them to put the card in the slot (which they didn't know was there) and entering a PIN (what PIN??). In both cases, I had to guide them through the process; in the supermarket I even had to go round the check-out to her side of the till to reach the PIN pad.

    2. asdf Silver badge

      Re: The most frustrating thing to me

      Funny the most frustrating thing to me is that it now takes a few minutes longer to check out but you can bet the end consumer is not going to see any savings from the reduction in fraud. Maybe if you own lots of stock and even then it probably will get eaten up as management bonuses rewarding themselves.

      1. leexgx

        Re: The most frustrating thing to me

        "Funny the most frustrating thing to me is that it now takes a few minutes longer to check out "

        rubbish , the extra time at the moment is because banks and not real banks in the USA are not using Chip and pin on there cards at the moment (as they made sure there cards Lacked chip at all) and the shop tiller has forgotten how to use it

        (until the deadline last year they made sure they never issued cards that could do Chip and pin) its going to take about 5 years before Chip and pin becomes normal, in the UK when it became normal the way it happened was the smaller companies like conor shops as they go there card readers replaced (as it happens norm over 2-3 years) and as customers had there expired cards replaced the Last companies to do it was super stores or large chains (like large hardware stores and places like PC would)

        Tap and Pay is aggressively been rolled out in the UK most shops have it now (apart from supermarkets but as items tend to be over £30 tap and pay is not useful there as you're forced to chip and pin) it should have complete roll out in about 3 years (some shops in Problem areas have disabled Tap and pay due to fraud and banks or the payment processor are annoying to deal with customer fraud when it comes to Tap and pay, whereas Chip and pin the customer has to prove it was not them whereas Tap and pay the shop has to prove it, even though Visa or mastercard are supposed to eat the fraud be it stolen card or customer fraud)

        in any case there is no way i would use a debit card in USA (or outside of the UK any way)

        1. asdf Silver badge

          Re: The most frustrating thing to me

          For the record US banks are now required to issue chip and pin and have even started enforcing it with a new chip cards even if your current one doesn't expire for years. Also being I haven't been in Europe in almost a decade I was talking exclusively about the US (sorry didn't make clear). Maybe it gets better but currently instead of a one second swipe followed immediately by the time it takes you to enter your pin you put your card in and have to wait at least 15 seconds and then still enter your pin, be sure not remove the card and wait some more and finally remove it and if you don't wait wait you start over. Also one difference I think between the US and UK in mindset is at least in the US you are only responsible for at most $50 at least on a credit card for a fraudulent purchase made by someone else.

  2. BoldMan

    US still not using Chip and Pin? About time you caught up with the modern world of oh, about 10 years ago...

    1. Anonymous Coward
      Anonymous Coward

      luxury!

      I remember coming to the UK about 13 years ago and being confused by your lack of pincodes and insistance of putting your hot and cold water in separate taps. although to be fair I don't think i came from a chip-and-pin situation myself but from a magstrip-and-pin. Still confusing as to why I had to sign for my purchases though...

      So the US is far far behind the rest of the world, but only 10 years behind the UK.

      1. BurnT'offering

        Re: luxury!

        You think thats archaic? In the UK, hot and cold water is still delivered to the taps in separate pipes

        1. Def Silver badge
          Headmaster

          Re: luxury!

          In the UK, hot and cold water is still delivered to the taps in separate pipes

          I think you'll find hot and cold water is delivered in separate pipes all over the world. ;)

          But I know what you meant. There's actually a very good (semi-historical) reason for that.

          In most UK houses (older houses certainly, I'm not sure how it's done now) the hot water heater is fed from a cold water storage tank in the roof, which in turn is fed from the mains pipe opened and closed through a ballcock similar to the average toilet. (I.e., the surface of the water when the tank is full is below the pipe feeding it.) The tank in the roof also feeds all other cold water taps in the house except for the kitchen sink which is supplied straight from the mains (and is the only cold water tap you can safely drink from).

          This arrangement means that the water pressure, at least in the kitchen, is usually different between hot and cold taps, so installing a mixer tap could potentially allow cold water to push back into the water heater if the mains pressure was sufficiently high, ultimately flooding the house from the roof down - although that's probably quite rare given that the tank in the roof will have an overflow pipe leading outside the house. It's usually safe to installer mixers in all other rooms - unless they too are fed directly from the mains.

          Setting up the pipes like this ensures every household has a small, clean supply of both hot and cold water in case of a burst water main, and also that if the mains pressure does drop opening a tap doesn't allow contaminated water (from whatever source of contamination) to feed back into the mains (thus spreading the contamination further).

          1. BurnT'offering

            Re: luxury!

            "In the UK, hot and cold water is still delivered to the taps in separate pipes"

            Strewth - it was a joke. Everyone knows that, in the UK, you have two pipes. One for ambient temperature water, and one for water heated at vast expense to slightly above ambient temperature.

    2. Sherrie Ludwig

      US is not using chip and PIN still. The loudly touted "chip" cards here are not much more secure than the mag strip. NO PIN is needed with these chip cards, so if it is stolen it's still "tough luck" to the cardholder. Just more expensive for the crook to duplicate a card.

  3. Stephen W Harris

    US appears to be primarily going chip'n'sig

  4. Rich 2

    Blame the banks

    The reason Car's fraud is so common is because for the most part it doesn't cost the banks anything. If it's not the innocent punter that foots the bill then it's the equally innocent retailer. The banks are happy to refuse to accept responsibility and u til they are forced to, it won't change

    1. Rich 2

      Re: Blame the banks

      Sorry. That should've card. Nor Car's. Bloody phone!

  5. zanshin

    The ones who've adopted Chip 'n Pin

    ... are mostly the retailers that got hit hard with fraud, like Target and Home Depot.

    And they still aren't "'n Pin". They use the chip but have you sign your name. I'm not sure what that's about, other maybe than some procedural/cultural inertia. It's always been ridiculously rare for anyone to validate your signature against your card, so I wish they'd get on with it.

    1. Ugotta B. Kiddingme Silver badge

      Re: The ones who've adopted Chip 'n Pin

      Last three times I've used my chipped debit card (at retailers who actually HAD that function enabled), I've entered my PIN and not a signature. In fact, I cannot recall a single instance of signing when using my chipped card - granted this is a debit card which takes directly from my checking account and not a traditional credit card where one pays the bill at end of the month.

      1. zanshin

        Re: The ones who've adopted Chip 'n Pin

        Debit cards have used PIN since as long as I've owned one, and long before they had chips. And the bank where I maintain my deposits sent me a chipped debit card long before the bank with whom I have a credit card did.

        It's pure credit cards that are still doing signature.

    2. Gene Cash Silver badge

      Re: The ones who've adopted Chip 'n Pin

      Actually no. Target's the *only* vendor I've used with chip AND pin. Most are swipe & pin, and a couple are "stick it in the chip slot and wait a while"

      And as for credit card signatures, I sign with an "X" and have not been challenged. Ever.

      1. zanshin

        Re: The ones who've adopted Chip 'n Pin

        Target where I live (near Chicago) is still not using PIN for credit cards. Just chip.

        Home Depot is doing the same. No PIN unless you're using a debit card.

      2. Captain DaFt

        Re: The ones who've adopted Chip 'n Pin

        "I sign with an "X" and have not been challenged. Ever."

        >sigh<

        What ever happened to imagination?

        Be creative, vary it up a little.

        "Iam Batman", "Wotta Fraud", "Noah Count", something like that. :)

  6. Jungleland

    Fear Not

    The TPP/TTIP deals will bring everyone into line with the outstanding financial security of the US.

    (And if Trump gets elected, the Mexicans will pay for it all)

    1. Anonymous Coward
      Anonymous Coward

      Re: Fear Not

      Ah yes! Like NAFTA?

  7. MR J

    The local news station where I am from (NW Louisiana) ran deep investigation pieces on how this "Chip and Pin" thing was dangerous and put the customers at huge risk of data theft.

    They stated that People were getting phishing calls asking for their SS Number, Name, Address, Mothers Maiden name, Birth information, Phone number, and Bank account details so their new "Pin Card" could be configured correctly. They urged customers to get in touch with their banks and demand that these new cards not be issued due to the ease of data theft.

    I have lived in the UK since these cards were introduced, the US is nearly 15 years (15 YEARS!) behind the rest of the world in getting this adopted. That's one reason why we still have to suffer with Mag Strip fraud. We have needed that on there just in case we go to 3rd world places that don't have chip and pin.

    I have a "pin device" at home that works with my cards, while it is a hassle sometimes to use I do look forward to the day that banks set it up so I can use the card for online verification of regular purchases, perhaps similar (in rules) to the contactless payment we have in the UK.

    US Consumers as a whole are simply never told the truth on these things in such a way to make the migration easy. If this was some investment scam (Bank savings) or drug dealer (Pharmaceutical breakthrough) there would be 85 adverts on television every hour for them. Without even looking on American TV stations I can guess that there have been less than 1 consumer focused commercial explaining that "Chip and Pin" were being introduced.

    1. heyrick Silver badge

      "They stated that People were getting phishing calls asking for their SS Number, Name, Address, Mothers Maiden name, Birth information, Phone number, and Bank account details so their new "Pin Card" could be configured correctly."

      The problem isn't that chip and pin is insecure, it's that people are still dumb enough to fall for such a scam.

    2. Def Silver badge

      Norwegian banks introduced the first EFTPOS terminals (and the debit cards to use in them) to shops in 1991. While I wasn't in the country back then, from what I understand they were verified with PIN codes 25 years ago.

      On a related note, most Norwegians I know laugh when they hear that cheques are still used in other countries. I've been here 11 years and cheque books were a distant memory for Norwegians even back then.

  8. TomPhan

    Remembering PINs is difficult

    I've been trying for years to get a chip & PIN card, if only so that I've got something acceptable wen I'm not in USA, and thought my dream had come true last year - then discovered that all the chip cards were signature only. And the reason given by most banks, often in print, is that it's a good thing because it's one less PIN to remember.

    1. sms123

      Re: Remembering PINs is difficult

      Why should you have to remember the PIN? In Australia you can have your PIN changed to be whatever you want (you aren't allowed ones like 1234). Assuming you haven't shared it with someone else or been robbed and been forced to give it to someone else you can keep the same PIN for life. My PIN hasn't changed since I first got some kind of card to use it with.

  9. Ian Ringrose

    Very few stolen cards are used, as there is a risk the card has already been reported stolen. The chip makes it nearly impossible for someone to clone a card. Therefore just using the chip of “chip and pin” gives most of the benefits.

    1. Richard 12 Silver badge

      In my experience, all stolen cards are used

      When I got pickpocketed, all the cards in my wallet were used.

      One at a cashpoint (presumably a shoulder-surfer, I'm more careful now), the rest were used at a couple of shops.

      This was before online shopping became a big thing.

  10. DougS Silver badge

    Chip & PIN is not the answer to online fraud

    Worrying about the US using chip and signature is silly. That's only for credit cards, debit cards are chip and PIN. The reason chip and signature is so prevalent is because use of credit cards is so prevalent in the US. Not because we are mindless consumers (well not only for that reason) but because the fraud laws are VERY consumer favorable for credit card fraud, not so much for debit card fraud! That, combined with the better rewards for credit cards make it STUPID to use debit cards for payment in the US. Honestly, anyone who does is a moron, unless they are one of those people with poor impulse control who has learned the hard way they should not have access to credit.

    The answer to online fraud is virtual card numbers. They experimented with them a few years ago but the infrastructure on the consumer side wasn't ready. Now, thanks to smartphones using Apple Pay and Android Pay, it is. I should be able to start up Apple Pay on my phone, hit a "generate payment" button, enter the payment amount, and be given a one time code good only for that amount for the next five minutes. I enter that into an online site where it asks for the credit card number, the now-unnecessary expiration and CVV fields are greyed out when it recognizes it as a one time use code, and I'm done. The banks should be happy to pay Apple 0.15% on each such transaction (and even more happy to pay Google 0%) since it would almost completely eliminate that 0.4% of online fraud.

    If you took too long it would put up an error "one time use code expired, please generate a new one" and you could hit the button to re-generate another in the same amount as the last one. If the site has their DB hacked and they get your one time use number, who cares, it is only good for one purchase, of that exact amount, and only for five minutes after being generated! If the site has problems connecting to the bank to authenticate your one time code you could always pay via the old method - and the site would be punished by the credit card company charging a higher fee on that transaction, so it would behoove them to make things easy for online shoppers to pay with a one time code.

    1. heyrick Silver badge

      Re: Chip & PIN is not the answer to online fraud

      "The answer to online fraud is virtual card numbers."

      I've been able to do this for something like a decade. I start the banking app (iOS, Android, or via the web portal) and enter an amount. A one-use Mastercard is created, compete with expiry date and CVV (it looks and feels just like plastic to the vendor end; it needs no special handling). The card is valid until expiry, up to the pre-defined amount, and only to the company that makes the initial transaction. As an added bonus, payments over a certain amount will invoke the bank's regular "we'll text you a number to enter" verification.

      It's a service called "Virtualis" offered by Le Crédit Mutuel. I won't go near eBay/PayPal without it.

      1. joed

        Re: Chip & PIN is not the answer to online fraud

        Just to add to the conversation. Chip & PIN may only provide false sense of security as - if I was to believe one of sec podcasts - the whole system can be easily worked around and knowledge of the PIN effectively dropped. And with responsibility for fraudulent charges being potentially shifted to the customer (owner of the card), I have no reason myself to support the system.

      2. DougS Silver badge

        Re: Chip & PIN is not the answer to online fraud

        A small number of individual banks like yours may still offer it, but originally it was something Visa itself offered until they gave up on it because it was too soon for the market. It needs support on that level again to become ubiquitous.

        In the meantime I just use my credit card for online shopping, and deal with the fact that every 3-4 years it will get compromised and I'll have to call them, get the charges reversed, and have a new card with a different number sent. Costs me nothing except a few minutes of my time. The only annoyance is that I will have my card number memorized so I can type the details into the sites quickly, when they send a new card I have to buy a couple dozen things before the new number and new CVV sticks in my brain.

        But I'd use a virtual number if it was supported like I outlined. In order to get consumers interested in using it (since in the US at least, we don't personally bear the costs of fraud on our accounts) you have to make it easier. So integrating it into Apple Pay / Android Pay is IMHO necessary since that is much easier than starting up a dedicated banking app (which in your case would be different for different banks, so you if you used two cards you'd need two apps that may work differently) Also drop the expiration / CVV thing when using it because that's superfluous when using a one time number.

        If they make it easier to pay this way than to pay the regular way, they'll get people on board with using it and cut their fraud costs. So the bank wins, the merchant wins, the consumer wins and Apple/Google win. Pretty rare when you have something where everyone's a winner and no one is a loser except criminals!

        1. heyrick Silver badge

          Re: Chip & PIN is not the answer to online fraud

          "Also drop the expiration / CVV thing when using it because that's superfluous when using a one time number."

          It seems to me that there's only a finite number of potential card numbers, so I wouldn't be surprised to find the same number allocated twice, with the date and CVV to tell them apart.

          But more than that, the two should remain even if entirely superfluous because it makes the virtual card look and feel like a real card. The alternative? For every single retailer to modify their platform to detect all known types of virtual card and understand what is and isn't necessary. The useful thing about expiry/CVV is that the retailer and payment processor DOESN'T know the difference. It's "just a Mastercard"...

        2. John Brown (no body) Silver badge

          Re: Chip & PIN is not the answer to online fraud

          "In the meantime I just use my credit card for online shopping, and deal with the fact that every 3-4 years it will get compromised "

          Holy shit! And you "just accept" that? Maybe I've just been incredibly lucky and never, ever had a card compromised. I've still got the same debit card number I've had for 20+ years.

    2. Anonymous Coward
      Anonymous Coward

      Re: Chip & PIN is not the answer to online fraud

      Downvoted for calling anyone who does not think exactly like you is a "moron". Anyone who uses credit or debit for transactions that can be paid with cash may be the "moron", to use your term, since you have just given world+dog intimate knowledge of all your spending behavior. I prefer to fly under the radar when possible.

      1. heyrick Silver badge
        Coat

        Re: Chip & PIN is not the answer to online fraud

        "is a "moron""

        Doesn't that mean "carrot" in Welsh?

  11. Anonymous Coward
    Anonymous Coward

    POS

    Point of Sale machine. Why, what did you think we meant?

    That, and the other. Both meanings are correct in this case.

  12. Benno

    Heck, even my AMEX card is contactless...

    I've been using contact & contactless for as long as they've been available in Australia, no fraud yet!

    (contactless is a $100 limit without PIN here in AUS)

    Some terminals even allow contactless with PIN for values over $100.

    Although some terminals don't like the AMEX, and I have to go chip 'n' PIN - bah, old-school :)

    1. Jay 2

      That's been the down side to AMEX as far as I can remember... it's not quite as acceptable as VISA/Mastercard. Always annoying when it's the AMEX that has all the nice point-collecting-for-goodies stuff on it.

      1. Fibbles

        Re: not quite as acceptable as VISA/Mastercard

        That's because all your nice AMEX rewards are paid for by the retailer rather than the card company.

      2. heyrick Silver badge

        "That's been the down side to AMEX as far as I can remember... it's not quite as acceptable as VISA/Mastercard."

        Good luck using it in France. Maybe in Paris and some places in larger cities, but around here (rural) they almost go out of their way to point out that AmEx is absolutely not accepted.

        1. Version 1.0 Silver badge

          AMEX

          I gotta jump in on this one - I was in Barcelona a few years ago and had my wallet stolen on a Friday at a trade show - with my AMEX, Visa and Mastercard credit cards as well as my US Green Card. Calling Mastercard and Visa to report the theft was a complete farce - basically they said they would look at doing something about after the weekend.

          Calling AMEX was wonderful - they offered to get a new card to me the next day and when they found out that I'd lost my Green Card (which I needed to return to the USA) they called the local US Embassy, and arranged for an appointment to get travel papers that afternoon. Frankly, that kind of service gets my attention and I always present my AMEX card as the first method of payment.

          Back in the US on Monday, I had to call Visa and Mastercard and go through the whole rigamarole all over again to get the cards cancels and replaced.

        2. This post has been deleted by its author

  13. Gerry 3

    No security at all with Contactless...

    Here is the UK we have done away with both PINs and signatures for Contactless purchases of £30 or less.

    We can do this because we simply don't have any thieves, dishonest family members, carers, office colleagues etc in this country.

    What could possibly go wrong?

    1. heyrick Silver badge

      Re: No security at all with Contactless...

      Are you sure? While contactless usually doesn't require a PIN, the card is supposed to block after a certain threshold (I don't know if this is by combined value or times used) and require you to enter a PIN; exactly as a form of damage limitation on stolen cards.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019