Are the chips doing their job?
April 5, 2016 10:48 PM   Subscribe

Are instances of various types of credit card fraud in the US in fact really decreasing now that chip card usage is becoming much more widespread (albeit without the added benefit of pins), not to mention a small but growing percentage of people are starting to use smart phones to pay with credit cards?
posted by OCDan to Technology (8 answers total)
 
I can't speak to US statistics, but this article (and I haven't had chance to fact-check this myself, so YMMV) suggests that in the UK and Europe, where we've had chip and pin for 10 years, fraud hasn't so much been reduced as redirected to other avenues (e.g. customer-not-present, over-the-phone and -internet).
posted by gmb at 11:47 PM on April 5, 2016 [5 favorites]


I suspect it's too early to tell for the US (obviously, we have data from elsewhere in the world which should more or less translate, despite being chip + pin). I have credit cards from two banks. One replaced the non-chip card a year ago in August. The other last month. The only place I go to regularly that uses a chip reader is Trader Joe's. I also remember using it at Walmart and Home Depot. Walmart will account for a lot of transactions, but only a small fraction of the total. Everywhere else has swapped their machines over, but hasn't turned on the slot.

(Some gas stations have updated the picture of the credit card on the pump to show the chip. I'm guessing they're not reading it yet, though, since you don't leave your card in for nearly as long as Trader Joe's.)
posted by hoyland at 5:04 AM on April 6, 2016


I just got a new card with a chip but the mag strip is still on the card.

I've read to fully benefit from the security of chip and PIN, the mag stripe has to be eliminated and PIN use enforced.

My Target issued credit card is fully chip/PIN with no mag stripe. Target's recent (bad) experience with credit card security is perhaps why they went all in on the new standard. There's still a number on the card but I'm not sure if that's typical with chip/PIN. Target's fraud experience going forward will be a good indicator of how effective chip/PIN is.
posted by LoveHam at 6:01 AM on April 6, 2016


It's a farce in the US in terms of preventing fake cloned cards from being used* at POS terminals. The magnetic stripe includes a simple bit on it indicating whether the card has a chip present or not. Obviously, if you've cloned a physical card then you just turn off that bit, and the card will be accepted on chip readers as a swipe card. This is why sometimes you'll swipe your card, and the reader will insist you instead insert the chip. The cryptographic security of the chip is totally irrelevant until magstripes are removed.

Now, whether that's actually a relevant amount of total credit card fraud, I don't know. Obviously, though, chips are useless for online transaction security and other card-not-present situations.
posted by odinsdream at 6:32 AM on April 6, 2016


A lot of stores have the chip readers up and running, but it seems like the cards haven't caught up completely either. I know at my store (a tiny Dollar General) we have a chip reader but still end up having to swipe probably half the chip cards we come across because for whatever reason they don't work or the person hasn't activated it properly.
posted by Kimmalah at 6:55 AM on April 6, 2016


If I understand the fully implemented chip system will encrypt a onetime transaction number. But that has not been fully rolled out in (most/any) locations, so other than international convenience it seems like no.
posted by sammyo at 7:09 AM on April 6, 2016


Chip and PIN has been known to be broken since at least 2010. The protocol used is insecure. IIRC there have been additional vulnerabilities since. Researchers: Chip and PIN Enables ‘Chip and Skim’ I've seen pictures of skimmer boards that can be inserted into POS terminals, and have gone through several generations of development already so are quite advanced.

Some of the older known vulnerabilities may have been fixed in the US deployment. But then, they are leaving out a crucial part of the security (the PIN) in the first place.

My understanding is that the entire point of the switch to Chip cards is, it shifts liability for fraud away from the bank. The operator of the terminal that is exploited becomes financially liable. So the banks don't care how good the security is, it only has to be good enough enable that liability shift.
posted by joeyh at 8:35 AM on April 6, 2016


My understanding is that the entire point of the switch to Chip cards is, it shifts liability for fraud away from the bank. The operator of the terminal that is exploited becomes financially liable. So the banks don't care how good the security is, it only has to be good enough enable that liability shift.

Yes. This is how it was explained to me. The owner of the least advanced technology is on the hook for fraud or breaches. So if Target hasn't upgraded their POS machines to take advantage of the chips and a breach happens, Target is on the hook. If Target upgrades and a breach happens to only Citibank cards, then Citibank is on the hook for the fraud.

Right now, there isn't enough data to support or disprove the theory that EMV chips will reduce fraud. The law only went into effect in October and as far as I've seen, it's being implemented sporadically.
posted by teleri025 at 3:14 PM on April 7, 2016


« Older Freud's Quote(s) About Psychology Only Being Able...   |   How to talk numbers and not-numbers Newer »
This thread is closed to new comments.