23

(I'd expect this question to be a duplicate, but couldn't find any that matches the point)

It seems to me that the security of credit card transactions got worse by the switch from signing to chip usage. As is well known, nearly all providers in the US do not ask the PIN when paying (supposedly because Americans wouldn't be able to remember a PIN), so the comparison to me is:

Before: If I lose the card, the finder needs to fake my signature (not too difficult, but not a freebie); if I mark the card with 'Check ID', there is a chance that he fails.

Now: If I lose the card, anyone can use it freely anywhere. No limits, zero risk of getting caught.

So we got a new system that is slower, and makes abusing lost / stolen cards easier?? Why?

I am aware that you can call the credit card company and report the card stolen, but that is not always as easy. When you are travelling, roaming can cost you easily 100 $ just while your call is in the wait line, and many 1-800 numbers are not even callable from outside the US. Anyway, that is not the point -

why would the industry burn money into a system that makes stealing and then quickly using credit cards easier?

Aganju
  • 1
    No, chip-plus-pin or chip-plus-signature are both stronger than signature alone. Chip-only isn't, but that is still stronger than mag-stripe-only which it replaces. – keshlam Jun 13 '16 at 21:31
  • 5
    That's only theoretical. In practice, 'mag-stripe & signature' gets replaced by 'chip-and-nothing'. That's my point. – Aganju Jun 13 '16 at 21:45
  • 27
    Is this a legitimate question or did you simply come here for an argument? – JTP - Apologise to Monica Jun 13 '16 at 22:04
  • 3
    @JoeTaxpayer, maybe you have a point and I should not have asked. It is not a question where the answer will influence my life or my decisions, but I really would like to understand why. I feel that my cards have become less secure, and I am concerned (if only slightly), and I thought someone can tell me what the reason for this seemingly silly change is. So I'd say it's mostly curiosity. I am not trying to have an argument. – Aganju Jun 13 '16 at 22:13
  • 2
  • 2
    I did read this one before posting; it is six years old and reality seemed different now than what was planned in 2010. But possibly there is no better answer than that, maybe the total amount of fraud I look at is just much smaller than the copy-the-mag-strip kind, so it's kind of accepted 'collateral damage'... – Aganju Jun 13 '16 at 22:25
  • 5
    See also https://security.stackexchange.com/questions/49234/why-are-chips-safer-than-magnetic-stripes there are many questions on the security site about them. Stealing the actual card is much less common than cloning the mag strip. – VBCPP Jun 13 '16 at 22:33
  • 6
    Chip-and-nothing is a risk for the vendor, not for you; they accept that risk in exchange for lower processing fees. Actually, credit cards have pretty good consumer protection generally, at least in the US, so this is not the item I'd spend a lot of time worrying about. – keshlam Jun 13 '16 at 22:39
  • 2
    About your last point, many credit cards (all three of mine), have a non-800 number and will accept collect calls for problems when travelling internationally. – KeithB Jun 14 '16 at 02:14
  • 2
    Because even if a retailer does (improperly) implement "chip + nothing" for EMV card use vs. mag stripe + signature for old cards the "signature" step is functionally equivalent to "nothing" in almost all cases. Nobody ever bothers to check to see if there's a signature on a card, let alone compares that to the signature the purchaser gives, let alone declines a transaction because the two don't seem to match sufficiently. So, even where a store stops requiring signatures you pit the (not perfect, but still significant) benefits that come with chip usage against little-to-no practical loss. – mostlyinformed Jun 14 '16 at 06:10
  • 14
    So the US finally started using chipped cards but failed to enforce the PIN?! Meanwhile we've all moved on to contactless :) – OrangeDog Jun 14 '16 at 08:32
  • 3
    @OrangeDog: right, they've jumped ahead of the curve. We're only failing to enforce the PIN for small transactions, they're doing it for everything ;-) – Steve Jessop Jun 14 '16 at 09:06
  • 2
    I never understood how signatures could ever be considered trustworthy. It's just a scribble on a piece of paper, come on! Even if people actually checked the signatures (which is incredibly rare), they don't give you any decent guarantees that the signature was made by the right person. I'll take a cryptosignature any day, thank you ;) – Luaan Jun 14 '16 at 09:12
  • 4
    @JoeTaxpayer - how the hell does that make a question "illegitimate"? Is the question legit only if you pull it out of your ass, with no context or reason? – Davor Jun 14 '16 at 10:27
  • 2
    @Davor - interesting. To my legitimacy comment, OP took no offense and replied kindly, then I in return. What, exactly was your issue with that dialog? Since then, 12 hrs ago, much has happened, including a +15 answer from a member who addresses it spot on. – JTP - Apologise to Monica Jun 14 '16 at 10:38
  • 1
    @JoeTaxpayer - I'm asking you a simple question. What about having a context makes a question illegitimate? – Davor Jun 14 '16 at 10:41
  • 3
    @Davor Because many questions that come through these stacks are simply rants that are thinly veiled as a question. JoeTaxpayer seems to be addressing that by asking if OP really was concerned with the answer or if it was simply a disgruntled customer who dislikes the new card. Not saying either person is correct or taking sides just stating what I've seen many times before on this site. – DasBeasto Jun 14 '16 at 12:08
  • @OrangeDog, many ATMs and debit-card systems in the US are still using magstripe-and-PIN. In that situation, chip-and-nothing is more secure than chip-and-PIN: many card readers use the same slot for reading chips and magstripes, so a skimmer can steal both the magstripe and the PIN from a chip-and-PIN transaction, but gets only the magstripe from a chip-and-nothing transaction. – Mark Jun 14 '16 at 20:32
  • 1
    It should be noted that 'Check ID' or 'See ID' is not technically valid (without signature) on most major credit cards (see, e.g., UNSIGNED CREDIT CARDS), and vendors accept such cards at their own risk. – user2338816 Jun 15 '16 at 00:02
  • In my experience, nobody who has stolen a card (or copied its details) ever goes to some shop trying to buy stuff. They go online and order things, where you neither need a pin nor a signature. – PlasmaHH Jun 16 '16 at 08:06
  • As others have mentioned, the primary benefit of chip cards is reducing the ability to 'skim' data - it's not to protect against lost/stolen cards, which is a small percentage of cc fraud anyway. That said, I'm confused as to what you mean by chip cards requiring no signature? My chip credit cards require a signature for purchases over a small amount (I think it's $25?) the same as my magstripe one used to, and my chip debit cards require a PIN (or a signature if I clear the PIN screen) same as my magstripe. – CardFellow Jun 27 '16 at 14:50

4 Answers

69

One advantage of the chip cards is that the card information needed to make purchases can't be easily skimmed or "stolen". Another is that it is more difficult to create a fake physical card. These advantages still exist regardless of what form of verification is used (or even if no verification is used).

The type of fraud you're describing, in which your card is physically lost or stolen, is a relatively small proportion of total fraud (14% according to this site). One reason this is not as big a problem is that often, if you lose your card or get robbed, you know the card is compromised and you can cancel it. (Even if it takes you a while to do this, at least you are on the alert.) The real danger comes when your card info is stolen without your knowledge, and this is harder to do with a chip card.

It's also worth noting that there are more ways for a fraudster to get nabbed than being caught red-handed entering the wrong PIN at the point of sale. The credit card companies are still tracking card usage and watching for unusual purchases that might indicate fraud. Also, sometimes fraudsters do surprisingly dumb stuff, like use the card to buy something online and mail it to themselves. So it's not correct to say that there is "zero risk of getting caught". With both stripe and chip cards, you can catch the person by tracking them via their usage of the card.

The biggest security risk with the new cards is that many vendors don't actually require use of the chip at all -- they still let you swipe. However, with changes to credit card liability policies, this is a risk for the vendors, not for you.

BrenBarn
  • 12
    Yes. When evaluating a security procedure, you have to consider all realistic threats. It's quite possible for a new procedure to make you more vulnerable to attack X, but nevertheless be a good idea because it makes you less vulnerable to Y to an extent that more than makes up for X. And I'd add, signatures don't really offer much security. I rarely see stores check my signature. And if someone stole your card, he could practice forging your signature. – Jay Jun 14 '16 at 03:23
  • 1
    "The biggest security risk with the new cards is that many vendors don't actually require use of the chip at all -- they still let you swipe." This. The day that new payment cards in the U.S. no longer come with magnetic stripes in the first place will be a great day for financial information security. – mostlyinformed Jun 14 '16 at 06:13
  • @halfinformed or at least the day when the terminal can verify with the issuer whether the card is supposed to have a chip, and deny a swipe if so. Until then, an attacker can clone a card from the magstripe and simply zero the "I have a chip" bit, and the "PLEASE INSERT CARD" message won't come up. – hobbs Jun 14 '16 at 06:35
  • @halfinformed I personally intentionally wreck my mag stripe, and don't use it anywhere that forces me to swipe it. To me, any place that does not have a chip reader is sketchy. – Cruncher Jun 14 '16 at 15:07
  • "The credit card companies are still tracking card usage and watching for unusual purchases that might indicate fraud." Which is great right up until it isn't. When I moved a few years ago, the bank had records of me discontinuing automatic payments at my old location, and they had records of me buying gas, meals, and hotel rooms along my route, but when I went to buy some furniture for the new place, it got flagged as fraudulent due to being an expensive purchase far away from where I lived, and it took me 2 hours on the phone with bank reps to clear up! :( – Mason Wheeler Jun 14 '16 at 15:16
  • 7
    @MasonWheeler: Did you actually inform your bank of your new address before you made the purchase? If you didn't, that means the fraud detection system is actually working great; I would have been much more annoyed if the bank naively let that transaction through. Leaving record of stopping automatic payments isn't the same as telling the bank that you are moving. – Lie Ryan Jun 14 '16 at 15:29
  • So your suggestion is to hide the body well when stealing someone's credit cards for optimal use? – Hannover Fist Jun 14 '16 at 19:00
  • @Cruncher I'm not sure why you think not having a chip reader is inherently sketchy. Fraud liability for stripe was legally shifted to retailers less than a year ago, and some point of sale software vendors still haven't updated their software, so stores that use those vendors don't have a choice. I also haven't seen any smartphone or tablet-based card readers that use chip yet. You'd be locking yourself out of a lot of retailers, including pretty much all gas stations and restaurants. – user2752467 Jun 14 '16 at 22:23
  • @hobbs they already do that. I tried swiping my chip card and the terminal rejected it saying i had to use the chip. – Andy Jun 14 '16 at 23:28
  • @Andy yes, but it does that based on information on the card, specifically the magstripe. – hobbs Jun 15 '16 at 02:22
  • Last night I had to swipe and insert the card. Before at this store, I would just insert but for some reason when I put the card in, it asked me to take it out and swipe and then reinsert. – JimmyJames Jun 15 '16 at 15:31
  • @JustinLardinois: I've had a chip reader for my smartphone for a couple of years now, from iZettle (in the UK). – Andrew Aylett Jun 15 '16 at 20:42
  • @halfinformed I'd actually say getting rid of the raised lettering would be a good move too - merchants can still submit charges using the old roller imprint "click-clack" card machines, although they do take a signature. – Mark Jun 15 '16 at 22:34
  • @AndrewAylett Well of course they're available easily outside the US. I was just saying that smart device-based readers that I've encountered here (almost always Square) are magnetic stripe only. – user2752467 Jun 19 '16 at 02:53
28

I don't have much to add other than your signature is not required to process a charge. Signatures are kept on file for validity in the event you dispute a charge. Your signature isn't held in some magical database with signature recognition software. If you draw a shark in the signature section of a receipt that won't stop the charge from processing. In fact, many merchants don't even bother requiring the signature below a certain threshold.

There are loads of behind the scenes processing improvements offered by the EMV chip; namely prevention of card number skimming and duplication via encrypted transaction signing. While requiring a PIN adds an additional layer of security, simply processing via chip dramatically improves the network fraud prevention tools in a manner that is almost completely transparent to the user.

To your point, if your wallet is lost and an impostor holds your physical card there is no anti-fraud improvement. At any rate, you have zero fraud liability in the US.

quid
6

One of the main advantages is that duplication from a few sources is no longer a vector. The two big examples, the lesser first, card skimming and breaches like Target's. The chip essentially generates a unique transaction code, and that is generated inside the chip. So even if you installed a chip skimmer, you'd have to beat the merchant to using the code, and it would only be good once. The same is true if you get something like the Target breach. Instead of a giant dump of card numbers, you get a giant dump of used codes, which aren't very useful for getting money. Even if the risk of stolen cards goes up, it should be a huge advantage for the banks.

Additionally, a number of the banks are now implementing quick and short term freezes, like the Discover It card app. You simply click freeze in the app if you aren't sure where your card is, and unfreeze it when you do. The assumption here is that people are more likely to freeze it and do so sooner than if they have to wait for a new card in the mail. Theoretically, there's nothing stopping a consumer from keeping the card frozen all the time, and unfreezing it when they walk into a store, except the impracticality of it.

John
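
A simplified model of the per-transaction code described in the answer above, added as an example and not part of the original post. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, message layout, key and card number are constructed for illustration. It shows the issuer rejecting a captured transaction record that is replayed or altered, which static magnetic-stripe data cannot offer.

```python
import hashlib
import hmac

def _mac(key, pan, amount, nonce, atc):
    # Assumed message layout; a real card uses its own format and algorithm.
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Model of the chip: the key and counter never leave this object."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def sign(self, amount_cents, terminal_nonce):
        self._atc += 1  # counter advances on every transaction
        tag = _mac(self._key, self.pan, amount_cents, terminal_nonce, self._atc)
        return {"pan": self.pan, "amount": amount_cents,
                "nonce": terminal_nonce, "atc": self._atc, "cryptogram": tag}

class Issuer:
    """Model of the issuer: shares the card key and tracks the last counter."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorize(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, tx["pan"], tx["amount"], tx["nonce"], tx["atc"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "DECLINE: replayed counter"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "APPROVE"

def demo():
    key, pan = b"constructed-demo-key", "4000000000000002"  # constructed values
    card, issuer = ChipCard(pan, key), Issuer()
    issuer.enroll(pan, key)
    tx = card.sign(2500, "n-001")
    first = issuer.authorize(tx)                           # genuine purchase
    replay = issuer.authorize(dict(tx))                    # skimmed record reused
    altered = issuer.authorize({**tx, "amount": 99900})    # skimmed record edited
    second = issuer.authorize(card.sign(1200, "n-002"))    # card still works
    return first, replay, altered, second

if __name__ == "__main__":
    print(demo())
```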
4

Chip and Signature cards do not substantially alter the paradigm you mention in your question. The chip alters how the machine obtains your account number and transmits it for authentication, but it does not significantly alter the interaction with the clerk. It is solely intended to reduce "skimming" and similar card-number-stealing and card-forging attacks.

Specifically, a clerk is still welcome to ask to see the card to verify the signature if they wish, and/or to ask to see an ID to use the card. Some changes occurred around the same time as introducing Chip and Signature that meant that clerks will be less likely to ask for signatures for certain purchases (raising the dollar amount for no-signature-required purchases, mostly), but those changes are distinct from the introduction of EMV (chip) authentication.

Joe