Credit Card Fraud Could Peak In 2015 As the US Moves To EMV

dkatana writes: Some analysts expect fraud to increase this year as thieves will step up their efforts to capture more credit card details before the Europay, MasterCard and Visa (EMV) standard conversion goes into full throttle. The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless. The U.S. is finally making the transition to secure cards based on the European EMV standard, mostly because of the liability shift imposed by the three big credit card brands — Visa, MasterCard and American Express. The European Union, where EMV became standard ten years ago, has the lowest level of credit card fraud in the world, while the U.S. accounted for 47.3% of the worldwide payment card fraud losses but generated only 23.5% of total volume.

    • by gutoandreollo ( 1816754 ) on Wednesday February 18, 2015 @09:42PM (#49083897)
      Your next credit card (in a couple years) will probably have a chip-and-pin system, which can not be easily cloned as the magstripes of today can. The analysts cited believe fraud will escalate soon, while most people still DON'T have a chip-and-pin card, since defrauding those people will be harder in a couple years.
      • I've already got two, both of which I acquired this week after switching from a card that yielded a lower cash back reward percentage. Neither has a contactless component (which I assume means some kind of RFID/NFC chip.)

        Haven't yet seen any vendors with an ISO7816 reader though. Last time I used one of those for a payment method was when I was in the Army, and that was over 13 years ago. Obviously the technology hasn't caught on anywhere besides AAFES stores.

        • by rickb928 ( 945187 ) on Wednesday February 18, 2015 @10:14PM (#49084073) Homepage Journal

          EMV is NOT contactless. If your new card(s) include electrical contacts, it's EMV.

          • EMV is NOT contactless.

            EMV is not contactless in the same way that TCP/IP is not wireless. EMV is a payment specification, it can be done contact or contactlessly. There are contactless specifications based on EMV from all of the big card brands.

      • by stevel ( 64802 ) * on Wednesday February 18, 2015 @09:56PM (#49083975) Homepage

        Chip yes, PIN, no. In the US, "Chip-and-signature" is what we get, with extremely rare exceptions. It is more secure than the magstripe to stop massive hacks such as Home Depot and Target, but does nothing to stop stolen card fraud. Note that if your card does not support chip-and-PIN (it can support it even if it's not the default, but US banks aren't doing this), then you can't use the card at many automated kiosks (train stations, etc.) outside the US.

        I disagree with the summary that contactless goes along with the chip - it doesn't. There are some banks offering contactless payment cards, but this is not common right now.

        • by Nutria ( 679911 )

          One thing that I wonder about is the definition of "fraud".

          If C&P isn't as secure as banks say, can the bad guys steal people's money but the banks deny it, saying that C&P is secure?

          • by rickb928 ( 945187 ) on Wednesday February 18, 2015 @10:16PM (#49084095) Homepage Journal

            Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

            Britain has had a lot of trouble with this.

            • by Nutria ( 679911 )

              so if your account is compromised, you're assumed to be at fault.

              Even if C&P isn't secure. That's what I was afraid of.

              • Even if C&P isn't secure. That's what I was afraid of.

                You missed part of what GP implied here. It ISN'T secure, and yes the banks HAVE hushed it up. When that didn't work very well, they tried shifting the responsibility.

                They do have known vulnerabilities which have been exploited by fraudsters for years. It might be a while before U.S. fraudsters catch on to the new tricks, but you can count on that being a short time indeed. All they have to do is buy the information if they don't want to figure it out themselves.

                • by Z00L00K ( 682162 )

                  It's still better than the magnetic stripe. But I agree - it's not as secure as it can be.

                  Compromised card readers are one item that can be used to spoof cards.

            • by ArmoredDragon ( 3450605 ) on Wednesday February 18, 2015 @11:32PM (#49084459)

              Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

              This is not at all the case in the US.

              When TFS says liability shift, they're referring to the merchants (at least, in the context of the US anyways.) The merchants have an agreement with Visa, MasterCard, et al (and the banks) that determines who is liable in the event of fraud. Presently MasterCard/Visa/Amex assume most of the liability (and they very well better for the transaction fees they charge.)

              Visa and MasterCard have issued an ultimatum of sorts to the merchants saying that this will only continue for magnetic stripe until the end of 2015, after which the merchant assumes liability for fraud. The merchant can avoid that by simply replacing their POS systems with a chip and pin system, in which case Visa/MasterCard assume most of the liability.

              For you as the card holder however, nothing has changed in that regard: The law in the US still stipulates that credit card holders can only be liable for up to $50 (which most banks waive these days.)

              • by bradley13 ( 1118935 ) on Thursday February 19, 2015 @04:08AM (#49085361) Homepage

                My wife has a small company that accepts credit cards. As the parent comment points out, the credit cards want to push liability for fraud onto the merchants. This has two aspects:

                - First, the physical card: Chip and pin is standard here, which would be fine, but don't think your fees go down when they hand you the liability. My wife has, to my knowledge, never had a case of fraud in 20 years, but that doesn't matter either. Mastercard/Visa are completely in collusion, there is no competition, they can demand whatever fees they want.

                - Second, the Internet: I wrote her first web-shops, including the payment processing. This has become completely impossible. The credit card companies impose ever more impossible rules. Ultimately, if you handle credit card numbers electronically, they began insisting on quarterly audits of your IT infrastructure. We used an ISP - so they were going to insist on auditing the ISP infrastructure. Our ISP was - shockingly - actually ok with this, but the whole nightmare just got too complicated. In the end, the rules appear to be nothing but a way of forcing you to use their approved payment processors - yet another way to suck money out of merchants.

                Will some Internet payment service please, please spring up and actually give Mastercard/Visa some real competition? Paypal has been largely co-opted, Bitcoin is a joke - we need something that your average Joe can and will use. So far, nothing...

                • Will some Internet payment service please, please spring up and actually give Mastercard/Visa some real competition? Paypal has been largely co-opted, Bitcoin is a joke - we need something that your average Joe can and will use. So far, nothing...

                  You might think Bitcoin is a "joke" but it's all you're gonna get. PayPal wasn't co-opted - they settled down into the state you would expect given that they have little competition and ultimately still rely on the banking / credit card infrastructure. Why do you t

            • Chip & PIN is a liability shift. You're expected to protect your PIN, so if your account is compromised, you're assumed to be at fault.

              You sort of imply that this shouldn't be the case? I'm no expert but just wondering how a crook could get a PIN other than lack of reasonable protection from the owner? It seems a whole lot more secure than a scribble which is extremely trivial to imitate.

              • by hjf ( 703092 )

                I stand behind you in the line, see you type your PIN into the terminal, wait for you outside, mug you, then use your card.

                Really? You couldn't think of that one? It is that easy. They sell little "shades" for CC terminals to avoid this, but they are accessories. Most CC terminals don't have them.

          • by stevel ( 64802 ) * on Wednesday February 18, 2015 @10:21PM (#49084117) Homepage

            Yes, in fact they can, and this has happened in Europe. One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder. In the US, all the card issuers assume liability for fraud, no matter what, so there is less incentive to require a PIN.

            The article you linked to is informative, but as the US transitions to EMV, it will become harder for thieves to use magstripe cards.

            As I noted earlier, the biggest benefit of EMV, with or without PIN, is that merchants and payment processors aren't holding on to vast quantities of card numbers, and card skimming becomes far more difficult.

            • by Kjella ( 173770 )

              One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder.

              Fairly sure this is not so in Norway, liability is put on the merchant because they are the only ones who can invest in systems to bring and keep terminals online. Even waiters at the table generally have online wireless terminals for this, apart from one bus company that apparently haven't updated their terminals in ages, a few old parking meters and a few remote cabins selling coffee and snacks to cross country skiers it's all online. I've used it if their line is down, but then it's in their interest to

        • by Harlequin80 ( 1671040 ) on Wednesday February 18, 2015 @10:06PM (#49084029)

          As at the 1st of August last year you were no longer able to sign for purchases on your credit card in Australia. A pin became required for every transaction.

          With regards to a contactless payment system, it is referred to here universally as paywave (even though that is Visa's name for it) and my AMEX, Visa and Mastercards all support that functionality. The contactless system allows an up to $100 purchase just by tapping your card on the reader. Kinda scary if you lose your wallet but soooooo convenient. Total transaction time is around 1 second.

          • by dAzED1 ( 33635 )
            and I really, really don't see how that's an improvement to security. Why the fark are we doing contactless, and not just going with the chip+pin?
            • Chip & pin is more secure than chip and signature. Simply because your average pleb can't tell a genuine signature from a forgery.

              The setup in Australia means a pin is not required for transactions of under $100 but is required for transactions over. I assume that the risk assessment from the card companies is that under a $100 exposes them to a small risk for the increased usage that using contactless creates. Anecdotal evidence is that when my mastercard went contactless but my amex wasn't I pretty

        • but does nothing to stop stolen card fraud

          i guess you are talking about physically stealing a card. that's almost zero percent of the problem. that requires physical theft which criminals don't want to risk for the most part.

      • by Nutria ( 679911 )

        I received an updated CC from Bank Of America, and it's got a chip-looking thing, but didn't receive a PIN, and don't remember seeing anything where I had to request one.

      • Your next credit card (in a couple years) will probably have a chip-and-pin system

        most likely chip and signature. the difference being what you'd expect ... no pins, but signature verification required. the reason being that the big three are afraid people will spend less if they are forced to remember a PIN (yes, really).

        chip and signature is arguably less secure, but it does prevent credit card cloning ... you can't clone the chip.

        • by rlwhite ( 219604 )

          Yeah, I don't get this either. I choose debit just about everywhere because it's faster and more secure. It would be tempting for me to move my bank account specifically to get chip and pin if a bank were using that as a competitive advantage, but I don't know if that's even possible given the standard they've adopted.

      • by mlts ( 1038732 )

        Sad thing, the PIN part here in the US is optional. However, it does stop the sales clerk who swipes the card and uses it for mail order stuff.

        As for mail order, I'm sure Visa/MC will continue to have a web object that pops up, asks for a PW or PIN, which is used for shopping via the Internet.

        Is this a security increase? Yes, and much needed. Cloning a chip is a heck of a lot harder than writing down numbers or writing a magnetic strip on a blank.

        However, because PINs are an option in the US, it won't be

        • As for mail order, I'm sure Visa/MC will continue to have a web object that pops up, asks for a PW or PIN, which is used for shopping via the Internet.

          This is truly where credit card fraud is going to go in the next few years. As EMV rolls out in the US (finally!) credit card fraud is going to move online. Card not present transactions will be the next target and participation in multifactor authentication schemes like Verified By Visa and MasterCard SecureCode will become critical and possibly even mandatory.

      • Chip and pin is an obsolete solution. Sure point of sale in person fraud went way down in Europe but online and telephone fraud went way up making total fraud almost the same. Meanwhile merchants lost the ability to contest fraud and had to pay for card readers. It's expensive to replace lost cards. And it's been hacked multiple times already so it's not secure.

        The only silver lining here is that forcing merchants to pay for new point of sale terminals will force an upgrade that can slipstream in apple p

      • by Hadlock ( 143607 ) on Wednesday February 18, 2015 @11:27PM (#49084441) Homepage Journal

        I got a warning message in Spanish when I took out money from the ATM in Cartagena, Colombia (Caribbean edge of northern South America). Since my money came out ok I didn't pay it much attention. My buddy who spoke Spanish, however, was pretty amused.
        He said,
        "Did you see that warning message," "Yeah?" "That warning message is telling you your card only has a magnetic stripe, and no secure chip-and-pin system which is really insecure and you should ask your bank to upgrade it for you. This is the same system the Europeans use. Fuckin' Colombia's banks, in South America is a decade ahead of the United States banking system when it comes to technology. Typical."

    • Honestly, it means what Europe was using 20 years ago, and what much of the world has been using for at least 10 years is slowly being adopted by American banks.

      In the mid 90's we talked about chip-and-pin cards in a crypto class, and I knew people from France who had them. I've had one in my pocket for at least 10 years.

      Essentially American banks move at glacial speed, and are taking up what is now fairly old technology.

      Why American banks move so slowly? I can't say.

  • Worry it not, minions. We won't steal money from you again. We will steal it directly from the source - the big fat banks. And we will grab your password and purchase history and personal details along the way. -- signed, the Internet Barron.
    • Well they never did steal from "minions" using this method anyways. For the last 40 years or so, the law has put a limit of $50 on credit card liability, but almost all banks these days just give you zero liability (technically as a courtesy, but if they don't, their competitors do, which is why almost all of them offer zero liability anyways. You have to have really absolutely terrible dog shit credit to not be able to find somebody that offers it.)

  • Well... (Score:4, Insightful)

    by duck_rifted ( 3480715 ) on Wednesday February 18, 2015 @09:38PM (#49083873)
    Time to make a Faraday Cage wallet.
    • by Nos. ( 179609 )

      Just because it has the chip and pin portion doesn't mean it has to have the contactless part as well. My debit and credit card for years (in Canada) were chip and pin, but not contactless. I just recently got cards that are contactless. Given that the maximum transaction size is $50 and it's a one time thing, I'm not really that worried about it, especially when it comes to my credit card where I have $0 liability.

    • by jonwil ( 467024 )

      You don't need to make one, just buy one of the many varieties of metal credit card wallets already on the market that do the job of blocking the cards just fine.

    • Re:Well... (Score:4, Informative)

      by w_dragon ( 1802458 ) on Wednesday February 18, 2015 @09:49PM (#49083937)
      One of my RFID-enabled cards came with a blocking sleeve for it. We've had these for years in Canada.
    • Honestly speaking, those little sleeves are snake oil products sold by people preying on your fears of "them hacker kids." Much in the same vein as those "radiation blocking" stickers for cell phones.

      Sure, it can be used to pull the card numbers on the older contactless cards, but those alone aren't sufficient for a transaction. On the newer ones it has to establish an active two-way communication with a card, and at some point a PIN has to be entered as well in order for an actual transaction to happen.


      • by dAzED1 ( 33635 )
        except for the fact that many of the current (and EMV compliant) cards still offer the magstrip fallback info FROM THE RFID ITSELF, because...stupid (see the many hacking demonstrations of such cards). And as others have pointed out, most of the RFID systems don't require a pin. And I also don't want to deal with letting a machine pick which of the 6 cards in my "wallet" I want to use to pay with, since a contactless tap won't tell the difference. Yes, I have 3 different Visas, 2 AMEXs, and a MC. And th
        • The readers are very low powered so unless you actually put your wallet against the reader with multiple cards in it this isn't an issue. Just pull the card you want to use from the wallet. Yes, I have multiple contactless cards on me. A couple of credit cards and travel cards.

    • Actually I don't think you need to. All my cards have contactless capability and the net effect is that the readers seem to be unable to separate 1 card from the other. It is also the most common cause of failure of the contactless systems that I have encountered. It picking up more than 1 chip.

    • I've added a full wallet sized sheet of Mylar. I need to test that theory since it isn't fully enclosed, but maybe an easy solution. I'd much rather not have any stupid RFID cards at all, not that I'm even sure any of them are such, as I don't use it to pay.

    • Re:Well... (Score:4, Informative)

      by jenningsthecat ( 1525947 ) on Thursday February 19, 2015 @12:36AM (#49084749)

      Time to make a Faraday Cage wallet.

      Time to permanently disable contactless payment on all your cards.

      Apparently the banks and credit card companies in some countries will send you a new card without the RFID on request. But here in Canada at least one company simply refuses to do this. My bank DID disable contactless payment on my new debit card in their records, but of course the RFID is still physically intact so there's no guarantee that it won't suddenly start working as a result of some administrative fuckup. I'm going to call about my new credit card, but I'm pretty sure they'll tell me politely to piss off. At that time I plan to get out my drill, put a hole in the appropriate place, and test. If it disables Tap and Pay, then all of my cards will get the same treatment.

  • The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless.

    When I got my 2nd new card in a year (Target & Home Depot hacks) it came with the chip. Also the numbers are no longer the pressed-in type and are on the back. Every time I've used it I have to let the person know the last 4 numbers are on the back.

    I'm still hoping more NFC in terminals and more support for Apple Pay. The handful of times I've used that, it's been much fast

    • by dAzED1 ( 33635 )
      "and it is more secure" why on g-d's green earth would you possibly think that, when it can be hacked by someone standing next to you on the bus (as demo'd many times)?
    • The handful of times I've used that, it's been much faster and it is more secure.

      and how did you determine that?

  • I, for one, welcome this innovation!

    As the US demonstrated during the recent massive-clusterfuck-in-a-casino financial meltdown, advances in technology and worker productivity now allow the production of enough fraud to supply the entire industrialized world by a relatively small number of highly trained knowledge workers!

    Why, then, should we have an inefficient, unproductive, labor force of blue collar criminals laboriously committing fraud, by hand, like some sort of pre-industrial master/apprentice
  • According to new research, chip-based "Smartcard" credit and debit cards - the next-generation replacement for magnetic stripe cards - are vulnerable to unanticipated hacks and financial fraud.
    • by green1 ( 322787 )

      The difference is that because these cards are "fraud proof" the bank will refuse to reimburse you for the fraud, and will instead leave you on the hook for the bill. In some cases the banks have actually had people arrested for daring to say that they were the victims of fraud.

      The credit card companies aren't doing this for you, they aren't doing it for security, they're doing it to shift the risk.

      • by Harlequin80 ( 1671040 ) on Wednesday February 18, 2015 @10:38PM (#49084181)


        I have had credit card fraud on a card of mine that had a chip and pin. The crim racked up $25k in flights in a couple of hours. I got a call from my bank asking me about the transactions as it had set off alarms, I said it wasn't anything I had done. Card got cancelled immediately, new card arrived 3 days later and the $25k was immediately refunded. The bank then went through every transaction for the last 3 months and flagged ones they thought were suspicious and once I confirmed they were nothing to do with me those too were refunded.

        My experience has always been very positive when it comes to issues with my cards.

        • by Nutria ( 679911 )

          once I confirmed they were nothing to do with me

          You have a computer and it's the second decade of the 21st century. How did you not see them?

          • Because I have a wife whose card hits the same account and I don't go through my back statements each month. I put EVERY transaction on my credit card, from buying a coffee to parking to supermarket and everything else in between. That means my credit card statement is LONG. Yeah I know I should keep every receipt and check it against the statement at the end of the month but no.

      • In the US the maximum fraud liability for any fraud reported within 24 hours of discovering the card is lost (not from when it was lost) is $50.

        This is federal law, they try to stick you with anything more than $50 and they would be up for some serious penalties and as a result they won't. Most just waive the transactions because alienating a customer for $50 isn't worth it.

        It doesn't matter what the technology or fraud prevention is because they simply can't charge the customer if the customer reports the f

  • Same 16 digit code, expiration date and CCV?

    • Yes no change.

      Australia has had chip and pin systems for the best part of a decade. And prior to that were magstripe and pin. Purchasing online is still just the numbers. same with ordering over the phone.

    • by pla ( 258480 ) on Wednesday February 18, 2015 @10:18PM (#49084101) Journal
      Great question! I had wondered about this myself - How does C&P really make the card more secure if you still basically just need a photocopy of it to use it? Or do they have an entirely different mode of operation when used online (like easy generation of disposable one-use card numbers)?

      Not that it matters - US vendors will fight this to the bitter end. I already have cards with a chip in them (not sure about the "pin" part, since I certainly don't know any pin to use with them), one of which I've had for over five years. And I have *never* found a merchant that it works in any mode other than "swipe and sign". My local supermarket actually has readers compatible with them - And have intentionally disabled that feature because it "confuses" people - Damned straight, it confuses people! It confuses the hell out of me that you've intentionally made your readers insecure, and that after a major breach a few years ago!

      Fuck the PCI, and fuck merchants. Give me security or pay me real penalty-money when your latest data breach results in my identity getting stolen. None of this "$50 maximum liability" bullshit - You lose my identity, BAM, $100k in my pocket. Anything less, and we'll keep hearing about the latest record-breaking breach-of-the-week.
      • by Harlequin80 ( 1671040 ) on Wednesday February 18, 2015 @10:42PM (#49084197)

        My bank has an additional layer of security for when you purchase online. When you purchase with the credit card it spawns a page that comes from my bank. I gave it a personal statement that it uses to show that it is real - ie "Your wife's favourite food is potato chips" and then it asks for a password. If I give the correct password the transaction will go through.

      • It's a combination of things. Sure you can photocopy a card if you can get access to it for long enough but requiring a pin forces the customer to go to the card reader or the card reader to be brought to you. This reduces the window when the card can be photocopied or the magstrip being fraudulently read. Add to that the CC# is tagged as requiring a pin so you can't just put the details onto a blank and use it.

        Online transactions still need the CCV.

        No security is perfect.

      • by dave420 ( 699308 )
        Here in Germany it's a bit weird. Any online banking done through my bank's website requires the use of a separate TAN-generator device. One inserts the card into the side, presses a button, and holds it against a flickering pattern on the screen. After a couple of seconds the device shows the last few digits of the payee's account number and the amount to be transferred/paid, and then a TAN which is typed back in to the website. It gets weird with things like Netflix or Amazon - one can simply enter th
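The transaction binding described in the comment above, as an added example that is not part of the thread and not any bank's actual algorithm: a simplified model in which the TAN is an HMAC over the payee and amount, so a TAN approved for one transfer does not authorize an altered one. The per-card key, challenge format, field layout and account numbers are all assumptions constructed for illustration.

```python
import hashlib
import hmac

TAN_DIGITS = 6  # assumed TAN length for this model


def _derive_tan(card_key: bytes, challenge: bytes, payee: str, amount_cents: int) -> str:
    """Derive a TAN bound to one specific transaction (simplified model)."""
    # Fields are hex/alphanumeric/decimal, so '|' cannot appear inside them.
    msg = "|".join([challenge.hex(), payee, str(amount_cents)]).encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big") % (10 ** TAN_DIGITS)
    return f"{number:0{TAN_DIGITS}d}"


def device_generate(card_key: bytes, challenge: bytes, payee: str, amount_cents: int):
    """Handheld device: show what is being signed, then produce the TAN.

    The display is the user's chance to spot a payee or amount they did
    not intend, independent of whatever the browser shows.
    """
    display = f"...{payee[-4:]}  {amount_cents / 100:.2f} EUR"
    return display, _derive_tan(card_key, challenge, payee, amount_cents)


def bank_verify(card_key: bytes, challenge: bytes, payee: str,
                amount_cents: int, tan: str) -> bool:
    """Bank: recompute the TAN over the transaction it actually received."""
    expected = _derive_tan(card_key, challenge, payee, amount_cents)
    return hmac.compare_digest(expected, tan)


def run_demo() -> dict:
    # Constructed sample values, not real keys or accounts.
    card_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    challenge = bytes.fromhex("a1b2c3d4e5f60718")
    next_challenge = bytes.fromhex("0f1e2d3c4b5a6978")
    intended_payee = "DE00TEST0000000001234"
    other_payee = "DE00TEST0000000009999"
    amount = 4990  # 49.90 EUR

    display, tan = device_generate(card_key, challenge, intended_payee, amount)
    return {
        "display": display,
        # The transfer the user approved on the device.
        "genuine": bank_verify(card_key, challenge, intended_payee, amount, tan),
        # Same TAN submitted with a different payee: rejected.
        "payee_swapped": bank_verify(card_key, challenge, other_payee, amount, tan),
        # Same TAN submitted with a different amount: rejected.
        "amount_changed": bank_verify(card_key, challenge, intended_payee, 499000, tan),
        # Same TAN reused against a fresh challenge: rejected.
        "replayed": bank_verify(card_key, next_challenge, intended_payee, amount, tan),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

A static card number, expiry date and CVV have none of these properties, which is the contrast several comments in this thread draw for card-not-present purchases.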
  • Chase Visa Freedom sent me one of those chipped credit cards a month after I thought about asking for it for upcoming trip to Europe on vacation.

    The instructions that came with it said that there is no pin code for the card and that it still comes with the magnetic strip and can be used normally like that. So it appears that the presence of the chip is only for compatibility and compliance with a new standard not actual security since it falls back to the insecure magnetic strip or even less secure numbers

  • by jd ( 1658 ) on Thursday February 19, 2015 @01:21AM (#49084893) Homepage Journal

    US businesses are as incompetent and insecure as Sony, but can be provoked into taking absolutely minimal action when their profits are under direct threat by sufficiently powerful financial organizations. You mean nothing, you never have, you never will. You have no say, you have no power, you have no rights, you cannot walk away. You aren't the customer, merely the product. Easily replaced if damaged.

    You aren't getting security because security matters. You aren't getting security because you matter. You're getting it because two vendors and a trading bloc said so.

  • by DrXym ( 126579 ) on Thursday February 19, 2015 @05:23AM (#49085621)
    My typical experience as a traveller - I walk up to checkout with an item, present my card, it's swiped, I scrawl a signature on a (usually broken) digital capture device but the cashier never bothers to authenticate the card, or look at the name on it, or ask for id, or match the signature to the card. In a restaurant, the card might even be taken away to be swiped and it doesn't occur to either the restaurant or customers why this might be a bad thing.

    So it's hardly surprising if the US receives the highest amount of fraud. It's trivial to skim the details because it's all stored on the magstripe, stores hold the info in arcane systems, there is no authentication and there is no financial burden on the store if fraud occurs.

    Chip and pin isn't perfect but it's FAR better than the US system. In Europe every business has a chip and pin device. Restaurants have a portable chip and pin device. Supermarkets and stores have one at the cashier. You pay by sticking the card in the device and authenticating with it. There is less scope for the card to be skimmed because the card never leaves the customer's hands. There is less scope for a malicious store because authenticating and authorisation is via a secure payment system.

    Ideally cards wouldn't even have a mag stripe any more. Give businesses 5 years to replace their decrepit equipment and banks to upgrade their ATMs and then get rid of them. Chip and pin and NFC cover the same use cases and provide better security into the bargain.

  • by nospam007 ( 722110 ) * on Thursday February 19, 2015 @09:29AM (#49086585)

    I'm from Europe and I have had such cards for 10 years.

    I was hit twice by thieves, once a hotel reception guy in Rome copied my card details and bought stuff for 4500€ online, another time it was a restaurant in London who did the same thing.

    Both times a simple email was enough to avoid having to pay, but chips don't help there.
    They only make copying the cards themselves a bit more difficult.

    You still have to check your account carefully each time.
