Jump to content

U.S. retailers insist on PIN requirement in smartcard rules

Guest

By Guest
in The Restaurant at the Edge of the Universe

 Share

Recommended Posts

Guest LilBambi

Guest LilBambi

Posted
Posted

Chip without PIN doesn't offer full protection for consumers, they say; Visa, Mastercard argue that PIN isn't needed

 

Of course a PIN should be required. They always try to dumb everything down. And make things insecure in the process.

Link to comment
Share on other sites
crp

crp

Posted
Posted (edited)

Of course a PIN should be required. They always try to dumb everything down. And make things insecure in the process.

I don't think you are addressing the concerns of the creditcard companies. To them, the amount of fraud that occurs to people faking signatures is but a pittance to the problem of creditcards that are not real. That is where the chip comes in. Much harder to fake those than the magnetic stripe, and much harder to manipulate the chip.

Now, imagine the frustrations of having a customer at the check out line and having everything in order and then forgetting the PIN. I would think the creditcard companies would much prefer having signature provisions then dealing with customers calling in all day and night to get their PIN changes. And imagine the trouble with making sure the phone calls aren't social engineering tricks.

Edited by crp
Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

I think I am answering it pretty well. It's worked well enough with requiring pin and/or zipcode with the old magnetic strips at gas pumps for years.

 

Maybe require a PIN and signature for anything over $50 would make them happy?

 

Don't forget that many convenience stores run the card and hand you a receipt with no authentication of any kind up to about $10 or $15 already with the magnetic strips ones.

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

I've seen "no signature required for purchases up to 35.00. I don't think requiring a PIN on the card is going to be that big of a deal. It is good security. We do this every day in the US Military with our Common Access Cards.

 

Most cards have PINs already for ATM access.

 

Adam

Link to comment
Share on other sites
crp

crp

Posted
Posted

On automated machines the signature can not be checked. The gas stations I use do not ask for zip code when using creditcard at the counter, they check the signature. Odd, gasoline they check any amount but in the store section less than $35 they don't check.

Link to comment
Share on other sites
crp

crp

Posted
Posted

When I pay at the pump, which is generally what I do, the pump software sometimes ask for PIN and/or zipcode before authorizing.

were I live, debit card - PIN, creditcard - zipcode .
Link to comment
Share on other sites
ebrke

ebrke

Posted
Posted (edited)

When I pay at the pump, which is generally what I do, the pump software sometimes ask for PIN and/or zipcode before authorizing.

were I live, debit card - PIN, creditcard - zipcode .

I really find this interesting. I've never to my recollection been asked for any information aside from my signature, and frequently not even that (haven't signed for gas purchase in years), anywhere I used my credit card(s) in my home state. Only one retailer used to ask for a zip on credit card purchases, and I always thought that was a marketing thing--maybe I was wrong--and even that retailer stopped asking several years ago. Debit card used as debit card would require pin, but if used as a credit card, same as above, nada. Edited by ebrke
Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Asking for PINs and/or Zipcode is generally at the pump only.

 

And I am sure Adam is right about the $35 before being asked for a signature ... at least at many places.

 

Some always ask for a signature. But never at the gas pump.

Link to comment
Share on other sites
abarbarian

abarbarian

Posted
Posted

here in the UK we have had mandatory pin numbers for all cards for some years with no difficulty. mind you we have an excellent education system and brits are quite bright so remembering a four digit number is not a challenge for us. :devil:

  • Like 1
Link to comment
Share on other sites
ebrke

ebrke

Posted
Posted

here in the UK we have had mandatory pin numbers for all cards for some years with no difficulty. mind you we have an excellent education system and brits are quite bright so remembering a four digit number is not a challenge for us. :devil:

You made me think of what happened today while I was getting my hair cut. An elderly woman was trying to pay using her debit card, and didn't get her pin right. The owner then put the card through as a credit card (no PIN), and it was accepted. All I could think was if anything should look like fraud to a card issuer, that transaction should have.
  • Like 2
Link to comment
Share on other sites
abarbarian

abarbarian

Posted
Posted

You made me think of what happened today while I was getting my hair cut. An elderly woman was trying to pay using her debit card, and didn't get her pin right. The owner then put the card through as a credit card (no PIN), and it was accepted. All I could think was if anything should look like fraud to a card issuer, that transaction should have.

 

Here in the UK we have separate cards for debit and credit. Debit cards are the best as if you have no loot in the bank your card will not let you overspend. Credit cards are best used as a very last resort in emergancies or for on-line purchases as they offer more buyer protection and you are not giving your bank details to everyone so it is a slight security buffer.

Old folk pose a problem to security due to forgetfulness and this can leave them open to abuse. they have the same or similar problem if they use cash though. A difficult problem to solve.

If I was world ruler I would take out anyone ripping of old folk and stand them up against a wall and shoot them.Quick clean and effective and a very cheap solution.

Dc0ZWCf.gif

Link to comment
Share on other sites
crp

crp

Posted
Posted

You made me think of what happened today while I was getting my hair cut. An elderly woman was trying to pay using her debit card, and didn't get her pin right. The owner then put the card through as a credit card (no PIN), and it was accepted. All I could think was if anything should look like fraud to a card issuer, that transaction should have.

Transaction fraud is much less of a problem than physical card fraud to the card issuers. The assumption is made in such situations that ID and signature were inspected before card went through as a credit charge.
Link to comment
Share on other sites
ross549

ross549

Posted
Posted

Yes, they will be made, and folks could get into trouble.

 

But this is a case of risk mitigation. By switching to chip and PIN, the industry is mitigating a significant number of problems with mag stripe transactions. It will be much more difficult (I am not suggesting in any way it will be impossible) to duplicate the chip on the card than a simple mag stripe.

 

There is no way to completely secure all transactions without completely overhauling the payment systems in use by all vendors. It would be impossible to do so without a significant disruption to the world's combined economies. This is a step in the right direction, but just that. A step.

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

I am all for chip and PIN if we have to use these cards.

 

I keep mine in a case where they can't leak either way, but requiring a pin isn't going to hurt anyone.

Link to comment
Share on other sites
ebrke

ebrke

Posted
Posted

By switching to chip and PIN, the industry is mitigating a significant number of problems with mag stripe transactions.

What about the situation of pirate hardware attached to a POS device that fraudulently captures the PIN from each swiped card? Would having the chip mitigate this?
Link to comment
Share on other sites
ross549

ross549

Posted
Posted

There is no panacea when it comes down to transaction security. As I said earlier.....

 

There is no way to completely secure all transactions without completely overhauling the payment systems in use by all vendors. It would be impossible to do so without a significant disruption to the world's combined economies. This is a step in the right direction, but just that. A step.

 

Sure, a chip skimmer would possibly have security complications, but I do know having a PIN makes it much harder to be able to execute a transaction without the PIN. It does nothing, however, for transactions online- only POS terminals.

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

The Chip in Chip and PIN is RFID is it not?

 

 

Although not ALL RFID blocking cases/cages are created equally and some don't block entirely, there is apparently a way to block it entirely (noted in BOLD below):

 

Shields or wallets marketed as RFID-blocking devices can make it more difficult for someone with an electronic reader to read your cards, but they don’t entirely block transmission of card data. When Recursion’s security experts tested 10 types of shields and wallets currently being sold to protect contactless cards, they found that none blocked the signal completely, and there was dramatic variability even among samples of the same brand. Using a different approach, Recursion’s experts created a credit-card-sized jamming device for the wallet that prevents cards from responding to any reader.

 

Our reporter offered her own homemade shield constructed of duct tape and lined with aluminium foil. It provided better protection than eight of the 10 commercial products, including a stainless-steel “RFID blocking” wallet selling online for about $60.

 

 

 

But when I looked it up, Recursion RFID credit card jammer is missing in action?!

 

Apparently each one has their own frequency too which makes it hard for the jammers...

 

But there is also this:

 

Make a Faraday Cage Wallet - WikiHow

 

Sans Recursion's jamming device, it looks like the reporter's homemade duct tape and aluminum foil seemed to do better than $60 RFID blocking wallets sold online...

 

:whistling:

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

Chip and PIN is simply a storage chip on the card. You have to physically insert the card into a smart card reader to get any data off. RFID is that goofy low power chip +antenna.

 

The chip is simply another way (probably poorly encrypted) to store the number on the card. I'd bet the PIN unlocks the credit card number from the [probably poorly] encrypted blob on the chip.

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted (edited)

Chip and PIN to replace magnetic strips here.

 

Chip and PIN is the brand name adopted by the banking industries in the United Kingdom and Ireland for the rollout of the EMV smart card payment system for credit, debit and ATM cards. The word "chip" refers to a computer chip embedded in the smartcard; the word PIN refers to a personal identification number that must be supplied by the customer. "Chip and PIN" is also used in a generic sense to mean any EMV smart card technology which relies on an embedded chip and a PIN.

 

OK, sorry. I was thinking CHIP and PIN were being used in tandem with RFID.

 

The basics of chip-and-PIN credit cards - WashingtonPost

 

How are chip-and-PIN cards different from RFID credit cards?

 

RFID, or radio-frequency identification, cards are contactless. They have a chip and radio antenna that transmit account information, raising concerns (which people are still arguing about years after the cards were introduced) that criminals may use readers to skim consumer details. Chip-and-PIN cards work only when inserted into a merchant’s reader.

 

They work like the old credit cards before smartcards with RFID, except they have a chip instead of magnetic strip, and require a PIN to be used.

 

Gotcha!

Edited by LilBambi
Link to comment
Share on other sites
zlim

zlim

Posted
Posted

The problem I foresee with PINs is that we have 3 different credit cards and two ATMs (same bank but we both use different PINs). Now I'll have to some how remember what PIN goes with what card. Just me getting older and my memory not as good as it used to be. (My husband will expect me to know the PIN on every card. <sigh>)

We have 3 cards because I carry one, my husband carries another and the third is only used on the internet. We do this especially when traveling in case one of us gets a purse or wallet stolen, we do not have to cancel every credit card.

 

Just like passwords, I will not use the same PIN on any of the cards.

Link to comment
Share on other sites
abarbarian

abarbarian

Posted
Posted

The problem I foresee with PINs is that we have 3 different credit cards and two ATMs (same bank but we both use different PINs). Now I'll have to some how remember what PIN goes with what card. Just me getting older and my memory not as good as it used to be. (My husband will expect me to know the PIN on every card. <sigh>)

We have 3 cards because I carry one, my husband carries another and the third is only used on the internet. We do this especially when traveling in case one of us gets a purse or wallet stolen, we do not have to cancel every credit card.

 

Just like passwords, I will not use the same PIN on any of the cards.

 

You could do ,

 

1234

1235

1236

or

5091

5092

5093

or some such system to make life easier. :breakfast:

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...