
posted by cmn32480 on Wednesday December 14 2016, @08:01PM
from the pumping-up-security dept.

According to an article in BankInfo Security, Visa and Mastercard have given fuel pump terminal vendors an additional 3 years to add support for EMV.

Visa and MasterCard announced this week that they are pushing back their liability shift dates for counterfeit card fraud that results at non-EMV chip-compliant U.S. pay-at-the-pump gas terminals to October 2020 from October 2017.

That news is an early Christmas gift for convenience-store operators and the petrol industry, even if it leaves issuers on the hook three years longer for counterfeit fraud that might result from a hack or skimming attack at self-serve gas pumps.

But I wonder how much fuss issuers will make about the extension. Counterfeit card fraud at gas pumps pales relative to retail point-of-sale and ecommerce fraud. And despite what we heard five years ago about pay-at-the-pump skimming reaching nearly "epidemic" proportions, we hear much less about it today. That's not to say it's gone away, by any means; but it no longer appears to be a looming epidemic.

Visa and MasterCard made the right decision to give gas pumps a break on EMV. The question now is, will the three year extension be enough?


  • (Score: 3, Insightful) by Anonymous Coward on Wednesday December 14 2016, @08:55PM

    by Anonymous Coward on Wednesday December 14 2016, @08:55PM (#441419)

    So the pumps in New Jersey, where you're not *allowed* to pump yourself (and some other backwater states) will work how when this time period expires? A wire-connected pin pad shoved in front of your ass while you're sitting in the car? Some device that can easily be used to skim your data because who knows what it's connected to... whether that is wired or wireless.
    Or will I be deemed 'capable enough' to start pumping in NJ myself? (not likely)

  • (Score: 2) by VLM on Wednesday December 14 2016, @09:10PM

    by VLM (445) on Wednesday December 14 2016, @09:10PM (#441425)

    I have never seen a chip-n-PIN in the wild in the USA although I assume it would be just as convenient as using a checking account debit card with a PIN number today.

    I have, and have used, chip-n-sig in the wild at actual retailers (well, a retailer) and I would guess we'll be signing gas station pumps in the future, I don't see any way around it.

    The only legacy brick and mortar store I know of for certain that has a working chiphole is Home Depot. Not my gas station or grocery store or any restaurant or nuthin. Home Depot that's all.

    • (Score: 0) by Anonymous Coward on Wednesday December 14 2016, @09:14PM

      by Anonymous Coward on Wednesday December 14 2016, @09:14PM (#441427)

      You must live in a backwater... 90% of shops in my neck o' the woods have the chip reader and of that 90%, about 80% (so 80% of 90 to be clear) have it working.
      I have no idea where all you idiots live that you (can) keep complaining about that chip not working.

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday December 14 2016, @09:19PM

      by Anonymous Coward on Wednesday December 14 2016, @09:19PM (#441431)

      It's getting better around here. It is about 50/50. The mom and pops are starting to catch up. They have had the hardware since early last year. Most have a note which way to go. It is the clearing houses that have been dragging the issue out. The only big retailer around me that has not caught up is Sears/Kmart.

      My bet is Gilbarco (gas pump manufacturer) does not have the readers and backend infrastructure yet for it.

      The mom and pop shops mostly do not own the pumps anyway. It is the large conglomerates that own the gas that own them. Most mom and pops are suckers who 'bought' a 'franchise' and are stuck with all the bills and none of the profit. They usually run the pumps but do not own them. The gas companies (Shell, Exxon, BP, etc) are the ones who own them.

    • (Score: 2) by LoRdTAW on Wednesday December 14 2016, @11:19PM

      by LoRdTAW (3755) on Wednesday December 14 2016, @11:19PM (#441463) Journal

      The wally world on Long Island has them. So do all of the Home Depots in the metro NY area. Same for many small mom and pop shops with the little hand held readers. I've also seen it in big chain pharmacies like Rite Aid and I'm sure others.

      • (Score: 2) by LoRdTAW on Wednesday December 14 2016, @11:22PM

        by LoRdTAW (3755) on Wednesday December 14 2016, @11:22PM (#441464) Journal

        Wait, I just realized you are referring to two factor chip *and* PIN. The chip readers are all over but none require a PIN when using a credit card. In fact, I don't have a PIN for my credit card. However, if using a debit card, you do in fact use the chip and PIN.

        • (Score: 2) by takyon on Wednesday December 14 2016, @11:38PM

          by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday December 14 2016, @11:38PM (#441469) Journal

          If you are getting PINned while using a credit card, that's probably a sign you are about to get charged out the ass for cashback or some obscure feature.

          --
          [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 2) by Appalbarry on Thursday December 15 2016, @12:24AM

          by Appalbarry (66) on Thursday December 15 2016, @12:24AM (#441481) Journal

          Apropos of nothing, up in Canada, the GF still has a Mastercard that demands signature every time. She tried to get it changed to a PIN, it proved to be beyond the skills level of the bank employees in the branch, and she can't be bothered trying again.

          Seriously, when was the last time that any card issuer actually looked at a signature unless there was an actual claim of fraud? And even if they did, what good would it do them to determine that they had a bogus signature?

          I expect that your average credit card thief knows too well that you can scribble pretty much anything on the credit card slip.

  • (Score: 0) by Anonymous Coward on Wednesday December 14 2016, @09:36PM

    by Anonymous Coward on Wednesday December 14 2016, @09:36PM (#441434)

    So the pumps in New Jersey, where you're not *allowed* to pump yourself (and some other backwater states)

    Oregon is the other state that you're thinking of. Apparently all those fixie riding hipsters assume that gasoline can only be handled by "professionals".

  • (Score: 2) by bob_super on Wednesday December 14 2016, @09:50PM

    by bob_super (1357) on Wednesday December 14 2016, @09:50PM (#441440)

    Hey, do you know how I've paid in European restaurants for the last quarter century?
    After waiting for hours to get her attention, you tell the waitress you don't need the check because you know how to add (tax and tips included, round numbers).
    She brings you the card terminal, which looks like a printing calculator. She types the amount and puts the chip in, hands it to you for the code.
    5 seconds later, the card has authorized the code, you pull your card out, which never left your sight, and the receipt is printing.
    Done.
    Again: a [bleep]ing quarter of a century of having figured it out.

    • (Score: 2) by Scruffy Beard 2 on Wednesday December 14 2016, @11:05PM

      by Scruffy Beard 2 (6030) on Wednesday December 14 2016, @11:05PM (#441460)

      Technically, those terminals are never supposed to leave the sight of the waitress.

      I have been told by the owner of one of my former ISPs that the payment processors were very reluctant to send terminals to small businesses, presumably due to the possibility of tampering.

      • (Score: 2) by opinionated_science on Wednesday December 14 2016, @11:25PM

        by opinionated_science (4031) on Wednesday December 14 2016, @11:25PM (#441465)

        Yes, in Europe this is the standard - card never leaves your sight.

        Here in the USA, I was in Miami and the gas station skimmed my card. Did some googling and it had been reported on the local news over 6 months previous.

        In essence, CC companies are the middle men that just pass the costs on to us suckers.

        Google/Apple/Whatever pay from bank accounts, might upset that if widespread enough.

        Google Pay uses a virtual account number, so it is impossible to skim. Surely, that would be trivial for banks to add?

        Oh right, not in their interests to let you get fraud free payment, as they probably don't get a kick back....

        • (Score: 2) by Scruffy Beard 2 on Wednesday December 14 2016, @11:36PM

          by Scruffy Beard 2 (6030) on Wednesday December 14 2016, @11:36PM (#441468)

          I think you missed my point.

          Yes it is good that replay attacks are shut down, but the card must trust the payment terminal.

          If the payment terminal skims your PIN, have fun proving it: the burden is now on you, the customer. (Though in practice, I suspect they would notice if the same location generates many complaints).

  • (Score: 2) by theluggage on Wednesday December 14 2016, @11:29PM

    by theluggage (1797) on Wednesday December 14 2016, @11:29PM (#441467)

    So the pumps in New Jersey, where you're not *allowed* to pump yourself (and some other backwater states) will work how when this time period expires?

    Same as (I presume) the current routine - you pay them the cost of the gas, no more, no less, in honest-to-God American dollar bills. Only way to be sure that, if they turn out to be passing criminals posing as gas attendants, they won't get any more than the cost of the gas (although you might have a repair bill when you find out what they actually filled your tank with).

    A wire-connected pin pad shoved in front of your ass while you're sitting in the car?

    So what happens at the moment? Is it like a (USA*) restaurant where you hand over your card and they disappear with it for a couple of minutes (plenty of time to xerox both sides including the handy specimen signature on the back)? Yeah, that's way more secure.

    * As others have said, here in the Rest Of The World we've been happily using chip & PIN for over a decade - including wireless terminals in restaurants etc. - and one of the good things about it is your card never leaves your hand.

    • (Score: 2) by ledow on Thursday December 15 2016, @12:32PM

      by ledow (5567) on Thursday December 15 2016, @12:32PM (#441573) Homepage

      Indeed.

      I insist, if they say their wireless terminal is down, that I follow the card. Whether that's me standing the other side of the bar while they swipe it behind the bar, or me going to wherever they intend to authorise my card.

      They refuse? Not had one refusal yet, but it would result in non-payment.

      I'm offering you a payment method. I have no other payment method (I don't carry cash). If you think you should call the police, do so - because if "the card computer is in some back room" - guess what? I come in that back room with my card, or you don't get paid.

      But, the wireless terminal not working is rare, and nobody has ever refused to let me follow my card.

      The fact that you HAVE NO IDEA that the box you're typing your PIN/entering your card into is actually from the bank is neither here nor there - man in the middle attacks can happen any number of ways, no matter how much technology is involved.

      • (Score: 0) by Anonymous Coward on Thursday December 15 2016, @03:18PM

        by Anonymous Coward on Thursday December 15 2016, @03:18PM (#441623)

        The fact that you HAVE NO IDEA that the box you're typing your PIN/entering your card into is actually from the bank is neither here nor there - man in the middle attacks can happen any number of ways, no matter how much technology is involved.

        But it doesn't even matter, since chip+pin is properly two-factor. Knowing the PIN means nothing unless you also have possession of the card.

        • (Score: 2) by ledow on Thursday December 15 2016, @03:52PM

          by ledow (5567) on Thursday December 15 2016, @03:52PM (#441643) Homepage

          Tell me how you would know if they ran two transactions on your card, rather than one, using a PIN recorded from a fake PINPad which relays the PIN / card interface to TWO card readers in different places (e.g. over the Internet).

          Or even fake the amount you're authorising by providing you with a dummy terminal that says $2.00 and records your PIN but pulls the chip-pins through to the bank terminal unaltered with a transaction for $200 and presses the same buttons for your PIN.

          • (Score: 2) by theluggage on Thursday December 15 2016, @06:09PM

            by theluggage (1797) on Thursday December 15 2016, @06:09PM (#441701)

            Tell me how you would know if they ran two transactions on your card, rather than one, using a PIN recorded from a fake PINPad which relays the PIN / card interface to TWO card readers in different places (e.g. over the Internet).

            Because a chip & pin card is not just a regular card with the magstripe data stored on a ROM chip. Here's an example that might help:

            My bank supplies me with a cheap-and-cheerful, self-contained card reader (no WiFi or cellular, no connection to my computer - just a 10-digit display and a keypad) which their online banking site uses to check my identity when I want to make certain transactions. Here's how it works:

            1. I plug my card into the reader and punch in my PIN. That "unlocks" the card.
            2. The bank website sends me a random challenge code which I punch into the reader.
            3. The chip on the card "signs" the challenge with the key stored on the chip and displays a response.
            4. I type the response into the website to authenticate.

            So, the PIN doesn't leave the reader, and the key doesn't leave the chip. You can't simply "clone" a card or send the same information twice.

            OK, so in practice it's a complex system, and there have been vulnerabilities [bbc.co.uk] - in that case the fault was in ATMs that were sending a predictable challenge code, so a clever crook with a gimmicked reader could collect the response from someone's card in advance. However, you have to balance these technically sophisticated cryptographic MITM attacks using modified hardware against the old system where crooks just needed to copy the card number and a rough approximation to your signature while they, legitimately, had physical possession of your card.

            The biggest vulnerability of chip'n'pin cards is that they still have to support swipe + pin or "cardholder not present" payments over the phone/internet.

            Daft really - people obsessing over high-tech cryptography apps while still happily giving their card number out over the phone...
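
The four-step challenge-response flow described in the comment above, as an added example that is not part of the original thread and is not the real EMV/CAP algorithm: HMAC-SHA256 stands in for the chip's cryptogram, and `Card`, `Bank`, `demo`, the key and the PIN are hypothetical. It shows a captured response being rejected against a fresh challenge, and a verifier with predictable challenges accepting a response that was produced before it asked.

```python
import hashlib
import hmac
import secrets

def _code(key: bytes, challenge: str) -> str:
    # Stand-in for the chip's "signature": truncated HMAC-SHA256 as 8 digits.
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Card:
    """Toy chip: the key never leaves this object, only responses do."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._unlocked = key, pin, False
    def enter_pin(self, pin: str) -> bool:     # step 1: PIN checked locally
        self._unlocked = hmac.compare_digest(pin, self._pin)
        return self._unlocked
    def respond(self, challenge: str) -> str:  # step 3: answer the challenge
        if not self._unlocked:
            raise PermissionError("card is locked")
        return _code(self._key, challenge)

class Bank:
    """Verifier holding the same key; each challenge is valid once."""
    def __init__(self, key: bytes, predictable: bool = False):
        self._key, self._predictable = key, predictable
        self._counter, self._pending = 0, None
    def new_challenge(self) -> str:            # step 2: issue a challenge
        self._counter += 1                     # counter models the flawed ATMs
        value = self._counter if self._predictable else secrets.randbelow(10**8)
        self._pending = f"{value:08d}"
        return self._pending
    def verify(self, response: str) -> bool:   # step 4: check the response
        pending, self._pending = self._pending, None
        return pending is not None and hmac.compare_digest(
            response, _code(self._key, pending))

def demo():
    key = secrets.token_bytes(16)              # constructed sample key
    card, bank = Card(key, "4921"), Bank(key)  # constructed sample PIN
    card.enter_pin("4921")
    old = card.respond(bank.new_challenge())
    fresh_ok = bank.verify(old)                # answer to the live challenge
    bank.new_challenge()
    replay_ok = bank.verify(old)               # same answer, new challenge
    weak = Bank(key, predictable=True)
    early = card.respond("00000001")           # computed before the bank asks
    weak.new_challenge()
    return fresh_ok, replay_ok, weak.verify(early)
```

The last value returned by `demo()` is the failure mode: only the verifier with predictable challenges accepts the early response, which is why the challenge has to be unpredictable as well as single-use.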