
SoylentNews is people

posted on Sunday February 05 2017, @02:32AM
from the solution:-pay-only-in-rutabegas dept.

Deterred by the security capabilities of chip cards for in-store payments, thieves have turned to online payments instead, either stealing credit-card numbers and passwords or opening new accounts with false credentials, according to recent studies. Botnets also account for some of the biggest increases in online card fraud.

"We predicted this [online fraud increase] would happen following [chip] cards in the banking industry years ago," said Mike Lynch, chief strategy officer at InAuth, a vendor of mobile and browser security products. (InAuth was recently purchased by American Express, but will remain a subsidiary.) Other countries, including Canada and Australia, also saw big jumps in online card fraud after chip cards were adopted, he said.

Lynch said the online fraud increase is probably higher for financial institutions than for merchants, but merchants are more open about the problem and discuss it more freely. "Banks don't typically want to disclose fraud," he said.

The amount of dollars put at risk by online fraud went up 55% from the second quarter of 2015 to the second quarter of 2016, according to the Pymnts.com study. That was a jump from $4.90 to $7.60 per $100 of online sales. For luxury goods alone, the dollars at risk were $12.10 per $100 in sales in late 2016.

Botnets were behind many of these attacks. The rate of attacks by botnets increased by 47% for the same period for all goods and by 87% for luxury goods alone, Pymnts.com said.

-- submitted from IRC


  • (Score: 2) by shipofgold on Sunday February 05 2017, @12:53PM


    The answer is in making sure those who are authorized to make a charge on an account are the ones actually making the charge. Used to be signatures filled that role for in-store purchases, and I am not sure why the merchants stopped checking signatures. I used to have my 5 year old son sign restaurant receipts for fun... he was creative. But in-store purchases and in-restaurant purchases certainly had a "card present" requirement.

    I think the online answer is "chipcard present" is remaining a requirement for high value purchases. You must prove that you have the card in your possession before the transaction is approved. This could be a device that plugs into the USB port on your phone/computer or a trip to the local grocery store/other merchant for a "verification" of the purchase.

    Obviously this would impact sales to some vendors, and you could give vendors the choice of requiring "card present" or not. High value sales might require it, but low value sales would not. If I am making a $500 online purchase I might not find it such a hassle to verify as I would a $5 purchase.

  • (Score: 2, Insightful) by nitehawk214 on Sunday February 05 2017, @04:45PM


    That makes no sense whatsoever. At home there is nobody there to verify the hardware has not been tampered with. How could you possibly prove the USB chip reader was even real? Magic encryption keys on the device? Laughable.

    Heck, even in stores with a cashier or camera watching, machines get tampered with.

    What are you proposing, making every home PC a regulated black box tightly controlled by the government, or worse... Microsoft?

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 0) by Anonymous Coward on Sunday February 05 2017, @06:22PM


      The encryption keys we care about are the ones on the chip itself. The security of the chip-card system is already based on it being difficult to extract the encryption keys stored in the chip on the card. It's not completely unreasonable to have a USB device that would let a computer communicate with that chip for online purchases, but I don't know if there are issues that would make it infeasible.

    • (Score: 2) by sjames on Sunday February 05 2017, @11:54PM


      Some of the chips the banks did not select for use in credit cards are capable of enough processing to require passwords and to sign transaction records presented to them.

      The system they SHOULD use would have the card reader acting as a serial connection to the chip. In-store purchases could be handled entirely by a POS, or the customer might prefer to enter a password and a transaction limit using his own device and then slot the card so the POS can present it with a transaction record to sign.

      Online sales would simply require that the customer somehow sign a transaction record using a key the bank will recognize. One such way would be a dirt cheap USB card interface (dirt cheap since all it needs to do is provide power and a serial port to the chip) and their credit card.

      Since the transaction is driven by the chip on the card, there's no need to trust the PC OR a POS terminal.

  • (Score: 2) by gidds on Tuesday February 07 2017, @02:49PM


    This already exists, and it doesn't use USB or anything else insecure.  It just uses a Chip-and-PIN card.

    See here [wikipedia.org].  (I have a Barclays account, and they sent me the first device pictured there.)

    In fact, all the security is on the card itself; the device is just a way of querying it.  When I log onto the bank's web site, it asks me to insert the card into the device, enter my PIN, read the 8-digit code it displays, and enter that into the web site.  The code is unique and time-limited, so the web site knows I have the card in my possession (along with the PIN).  Similarly, when doing a big transfer or paying someone new, the site asks me to enter my PIN and transaction details, and generate another code; it then knows that someone with the card (and PIN) has confirmed the transaction.

    The device is small, stand-alone and battery-powered, so it can be used anywhere.  And using it simply needs the ability to read the display and type in the codes.

    So far I've only needed this on the bank's web site, but I'm sure it could be extended to other transactions too.  (For those, the 'Verified by Visa' scheme [wikipedia.org] seems to provide some minimal level of security.  If you don't even have that, then of course you'll suffer from fraud.)

    --
    [sig redacted]
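
The idea sjames and gidds describe in the comments above (a key held on the card produces a code over the transaction details, which the bank checks) is sketched here as an added example; it is not code from any commenter and not the actual EMV or bank algorithm. HMAC-SHA256 stands in for the card's cryptogram, and the key, the counter window and the field names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key. In the scheme described it lives only in the card's chip
# and at the issuing bank; the PC, reader or POS terminal never sees it.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def card_code(key, counter, payee, amount_pence, digits=8):
    """Card side: after the PIN check, derive a short code bound to this transaction."""
    # JSON list encoding keeps field boundaries unambiguous before MACing.
    msg = json.dumps([counter, payee, amount_pence]).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class Bank:
    """Bank side: recompute the code and accept each counter value at most once."""

    def __init__(self, key, window=5):
        self.key = key
        self.window = window      # how far ahead of the last seen counter to look
        self.last_counter = 0

    def verify(self, code, payee, amount_pence):
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            expected = card_code(self.key, counter, payee, amount_pence)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter   # burn this and all earlier counters
                return True
        return False


def demo():
    bank = Bank(CARD_KEY)
    code1 = card_code(CARD_KEY, 1, "12345678", 50000)   # user approves 500.00 to 12345678
    code2 = card_code(CARD_KEY, 2, "12345678", 50000)
    return [
        bank.verify(code1, "12345678", 50000),  # genuine: accepted
        bank.verify(code1, "12345678", 50000),  # replayed code: rejected
        bank.verify(code2, "99999999", 50000),  # payee altered in transit: rejected
        bank.verify(code2, "12345678", 50000),  # untampered second payment: accepted
    ]


if __name__ == "__main__":
    print(demo())
```

Because the payee and amount are inside the MAC, a compromised PC that rewrites the payment after the user typed the code ends up with a code the bank rejects.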