New Identity Theft Technology Fails to Protect
Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"
As the T-shirt says (Score:5, Insightful)
Re:As the T-shirt says (Score:3, Funny)
Work in progress (Score:2, Funny)
They're working on it. It's called Smack-Me-Smart.
They take people who are stupid, like really stupid, can't get any dumber stupid.
Then they hit them, until the stupid comes right out.
This process is often implemented in 3rd World Countries and states like Texas and Florida, onto children and wives.
The process is not yet perfected, but it is a work in progress.
Re:human-stupidity-fix.diff (fixed formatting) (Score:2)
Unfortunately the Microsoft patch crashed the system.
But nobody could tell.
It was said better... (Score:5, Insightful)
and earlier, by Schneier:
"If you think technology will solve your security problems, either you don't understand the technology, or you don't understand the problems."
Re:It was said better... (Score:3, Informative)
Credit Card prank (Score:2, Interesting)
It's very funny, until you realize the implications. I no longer make my signature on credit card receipts anything like the one on my card. Why bother?
Re:Credit Card prank -LINK included now (Score:3, Funny)
http://www.zug.com/pranks/credit_card/ [zug.com]
Re:Credit Card prank (Score:2, Informative)
Since chip and pin was introduced they barely look at the card (many don't even take it from you - they just ask you to put it in the card reader).
Re:Credit Card prank (Score:3, Informative)
I remember when something similar happened over here. I was working as a cashier at the local supermarket during summer and winter breaks. Up to one summer everything with credit cards was done by us at the register, there is a keypad for entering pins directly across from us. That winter there are card readers installed, the generic for credit and debit cards ones you see everywhere now and they were further away from us, so
Re:Credit Card prank (Score:3, Insightful)
The obvious answer is to put the chip into the person, rather than into a card the person carries. That makes it a lot harder, although I suppose not impossible to steal. Implantable chips have been in use for animals for a while already. RFID and other readout methods exist for these chips. In combination with biological data, such a system would be considerably harder to circumvent.
This sort of thing was pr
A friend of mine... (Score:2)
But this all does bring me to a question I've had: what's the point of that number on the back of the card? I mean it's just one more piece of information, sure, but it's not any harder to obtain than the card number and expiration date.
So what practical benefit does it really offer?
Re:A friend of mine... (Score:2)
Re:Credit Card prank (Score:2)
Signatures are a laughably stupid "security precaution" in the first place, that's why nobody looks at them, and you don't even need them to order online (including over the phone).
Does that surprise anybody? Considering the would-be thief has the signature right in front of their face? It's like a password challenge in which the prompt includes the password.
But so what? Cash never had ANY notion
Always a way! (Score:3, Interesting)
Re:Always a way! (Score:2)
Re:Always a way! (Score:3, Interesting)
I would never go for an embedded "credit card chip" either - having your wallet stolen is one thing, but having the part of your body with the chip in it swiped is quite another (I'm being serious - there has been at least 1 case I am aware of in which a carjacker cut off the car owner's finger for the fingerprint because it had a newfangled fingerprint scanner ins
Re:Always a way! (Score:2)
Re:Always a way! (Score:3, Interesting)
You're talking about a device stuck under the skin that's going to blast out EM radiation into you 24/7, continuously, or pulsed every few minutes. I can't see that as being very healthy.
Re:Always a way! (Score:3, Interesting)
yes, there should be a second level of security, I'm not for imbedded in my skin chips, perhaps a 2nd pword/pin or 2nd chip also carried on your person in a place other than where the card is carried. If it's small enough it could be attached to anything you have with you everyday, on a keychain, in a watch, in a piece of jewelry or cont
Re:Always a way! (Score:2)
I wonder if people would go for this? Mark of the Beast indeed.
Credit card companies don't care (Score:5, Insightful)
As a glaring demonstration of how unconcerned credit card companies are about theft, on the same credit card I had someone fraudulently use it three times. Each time I asked for a new card with a new number on it. Each time the issuing bank (Citibank) said, "Let's just wait to see if it happens again". I had to insist on the third time because I was sick of dealing with it.
When they can just pass costs onto merchants and consumers, is it any wonder they're designing ineffective solutions?
Re:Credit card companies don't care (Score:3, Informative)
Really? Cool (Score:2)
Re:Really? Cool (Score:4, Insightful)
The only responsibility the merchant has is that if he does too many fraudulent transactions percentage-wise, the card handling service he goes through may drop him, and he'll have to find another. I don't know if the card service eats the fraud or if the bank does in those cases. Either way, the merchant is always paid. It's this guarantee that makes a merchant willing to only get like 97% of the purchase price without the right to charge extra for credit purchases. (extra charges for credit purchases are against the credit card processing rules)
Another somewhat unknown fact is that if someone steals your card or through any other circumstances charges to your cc #, you can be held partly liable. The banks can make you pay up to $50 of the balance of "disputed charges". From the three or four people I've seen get their cards stolen though, the bank usually eats the $50 they could otherwise push on the consumer. I find this very odd for a bank to be generous to the tune of $50, but for some reason they do it. They probably make well over $50 in interest for most card holders during any 2 year period, so for them it's probably better to roll on the $50 and keep them using their plastic.
The first thing you need to do if your card is missing is report it lost. The $50 limit applies only to unauthorized charges made before the card is reported lost. Anything after that is entirely the responsibility of the bank.
Re:Really? Cool (Score:3, Interesting)
"Dear Sir,
Seeing as your card and your PIN were used for this transaction, you must have written your PIN down or something. Your problem.
Kind regards,
Your bank."
Now you have to take the bank to court. Should put off anyone claiming less than a few hundred pounds.
Re:Really? Cool (Score:2)
The other problem with chip and pin cards is that the thief no longer has to go off and practice your sig anymore (giving you more time to notice your card's gone). They can just enter a number and be done with it.
Re:Really? Cool (Score:2)
I have to take issue here. I think PIN numbers can be forged perfectly, and signatures can be forged less perfectly.
What you REALLY mean is that PIN numbers aren't written on the card, signatures are. If they implemented a system of scanning everyone's signature, putting them on a database and having the signature show up on the cashier's register after they scanned the card, instead of having the signature written on the card itself, security also would
Re:Credit card companies don't care (Score:2)
I could be wrong, but I thought in this case the card owner could be liable because they obviously didn't protect their PIN well enough.
Re:Credit card companies don't care (Score:2)
Re:Credit card companies don't care (Score:2)
embedded identity (Score:4, Interesting)
I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social engineering which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect.
For example, assuming that thieves can get around biometric data. What is going to stop them from removing a "read-only" chip and installing a "read/write" chip?
Re:embedded identity (Score:2)
Back to basics (Score:4, Interesting)
If it does work outside of your body, it won't work inside your body. There is no absolute way to prove identity. It's a bummer, I know.
You can prove (within acceptable limits) that some biometric data (like a DNA sample) comes from you, but there is a gap between that information and identity. Identity is solely a "web of trust" issue. Trying to solve identity theft with some piece of information (like a password) or biometric data (like a fingerprint) will only raise the bar for identity theft.
Re:Back to basics (Score:3, Funny)
s/If it does work outside of your body/If it doesn't work outside of your body/
Take my cards, don't rip my arm away !!! (Score:5, Insightful)
Re:Take my cards, don't rip my arm away !!! (Score:2, Interesting)
Care to back that up with sources? (Score:2)
The absolute majority of RFID tags that could be embedded under your skin are passive devices with no power source. ie: they only respond when interrogated by an external device and they really don't care whether they are alive, dead or even still attached to your body.
Active tags which have a power cell are around the size of a 10 penny piece are wholly unsuitable for placing under the skin and, of course, would require a minor operation every time the battery needed changing. (Oh, and just *pray* the cell
Re:Take my cards, don't rip my arm away !!! (Score:4, Funny)
I mean, you'd be sitting there trying to staunch the flow of blood as they run off with your finger, chuckling to yourself, and muttering "Those fools. They don't even know it won't work. What a bunch of idiots. I'm way smarter than them."
Re:Take my cards, don't rip my arm away !!! (Score:2)
Re:Take my cards, don't rip my arm away !!! (Score:2, Funny)
Eye gougings are up 20% this month since the introduction of the new Visa-Eye card, which owes its high security to the uniqueness of the user's iris pattern.
Re:Take my cards, don't rip my arm away !!! (Score:3, Informative)
Prior art [bbc.co.uk]
Credit Cards (Score:4, Insightful)
There is no substitute for hard Commonsense. Signatures are meaningless. Retailers are interested in making the sale and not annoying the customers with suspicion.
In my case, my signature cannot fit on that tiny space provided on the credit card, and so resembles nothing like it. Most clerks will make a perfunctory "check" of signatures, if they even bother.
Regard your credit card like you would cash, since there is little more security involved. Though, most institutions that issue Credit Cards and increasingly Debit Cards will give you a chance to dispute charges and have them removed.
Re:Credit Cards (Score:5, Informative)
Re:Credit Cards (Score:3, Insightful)
The result of the first is that you may have to limit purchases for a while. The result of the second is that transactions in progress (bills, taxes, and other debts paid) may fail. You will likely be held
"New technology"? (Score:3, Informative)
Dr Finch says criminals have told her how they now look over people's shoulders to see a person's pin being entered on a keypad and then attempt to steal the card at a later date.
It's called shoulder surfing [wikipedia.org], hardly new.
Re:"New technology"? (Score:2)
Very true. The difference is that Chip and PIN now actively encourages shoulder surfing, as the retailer will not worry as long as the PIN is correct. Someone taking the card early on a Saturday will pretty much have all the rest of the day to make valid transactions (at other stores) before the owner notices the loss and gets the card blocked.
One Time and for All (Score:5, Interesting)
I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.
One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just too low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?
Wait one minute, you're not Doc Ruby (Score:3)
Moderator! Moderator! Moderator!
Take this imposter away!!!!
Re:Wait one minute, you're not Doc Ruby (Score:2)
Re:Wait one minute, you're not Doc Ruby (Score:2)
All the more reason to go cash (Score:5, Interesting)
Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.
Re:All the more reason to go cash (Score:4, Interesting)
I probably shouldn't have used "return" above, as you might think I'm referring to financial investing. I'm not. A return would be to reduce your commute time by 2-5 minutes, allowing you to sleep a bit later. The risk you add is driving faster and closer to the car in front of you than conditions would otherwise permit because you have ABS and air bags. Or reducing the effort required to mow the lawn by getting a self-propelled lawnmower, and then using a velcro strap to lock it in the "on" position so you can mow one-handed, closer to that steep hillside, increasing the chance that you and the (locked-on mower) will careen down the bank, cutting out chunks of your [insert appendage here] and destroying your neighbor's [insert anything valuable here].
Re:All the more reason to go cash (Score:2)
If you were on your way to buy a high spec laptop, for example, I'd be just as happy with the cash, thank you.
I'd also like you to do things like checking into a decent hotel, booking a flight, renting a car without using your credit card.....
It's all about liability (Score:5, Interesting)
Sometimes I would try and explain the catch.
Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.
That is -- if someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.
However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.
In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?
Re:It's all about liability (Score:2)
When I used to work for a company making magstripe & PIN systems in New Zealand 8 years ago, there was a regula
Re:It's all about liability (Score:2)
Astoundingly, they do [chipandpin.co.uk].
Re:It's all about liability (Score:2, Funny)
What? They asked you that?? And they said they were looking forward to the extra security??? Wow! The only thing cashiers in the States ever ask me is if I want a receipt, and that's the smart ones. I'm shopping at all the wrong places.
Re:It's all about liability (Score:2)
I disagree, I don't believe we will see chip and pin in the US.
It's much more profitable for Visa/MC when debit card transactions are debited via Visa/MC systems. In the United States, this is done by selecting "credit" on the hypercom and signing a receipt.
Choosing "Debit" on the hypercom and entering
Re:It's all about liability (Score:3, Informative)
chips won't work either. Nothing will (Score:5, Interesting)
They were taking DNA samples in real time from people for access control.
The guy went to extreme measures to defeat the real time DNA sampler.
No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.
Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.
Re:chips won't work either. Nothing will (Score:2)
I suggest taking a 2 - 3 litre blood sample per transaction for DNA testing
Reminds me of "Demolition Man" (Score:3, Interesting)
John Spartan on Simon Phoenix being unable to buy anything because you need an implanted chip:
It would be a waste of time to mug somebody . . . unless he rips off someone's hand, and let's hope he doesn't figure that one out.
reminds me of... (Score:3, Interesting)
When I and my wife got a joint account, the bank swapped our pictures on our atm cards. We look nothing alike, each being easily taken for our respective genders. I used mine (with her picture) for six months without anyone even glancing at the picture. Eventually, when I got passport photos at a local picture processing shop: the clerk looked at the card and refused to process it.
Literally after hundreds of transactions including a good number in the $250/300 range. Unfortunately "Security" (tm) is everyone's job, but no one wants to do it.
Re:reminds me of... (Score:2)
People are stupid, and security measures must take this into account:
1. The original signature system didn't take this into account because the shop cashiers are stupid and don't check the signature.
2. The new chip & pin system doesn't take this into account because the card holders are stupid and don't protect their pin.
Admittedly (2) can be reduced by having well designed keypads that reduce the vi
Sig is that you agree to cc contract terms (Score:2)
Re:reminds me of... (Score:2)
PIN technology was probably the easiest, cheapest, fastest solution. It's merchants that get hurt the most with fraud.
Biometrics cellphones (Score:4, Interesting)
I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.
It is interesting to see phone companies grabbing part of the credit card market.
Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!
Instead of money, you'll be paid in talktime credits...
One possible solution (Score:2, Interesting)
Considering that (Score:2)
Every once in a great while a clerk will ask to see my card at my local supermarket. But those occasions are few and far between.
They don't even cross match the store ID card with the card you swipe. I understand that there are flaws such as a spouse having a store card with the same number on it. But there has to be a better way of checking to be sure the credit/debit card holder is who they say they are.
This is why
Re:Considering that (Score:2)
Re:Considering that (Score:2)
And most banks haven't yet made the transition from mag-stripe to smart-chip. The entire infrastructure would have to be changed.
As to why there isn't any serious effort to combat fraudulent credit/debit usage that's simple. The people who suffer are the merchants and the card holders. The banks, card issuers, and card processors are completely off the hook when it comes to fraud.
A me
Re:Considering that (Score:2)
I'm not happy with the idea of using my thumb print / iris scan / etc as part of the transaction - seems to me it would invite the criminals to chip off my thumb or scoop out my eye at the same time as swiping my wallet. I'd be much happier with something like electronic signature recognition - much harder to forge a signature than punch in a pin number and you're no longer relying on someone to bother to check the signature ma
Re:Considering that (Score:2)
But most importantly make sure the thumb, iris, etc. is attached to a living, breathing being. Most of the theft of credit/debit cards is non-violent anyhow. Most of it exploits technology or processes
But signatures are worthless. The signature on my card and on my drivers license is far different from the way I actually sign things. It's why I always make i
Re:Considering that (Score:2)
Ok, so after someone has looked over my shoulder and seen my pin, instead of just mugging me for my card they'll take the trouble to cut my finger off too - great.
But signatures are worthless. The signature on my card and on my drivers license is far different from the way I actually sign things.
Signatures are not worthless - signature analyser systems look at the _style_ and order of your pen strokes, not the exact shape of the finished signature. So it doesn't matt
Re:Considering that (Score:2)
Re:Considering that (Score:2)
Re:Considering that (Score:2)
Signature analyser systems look at the _style_ and order of your pen strokes, not the exact shape of the finished signature. So it doesn't matter that your signature is different every time, you're still drawing it in the same way (just as handwriting analysis can match handwriting to a particular person even though the 2 samples of writing ar
scary! (Score:2)
Re:scary! (Score:2)
Well, the "hackers" are supposed to be the curious test-the-system type of guys. It is the "crackers" with their "cracking tools" that you should really be worried about...
Easy identity theft (Score:3, Interesting)
Re:Easy identity theft (Score:2)
I still prefer signatures. (Score:2)
Re:I still prefer signatures. (Score:2)
How stupid (Score:4, Insightful)
This is like saying "Login & Passwords schemes are insecure! If I give my login and password to my coworker, he can impersonate me! The sky is falling!"
Actually, the Chip&PIN scheme is better than Login/Password schemes since you need a physical device (the smart card) to perform the transaction.
If this new scheme forces thieves to switch to "Social Engineering", well, it's a good thing, since people can be educated about them.
I love this quote:
The amount of "card-present" fraud in France (where this scheme is in use for about 20 years) is several orders of magnitude lower than in other countries with similar characteristics. Ok, the "Problem of fraud" has not been reduced, but the "Amount of fraud" has, and that's what matters.
Re:How stupid (Score:3, Insightful)
Be careful what you wish for; social engineering comes in many forms.
[Points gun at head]: Give me your card.
What is the PIN? [Pulls trigger]
You've just been socially engineered out of your funds, and life. Raising the bar on security doesn't always mean it's harder for a criminal, or safer for you.
Credit cards in the Philippines ... (Score:2)
Even the most brain 2 dollar a day cashier chicks carefully verify credit card transaction, and, if there's a question, they'll gather another two or three cashier chicks to cluck at the card before summoning a manager, who will the
New Tech mostly useless (Score:2, Insightful)
The only way to be secure is to use more than one security technology...
For instance, you have cards that are read by proximity detectors...all I have to do, as a bad guy, is get a reader and scan people as they walk past me...store the data, and copy it into new cards...bingo!
What we need is more security, not more technology...
For instance, a smart card credit ca
Who needs eyes? (Score:2, Insightful)
Re:Who needs eyes? (Score:4, Interesting)
Re:Who needs eyes? (Score:3, Informative)
No need to encourage that behaviour, indeed. I live in a state that allows me to carry a concealed handgun, and I am certified to teach the state concealed handgun course. The most effective deterrent is the occasional would-be thief that is shot by his intended victim. This encourages thieves to move to areas that require potential victims to be unarmed.
From the article... (Score:4, Insightful)
Oh please! Because the authentication of people's credit card applications is completely broken, the problem of cloned and stolen cards shouldn't be fixed? I'm the first to admit that technology alone isn't enough, but this absolute stupidity of authenticating people by "personal" "secret" information has got to stop. (And no, trying to fix that by safeguarding the info better will never work.)
Embedding chips will not stop ID theft (Score:2)
And as another poster has put it so clearly, why do we even NEED credit cards? At present our debit system works well enough. I have stopped using credit cards long ago. I still buy stuff (albeit less stuff I don't need since I have to think more about what I buy) and my bills are paid reliably.
In my view, only two things require credit -- houses and cars. For some people, cars don't require credit either... lucky them. But for anything else, there's cash.
cashiers asking for ID (Score:4, Interesting)
My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.
I don't mean to turn this into a race issue, but it cannot be ignored.
embedded chips under the skin? (Score:2, Interesting)
Re:new? (Score:2)
More secure? Not until people start behaving responsibly.
Re:new? (Score:3, Interesting)
Did you ever use your card in France? Your seemingly well protected PIN card does not need a PIN there - cashiers will just swipe it, and that's it. A very nice option for card thieves: Paris is just 6 hours by train. Yes, the thieves are with the program, they have been for a long time 8)
And by the way, PIN cards for payment in shops have been around since the early nineties - in 1970 people were still fuzzing about with 'spaa
Re:Who says.. (Score:2, Interesting)
At the door paying: The return of lost money in shipping.
Lost Money in Shipping: The return of online credit card payments.
BTW, the point of credit cards is not to have to lug around tons of cash, and not having to have your account full. If you know how to manage your money, you can say goodbye to paying interest on a credit card bill.
Note: Credit Cards not recommended for those who spend more than they make.
Re:Write "SEE ID" on your credit cards (Score:2, Informative)
From a letter I received from Visa:
"Please be assured that merchants may not refuse to honor a Visa card simply because the cardholder refuses a request for supplementary information. The only exception is when a Visa card is unsigned when presented. In this situation a merchant must obtain authori
Re:no big threat from 'hackers' (Score:2)
Nope. Revelations says it has to be in the forehead or the right hand. Technical considerations are all very well, but if you were to put the chip in the buttocks then not only would you make the whole enterprise a bad joke but you'd make the Bible into a colossal LIE! HERETIC! UNBELIEVER! You will burn in the pits of HEL