How the hell does this happen

[dmaziuk]

I think it’s cultural.

I didn’t come in the US recently but in Europe for example we had mandatory chip and pin for all credit and debit cards for a while.

I don’t think if that’s still the case but I remember paying credit card transactions with a signature in the US and sometimes using the magnetic stripe?

If chip fails 3 times you can swipe: using the magnetic stripe.

Chip doesn't do anything other than "prove" that whoever paid had the physical card in their possession. So the bank can weasel out of refunding the money because it was you who failed to keep your card safe, it's not the bank's fault. Just because you over in EU let your banks do it to yourselves doesn't make you any more secure.

Chip stops the "skimmers" but doesn't do squat for the most common type of fraud: "CNP".

 

[dmaziuk]

You are a man of many skills

I do computers.

I used to fix cars but the parts are too heavy, too dirty, and too caked in. Computers are way easier.

 

[BlueTrin]

If chip fails 3 times you can swipe: using the magnetic stripe.

Chip doesn't do anything other than "prove" that whoever paid had the physical card in their possession. So the bank can weasel out of refunding the money because it was you who failed to keep your card safe, it's not the bank's fault. Just because you over in EU let your banks do it to yourselves doesn't make you any more secure.

Chip stops the "skimmers" but doesn't do squat for the most common type of fraud: "CNP".

The reason I said that is that often people cite that the slow adoption in security measures in the US is the belief that the customers won’t want to change their methods.

This would transfer to having 2FA for example.

About your second point, one issue is that alot of protocols are global so if you are limited by your weakest points (as you already know)

For example EU cards could be victim of fraud in the US if they accept weaker protocols so that the customers travelling in the US could pay there.

 

[Pearlman]

Plus your saying it's my fault that someone stole my number, made a physical card and used it.

This happened to me a month after I used my debit card at an ATM in Puerto Galera/Sabang, Philippines on a vacation. All the ATMs down near the beach area were non-functional so I took a bike taxi a few km up the hill to look for a working one. Even up there the main well lit ATMs were not usable and the only ATM I found that I could use turned out to be a dark dimly lit in shady corner off the main street. Being Infosec aware I was hesitant, but then I had no cash for beer and bars that night. Classic example of temptation and that heart over head feeling… I got my cash, enjoyed my vacation night without downtime and returned to my home country all fine.

One month later I got two SMS for a PoS transaction on my card done at some vague International location. 400usd in all. So apparently my chip based card had been skimmed and duplicated and used. I had to file a police report, show my passport stamps to verify I was in the country at the time and submit it before my bank refunded the amount.

But yeah as an Infosec aware person, it was my fault - at least partly!

 

[Searcaigh]

The only time I used my debit card in the Philippines to withdraw cash it was rejected immediately and I received a call from my bank asking me where I was.

Once it was established I was in Manila a pre-arranged amount was set for me to withdraw from that ATM within minutes.

I generally carried cash to Puerto Galera as I was warned that there was no ATM at Sabang.

When I use my CC I also receive an SMS from my bank.

One morning I woke up to find a message on my phone for a transaction on Air Canada, I was on the bank fraud line immediately and funds were not deducted. I hope they managed to locate the person who was trying to buy the airline ticket as their name must have surely been on it.

 

[dmaziuk]

The reason I said that is that often people cite that the slow adoption in security measures in the US is the belief that the customers won’t want to change their methods.

Yes, but you are not "the customers": the stores accepting CCs are. In order to start accepting chipped cards, the store needs to replace their POS terminals with the new ones equipped with chip readers. Which 99.99% of the time require updating the software, which in turn requires upgrading their 21yo Windows XP server, and so on.

That's what "the customers won’t want to change" means.

This would transfer to having 2FA for example.

There's a term in computer security: "usable security". Having to jump through the 2nd factor after waving my card over POS terminal at a soda stand isn't.

About your second point, one issue is that alot of protocols are global so if you are limited by your weakest points (as you already know)

For example EU cards could be victim of fraud in the US if they accept weaker protocols so that the customers travelling in the US could pay there.

Where "global" bit comes in is you the CC network have to run two systems to do the job of one.

The "weakest point" is "Card Not Present" sales, it doesn't care which side of the pond you and your card physically happen to be, and it has not changed in decades apart from asking for an extra 3 digits of CVV.

 

[formernuke]

The "weakest point" is "Card Not Present" sales, it doesn't care which side of the pond you and your card physically happen to be, and it has not changed in decades apart from asking for an extra 3 digits of CVV.

This is true nothing can really be done about the internet ones.

These in person where the cards are cloned could easily be prevented. The Shearwater and Garmin scam is largely in person with cloned cards. The thief makes a card with the stolen card number and a ID to match it. All the CC companies have to do is have the merchant computer show the true card holder and wham a lot of the in person ones stop.

 

[dmaziuk]

All the CC companies have to do is have the merchant computer show the true card holder and wham a lot of the in person ones stop.

Thankfully we have the virus now so the computer can just show an image of a cloth mask, problem solved.

 

[BlueTrin]

Yes, but you are not "the customers": the stores accepting CCs are. In order to start accepting chipped cards, the store needs to replace their POS terminals with the new ones equipped with chip readers. Which 99.99% of the time require updating the software, which in turn requires upgrading their 21yo Windows XP server, and so on.

That's what "the customers won’t want to change" means.



There's a term in computer security: "usable security". Having to jump through the 2nd factor after waving my card over POS terminal at a soda stand isn't.



Where "global" bit comes in is you the CC network have to run two systems to do the job of one.

The "weakest point" is "Card Not Present" sales, it doesn't care which side of the pond you and your card physically happen to be, and it has not changed in decades apart from asking for an extra 3 digits of CVV.

I fully understand that the problem is to change the terminals. If you read the article I posted, it is mentioned exactly as you said that the problem is the point of sales. You are possibly wrong: most studies say that terminals is an issue but often cite that end customers may not remember their PIN, so you are possibly incorrect in your statement that terminals is the only factor and end customers are not.

About your last point, it is exactly what I said in the post I replied, you are limited by the lowest security denominator. In Europe it is common to limit the amount on contactless for visa or Mastercard.

In the UK it will force you to use chip and pin after too many contactless transactions. Even for online transactions, with my bank, I will get often a prompt to type a password or do a 2FA to enable an online payment. So yea it is possible to do it and keep it simple (your second point)

On another note, you can easily implement two factor with phones now. Granted some people don’t have smartphones, but it would be nice if I can lock my own card to not support any transaction for more than £50 a day without 2FA for example. So your last point is not valid: I cannot set my own higher security even if I want to go through that loop with many card issuers. OP cannot disable the CNP sales without 2FA even if he wanted to: this is exactly my point.

Btw, for OP, I think Revolut has disposable virtual cards.

 

[kelemvor]

Even if the rental is already pre-paid?
Here often your employer pre-pays for the rental, so of course you cannot show the credit card of the employer (in my case it remains in the safe hands of the director of my department). I must just proof my identity, which must correspond to what declared by the secretary who booked the rental and issued the payment for it.

When doing business rentals, the normal way to do it is the employee uses their corporate card. There are instances where someone else pays (such as an insurance company) but you're still going to have to give the rental company a credit card when you pick up so they can screw you a little bit extra.