But ... chip and pin is the world-saving Idea of the Century.
I heard it here, and one can't deny facts like that.
That many El Reg commentards couldn't just be blowing hot air.
YES!! Cowchip-N'-Pen will be the end all of card security! NO WORRIES from NOW on!
"In Europe consumer protection isn't anywhere near as good as the US"
Um really? I always thought consumer protection in Europe was supposed to be much better than in the States? Guaranteed return periods, chip and pin technology, guaranteed warranties, etc.
I thought the US was far more company friendly than consumer friendly? Any of our American Cousins care to comment?
Seems a strange comment to me. I'd like to see a citation for this, but I suspect he is using alternate facts.
In the US, VISA has adopted a policy that basically says the cardholder shouldn't ever lose money because of fraud. You can just do a chargeback without any fuss.
In Europe, not so good. I don't know the formal differences or what the reason is, but there's a lot more resistance from many card issuers.
There has even been some news stories here about people being signed up for recurring charges against their will and the issuer's response being along the lines of "You must have clicked OK so that means you agreed to it! No chargeback for you, come back never!".
Such a scam would never fly in the US, and neither would the merchant account used for long, since it'd be nuked once the resulting flood of chargebacks arrived.
"but I suspect he is using alternate facts."
The difference is that most transactions use Chip and pin in Europe, which means loss and mis-use of the card is far harder. In the US it basically comes down to your word against the retailer, with the only proof being an illegible scribble, therefore banks have fewer ways to verify true loss against fraud.
Saying that, if it was a choice between better security (a.k.a. chip and pin) and trying to recover lost money from a bank, I would go security every day.
There are more details in our paper summarised here https://www.benthamsgaze.org/2016/06/02/international-comparison-of-bank-fraud-reimbursement-customer-perceptions-and-contractual-terms/
Basically, in the US Federal Regulations E and Z require a bank to promptly refund any disputed transaction. In the EU the Payment Services Directive (PSD), and its replacement (PSD2), allows the bank to refuse to refund in a number of situations, the most important being if they believe the customer to have been negligent. What this means is that if (on the basis of an internal audit report that the customer can't see) it is more likely that a disputed transaction was the result of negligence on behalf of the customer rather than a technical failure of the bank, then the customer is not entitled to a refund.
What the banks usually claim is that the customer didn't protect the PIN according to the bank rules, which is not surprising since bank rules are regularly broken for very legitimate reasons https://www.benthamsgaze.org/2016/02/17/are-payment-card-contracts-unfair/
"Any of our American Cousins care to comment?"
In my experience, it's a bit of a mixed bag. On the one hand Chip and Pin, properly executed in EU but largely NOT in US, makes fraud a tiny bit harder so one point for EU. On the other hand, Visa/MC/Discover policies in the US of "customer is (nearly) always right" pretty heavily favors the consumer so a point for US. If we could ever get PROPER execution of Chip and Pin over here, I think we could have the best of both worlds. Reality, however, would likely mean that the aforementioned consumer-friendly policies would be rolled back by the card issuers as "no longer needed." If I MUST choose between the two, I prefer the existing US "customer is (nearly) always right" policies, which I have used quite effectively the few times I needed them.
This policy predates chip-and-pin, so, no.
Apparently another commentard was able to point to the relevant legislation that seems to be the reason for the difference.
In all of my bank history, I had one brush with fraud. I had gone on holiday to the US (back when it was still the Home of the Brave) and one small shop had tried to skim me by presenting the same bill twice, but the second date was days after the first.
As soon as I found that on my statement I went straight to my BNP representative and showed him the issue. The refund was immediate and without fuss.
As far as I'm concerned, the EU environment of Chip & Pin is very efficient for me and I largely prefer it to the totally insecure magnetic strips still used in the US.
That said, I'd prefer my VISA to not have any mag strip at all. I guess it's to remain compatible with the US and other countries that have not yet migrated or are still in the process of doing so.
Re: @ patrickstar
I assume you mean BNP Paribas, not the right wing scum?
The comment in the article was about "consumer protection" which is a lot broader than just talking about chargebacks. And "anywhere near as good" means there is a massive disparity, which there just isn't in either law or practice.
Secondly, looking at it from a customer and merchant point of view as I am involved with both, the customer in the UK is almost always proved right unless the merchant can prove the customer wrong usually with CCTV - which I guess would be the same as the US.
The difference with chip and pin is that if a pin is used then the initial idea would be that the customer must have used it as they would be the only entity to know their pin and if it is a CNP transaction and the CSV is known then the person at the other end of the phone must have access to the card.
However I have never been refused a chargeback as a customer in the UK (I don't tell my PIN to anyone and cover it when using it), and as a Merchant we have not been successful in stopping a chargeback unless we have CCTV evidence or it was used at a Chip and Pin reader with PIN entered.
First off, I would like to say thank you to Dr Murdoch for joining the conversation. It's not often we get to have an expert quoted in an El Reg article joining in the Forum debates.
From my reading of everything, it appears to come down to the fact that whilst Americans are more likely to suffer bank fraud (for lack of the additional security of chip and pin style technologies), they are more likely to get their money back than in the same case in Europe.
I would also suggest that the comment that Americans have better consumer protection than Europeans may not hold in all cases as Europe has extremely strong laws on consumer warranties, guarantees, and return periods. Americans might be better protected in banking, but in regular purchasing protection not so much.
Thanks to everyone for joining the discussion...
On this side of the pond if I see a fraudulent charge on a bill I can contest it and at worst am responsible for $50 US of the charge no matter how much it is. I've had my card used to pay for a family (not mine) outing to Hawaii; I received a call while they were in flight, I was in Rome at the time and the family was detained at Honolulu airport. No cost to me. Rental car insurance is included on my cards at no extra cost, so that's a nice perk. Those are my top 2 cents worth.
> Ajay Bhalla [...] said: "Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It's not something that can be taken"
Methinks the gentleman has not heard of the meat cleaver.
> There has even been some news stories here
Ah, yes. News stories.
Regulatory protection does vary somewhat by State, but in line with general contract law, the principle of balance and protection of the weaker party applies. In practice, the terms and conditions as far as theft / fraud is concerned are much the same in the EU and the US. I've had both US and EU cards.
Also in practice, during a social chat with my bank manager years ago he said they usually can take a pretty good guess at whether a "stolen" card or "unauthorised" charge is really so, but they absorb it anyway as part of the cost of doing business. Of course, the bank may subsequently decide not to re-issue a card to certain people, but that is indeed their privilege.
And in Canada chip and pin has been available for years, as has tap and pay with no pin at all, and yet the card holder is not liable for fraud.
Europe consumer protection > US. In Europe, chip and pin existed for close to a decade before its introduction in the US. The CC industry excuse for the US is that merchants do not like the slow transaction, especially during holidays, and consumers can dispute fraud charges, etc. In reality, merchants and CC just want to separate $ from consumers as quickly as allowed.
In the US, CC and big merchants write off their losses as tax deductible, so there's no need to provide consumers with protection or secure services. Minimal requirements, unless required by regulation, and all that from the big boys.
> "On this side of the pond if I see a fraudulent charge on a bill I can contest it and at worst am responsible for $50 US of the charge no matter how much it is"
Same here. Just change "$" to "£". :)
Also: "...since we leave our fingerprints everywhere they should not be considered secret..."
But those fingerprints won't be scanned and sent straight to GCHQ/NSA/ETC.
And fwiw, I think that, apart from my own possessions, I only leave my fingerprints on doors and beer glasses, which is hardly 'everywhere'.
Time for the resurgence of the cheque (PITA that most UK places hate them now)
A scribble that has varying degrees of difficulty to forge, and also needs a card to be presented with it, but as you inevitably get your fingerprints on a cheque when handling it, if you have used it, it will have your prints in a few places, so you can prove fraudulent use as they can lift prints from the cheque.
In the worst case scenario, if your cheque book is nicked, there's only really a chance of stray prints of yours on the "top" cheque (you may have got prints on it when removing the last cheque), and as they're likely to commit fraud with > 1 of your cheques, the pattern of dodgy use (without your prints) will be convincing evidence that the "top" cheque was also a fraudulent transaction.
Re: Cheque Mate
Not used a cheque in a while (so long that my computer doesn't recognise it as a word), but I seem to remember a pretty typical method was 1) try and pull it out, 2) separate the cheque from the other cheques (putting prints on the one below) and when that doesn't work 3) touch every cheque everywhere as you slowly rip it off.
Re: Cheque Mate
'A scribble that has varying degrees of difficulty to forge'
Honestly, I don't remember the minimum wage shop assistants examining the signature on my credit card closely enough that just writing my name wouldn't work. I don't see why a cheque would be any different, there's very little incentive for them to refuse one.
In fact at one stage the signature strip on my card was worn off, it caused me slight difficulty in one petrol station.
Re: Cheque Mate
Cards present have not been required for cheques for several years, and ATM cards (well, your debit card) specifically say 'NOT a cheque guarantee card', i.e. 'can't use this to verify the person signing is the card holder too'.
Tap to pay - that's the future. What more could you need?
Tap and pay is an insecure system, which is why I told my bank to give me a normal debit card, which they did. Just a shame they thought I'd changed my mind when they renewed it in March and I had to go through the process of getting a non-contactless card again.
A dremel through the antenna works wonders on contactless cards..
Am I missing something? If I've read that correctly, the fingerprint sensor is on the card - so, presumably, to get their fingerprint on the card in the first place, the card holder has to have it scan their fingerprint.
With a PIN, when you get a new card the PIN is sent separately. This is done to hopefully avoid the issue of a batch of post being stolen, and the crooks finding both the card and the PIN in the same pile. If the above is so, it won't matter - they only need the card. They can then scan their fingerprint onto the card.
The point is that doing so is supposed to cost more than what you can gain from abusing the card. Just like changing/reading the PIN of the card would.
They'll post out some new fingerprints.
> This is done to hopefully avoid the issue of a batch of post being stolen, and the crooks finding both the card and the PIN in the same pile.
Also helpful (for criminals) with the new approach is that if they get hold of someone's card... it'll generally have the owner's fingerprints all over it.
... and fingerprint duplication is no longer difficult.
I've not seen them explain how the cards are provisioned, but... the local (South African) banks are connected to Home Affairs' National Population Register, which allows the bank to perform fingerprint validation. When I'm in the bank, I can present a finger to be scanned and the bank can ask the NPR "is this John Doe's fingerprint?". Now the bank knows it's me, they can calculate the fingerprint data to be burnt onto the card. No-one but me can now use the card.
What's more interesting is how they prevent an employee from putting her own fingerprint metadata on the card and then using it, though that loop could be closed by keeping the card disabled until positive delivery confirmation is received. I already have to provide positive identification, i.e. ID book/driver's licence, on receipt of the card.
Aside: How do they deal with people who don't have finger prints (adermatoglyphia) or those whose fingerprints might not be usable, e.g. those working with harsh chemicals/cleaners.
How do I go about changing my fingerprints after this gets hacked?
You have 9 changes available.
My preferred method
1. Preheat oven to 350 F / 180 C
2. Place non-stick cookie sheet in oven, preferably with some nice chocolate chip cookie batter on it
3. Bake for 14 min or until cookies lightly browned
4. Remove cookie sheet from oven without the aid of oven mitts
Will remove your finger prints for about two weeks, but that's okay because you'll need more cookies by then!
Unless Your Name Is Timothy Ifield!
You only have eight fingertips & two thumbprints.
I see a Tim Ifield situation developing in the near future.
How did Captain Hook die? He had a ***k with the wrong hand!
...the password you leave on everything you touch.
"...the password you leave on everything you touch."
Exactly! A fingerprint is a username, NOT a password.
How about thieves making fingerprints from photos of your hand or any item you have touched when making a purchase?
Always wear surgical gloves?
Though it might be a bit tricky if you were to get stopped at night by the police; "No officer, I wear these so the thieves don't steal my fingerprints". "Yeah, that's a likely story laddie. I am placing you under arrest for possession of burglary tools."
Worse (theoretical) problem: How about cold blooded killers who just chop off someone's hand in order to gain access to their fingerprints so that they can clean out the creditcard?
Assuming they don't know already then they'll need you alive to obtain your PIN, which could give you some leverage.
"or any item you have touched when making a purchase"
Like, say... the shiny, glossy, credit card that they just nicked off you and now need a fingerprint to unlock.
Nick card from wallet.
Bit of sticky tape and a gummi bear.
Hey, presto, card with "full authority" to spend what you like with no cardholder co-operation (or even knowledge) required.
Fingerprints ARE NOT AUTHENTICATION. They are IDENTIFICATION. They say who you are / claim to be. They do not verify that you are actually that person.
Any card company that tries this on me will be informed that I don't have fingers.
Not entirely theoretical – https://www.theregister.co.uk/2005/04/04/fingerprint_merc_chop/
In this case however, it looks like they want to do biometric payments at point of sale where there is a staff member present, so showing up with an amputated finger may draw attention.
Unattended biometrics are more challenging for several reasons, so maybe why they are not tackling them right now.
How about cold blooded killers who just chop off someone's hand in order to gain access to their fingerprints so that they can clean out the creditcard?
Properly done biometrics check for bio-electrical activity. That's why, for example, Apple's Touch ID stuff fails when your hands are wet, or greasy, or if there's grease or something on the sensor. There ain't no electrical activity once you're dead or once your hand/finger got chopped off.
This, of course, means that a certain critical plot point in the latest Star Wars movie won't actually work, but that's Hollywood.
"This, of course, means that a certain critical plot point in the latest Star Wars movie won't actually work, but that's Hollywood."
I think Spaceballs got around that plot hole. The goon used for the hand-print sensor was only unconscious.
The sensor fails because the water or grease on the sensor smooths out your fingerprint, either by filling the troughs making it harder to pick out the ridges or by being electrically conductive and therefore confusing the sensors, as they would otherwise detect the patterns of conductivity on a finger - depends on the implementation, and many sensors are the electrical conductivity type. Nothing much to do with measuring bio-electrical activity or heat.
So if I understand correctly I'd need to skin the finger and wear the epidermis like a finger cot perhaps with an electrically conducting gel to get a good connection.
Modern fingerprint readers are clever enough to be able to spot non-alive fingers. They're more expensive than the cheap'n'cheerful ones, but the additional protection they provide may well make it worth it.