75 comments

[ 2.8 ms ] story [ 136 ms ] thread
I take my UK credit card to the US and can't pay for gas at the pump as I don't have a valid zip code.

I have to go inside and pre-auth. This process sometimes only requires a swipe, sometimes chip and pin - but never a zip code.

Could they just fix that?

Canadian postal codes are of the form a4b 5c6. Most US things that ask for a zip code will accept either 00456 or 45600. Do UK postal codes have numbers in them? Have you tried left- or right padding those numbers with zeros?
They have letters. SE16 4EP is a code from near my home there. It's probably not worth making it work.
So do the Canadian ones, you just skip the letters and add zeroes. Try 00164 or 16400 for SE16 4EP.
Oh I misunderstood what you meant! That's a clever thing to have tried. Fortunately, I have local cards in all of these countries so I haven't tried anything like that. How interesting that it works!

One of my British cards (Capital One?) has me use all zeroes.

the fact you have to hand your card to a (hopefully) trusted source to swipe the card on a (hopefully) trusted terminal means it shouldn't be scraped there. the outdoor card swipers are just open to the public 24/7 for someone to stealth slip on a device
An edge case, with ~0 financial impact, and a functional workaround?

They could fix it, but I'd be surprised if anyone decided it was worth allocating any resources towards.

>Could they just fix that?

In my experience the zip code is built into the gas pump machines for 2 reasons: a) provide a least a modicum of security at the pumps the card user is an authorized user; and b) more importantly there is a good chance the manual input of the confirmed zip code provides a slight discount to the gas station with respect to their merchant services contract (which is probably pretty important on low margin purchases of gas).

Last time I encountered this issue (in LA) the attendant correctly advised me that 00000 would work instead. Worth a shot next time!
whew, this garbage is starting to make that tesla worth it
If only the problem would stop at gas pumps. Many POS devices that have old cc tech are vulnerable for this type of hack.
That suggests a different acronym for POS than the one you probably meant.
(comment deleted)
Ya, because your network connected, computer controlled, self driving car is and will always be completely secure.
Lots of reasons going to gas stations sucks. It's one of the reasons I plan on going electric soon. (You still have to deal with charger stations which have similar issues but only when you are traveling, not day-to-day)
Ouch. That seems quite hard to fix.

I've taken to using my revolut card for places that look a little shady. But ACME petrol station probably wouldn't register as shady for most.

This is why I've got live messages from my bank for all transactions possible. Makes for a good deal of noise on my phone but it's caught stolen cards twice for me so far.
Which banks support that?
In my personal experience, Simple has real-time push notifications for every charge (which once saved me/them from a fraudulent $1k charge, when I noticed a $1 test charge and immediately locked it). So does Apple's card.
I have this setup for all of my Chase and American Express cards. The notifications show up within seconds of me making a purchase, which makes it very easy to sanity check.
My UK debit cards are great for this. AMEX is a bit 'meh' - sometimes I'll get an instant notification, sometimes it'll happen a bit after, sometimes it just doesn't seem to happen. Annoying because I use that card the most.
That's possibly as much a problem with the merchant as it is the bank, sometimes they don't fully commit the transactions until the end of the day. Though usually I see a message at first that there was an authorization for purchase at least in those case.
Chase's app will let you do it; you have to dig deep into the notifications menu and find the item for sending a notification for purchases over a certain threshold. Add it, and set the threshold to $0, and you get a notification for every purchase.

For American Express, at least on Android, I get notifications through the Google Pay app for all purchases made (even if those purchases weren't made using Google Pay).

Unfortunately it seems like support for this does greatly depend on the issuing bank.

Capital One Credit cards support it
I've got it with Wells Fargo, but I think all the bigger banks these days support it.
All credit and debit cards that I have seen and used in South Africa do that.
I have done this before -- but I found it to be a waste of time. The couple of times I've had a compromised card, my banks have spotted it immediately. And even if they didn't, they're fully liable for the charges by law anyway. A quick glance through my statement is good enough.
I wish they had NFC so I could use Apple Pay. I hate inserting cards into the pumps even though I always check for skimmers. I'm pretty sure the past two (read: only) times my card got stolen it was through gas stations.
I’ve seen NFC on a couple Chevron pumps, but it’s not common.
I've encountered a couple of gas stations that supported NFC, in the last year. The most recent one was at ARCO - although in that case I couldn't actually use it since they only accept debit and at that point I only had my credit card in Google Pay.
ARCO near me has been accepting credit for about a year and it works fine with their NFC.
Where's that? This was in Mountain View. I'll have to try again.
My local WaWa installed NFC readers in their pumps.
This is one of the reasons I like my Galaxy Note 10. Samsung Pay supports Magnetic Secure Transmission (MST). You can use it to pay at the pump without risking your actual credit card number as it creates virtual rolling card numbers.

This feature won't be too useful in a few years when every payment terminal has NFC, but until then it is nice to have backwards compatibility.

Aren't gas station supposed to be all on a chip system this time next year anyway?
The liability shift happens for them in October 2020, but I suspect a lot will miss it.
They are liable but why wouldn't they just keep making us type in our zipcode. We are basically doing chip and pin how about we do it for real.
IIRC, gas stations are doing it voluntarily to get lower transaction fees. If we had chip+pin, we'd be entering a pin everywhere, right?

Call me old-fashioned, but I still like being able to open a bar tab.

You can do this with the chip card as well, also you can still tip.
With chip+sig, yes. But I’ve never managed to be able to open a tab in a chip+pin country.
If the card still has a mag strip, then a skimmer can still be introduced into an American chip reader, since you still have to shove your card in the slot.
> The problem is, many such businesses have very old technology and must replace the entire pump at an estimated cost of up to $250,000 per station

This feels like a business opportunity. Surely there must be a way to build an adaptor?

This is a bit of a tangent, but my parents owned a gas station in the late 90s and early 2000s. When they bought it, pay-at-the-pump was rare. Towards the end of their ownership, it was becoming common, and they were under a lot of pressure to install it. The installation was going to cost more than $250k on top of eating into the profit margin on gas sales (through credit card transaction fees) and discouraging folks from going into the store -- and in-store sales were by far the primary profit generator, as gas margins were low, zero, or negative depending on the constantly changing state of hyper-local competition and global gas prices. They opted to just sell the entire business instead and let it be someone else's problem.
Probably a lot harder than you would think because there are tons and tons of different versions of the pumps out there. You'd also need to get your solution certified for each model of pump. It could make sense if there is a particular model that is especially common and reasonably modern (so you aren't asking the owner to upgrade a pump that only has a couple of years left on it anyway), but my impression from driving around is that there are about as many gas pump designs as there are service stations.
... isn't that basically what a credit card skimmer is?
Still shocks me how widespread magnetic stripe credit card use is in the US. The rest of the world moved on a very long time ago.
Chip doesn't work once in a while, they end up swiping instead when that happens. Not sure why.
Most of the time, in my part of the world, it's an old machine that won't accept chip and pin. In which case the merchant (and/or Visa) should be 100% liable for fraud.
The general populace has no reason to care. We aren’t liable for fraudulent purchases; it’s just an inconvenience more than anything.
No immediate, concrete reason to care, but it's not like we're not paying for that fraud in the long run. Costs go up to account for the losses.
More security may not be worth it, if the total costs of fraud go down, but they are largely shifted to the individual victim rather than financial companies. I'm pretty sure this has been mentioned a million times; have you ever considered it before?
The financial companies don't treat fraud liability as a charitable gift they give to their customers.

They set APRs, fees, etc. to absorb it. The cost is, ultimately, borne by all of us, in either scenario.

There is an almost unfathomable value in being able to rely on getting the average outcome, rather than being one data point in the average. Insurance is a thing, you know? Also, people prefer taxes to armed robbers. And stuff like that.
I'm confused as to what you're arguing here.

I'm not advocating that individuals be held responsible for credit card fraud. I think the current setup is probably the best - the folks with the most ability to smooth out the losses (the banks) have most of the liability.

I'm simply objecting to the "The general populace has no reason to care" statement up-thread. That we're not directly liable for the fraud doesn't mean we're not getting screwed financially by it.

Better security is an opportunity for businesses to deny that they made a mistake when it is breached. If you have a compulsory PIN, then when a transaction goes through, they can say "it's impossible unless you were at fault". Is it? Who knows, but there are stories and rumors. I'm morally certain that companies will do this if they have the opportunity and are able.

It's no different as an abstract concept than Boeing purportedly sacrificing hundreds of people to try to produce a 0.1% higher ROI. In general, you optimize a number that describes a large system, and you have to consider that there may be tradeoffs - things may get...lumpy.

It's not so much evil as that people have jobs that involve optimizing certain numbers and certain related consequences are outside their purview.

A quantitative improvement could mean implicitly taking away insurance that was gratis.

I don't see how any of this can feasibly argue against pushing for better adoption of contactless payments.
In my recent US experience, gas pumps are the only things still using magstripe. Everyone with a card reader at their register seems to be using the chip reader.
The gas stations in my area just switched over to chip readers (at least the ones where I go). However, looking at it, you still have to insert your card all the way into the pump. This means that it would still be possible to add a magstripe skimmer in front of the chip reader. In this case, the gas station would be protected, but you'd still have the possibility of getting your CC # skimmed.
Many places nowadays seem to have card readers that accept swipe, chip or tap. Yet many of them don't seem to have tap activated, and if someone else handles your card (very common in bars and restaurants), you can be sure they will swipe it.

I was in NYC for a week and had to swipe my card at least 6 times during that period. I imagine the rest of the country isn't leaps and bounds ahead.

> I was in NYC for a week and had to swipe my card at least 6 times during that period. I imagine the rest of the country isn't leaps and bounds ahead.

Really? I have worked in NYC for over three years, and the only card I have ever had to swipe in that time is my FSA/transit card that, inexplicably, does not have a chip yet. There were a few smaller merchants in suburban New Jersey that lagged behind, but even they were on chip by 2017.

If the chip interface doesn't work, the backup is swiping. People talk like everything always works perfectly every time. The shinier a new technology is, the more unprepared people usually are for it breaking.

“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.”

My point is that I have never had to resort to said backup. I have had problems with my chip from time to time, but even in those cases the chip has gone through eventually.
Well, philosophically, you could convince yourself that the chip will always work if you try it enough times. One can't prove that's false. I have no interest in arguing angels on the head of a pin; what I know is that after a few failures, a cashier will tell you to swipe it, and it's obvious it isn't an unusual experience for them, seeing a ton of transactions per day. So any argument you may have based on technical, logical, or scientific grounds seems beside the point. Let alone plain incredulity.
Yep. Swiped at least 3 or 4 times by servers in bars and restaurants, had to 'dip' in the MTA machines a few times (which I assume is a swipe), a few times at random bodegas, and once at a CVS. In all of the cases there was no other working/active option besides cash.
I try my hardest to only go to stations that accept Apple Pay. If they don't I use a card that I know will overnight me a new card if I get a fraud alert (in my case, Chase).
The chip readers in the US don't do chip and pin. It's just chip or chip and signature. Wondering if the article just got the details wrong, or if something is changing.
Migration to chip cards started in 2012. US retailers other than gas stations had to convert by 2017. Gas stations got 3 extra years. Now that time is running out. Many pumps can be upgraded. Here's a migration guide.[1]

This is classic gas station operator whining. Back in 1984, US gas stations were required by the EPA to install double-walled tanks and leak detection. One in four of the old tanks was leaking. Gas stations got 15 years to do it. At the end of 1998, many were hoping for a further extension. They didn't get it. No more fuel deliveries, and they had to go out of business.[2] That's also why, for some years, you saw recovery systems at former gas station sites, trying to suck the gasoline out of the soil.

[1] https://www.gilbarco.com/us/emv-migration-guide [2] https://www.latimes.com/archives/la-xpm-1998-oct-25-me-35989...

Somewhat off topic, but I think there’s big business to be had in the future pulling gas station fuel tanks out of the ground and remediation with the move to electric vehicles.
Chip based systems don’t prevent card skimming, in fact you also get the pin with those since you can still read the track 2 data and also get the pin with a skimmer that is placed on top or even inside of the pin and chip reader.

This is essentially the same exploit as ATMs with often lower risk since gas station pumps aren’t inspected for skimmers.

The only way to prevent track2 skimming is to remove the magnetic strip however there are also many skimmers today that don’t read the track 2 data but rather scan both sides of the card giving you the CC number, exp date, CVV/CVV2, issuer code (if present) and the card holder details then you can usually perform a card not present transaction fairly easily at best you’ll only have to match the card holder with a post code or a billing address however most issuers will let you pass security with any address that was tied to the card for the past 5 years so your google search results on the name doesn’t even have to be super up to date.

Basically anything but a bulletproof wireless E2EE system will allow skimming. And I’ve seen PoCs for near IR photographic skimmers that try to photograph the card from within the wallet or sleeve with moderate success.

I believe the goal of chip based system is to get rid of "your username is your password" problem of credit cards in the long run.

Is the world ready to remove the magnetic stripe and numbers on the card? Only expose them through your online bank and keep them separate from the card. Then only some online payments will be vulnerable - like hotel bookings.

For example Revolut cards still have the stripe, but the card details are hard to read, almost invisible for the eye unless under proper light

This to me is Visa and Mastercard's problem, not anyone else's. I'd LOVE to be able to enter a password or pin to authorize and cryptographically sign a transaction proving I authorized the transaction. Someone can literally take a picture of your card, or listen with a sensitive radio to "hear" credit card numbers being swiped. This technology is needs to be replaced.