6 comments

[ 5.3 ms ] story [ 79.9 ms ] thread
We are just going to have to stop putting dumb cards into smart terminals.

The user needs to own the device that approves or rejects the transaction, and with all of the MITM prevention efforts we expect from any other system.

Years ago someone demonstrated a credit card with a display and a keypad built into it. Probably still a bit expensive, but then the first credit card sized calculator came out in 1978 and by the 90's they had solar powered ones the thickness of a few credit cards. It can be done.

Smartphones are already doing that, particularly in countries that have leapfrogged over credit cards as a payment system.
They profit off the people that never bother to fight the bank / etc...

Sure, you might get a fraudulent $2000 (USD) charge and fight it out with the bank, but people like Dan Bilzerian or Travis Scott will just say fuck it and let it slide or get preferential treatment from that bank (the bank is making more than $2k in fees from them alone).

When enough people catch up they will stop using cards (debit or credit or whatever really...) or move to banks that actually care and bring the whole system down but as of right now it is what is is, sadly.

They're not copying or spoofing the chip on the card, they're skimming the mag stripe and getting the fixed credit card number, right? Then stealing your pin (second factor). I'm not 100% sure what methods they use for purchasing after collecting this info.

Couldn't we stop this today by rejecting transactions that use a mag stripe? Or just severely restricting them? My understanding is less secure transaction types have higher fees specifically because of fraud.

Mandating tap-to-pay (which has been in wide use for something like over 20 years now) eliminates this capture vector. I would love to opt-in to totp as a pin...while its used widely in tech I can see concerns with mandating it widely.

I feel like making this way more secure can be done with the tech already out there. It's the incentives that are preventing that from happening; i.e. the user is on the hook or it's "cheaper" to let the money get stolen.

I need to look more at how tap-to-pay works, because unless it's doing something very clever I'm unclear how that prevents skimmers or other MITM attacks from still working.