26 comments

[ 4.6 ms ] story [ 58.8 ms ] thread
(comment deleted)
(comment deleted)
(comment deleted)
Might be that people think you're spamming egifter or don't know that 911isajoke is a song reference?
(comment deleted)
I don't have anything insightful to say. I'm just really sick of this crap and wish that US banks and retailers had incentives that would lead to smart-card adoption.
In Canada we adopted EMV chip debit cards years ago. It's worth noting that even when you switch to EMV, there is about a 5-year conversion period where vendors have to support older non-EMV cards. This is assuming all banks switch to EMV. Canada only has about 5 major banks and they all did it quickly but only recently are swipe-cards losing support.

Since it will take a while to be 100% chip-and-pin from both investment by banks and adoption by consumers, USA can look forward to debit and credit card breaches for a long time. So they'll have to invest heavily in information security, not just EMV.

What's the benefit for me, as a consumer? I've gotta remember and enter a PIN all over the place. If there is a compromise, I've gotta now prove it wasn't me to a much higher level.

Whereas in the current US system, I rely on my bank/Visa to figure out fraud detection and sort things out. If there's ever a problem, I dispute it and move on with life. Now and then, I have to get another card. That's a hassle, sure.

If I was responsible for the fraud, then sure, I'd want all sorts of security. But I'm not. Same logic used by my bank: My credit card gets blocked every couple of months (I'm always traveling). My debit card, which requires me to take more responsibility, has never been blocked by the bank.

Virtually all of my bills except my mortgage are automatically charged to credit cards. This means that every time my card gets compromised and replaced by the bank, I have to go update it 20+ places. And there are always the odd ones that only charge a few times a year (or once a year) and I forget until the charge is declined. Yeah, I may not be liable for the fraudulent charges, but it's still a big pain in the neck when it happens. I'd be more than willing to memorize a PIN if it solved this problem.
Visa/Mastercard/Amex all offer systems that can automatically alert merchants that you got a new card. I've just got my American Express card replaced and about half the merchants that I have a subscription with were still able to charge my card without my intervention.
Banks catch less than half of card fraud. The rest is caught by cardholders, and if you don't catch it, you pay for it.

And that's just known fraud - a lot slips through and cardholders pay for it unknowingly.

So you have to check your charges carefully. While you may not be liable in most cases for the fraud, you have to catch it first. Use an app like BillGuard for that (FD: I work at BillGuard).

Or you could, you know, use cash.
Oh, that thing that doesn't get me frequent flyer points when I buy gas, food, etc? That thing that if lost or stolen I don't get back? No thank you, I'll stick with my credit-card.
Not to mention, finding an ATM is always hardest when you need it the most.
One interesting thing I've noticed as a home depot customer is they don't require you to have a receipt for returns, as they can access all previous transactions based on your credit card number (... and therefore presumably have a centralized database which maintains a record of any credit card used at a home depot, hopefully in some hashed/encrypted format)
(comment deleted)
> presumably have a centralized database which maintains a record of any credit card used at a home depot

That's a bit of a leap. I'd assume they just have a hash of the data.

CC numbers are not that large of a space and can be enumerated. They could use a short hash (like a 26-bit hash) so each hash value has multiple plausible numbers -- at the risk of having collisions.
What does that get you, though? The formula for a valid card number (Mod 10) is public. If Home Depot uses a 1-way hash for the card number, and ONLY uses the card number, you gain nothing - you still need the expiration date/CVV/Name to do much else.
That's true whether or not they use a hash function.
Let's be honest here. They probably have the full details of every transaction in plain text in a database.
If they do, they're not PCI compliant and risk having their ability to conduct credit card transactions revoked.
The list of people not hacked is much shorter than those who have. At least it seems that way.
Would a chip + pin approach not make it substantially more difficult to pull off these kinds of attacks? I ask because I don't know the particulars of how Home Depot (ot previously Target) were said to be compromised.