I'm not yet familiar with the Apple Pay payment system, so I can't really comment on that one for now. However, I will comment on the Cornell document. The thing that really jumps out at me is Line 1 of the Limits of Liability section:
"(1) A cardholder shall be liable for the unauthorized use of a credit card only if—"
That word unauthorized is the one that's trouble. If your correct PIN is used, then as far as the banks are concerned, that transaction was an authorized use of your card. If a customer walks into their bank branch and says "my card was used for an unauthorized transaction", the bank will investigate, and if the report comes back and says that your correct PIN was used, then the bank says "You made (authorized) that charge, so you have to pay for it!" How exactly can someone argue with them? They've got the report from VISA or whoever that proves it was you that did it, and the banks never, ever admit that it might not have really been you, so there's no unauthorized charge to dispute. The stance of the banks is that Chip and PIN is impregnable, uncrackable, flawless, perfect. If the investigation comes back with a Y (yes) showing in the 'Was PIN verified?' section, then it could only have been you that made the transaction.
Personally, I love the Chip and Signature system. It's not that easy for a card cloning crook to forge my signature. Even if they have my real card, I purposefully don't sign the back of my cards unless and until some merchant points out that it's not signed. In 99% of the cases where a chip terminal is used, the merchant never even gets to handle the card and therefore never sees the blank signature panel. If the bank has a transaction with an obviously forged signature (non match) on the receipt, then I win the fraud dispute.
G
Since the terms of use require that the card is signed before it is valid, not so sure. I think the bank could argue (if of course they knew) that by not signing you were being reckless (as well as violating agreements), so the thief could sign your card in any way they chose and produce a matching signature.
Here's the video I was referring to earlier: https://www.youtube.com/watch?v=XeZbVZQsKO8. Just as a warning, it's fairly technical and it's about an hour long. I'm not too worried since those vulnerabilities seem to require that one have the physical card. AFAIK they haven't managed to clone a chip card yet.
They're not going to either, from the card alone, the encryption used is extremely strong and relies on a shared secret that is never transmitted. You'd need access to the bank's database to get that secret to be able to clone a card.
Insecure implementations are always a concern of course, including CVM downgrade attacks that aren't properly checked. I cannot comment on the original poster's story. The UK drastically increased consumer protections after banks pulled this one so the same situation wouldn't happen in the UK. I think we can assume fake transactions can happen, but they rely on implementation weaknesses.
Look at the attack on American cards in Brasil recently - totally nonsense cryptograms were submitted, and the bank authorised the transactions!
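An added example, not from any poster in this thread: a toy issuer-side authorization check in Python showing why a random "nonsense" cryptogram or a replayed counter should be declined, and how a CVM downgrade (signature or no CVM where the issuer expects PIN) can be flagged. All keys and card numbers are constructed, and HMAC-SHA256 stands in for the real EMV 3DES/AES MAC and key-derivation scheme.

```python
import hmac
import hashlib

# Constructed issuer-side model of EMV online authorization (simplified).
# Real EMV derives session keys and ARQCs with 3DES/AES CBC-MACs; HMAC-SHA256
# is used here only to show the structure. The card master key is the shared
# secret that never leaves the card or the issuer's HSM.

CARD_MASTER_KEYS = {  # constructed test data, not real card keys
    "4111XXXXXXXX1234": bytes.fromhex("0123456789abcdef0123456789abcdef"),
}
LAST_ATC = {"4111XXXXXXXX1234": 41}   # last Application Transaction Counter seen
POLICY_REQUIRES_PIN = True            # issuer rule for this (hypothetical) card

def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the master key and the ATC."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()

def compute_cryptogram(session_key: bytes, amount: int, atc: int,
                       unpredictable: bytes, cvm: str) -> bytes:
    """8-byte MAC over the transaction fields (stand-in for the ARQC)."""
    data = (amount.to_bytes(6, "big") + atc.to_bytes(2, "big")
            + unpredictable + cvm.encode())
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]

def authorize(pan: str, amount: int, atc: int, unpredictable: bytes,
              cvm: str, cryptogram: bytes):
    """Return (approved, reason). Declines unknown cards, non-increasing ATCs
    (replay or clone), bad cryptograms, and CVM downgrades."""
    master = CARD_MASTER_KEYS.get(pan)
    if master is None:
        return False, "unknown card"
    if atc <= LAST_ATC[pan]:
        return False, "ATC not increasing (replay or clone)"
    expected = compute_cryptogram(derive_session_key(master, atc),
                                  amount, atc, unpredictable, cvm)
    if not hmac.compare_digest(expected, cryptogram):
        return False, "cryptogram mismatch"
    if POLICY_REQUIRES_PIN and cvm != "ONLINE_PIN":
        return False, f"CVM downgrade: {cvm}"
    LAST_ATC[pan] = atc
    return True, "approved"
```

The "Brasil" case described above corresponds to the `cryptogram mismatch` branch: garbage bytes never verify against a key the fraudster does not hold, so an issuer that actually checks the MAC declines.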
Yes, it's definitely not advisable to lose (or have stolen) an unsigned card! Of course, under Chip and PIN, the PIN is considered the person's "electronic" signature, so the physical signature becomes less important. There are even some newer cards that no longer even have a signature panel on them. But it's still a good point. If I ever find a fraudulent transaction on my card, I'll be sure to sign the back before I file a report.
G
There is a big marketing push among the US CC issuers to promote "zero fraud liability". It would be a good exercise to read through the fine print of these offers to ensure there aren't any "oh by the way" issues such as authorization by PIN.
And the idea of limiting a card's credit line makes sense. What good is a low-utilization, high-limit credit card if a fraudster boosts your utilization by $10k?
@Anonymous wrote:Every single major issuer is preferring signature here, not PIN. Judging by how hard they're pushing Apple Pay and the like I highly doubt that'll change any time soon.
BTW, http://www.law.cornell.edu/uscode/text/15/1643 is good reading.
This is true. Americans have a fairly large number of cards and issuers are wary of making cards harder to use by requiring pins. The bulk of fraud is cloned cards, not stolen ones. Cloning info is easily grabbed from mag stripes and sold in bulk to cloners. Shutting that down is the main goal bankers here have.
As for the OP's point, there are a number of MITM attacks against pins with EMV chips. They involve compromised ATMs but there have been some reported cases over at krebsonsecurity.com. These will probably be ironed out but pins are still a pita.
EtoA:
I too decreased the daily purchase limit to 2k on one of my debit cards that the bank had increased to 10k. Way too much exposure.
Great post OP and thanks for sharing it. I relocated near the Canadian border a couple years ago and this is very useful to me. You sound very experienced and I hope you stick around.
I am not worried about chip & pin security if you follow the recommended security advice. After all, I have been using chip & pin daily for the past 12 years and no issue so far. Just have to make sure when entering the pin you cover up the terminal so no one can pick up your pin when you enter it, and certainly do not carry it around in the wallet. It is so much more efficient at checkout outside the US. The double paper slip printing takes forever, then the merchant compares the signature with mine and asks for ID in most cases, as when in a hurry my siggy does not look exactly the same as on the card. Love the pin entry.