New secure credit cards? - Page 3

Do you have a question? Post it now! No Registration Necessary

Translate This Thread From English to

Threaded View
Re: New secure credit cards?

Quoted text here. Click to load it

I have had a Westpac Mastercard chip type card for maybe 6 months, and
only ever found one retail outlet with a chip reader during this time.

BTW
Westpac will be issuing new cards for some customers this month.
Mastercards will go back to Visa. Only a couple of years ago, I was
pushed from Visa to Mastercard. :-)

There are two new systems the banks have been pushing on us for on line
transactions for possibly 18 months now. (perhaps longer) Google for
Visa's "Verify by Visa" and Mastercard's "Secure Code".

Basically, when you enter your credit card details, you are shunted off
to a new web page that asks for your password. If you can't provide it,
no transaction. If you aren't registered via your card issuer, they will
ask you to register, so you can add this password feature.

As a merchant, we can manually circumnavigate this if requested to do so
by the customer, but this usually entails a phone call from the customer.

It has been a real pain in the butt for merchants, as you may loose the
customer, or have the need to go through the manual steps. Customer is
never warned in advance, and we can't switch it off.

But it's all done for our security.
I have an LCD device I have to keep pressing the button on, when I wish
to access my CBA account, and Westpac has the qwerty keyboard, password
system.

INGdirect, has an ever changing numeric-keypad layout, so that mouse
movements are never constant, and so it goes on.

Cheers Don...



--
Don McKenzie

Site Map:            http://www.dontronics.com/sitemap
We've slightly trimmed the long signature. Click to see the full one.
Re: New secure credit cards?


Quoted text here. Click to load it

My wife got an ANZ card with a chip ages ago - back in 2007 I think it
was. At that time there were very few of the readers about, and I can
remember that the staff in the few places that that did have them were
often flummoxed  when they had to use the new-fangled devices. These
days the readers are popping up all over the place.

The last card I got from CBA has not only the chip for PIN
verification, but also a RFID chip. The RFID chip is used for
something called PayPass to pay for items up to $35 with no
verification of identity at all (no signing, no PIN). I have yet to
see one of the readers for that system - their web site lists only 20
of them in Sydney.


Andy Wood
snipped-for-privacy@trap.ozemail.com.au

Re: New secure credit cards?
Hi,


Quoted text here. Click to load it

Hah, I remember when they tried to force me to Mastercard too. However
it seems they were obliged to still offer Visa to those who did not want
to change, so I stuck with it, glad I did that now :-).

Quoted text here. Click to load it

Yes I've seen that. It's mildly annoying, but I think it might be a good
thing. I have had my card used for online fraud a number of times now,
one time it was used to purchase airline tickets in Indonesia! I can't
understand how someone could board a flight using tickets that were
purchased by a completely different person, or how the airline could
sell them these tickets, but anyway.. With this new password
verification system, the online fraud would've been less likely I think.

Regards,

Ross..

Re: New secure credit cards?

Quoted text here. Click to load it

  Because the purchaser of the tickets are not always the USER of the tickets.

  Much like when I've booked flights for my aged aunty who's english is barely
good enough to get through hello pleasantries, let alone get onto the 'net and
make an online booking with a credit card she doesn't have.

  Or when work sends us to sites (domestic and international), they book and
pay a travel agent, who books and pays the airlines.  Apart from our names,
the airline doesn't care who paid for it or how.
  The last thing I want is to book in, and be asked why I wasn't the one who
paid for it.  More importantly, I'm not always aware of the agent who booked
and paid for it anyway - so I can't even verify that even if I wanted to.
--
Linux Registered User # 302622
<http://counter.li.org

Re: New secure credit cards?
Hi,


Quoted text here. Click to load it

I understand that, I have purchased tickets for my relatives in the
past, using my credit card.

However I still find it mildly perplexing that a large national airline
in Indonesia accepted an Australian credit card with a totally foreign
name through their Indonesian website and sold multiple airline tickets
to different people with the same credit card (people who incidentally,
did not provide complete address details, so the bank couldn't even
prosecute them).. These people could have been anyone, e.g major
criminals, and due to lax processes, no one can even track them down.

Quoted text here. Click to load it


< .. >

You're talking about a travel agent arranging the purchase here. The
credit card fraud that we are discussing is via WEBSITES. If a travel
agent fails to notice that a person used a stolen credit card with them,
then that's a bit different.

Regards,

Ross..

Re: New secure credit cards?
Quoted text here. Click to load it

the chip holds your card details and is supposedly harder to forge than
the mag stripe

I have seen eft-pos machines etc with chip-card slots in the top and
with magstripe groove in the side.




Re: New secure credit cards?
Quoted text here. Click to load it

The supposed protectiona against forgery is an illusion as long as
systems are willing to fallback to using the magnetic stripe if the chip
communication fails.

On a related note,

"Organized crime tampers with European card swipe devices"

http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines /

Sylvia.

Re: New secure credit cards?
On Thu, 19 Feb 2009 19:59:57 +1100, Sylvia Else

Quoted text here. Click to load it

How do credit cards now work when there is no signature at all.
For example, all over the phone transactions dont require a signature
but the banks still happily pay out.
Just what is the mechanism that allows them to do this.


Re: New secure credit cards?
Quoted text here. Click to load it
http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines /
Quoted text here. Click to load it

Basically, the merchant takes the risk that the consumer will repudiate
the transaction, and the merchant will not get paid. Usually there's a
requirement that any goods that have to be physically delivered are sent
to the address that the card issuer has for the holder. If the goods are
delivered, but the consumer denies having ordered them, then at least
the merchant can get the goods back.

In the end, its a business decision - take the risk to get the custom.

Sylvia.


Re: New secure credit cards?
On Fri, 20 Feb 2009 22:51:56 +1100, Sylvia Else

Quoted text here. Click to load it
http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines /
Quoted text here. Click to load it
Yes that I understand.
What exactly is the merchant telling the bank that causes the bank to
debit the alleged purchasers credit card.
Or can any merchant anywhere simply by having a persons credit card
number cause a bank to pay up just by telling the bank that the
purchaser has allegedly bought something.


Re: New secure credit cards?
Quoted text here. Click to load it
http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines /
Quoted text here. Click to load it

Basically, yes, there's nothing to stop a merchant fraudulently claiming
that purchase have been made when they haven't.

But the merchant should also expect the card holder to deny having
authorised those transactions, and get them reversed.

Unless it's for a small amount, of course. I suspect there's a degree of
fraud along these lines based on the assumption that the consumer won't
do anything about a small debit they don't recognise.

Sylvia.

Re: New secure credit cards?
On Sat, 21 Feb 2009 12:03:59 +1100, Sylvia Else

Quoted text here. Click to load it
http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines /
Quoted text here. Click to load it


Ok,so does this mean that once a card holder has denied authorizing
the transactions, the bank has no choice but to reverse them, ie there
is a legal obligation to do so, and the bank cannot refuse.


Re: New secure credit cards?

Quoted text here. Click to load it

Of course they can refuse, but the Banking Industry Ombudsman will usually
help you if you have a case.

MrT.



Re: New secure credit cards?
Quoted text here. Click to load it
http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines /
Quoted text here. Click to load it

Although one talks of 'reversing' it, the reality is that the entry in
the account simply reflects the bank's view of how much the account
holder owes the bank. The account holder can reasonably have a different
view. Faced with a denial by the account holder that a transaction was
authorised, and no signature, the bank is on shaky ground if it persists
in its view that the account holder owes it the money. A small claims
court would very likely find in favour of the account holder, and the
bank would know that.

Sylvia.

Re: New secure credit cards?
Quoted text here. Click to load it
Providing the merchant has 'cardholder not present' authorisation from
the bank.

Of course a merchant could type in the number pretending that the
card/chip wouldn't read but that makes the transaction look suspicious
to the bank.

It also depends on the 'floor limit' of the machine which the merchant
wouldn't necessarily know, some machines authorise online with every
transaction so they'd be taking the risk that you hadn't used the card
in the last few minute/hours many miles away from their location as the
bank's anti fraud software would detect that and flag the transaction as
suspicious, possibly blocking the card (which can be hugely inconvenient
to the card holder but is ultimately 'a good thing').

There's definitely fraud of this sort happening but it's a fairly low
risk.

Quoted text here. Click to load it

--
Clint Sharp

Re: New secure credit cards?
On Wed, 18 Feb 2009 02:30:11 -0800 (PST), "David L. Jones"

Quoted text here. Click to load it


They are starting to roll out eftpos terminals with smart card readers
in au, there is a few places I visit on a regular basis that require
you to use the smart card.  There is no real demand in AU as yet due
to the relativly low credit card fraud rates in AU compared to the
cost of rolling out smart card technology. The plan is to eliminate
mag stripe cards to enhance security, but as we all know the criminals
always catch up eventually. However, the harder you make it, the
longer it takes and the lest it costs the banks.

BTW. I have been a victim of CC fraud. I went around to all the stores
that had purchases on my card and most were big chains. However one
was Autobarn, which was a private franchise. The owner was really
pissed off because apparently all the banks do is reverse the charge
and refund it to the consumer. I got all my money back. Fortunately it
was my wifes card that got stolen, and she figured out who it was. It
was stolen from her work. I cancellled the cards as soon as she
noticed and contacted the police. Printed out all transactions from
internet banking and gave them all receipt copies I obtained from the
stores.  The idiot who stole it decided to to fuel up a car at a
service station that had CCTV!! Justice. I doubt the owner of Autobarn
would have ever got his money back though, the woman was a drug
addict.  None of this would have happened if PIN's were enforced.

Re: New secure credit cards?

Quoted text here. Click to load it

Well, that's not so clear. The chip based cards contain the PIN. It's
encrypted, and the chip is meant to be tamper proof, but the chip itself
is clearly capable of validating a requested PIN. In theory getting the
PIN wrong three times locks the chip, so that it will no longer respond
to PIN checks, and has to be reset at an ATM (which can validate the PIN
at the central computer system, and presumably track further failed
attempts).

However, this all depends on the tamper resistance of the chip. If
someone can deduce where the failed PIN attempt counter is kept, they
could conceivably reset it before each attempt. They could then perform
an automated exhaustive search of all 10,000 possible 4 digit PINs.

This article is illuminating in regards to tamper resistance of chips.

http://www.cl.cam.ac.uk/~rja14/tamper.html

Sylvia.

Re: New secure credit cards?

Quoted text here. Click to load it

  How do they cater for pin changes were your card is never inserted anywhere
to have an opportunity to be updated?  (yet?)

  Or in this case, is it checked online where available, and in an off-line
application, the user told to get lost if their new valid pin has not been
written to their card yet?

  If the pin can be updated willy-nilly as often as the user updates their pin
with their bank (or whoever), how long before the card pin update is hacked,
and used in an offline application where it trusts the card pin?

  Or better still, since they still take signatures everywhere, why not forget
the pin, and forge the user's signature (which conveniently is written on the
back), just like everyone's been doing since dot?
--
Linux Registered User # 302622
<http://counter.li.org

Re: New secure credit cards?
Quoted text here. Click to load it

It would appear to me that inserting the card into an ATM is a
prerequisite for changing the PIN.

Quoted text here. Click to load it

Some of the documents cited in this thread indicate that in any case,
for the offline transaction situation, it's simpler just to make a card
that claims that any PIN is valid.

But PIN updating can be made secure using public key encryption - at
least as long as the chip remains physically immune to tampering. All
bets are off anyway if crims manage to overcome the chip's tamper
protection.

Quoted text here. Click to load it

 From the bank's perspective, that's what they're trying to get away
from, since if the signature is forged, then it's the bank's loss, or
possibly the merchant's loss, but never the consumer's loss.

Sylvia.

Site Timeline