weaker security at U.S. banks
December 23rd, 2013 at 8:39:24 AM
permalink
In its coverage of the fallout from the theft of 40 million credit card numbers at Target, USA Today reported: In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother. "The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.
****
The obvious question is: why did foreign banks upgrade their security, but not American banks?
The short answer is because the upgrade would be expensive, and the American banks are battling the American retailers over who should foot the bill. I find this answer inadequate. The Target fiasco has proven that these security breaches are an expensive headache for the banks. And by failing to keep up with international standards, the American banks make themselves vulnerable easy targets (no pun inteneded) to international thieves unable to crack Europe's sophisticated security. Surely the genuises running America's banks must know that in the long run it will be cheaper to upgrade than to do nothing.
Moreover, Europe's upgrade must have been just as expensive, but their banks did it anyway. I guess I'm too patriotic to believe that American bankers are stingy tightwad penny-pinchers and European bankers aren't.
****
The obvious question is: why did foreign banks upgrade their security, but not American banks?
The short answer is because the upgrade would be expensive, and the American banks are battling the American retailers over who should foot the bill. I find this answer inadequate. The Target fiasco has proven that these security breaches are an expensive headache for the banks. And by failing to keep up with international standards, the American banks make themselves vulnerable easy targets (no pun inteneded) to international thieves unable to crack Europe's sophisticated security. Surely the genuises running America's banks must know that in the long run it will be cheaper to upgrade than to do nothing.
Moreover, Europe's upgrade must have been just as expensive, but their banks did it anyway. I guess I'm too patriotic to believe that American bankers are stingy tightwad penny-pinchers and European bankers aren't.
December 23rd, 2013 at 12:05:53 PM
permalink
It has nothing to do with cost. It's in their best interests for the credit cards to be as easy to use as possible. In return, they cover all fraud. This is a good deal for them -- they make more in additional use than they lose to fraud.
I've had my card compromised in the past. It was no problem for me. I called them late at night They removed the fraudulent charges and overnighted me a new card. Why would I want something more secure but less convenient, when I don't bear the cost of the fraud?
In many parts of Europe, with chip+pin on the cards, they assume that fraud is impossible, and the cardholder is responsible for any charges (since they are assumed not to be fraudulent). Unfortunately, fraud still occurs (they are actually not all that secure) so it's a much worse situation for the cardholder. I'll take the US system any day -- I don't want to be responsible for fraudulent charges.
I've had my card compromised in the past. It was no problem for me. I called them late at night They removed the fraudulent charges and overnighted me a new card. Why would I want something more secure but less convenient, when I don't bear the cost of the fraud?
In many parts of Europe, with chip+pin on the cards, they assume that fraud is impossible, and the cardholder is responsible for any charges (since they are assumed not to be fraudulent). Unfortunately, fraud still occurs (they are actually not all that secure) so it's a much worse situation for the cardholder. I'll take the US system any day -- I don't want to be responsible for fraudulent charges.
December 23rd, 2013 at 12:52:26 PM
permalink
I think he is talking about this: http://en.wikipedia.org/wiki/Chip_and_PIN, or, more generally, this: http://en.wikipedia.org/wiki/EMV For a good laugh, be sure to read this section: http://en.wikipedia.org/wiki/EMV#Vulnerabilities
RFID is a different issue.
Unfortunately, chip+pin is not actually designed with security in mind; it's designed to shift the burden of fraud from the lender to the customer. This does not require real security; it only requires enough security to fool lawmakers (which is not much, since they are not security experts). With the burden shifted to the customer, the lender has no incentive to monitor or prevent fraud -- they simply don't care. Even with laws that require the lenders to show that the customers authorized the transaction, the fact that a PIN was provided is often considered adequate proof (so if your PIN is compromised you are screwed)
The US system is much, much better. The burden of fraud lies with the lenders, who are the only ones with the power to prevent it.
RFID is a different issue.
Unfortunately, chip+pin is not actually designed with security in mind; it's designed to shift the burden of fraud from the lender to the customer. This does not require real security; it only requires enough security to fool lawmakers (which is not much, since they are not security experts). With the burden shifted to the customer, the lender has no incentive to monitor or prevent fraud -- they simply don't care. Even with laws that require the lenders to show that the customers authorized the transaction, the fact that a PIN was provided is often considered adequate proof (so if your PIN is compromised you are screwed)
The US system is much, much better. The burden of fraud lies with the lenders, who are the only ones with the power to prevent it.
December 24th, 2013 at 10:22:25 AM
permalink
Quote: renoSurely the genuises running America's banks must know that in the long run it will be cheaper to upgrade than to do nothing.
Fraud amounts to 52 cents per $1000 in transactions. Much cheaper to just let it ride and do nothing beyond PCI-DSS
December 24th, 2013 at 1:20:56 PM
permalink
Quote: AxiomOfChoice
I've had my card compromised in the past. It was no problem for me. I called them late at night They removed the fraudulent charges and overnighted me a new card. Why would I want something more secure but less convenient, when I don't bear the cost of the fraud?
I agree with Ax. A few months ago, I noticed three bogus charges on my Visa. I called, and the charges were promptly removed. The call duration was around 5 minutes. A new card was in my hand the next business day. What could be easier?
Now, if you are using a debit card, I would advise you to stop. Dealing with bogus charges on a debit card can suck.
Talent hits a target no one else can hit; genius hits a target no one else can see.
