• Adrian Bool

    This sounds strange for me over in the UK!

    In the UK using Debit and Credit cards at a POS terminal is identical – you enter a PIN for both – and so PINs for both can be captured by a rogue POS. Over here, the advantage with Credit Cards is that you get extra anti-fraud protection over the use of Debit cards.

    So, in the US, do you still sign for Credit purchases?

  • Mike N

    In Holland almost nobody uses credit cards plus there are almost no shops that accept them either. Purely a chicken and egg thing stemming from a traditionally frugal Calvinist culture.

    CC owners are by and large associated with CEO-type people who travel a lot and/or show-offs.

    What we use most here is what I believe in English is called Direct Debit. Plus they’re all unbranded cards (meaning not Visa/MC/AmEx etc.) automatically provided by your bank with your account.

    Buy groceries, pay at the garage for a repair, typically anything less than €1000, just swipe the card, punch your PIN and the money is transferred immediately from one account to the other without delay.

    With all the news on the ‘net about fraud and rampant phantom CC rate increases I’m even more afraid of ever getting a CC for travel purposes.

    Whatever happened to cash?

  • Adrian Bool

    Hi Mike, I think you mean ‘Debit Cards’ – they are just the same as what you use in Holland.

    Direct Debit in the UK is a kind of variable Standing Order, typically used to automatically pay for varying amounts on a monthly basis – such as telephone, electric bills etc…

    I wish ‘cash cards’ were available – just dump an amount you would normally put in your wallet and then pay with that – no change etc to worry about. Debit cards are quite near, but you can’t really pay for goods less than say £5 with them. (Technically possible but it is frowned on).

  • Mike N

    Hi Adrian, I stand corrected on the “Direct Debit” thing then. But I purposely didn’t say “Debit Card” because I think that implies that the user needs to re-charge the card prior to usage. If that’s the case…we have that too IN ADDITION to what I described above.

    It’s called a “Chip-Knip”. “Knip” being old-fashioned parlance for a wallet. The verb is “Chippen”. According to Wikipedia it should be called a “Stored Value Card”?? Go here [ http://nl.wikipedia.org/wiki/Chipper ] and hover with your mouse pointer on the left where it says “English”

    The whole “re-charging money on your card” thing never caught on here and the banks have decided to let it die off.

    We have a verb here called “pinnen”. If you’re not paying with cash, (and thus going digital) 98% chance it’s “pinnen”, 1% it’s credit card, 1% chance it’s “Chippen”.

    With “pinnen” the funds disappear from my account and automagically reappear in another account. There’s no middle man holding the funds. With “Chippen”, if I lose the card or it gets stolen, that money on the card is gone for good. Not reimbursable. Ever.

    Equens [ http://www.equens.com/ ] (formerly called Interpay) has a monopoly on providing the banks with the payment infrastructure.

    I guess my point really is this: if I can do absolutely EVERYTHING under the sun requiring a payment in this country, and I can do this digitally if I so choose, without a CC or Debit Card, why isn’t this “possible” in other countries?

    The whole notion of gotcha-fees, credit rating, and skyrocketing CC rates is alien to us here. We have 16M people here and the only fraud concerning our bankcards is the occasional Eastern European skimming crew who rig the odd in-store unit or ATM. It all gets sorted in the end, the banks close whatever loophole there is and everyone’s happily reimbursed.

  • http://cawilson.co.uk/ ~CW~

    interesting article, it was from dec 2004 tho and i haven't heard about this happening anywhere

    having worked in a supermarket for the last 4 years i can tell you chip and pin is far more secure than signatures, which most checkout staff do not even look at.

    i would be more concerned with wireless technology being used in POS systems.

  • elf

    CW,

    Becoming fairly “routine” here in Canada. I believe the MO is: 1) Obtain (steal) one of the commonly used handheld PIN pads from any store (two plugs and it is yours). 2) Open it up and insert a data recorder in parallel with the regular circuitry to capture the swipe and the keypad. 3) Go to a different store and swap your rigged pad with the externally identical unrigged one. 4) Repeat 2-3 as many times as you like. 5) After a few days, start harvesting the pads you’ve already placed using the same process as step 3.

    There are obvious ways to make this process much harder to do and much harder to detect. I’m not privy to either side of the process so I can’t say which are being used (from what I have seen as a consumer, nothing to make me consider debit as an option).

  • http://cawilson.co.uk/ ~CW~

    re:elf

    well that doesn't surprise me but i'd still rather have this system than signatures which don't even get checked.

    with any system there are risks but at least with chip and pin the devices need to be tampered with as opposed to general human laziness.

    and it is next to impossible to avoid that kind of man in the middle attack; any authentication system that does not involve direct human interaction will be vulnerable to that, be it DNA, iris scan, fingerprint or this chip and pin system

  • Sky

    This article is ridiculous.

    The main point being that if PINs were actually imprinted on your card, then it would be far too easy to steal information without ever putting it through a POS machine. Because if the PIN was on the mag stripe it would have to remain unencrypted and could be read by any scanning device. In other words, you could get the PIN without having to authenticate with the Financial Institution. You could just rewrite the mag stripe with whatever PIN you wanted.

    PINs are stored in encrypted form at the Financial Institution's database. CHIP and PIN do function differently though as PIN is a one time authentication with the Buyer and the Financial Institution and CHIP is a zero-knowledge test that probabilistically proves that buyer and Financial Institution are confident that they are in fact speaking to each other rather than a third party using the POS link.

    This is much safer than any hand-made signature. Plus, Credit Cards in the US have all necessary information about the cardholder's account right on the mag stripe. If you put your card through any magstripe the information can be read clear as day. This is not secure because that means that the only “protection” is when your signature is verified.

    Perhaps someone should read a few papers about how POS and ABM machines actually work before spouting information where they “suspect there is a decent amount of vulnerability”.

  • Exothrmicus

    Another thing to consider with POS swipe terminals, is that in most cases the data read from the card is “keyboard wedged” (made to appear to have been typed at the keyboard) into the POS software. This type of system can be compromised with standard key-stroke logging Trojans.

    Some of the fancier Swipe terminals can do the secure card processing with the clearing house and pass a simple transaction result to the POS system, but as mentioned it does not take a lot of effort to tap the signals given the time to take one apart and insert a data recorder.

    I find it curious with all the talk about biometrics that nothing has been done to analyze / authenticate credit transaction signatures, but then again, I’m seeing a growing trend of shops not requiring signatures for transactions of less than $25.

    Even the so-called smart chip credit cards do nothing to increase the security of the transaction. The smart chips just deliver the same mag-stripe information in a different format, the only authentication (if any) is between the card and the reader, and not between the clearing house and the card. You would think after 30 or so years of public key cryptography systems, that it would have been applied to secure credit card transactions. Geez, even a time driven secure-id type PIN code would be more secure than what we currently use….

    At this point I have to agree with Bruce Schneier, this is a problem that the credit card companies do not wish to solve.

    Exo
