Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
On 9/Nov/18 20:26, Bill Woodcock wrote: > That was true a few years ago, but it’s been at least a year since I’ve seen > a swipe anywhere. The change happened quite quickly. It’s all been chip, or > chip-and-pin, for at least a year. In the last 2 years, I've seen the rise of PIN-based transactions in the U.S., and this is great. But between San Diego, San Jose, San Francisco, Chicago, Hawaii and Seattle for my 2017/2018 U.S. visits, there are just about as many merchants supporting PIN's as there are that don't. Mark. signature.asc Description: OpenPGP digital signature
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
> On Nov 8, 2018, at 1:11 AM, Mark Tinka wrote: > It has always been curious to me how/why the U.S., with one of the > largest economies in the world, still do most card-based transactions as > a swipe in lieu of a PIN-based approach. That was true a few years ago, but it’s been at least a year since I’ve seen a swipe anywhere. The change happened quite quickly. It’s all been chip, or chip-and-pin, for at least a year. -Bill signature.asc Description: Message signed with OpenPGP
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
Once upon a time, Stephen Satchell said: > On 11/08/2018 07:50 PM, Chris Adams wrote: > > Signatures are no longer required for chip card transactions in the US, > > except I think for transactions where the auth is done on the amount > > before an added tip (restaurants). > > Signatures are required for chip card transactions above a certain > dollar amount, with that dollar amount varying from merchant to > merchant. I ran into this at the Sprint store when I used a chip card > to pay $800+ for my company's overdue wireless bill, and I had to apply > pen to paper by hand. And I didn't do my usual response to "sign here": > draw a triangle and put "yield" in it. That's just because Sprint wanted it, not the credit card company. For example with VISA, the signature is "optional" for chip transactions, no matter the amount, but the retailer can still require it if they want (because they want to annoy customers I guess?). https://www.theverge.com/2018/1/12/16884814/visa-chip-emv-signatures-north-america-credit-card-april-2018 -- Chris Adams
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
On 11/08/2018 07:50 PM, Chris Adams wrote: > Signatures are no longer required for chip card transactions in the US, > except I think for transactions where the auth is done on the amount > before an added tip (restaurants). Signatures are required for chip card transactions above a certain dollar amount, with that dollar amount varying from merchant to merchant. I ran into this at the Sprint store when I used a chip card to pay $800+ for my company's overdue wireless bill, and I had to apply pen to paper by hand. And I didn't do my usual response to "sign here": draw a triangle and put "yield" in it.
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
On 9/Nov/18 02:22, Todd Underwood wrote: > > i generally find it amusing when people from other countries mock the > US for not having PINs. this is just another way of saying "my > country has high fraud rates and yours appears not to." :-) . you can > see this in the comment below "If we were swipe-based here, we'd all be > broke :-).". the payments systems are architected to minimize cost > and maximize adoption and they are usually at (or moving towards) some > locally optimal point. the US is no exception in that. That was me - and "low" (fraud rates) is not "zero" (fraud rates). Personally, I don't want to add to the statistic. The inconvenience isn't worth the bragging right :-)... Mark.
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
Once upon a time, Scott Christopher said: > Swipe-and-sign (and now just swipe for small amounts) is for Visa, > Mastercard, Discover transactions (called credit) Signatures are no longer required for chip card transactions in the US, except I think for transactions where the auth is done on the amount before an added tip (restaurants). > Skimming and card fraud is actually uncommon in the U.S. these days, and the > police are very effective at combating it. It's just cheaper for the industry > to eat fraud losses than to "upgrade" systems. The transition to chip-based > cards was a debacle. Skimming is still highly active at gas pumps, where chip support was pushed off (current requirement I believe is late 2020, but may be delayed again). The skimmers get more creative all the time; they're getting inside pumps (possibly with help of low-paid station attendants, but also because of poor physical security) and installing the skimmer hardware out of sight. The hardware has Bluetooth, so the bad guys just pull up and get gas and someone in the car can retrieve the data (from multiple pumps even). -- Chris Adams
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
This is a confusing and off-topic discussion with respect to network engineering. But for completeness: Payments systems are architected by fraud rates, not by isolated security requirements or engineering mandates, as i think most network engineers can understand. The fraud rates in the US for credit card transactions were historically very, very low and being a large jurisdiction with a single national law enforcement branch (the FBI) enforcement was effective. Compare this to Europe in the 1980s when credit cards were accepted very few places. This was for two reasons: 1) the fraud rates were much, much higher, which created chargebacks for merchants that they preferred not to eat; 2) trans-national enforcement was virtually nonexistent. interpol had ~zero time to deal with credit card fraud. so the best european fraud rings always operated from a different country than where they perpetrated the fraud. when chip-and-pin was introduced, the point was actually twofold: A) security B) shifting liability to the consumer somewhat famously, even after chip-and-pin was proven compromised, UK banks continued to make consumers liable for all fraudulent transactions that were 'pin used'. this was very, very good for the adoption of credit cards in europe but it was very, very bad for a few people. banks, as usual, didn't are and made some decent money. So why did the US get pin-and-signature? Target. International fraud rings finally got wise to the ripe opportunity that was the soft underbelly of the US economy and figured out ways to perpetrate massive, trans-national fraud in the US. and as soon as that happened, the US got chips. the signature-vs-pin part is mostly about the fact that there are *still* low rates of fraud here as tracked by chargeback rates and as a result there's no real need to pay the cost of support to set everyone up with a pin. and that's what security is always all about: cost tradeoffs. people in countries where everyone has a pin have eaten that cost already and had to because the fraud rates were high enough to justify it. people in the US do not have PINs that they know and setting those up costs money and maintaining people's access to them costs money. so if that's not worth it, it doesn't get done. nor should it. i generally find it amusing when people from other countries mock the US for not having PINs. this is just another way of saying "my country has high fraud rates and yours appears not to." :-) . you can see this in the comment below "If we were swipe-based here, we'd all be broke :-).". the payments systems are architected to minimize cost and maximize adoption and they are usually at (or moving towards) some locally optimal point. the US is no exception in that. now, the checking/chequing system is a whole other, embarrassing beast and mocking that one is just the correct thing to do. :-) anyway, let's talk about networks, no? cheers, t On Thu, Nov 8, 2018, 19:07 Frank Bulk I have a low-cost/high interest rate account at one of the Canadian bank > and each "assisted" transaction is $5. > > Frank > > -Original Message- > From: NANOG On Behalf Of Mark Tinka > Sent: Thursday, November 08, 2018 3:35 AM > To: George Michaelson > Cc: North American Network Operators' Group > Subject: Re: CVV (was: Re: bloomberg on supermicro: sky is falling) > > > Speaking of "cost" as a motivator, in South Africa, most of the banks > are now using extra fees as a way to force users to do their banking > online (phone, laptop, app, e.t.c.). If you want to walk into a bank to > deposit money, withdraw money, make a transfer, e.t.c., you pay for that > service over and above, while the process costs you zero (0) when done > online. This has led to banks now renovating banking halls into where > there was once 23 tellers, you now have 1 service usher, 1 teller, 2 > support agents and 20 self-service computers. > > I hope the U.S. does catch-up. If we were swipe-based here, we'd all be > broke :-). I know a number of major merchants in the U.S. now use PIN's, > and I always stick to those when I travel there. > > Mark. > > > >
RE: CVV (was: Re: bloomberg on supermicro: sky is falling)
I have a low-cost/high interest rate account at one of the Canadian bank and each "assisted" transaction is $5. Frank -Original Message- From: NANOG On Behalf Of Mark Tinka Sent: Thursday, November 08, 2018 3:35 AM To: George Michaelson Cc: North American Network Operators' Group Subject: Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
Mark Tinka wrote: > I hope the U.S. does catch-up. If we were swipe-based here, we'd all be > broke :-). I know a number of major merchants in the U.S. now use PIN's, > and I always stick to those when I travel there. In the U.S., pin codes are required for EFTPOS transactions (called debit) over interbank networks like Pulse, STAR, etc Swipe-and-sign (and now just swipe for small amounts) is for Visa, Mastercard, Discover transactions (called credit) Skimming and card fraud is actually uncommon in the U.S. these days, and the police are very effective at combating it. It's just cheaper for the industry to eat fraud losses than to "upgrade" systems. The transition to chip-based cards was a debacle. -- S.C.
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
On 8/Nov/18 11:16, George Michaelson wrote: > There are two parts of the problem. The first is the assumption of > risk: the current model of operation in the US (like in other western > economies) puts the onus of risk of misuse of the card on specific > actors. When you change the basis from signature (fraud) to chip+pin > (leak of knowledge) you have to change the legal basis. Remember, this > is an economy where WRITING CHEQUES is still normal. Clearly, the > legal basis of money transactions in the US is hugely complicated by > savings and loan, credit unions, banks, state and federal law, taxes. > We all have some of this worldwide, they have a LOT. > > Secondly, the cost basis. Who pays? In most of the world the regulator > forced cost onto specific players because they could, and forced > people to tool up because they could. But, the costs did have to get > met. Some people paid more than others. In the US, for reasons not > entirely unlike the first set, *making* people do things with cost > incursion is remarkably difficult. Making the Walmart brothers re-fit > every terminal, when they can go down to DC and buy votes to stop it > happening, Making Bank of America spend money re-working its core > finance models to suit online chip+pin when it can go down to Walmart > and lean on the owners to go down to DC and buy votes... > > Seriously: Its not lack of clue. Its lack of intestinal political > fortitude, and a very strange regulatory and federal/state model. Shame, but I can see how this makes sense as to why things are the way they are. Speaking of "cost" as a motivator, in South Africa, most of the banks are now using extra fees as a way to force users to do their banking online (phone, laptop, app, e.t.c.). If you want to walk into a bank to deposit money, withdraw money, make a transfer, e.t.c., you pay for that service over and above, while the process costs you zero (0) when done online. This has led to banks now renovating banking halls into where there was once 23 tellers, you now have 1 service usher, 1 teller, 2 support agents and 20 self-service computers. I hope the U.S. does catch-up. If we were swipe-based here, we'd all be broke :-). I know a number of major merchants in the U.S. now use PIN's, and I always stick to those when I travel there. Mark.
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
There are two parts of the problem. The first is the assumption of risk: the current model of operation in the US (like in other western economies) puts the onus of risk of misuse of the card on specific actors. When you change the basis from signature (fraud) to chip+pin (leak of knowledge) you have to change the legal basis. Remember, this is an economy where WRITING CHEQUES is still normal. Clearly, the legal basis of money transactions in the US is hugely complicated by savings and loan, credit unions, banks, state and federal law, taxes. We all have some of this worldwide, they have a LOT. Secondly, the cost basis. Who pays? In most of the world the regulator forced cost onto specific players because they could, and forced people to tool up because they could. But, the costs did have to get met. Some people paid more than others. In the US, for reasons not entirely unlike the first set, *making* people do things with cost incursion is remarkably difficult. Making the Walmart brothers re-fit every terminal, when they can go down to DC and buy votes to stop it happening, Making Bank of America spend money re-working its core finance models to suit online chip+pin when it can go down to Walmart and lean on the owners to go down to DC and buy votes... Seriously: Its not lack of clue. Its lack of intestinal political fortitude, and a very strange regulatory and federal/state model. On Thu, Nov 8, 2018 at 4:11 PM Mark Tinka wrote: > > > > On 11/Oct/18 21:31, Chris Adams wrote: > > > Requiring an ID is also a violation of the merchant agreements, at least > > for VISA and MasterCard (not sure about American Express), unless ID is > > otherwise required by law (like for age-limited products). I've walked > > out of stores that required an ID. > > It has always been curious to me how/why the U.S., with one of the > largest economies in the world, still do most card-based transactions as > a swipe in lieu of a PIN-based approach. > > In South Africa (and most of southern Africa), all banks make the use of > PIN's mandatory, for all types of cards. With the rest of Africa using > credit cards more recently, I imagine they are also PIN-based. > > Europe also use PIN's, as far as I have experienced. > > Asia-Pac was swipe-based for a long time when I lived there, but I know > places like Malaysia and Singapore have started a major PIN-based > transaction drive in the past 3 years. > > 3D Secure for the online version of the transaction also means your card > number and CVV number are less susceptible to fraud via restaurants and > the like. Of course, this is not fool-proof, as both the merchant and > bank need to support and mandate this, which is not well-done at a > global level. > > Mark. > >
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
On 11/Oct/18 21:31, Chris Adams wrote: > Requiring an ID is also a violation of the merchant agreements, at least > for VISA and MasterCard (not sure about American Express), unless ID is > otherwise required by law (like for age-limited products). I've walked > out of stores that required an ID. It has always been curious to me how/why the U.S., with one of the largest economies in the world, still do most card-based transactions as a swipe in lieu of a PIN-based approach. In South Africa (and most of southern Africa), all banks make the use of PIN's mandatory, for all types of cards. With the rest of Africa using credit cards more recently, I imagine they are also PIN-based. Europe also use PIN's, as far as I have experienced. Asia-Pac was swipe-based for a long time when I lived there, but I know places like Malaysia and Singapore have started a major PIN-based transaction drive in the past 3 years. 3D Secure for the online version of the transaction also means your card number and CVV number are less susceptible to fraud via restaurants and the like. Of course, this is not fool-proof, as both the merchant and bank need to support and mandate this, which is not well-done at a global level. Mark.
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
Once upon a time, b...@theworld.com said: > But asking for photo id is a good thing for legitimate card holders, > could reduce fraudulent in-person use of stolen cards. Requiring an ID is also a violation of the merchant agreements, at least for VISA and MasterCard (not sure about American Express), unless ID is otherwise required by law (like for age-limited products). I've walked out of stores that required an ID. -- Chris Adams
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
On October 11, 2018 at 13:41 s...@ottie.org (Scott Christopher) wrote: > Robert Kisteleki wrote: > > > (this is probably OT now...) > > > > > I'm pretty sure the "entire point" of inventing CVV was to prove you > > > physically have the card. > > > > Except that it doesn't serve that purpose. Anyone who ever had your card > > in their hands (e.g. waiters) can just write that down and use it later > > hence defeating the purpose of "physically having the card". > > But waiters don't know your ZIP code which is the other thing needed for > online verification (in the U.S.) So be wary if they ask you for photo id which likely has your zip code! But asking for photo id is a good thing for legitimate card holders, could reduce fraudulent in-person use of stolen cards. What a mess. > 3D Secure is good enough. It will probably be mandatory for payment > processors sometime in the future. In the meantime, it just costs the > industry less to cover fraud losses. > > -- > S.C. -- -Barry Shein Software Tool & Die| b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
CVV (was: Re: bloomberg on supermicro: sky is falling)
On October 11, 2018 at 10:17 rob...@ripe.net (Robert Kisteleki) wrote: > (this is probably OT now...) > > > I'm pretty sure the "entire point" of inventing CVV was to prove you > > physically have the card. > > Except that it doesn't serve that purpose. Anyone who ever had your card > in their hands (e.g. waiters) can just write that down and use it later > hence defeating the purpose of "physically having the card". (Call me > paranoid but I usually use a black pen to make the numbers undreadable > because of this, after my card (both sides) has been photocopied a > number of times...) What you're saying is they don't work as well as you might hope, not that they don't serve that purpose. If you snatched 5M credit cards numbers and expiraton dates but, as required by contract, there were no CVVs in that db how well would that work with sites which require a CVV for a transaction? Not well at all. So there's a purpose. Also, traditionally one's signature is on the back right next to that CVV for a merchant to compare against which leaves forgery a mere exercise in, well, forgery, since the example one has to reasonably match is right there. Which doesn't mean signatures don't work, it's just not much protection against anyone who can reasonably forge a signature. But many people can't or won't try, it discourages minor criminals like your boyfriend using your card surreptitously while you were sleeping. They're also some reasonable evidence that the transaction was done in person with the card in hand. I know some merchant contracts wouldn't allow forgiveness (who eats the fraud) for charges w/o a signature where their contract claims they only do in-person purchases which gets them a lower rate. There is a concern for merchant fraud also in all this, unfortunately that's very tempting. BUT IT'S ALL WORSE THAN THAT! When I had a book of checks stolen (and reported) several turned up used in major big box stores with information like driver's license number, date of birth, etc neatly written on them tho none of that info was mine. I doubt they went to the trouble of counterfeiting a driver's license, it's possible but this was small-time fraud. My suspicion was they were in cahoots with the cashier, simplest explanation, the cashier was a friend who probably got a cut. So anything in the presumed chain of events can often be suborned. > This has always been an amusing topic. At the end of the day it's a > financial risk management call from the banks -- as long as they lose > less money on the current system than the cost of fraud, things wiull > not change. Of course, they try to push those costs onto others as much > as possible, but that doesn't change the bottom line. I agree with this. Quite a few years ago I was interviewed by a start-up manufacturer of a big parallel "mini" to head their OS effort. Something which came out in the conversation, which went on for hours! (very pleasant tho), was that a major credit card company had pledged in writing to buy $150M of their machines on day one of ship if they could run a set of their anti-fraud algorithms quickly enough (their spec) to be able to reject transactions in real time. The company had done forensics and I think the estimate was if they could have run those algorithms they would have saved them some big number like $50K/hour in fraud. But they couldn't run them fast enough to allow for reasonable transaction times. And then ya sit around the bar thinking you know how this or that startup is funded or why...that would not have been one of my guesses! -- -Barry Shein Software Tool & Die| b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
Robert Kisteleki wrote: > (this is probably OT now...) > > > I'm pretty sure the "entire point" of inventing CVV was to prove you > > physically have the card. > > Except that it doesn't serve that purpose. Anyone who ever had your card > in their hands (e.g. waiters) can just write that down and use it later > hence defeating the purpose of "physically having the card". But waiters don't know your ZIP code which is the other thing needed for online verification (in the U.S.) 3D Secure is good enough. It will probably be mandatory for payment processors sometime in the future. In the meantime, it just costs the industry less to cover fraud losses. -- S.C.
CVV (was: Re: bloomberg on supermicro: sky is falling)
(this is probably OT now...) > I'm pretty sure the "entire point" of inventing CVV was to prove you > physically have the card. Except that it doesn't serve that purpose. Anyone who ever had your card in their hands (e.g. waiters) can just write that down and use it later hence defeating the purpose of "physically having the card". (Call me paranoid but I usually use a black pen to make the numbers undreadable because of this, after my card (both sides) has been photocopied a number of times...) This has always been an amusing topic. At the end of the day it's a financial risk management call from the banks -- as long as they lose less money on the current system than the cost of fraud, things wiull not change. Of course, they try to push those costs onto others as much as possible, but that doesn't change the bottom line. Robert