€1.5bn swiped from EU cards: Fraud mainly takes place in the US
Euro cops: We've got chip-and-PIN, but they don't...
Most of the credit and debit card fraud in Europe can be pinpointed to criminal transactions in the US, a police report has said.
EU police service Europol said that the European Union had invested heavily in the 3-D secure protocol, offered by Visa as Verified by Visa and by MasterCard as Mastercard SecureCode, as well as on the transition to chip-and-PIN, but these security measures weren't being used worldwide.
Chip-and-PIN (Europay, MasterCard and Visa) has been key to getting rid of domestic card fraud, although organised crime gangs were still pulling in €1.5bn a year from ripping off Europeans, cops said.
Criminals are able to target chip-enabled cards when they're used in cash machines and payment machines in the US, Dominican Republic, Colombia, Russian Federation, Brazil and Mexico.
"The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant," Europol said in its report. "Specific discussions on that are currently ongoing, however it is difficult to predict if, and when, the final stage of compliance might be reached."
With the extra security of PIN numbers for physical transactions, most payment card thievery now happens online, Europol said. Around 60 per cent of fraud losses in 2011 happened in transactions where the card wasn't seen, such as online or over the phone payments.
Credit card and bank account information traded online is used to create cloned cards, which can then be used to buy goods online. ®
Of course, the change in terms and conditions to make it the customers problem if the right PIN code is entered, hasn't biased the figures at all? I imagine there's still a substantial amount of fraud going on, it's just that the PIN is used and therefore it isn't counted. That doesn't mean it wasn't fraudulent. Peoples PINs are easy to get just by watching most people at tills etc. The number that cover the terminal or obscure vision is very small. I've heard of plenty of cases where a suitably placed camera can be used to get them on-masse.
The good news is that the chip can't be quickly or easily cloned so the PIN is only useful with the card OR the data from the magstripe.
The bad news is shoulder surfing the PIN is the least of your worries. How do you verify the machine you are typing your PIN into is A) genuine and B) hasn't been tampered with to record the PIN.
As far as I can tell there is no mechanism apart from whether you trust the shop and the staff member serving you. There aren't any holographic stickers or any proper security features like the device displaying a secret from you chip to you before you enter the PIN.
Verified by VISA is horrible
An online retailer redirects you to a third party donain unrelated to your card provider which asks you for personal details and asks you to set a password. Then liability for fraud is shifted to the customer.
Even if it is actually secure the user education message of the process is horrific.
Chip and Pin is kind of OK but never enter you PIN if the card has been out of your sight OR swiped rather than just the chip being inserted.