by cplease 3646 days ago
How are the EMV chip + signature cards in USA being far, far more secure?

User can just swipe and sign a stolen card same as always. Most retailers are still either incapable of using them or very forgiving as to signatures.

Card can be duplicated with the strip and without the chip, then used as a regular legacy card (until those become uncommon).

Finally, they can just steal the chip + signature card, use the chip and they can still sign the slip and use it same as ever.

4 comments

The key here is chip + signature, which has been removed in countries that have advanced their payment processing. Here in Australia you actually haven't been able to sign for a transaction for the past 2-ish years.

True, but the story is about glitches with Citigroup USA. pokstad is referring to Costco Citi cards in the USA. Some USA issuers will allow you to SET a pin on chipcards (rarely by default), but they are not REQUIRED at the POS by any retailers in the USA. None will, because that's not the industry agreement standard and would lock out the majority of consumers. The adoption has been a giant clusterfuck. Most retailers are still taking stripe only. It's the weakest link. Until retailers stop accepting stripes and chip + signature, there's no need to steal the PIN.

Hell, it's 2016 and I'm still encountering retailers who end up having to key in the card, or in a couple of cases still do offline processing with manual carbon-slip imprints.

Our shitty American cards affect the rest of the world too. Traveling to Europe over the past decade+ until 2015 I apologize for my unexpectedly chipless card everywhere I went (never had much trouble using it though); same with Canada up to present. They all have chip+PIN, but our cards go through without and spit out a receipt with a signature line.

Yeah chip + signature is not that much of an improvement, to the point where I'm not sure why they even bothered to support it. Even the FBI recommended stores to switch to supporting chip+PIN.

https://www.fbi.gov/sandiego/press-releases/2015/fbi-warns-t...

I don't understand how having to sign when you make a credit card purchase is in any way secure. Most of the touch-screen/stylus setups are so bad that you can just barely get a scribble that vaguely looks like a signature.

It's not really supposed to be secure against fraud by card thieves. It's supposed to deter actual cardholders from falsely repudiating their own purchases. If you chargeback a purchase as unauthorized, the retailer should be able to produce the slip with your signature on it. Then you can be asked under oath or penalty of prosecution, whether or not it is your signature. It also provides protection against errors. If you are erroneously charged multiple times for one transaction, the retailer will only be able to produce a single signed slip. If you actually make multiple purchases in the same amount in a row, there would be multiple, signed slips with different timestamps and distinguishably different signatures.

There's a fiction that the retailer should compare the signature on the card to the slip, reinforced by a few large retailers with policies of checking that the card is in fact signed, but this obviously doesn't happen.

> Card can be duplicated with the strip and without the chip, then used as a regular legacy card (until those become uncommon).

I don't think so. The card reader would demand that the chip be used. If there's no chip, the cashier should then call the police, as that's evidence of fraud.

If there's no chip, do you really think a cashier would call the police? The cashier would assume the reader is broken, stick the card (without a chip) in the chip reader 3 times to force a swipe and apologise for a "broken reader"

True enough, but most of my chip cards will not work with the mag strip if the card reader supports chip. If I slide the card, I get a message on the POS screen telling me to use the chip.

The guy who steals my mag stripe has to find a store without chip readers to make use of the stripe.

> The guy who steals my mag stripe has to find a store without chip readers to make use of the stripe.

Like 90% of stores in USA today? Oh the pain. And what is likely to happen after the clerk apologizes for the reader being broken is that he keys in the card number manually. What, manual entry is going to be blocked too? Good luck with that. As long as lost sales to nonworking transactions >>> fraud, it's happening.

Edit, source, Krebs: http://krebsonsecurity.com/2016/02/the-great-emv-fake-out-no...

In February, Visa claims all of 17% of retailers have chip-capable terminals. My experience is that only a small fraction of chip-capable terminals are actually integrated with a POS system that enables them. Leading to the ridiculous situation of consumers facing 83% of retail locations with no chip reader, having to swipe, most of the rest having a useless chip slot and icon, and some small percentage <10% of locations actually having a working, functional chip slot (visually indistinguishable from nonfunctional ones). Even where they do work, usability is poor. Beeps, lights, multitudinous prompts or even spoken instructions, and processing times in excess of five seconds or more where the stripes are just swipe and sign a second or two later.

On one of my old cards, the chip broke (physically). On every single reader I used, putting the side without a chip in the reader 3 times would allow me to swipe.

With how slow this roll out is, I fear the thief won't be able to find any stores accepting a chip, even if they tried.

The indicator that tells the machine that "This card is a chip card" is a single bit on the mag stripe. Turn that bit off when cloning the card and the machine never knows it should have asked for a chip.

Hmm, I'd assumed it was known by the card's first few numbers, or similar, but you're correct.

I've had chip cards since 2004, and their use here is universal. To swipe without raising suspicion requires an American accent. It's no problem in McDonald's, but any expensive purchase will either be denied by the clerk, require the manager's approval, or a phone call to the card processor. Criminals simply don't do it any more -- it's far easier to send stolen numbers to the USA, or make purchases online.