by FractalParadigm 1870 days ago
Hell even here in Canada we have the Interac system, which from what little I know of the US banking system, is consistently 10+ years ahead of the game. I've had "Chip & PIN" on my cards since at least 2008, and distinctly remember getting my first "tap" card in ~2011 or so. I genuinely couldn't tell you the last time I inserted my card into a machine because anything under $100 (>99% of my in-store purchases) can be tapped for, and >99% of businesses support tap (looking at you, Walmart and Pilot/Flying J. Get with the times!). From what I understand tap is still barely on the docket at a lot of the US banks.

The big kicker for me is Interac e-Transfers, where you simply log into your banking and can email (or text) money to anyone in the country - they click the link in the email/SMS they receive, log into their bank account, and choose where the money is deposited. We've had this system in place since at least 2014? Hell I pay my rent and buy weed just by sending e-transfers, they're treated the same as cash and happen instantly. It reminds me of something that happened recently, I stumbled into a conversation with some of my American friends trying to figure out how the one person was going to pay the other >1000 miles apart; it was absolute lunacy listening to them decide between PayPal, Cash App, Venmo, etc., trying to figure out who had the lowest fees for both parties, factoring in the time it takes for the transaction to happen and transferring to/from their bank account if necessary. It's insane to me how the banking system underlying the world's largest economy is so far behind the times.

5 comments

I think you're painting a rosy picture of the Interac system.

It's not instant. Transfers can be delayed for hours in some cases.

It has ridiculously low limits that cannot be raised.

Until recently it had a cumbersome question and answer system with strange character limits for each.

Virtually no businesses use it. You can buy weed (illegally) using it because they can't use credit card processing.

A revamp to the Interac system is in the works which looks similar to the UK faster payments. A frankly much better system.

https://www.theglobeandmail.com/business/article-interac-cho...

Interac E-Transfers are great, except that I wish they didn't train people to click a link from their email and type in their bank password. Sure, it redirects to a login page on your own bank's web site, but how does a non-technical user know it's not a phishing lookalike?

Really, the existing autodeposit feature would be perfect if it let you log in to your online banking and confirm pending transactions before autodepositing them. For that matter it would be nice if the email gave me a string I could paste into my online banking to get to the existing confirmation page.

It's all much better than having to link your bank account to some third party or give away your credentials though.

I suggested to a big bank back in 2011 that they should have an iPhone app that sends a push notification to alert me to debit or point-of-sale transactions so I could approve them as they happened, and they only recently did so. But in their defense, security can be cumbersome and hardware-integrated tokens like Apple Pay are just as good and simpler to explain, assuming we can get rid of legacy plastic at some date in the future.

Similarly, we won't be able to get rid of email but if clicking a link in an email opened an app instead of a webpage, it would be a lot harder for phishing websites to pretend to be my bank. (Assuming I'm expecting a mobile app, of course. A second line of defense is that my password manager might not prompt me to fill in the password because the URL doesn't match. But even that's not foolproof.) Even better would be if Interac E-Transfer itself was an app I could sign up for, then it could send me a push notification and I could skip my inbox entirely for these sort of transactions.

Of course, the only reason I trust apps more than websites is that I went to download them previously, rather than clicking a link that just showed up in my inbox. To that end, Gmail and other email providers have immense power if they created a design which could highlight emails from senders I've seen before as "trusted" and those from unknown senders as unknown.

Things get more gray-area though when the system itself fails: You can request money from anyone using Interac E-Transfers, and that means spammers could hijack a bank account and request money from friends and relatives you've recently sent e-transfers to, for example. Those emails would then appear as "trusted" and there's not much you can do to stop that, it's the cost of making money transfer "easy".

Yeah, the technical security in all these systems is a bit half-hearted†. However, in my opinion the key is to legislate that the banks (who built or in some cases purchased said half-hearted system) eat the cost of that. Maybe they're comfortable with say $10Mpa of fraud in the system, if they really can't build a safer one for less than $10M you can see they'd have a point.

The problem comes when banks are able to argue that their half-hearted security means they aren't liable to pay for the consequences. Consumers need protecting against that.

† In the UK we have a lot of 3-D Secure, developed by Arcot. But of course the average consumer has no idea who "Arcot" are, and so no reason why they should distinguish an arcot.com site (legitimate, you're supposed to give them credentials if necessary to authenticate you) versus say badguy.example (a hypothetical phishing fraud). Both of them can show you branded imagery from your bank, both have a padlock, both claim they're keeping you safe. How should an ordinary person know?

I was under the impression that chip and pin is more common in the UK and Canada because fraud is more of an issue, so the cost benefit works out in favor of it.

Even now you never have to pin in the US.

I think it's more common in Europe because the first industrial producer of chip cards was created in France (Gemplus, now Gemalto). In France, payment cards are "dual network": any card is either Visa OR Mastercard AND also "CB". "CB" is a payment network managed by the "GIE Carte Bancaire" owned by all French banks.

CB dealt with Gemplus to add chip to all new cards emitted since 1992 so we had them for a long time. I don't know how it spread over Europe, but as we had the industrial capacity to provide chip cards to everyone and a free market, I think it was easy to sell that to lots of European banks. CHIP+PIN is a really great deal for banks: it's cheap and the responsibility of all payments made with the PIN is on the card owner and are really hard (or impossible) to dispute.

In the US, interchange fees are an order of magnitude more than in the EU, where they are capped. So there is a lot more fraud the system can silently swallow before anyone has to consider upsetting customers and vendors with PINs.

I thought it was the US that was still considered a hotbed for card fraud.

I've been to stores in the US where they just swipe your magstrip and hand you back the card. No signature, no pin, they don't even look at it, so you can basically clone cards like it's still 1985.

This is consistent with how my UK bank treats any transaction occurring in the US: usually it's an instant card block and a polite phone call from them to check that it was actually me.

That just sounds like basic geo-fencing. I'm sure the opposite applies too.

Sounds like the other response about transaction fees is on the right track.

In the UK it's most likely because of EU regulations. I've never had anything but chip and pin in the EU, got my first card ~2006.

Chip and PIN was rolled out in the UK in late 2003.

Interac e-transfers seem fraught with scams and fraud. There were a few Reddit threads on how to protect transfers from being intercepted.

Walmart added tap during the pandemic, as people did not want to touch the console to enter their pin. It's a welcome change.