by adrianmonk 1070 days ago
Could payment terminals be made with built-in physical countermeasures for detection? Ideas:

(1) Terminal has a scale built into its feet/mount. It periodically weighs itself, and if (ignoring fluctuations) it weighs too much, it shuts down. It's hard to build a skimmer that weighs 0 grams.

(2) Proximity sensors in key locations on the housing. My smartphone can disable its touchscreen when I hold it against my face, so a payment terminal should be able to detect when something is covering a part that isn't supposed to be covered.

(3) Light sensors. Put some in areas skimmers need to cover (near the card slot) and others where skimmers probably can't cover (the display), and detect whether they get roughly the same amount of light.

(4) Microphones. Same idea as light sensors but with sound.
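As an added example (not part of the post, and not any terminal vendor's firmware), here is how the self-weighing and paired-light-sensor ideas from the list above could be combined into one tamper check, with a debounce so that a single noisy reading does not trip it. Every threshold, sensor unit and reading below is a constructed assumption chosen for illustration.

```python
"""Added example: sensor-based tamper detection for a payment terminal.

Combines two of the ideas from the post above:
  - the terminal weighs itself and alarms if it is heavier than its baseline
  - a light sensor by the card slot is compared with one on the display bezel,
    and a shadowed slot sensor suggests something is covering the slot
A short debounce (N consecutive anomalous samples) absorbs momentary
fluctuations such as a hand resting on the housing.
All numbers here are constructed assumptions, not figures from real hardware.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Sample:
    weight_g: float        # reading from the scale built into the mount (grams)
    light_slot: float      # light sensor next to the card slot (arbitrary units)
    light_display: float   # light sensor on the display bezel (same units)


class TamperMonitor:
    def __init__(self, baseline_weight_g: float, weight_tolerance_g: float = 15.0,
                 light_ratio_min: float = 0.5, min_light: float = 5.0,
                 required_hits: int = 3) -> None:
        self.baseline_weight_g = baseline_weight_g
        self.weight_tolerance_g = weight_tolerance_g   # assumed scale noise band
        self.light_ratio_min = light_ratio_min         # slot must see >= this fraction of display light
        self.min_light = min_light                     # below this the store is dark; ratio is uninformative
        self.required_hits = required_hits             # consecutive anomalous samples before alarm
        self._history: deque = deque(maxlen=required_hits)

    def check_weight(self, s: Sample) -> bool:
        """True if the terminal weighs more than baseline plus tolerance."""
        return s.weight_g - self.baseline_weight_g > self.weight_tolerance_g

    def check_light(self, s: Sample) -> bool:
        """True if the slot sensor is shadowed relative to the display sensor."""
        if s.light_display < self.min_light:
            return False   # ambient light is too low everywhere to compare
        return s.light_slot / s.light_display < self.light_ratio_min

    def evaluate(self, s: Sample) -> bool:
        """Feed one periodic sample; return True when the alarm should fire."""
        anomalous = self.check_weight(s) or self.check_light(s)
        self._history.append(anomalous)
        return len(self._history) == self.required_hits and all(self._history)


def first_alarm_index(monitor: TamperMonitor, samples: Iterable[Sample]) -> Optional[int]:
    """Return the index of the first sample that fires the alarm, or None."""
    for i, s in enumerate(samples):
        if monitor.evaluate(s):
            return i
    return None


# Constructed sample runs (not real measurements): baseline terminal is 1200 g.
NORMAL = [Sample(1200 + (i % 2), 80, 100) for i in range(6)]
SPIKE = [Sample(1200, 80, 100), Sample(1260, 80, 100),
         Sample(1201, 80, 100), Sample(1200, 80, 100)]          # one-off bump, e.g. a hand
OVERLAY = [Sample(1200, 80, 100), Sample(1245, 80, 100),
           Sample(1246, 80, 100), Sample(1244, 80, 100)]        # sustained extra mass
SHADOWED = [Sample(1200, 20, 100)] * 3                           # slot sensor covered
DARK = [Sample(1200, 1, 2)] * 5                                  # lights off, nothing to compare


def demo() -> dict:
    """Run each constructed sequence through a fresh monitor."""
    return {name: first_alarm_index(TamperMonitor(1200.0), seq)
            for name, seq in [("normal", NORMAL), ("spike", SPIKE),
                              ("overlay", OVERLAY), ("shadowed", SHADOWED), ("dark", DARK)]}


if __name__ == "__main__":
    for name, idx in demo().items():
        print(f"{name:9s} -> {'alarm at sample ' + str(idx) if idx is not None else 'no alarm'}")
```

The debounce is what keeps the false-positive rate tolerable: a single heavy reading or a customer's hand over the slot is ignored, while an overlay that stays put trips the alarm after three consecutive samples.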

3 comments

Skimming is pretty much a solved problem in Europe already. We got rid of the mag stripe, so trivially cloning a card is no longer possible. Furthermore we don't allow offline transactions, so a skimmer must somehow get in between the connection from the terminal to the card and execute a separate transaction right before or after the genuine one.

It is still not 100% impossible, but the "overlay" type of skimmer this protects against has been eliminated for a few years now.

You are correct, but I think all these measures are in place because liability is placed on financial institutions rather than individual victims. The owners of the payment infrastructure are correctly motivated to holistically solve the problem, unlike in the US where the person with the least power and control is burdened with having to contend with "identity theft" and losing money by default to make up for the fraud.

This is plainly untrue. The US has an absurdly consumer friendly legal environment; you simply say you didn't do the transaction and your money is immediately refunded; it is up to the payment infra to eat the losses.

The reason mag stripe and associated technologies stuck around is precisely because US banks were good enough at real-time fraud detection that the cost of fraud was << the cost of replacing every card and strongarming every merchant into buying new payment terminals. Eventually they relented since the US became the place to cash out non-US cards.

And identity theft is absolutely a thing in Europe. As a random example, here is Sweden: https://globalinitiative.net/analysis/21752-2/

> The US has an absurdly consumer friendly legal environment; you simply say you didn’t do the transaction and your money is immediately refunded;

US consumer laws don't hold a candle to European ones - it's not even close.

Have you ever gone through this process yourself, or are you stating the idealized version of what should happen? I'd like to hear the bank you were dealing with, because mine tried to give me the run around ("It's not fraudulent because your PIN was used"), and I had to fight them over many calls to get a "temporary refund" by threatening to involve a state ombudsman. Later on, I got a letter in the mail that said the investigation was complete, and the refund was now permanent, only to have the refund yanked again months later.

Caping for American banks in this day and age is weird. They are mostly terrible and would rather have their clients take the financial hit before they do, even if they have to lie or frustrate you with long holds & multiple calls unless you show them you mean business.

Most Americans use credit cards rather than debit cards for their regular spending, and the additional protections of a credit card are a big reason why. They're treated differently under American law.

The idea is that if someone steals your debit card and buys a bunch of stuff, they've stolen your money, but if someone steals your credit card and buys a bunch of stuff, they've stolen the bank's money, and the bank is on the hook for it - not you.

IIRC with debit card fraud you've got like 60 days and the bank can put some of the burden of proof on you, but for a credit card you can literally just say "I didn't buy that" 5 months later and the bank basically has to give you your money back. If you abuse this, the worst thing that can happen is the bank closes your card and cancels their relationship with you, but you won't be on the hook for the spending itself. Because of this additional liability, U.S. banks got really good at early detection of fraud and irregular spending, and Americans don't really give a huge shit about keeping their credit cards safe because there aren't really any major consequences.

> Most Americans use credit cards rather than debit cards for their regular spending, and the additional protections of a credit card are a big reason why.

Which was my point exactly: European debit card users are more protected than American debit card users when their money is on the line.

Yes for credit transactions and yes for pinless debit, and it was as simple as a phone call. In the credit instance they called me and pre-emptively issued a new card.

I am sorry you had such a terrible experience, but mine has been completely different.

US banking regs are actually more consumer friendly than Europe, and I have sources. Security Engineering 2nd ed, chap 10 section 10.4.3: https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c10.pdf

Of course they can be made that way. The countermeasure built into gambling equipment like slot machines is incredible.

But then it would cost more than their competitors. With much more maintenance for false positives, etc. And the vendor doesn't really pay the price for skimmer fraud..

So the reason that gas stations, in the LA area at least, have different prices for cash and card (typically ~$0.25/gal more for card) is not because of additional risk for the gas station, but just classic US exorbitant fees?

The price difference is a way to pass along credit card fees that otherwise would have to be paid by the station operator. It used to be against the credit card networks' merchant agreements to have separate cash and credit prices, but a good number of LA gas stations rolled the dice and did it anyway. That rule changed a few years ago, and now most stations split their pricing. (I believe that's also why ARCO gas now takes credit cards, after holding out for decades; they are now allowed to pass along the cost to the customer.)

If someone comes up with an anti-skimmer terminal the payment processors would benefit from having a lower transaction fee for transactions posted from such a terminal. That would in time push the market to use such terminals.

Alternatively they could just remove the slot and require self-pay terminals to be contactless. It really makes no sense to me why merchants don't already do this proactively; they are well incentivized:

1) Contactless merchant fees are lower than dip or swipe
2) Payment terminals are cheaper
3) Less fraud/shrink

This hunk of plastic from Target is a solution looking for a problem.

They’re not looking for a problem. The problem exists.

“Just use contactless” doesn’t work in the US.

Just yesterday a friend was commenting that he got a new credit card (old card expired) and the new one still doesn’t have contactless. Seems his bank decided it wasn’t worth it.

But that’s not all. Target gift cards don’t have contactless. Don’t think Visa/MC/AmEx gift cards do either. I bet EBT cards don’t, I think a rule requiring them to have chips was just passed.

I know other countries are ahead of us, and that major banks have been issuing chip cards for a while. But there are still a lot of people that leaves out.

And target wants to sell to them.

Walmart still refuses to go contactless because they went in on the QR code in the app. Annoying.

That's because Walmart is using Walmart Pay as a vehicle to track you and your shopping purchases. They can't track your habits the same way with just a card.

Kroger finally gave up on Kroger Pay if only because they realized customers were still entering their alternate ID/phone number during checkout so they could still link your data together.

The funny part is Walmart in Canada fully allows contactless… almost as if they don’t care they aren’t getting that customer data up there.

>The funny part is Walmart in Canada fully allows contactless… almost as if they don’t care they aren’t getting that customer data up there.

No it's because our banking system is dramatically different in Canada and the expectations of the average shopper and the POS options available to them here are all working to force that issue.

Canada had chip and pin and contactless LONG LONG before the US did - and it's easier for us to make these pivots and changes due to fewer banks and pre-defined co-operation agreements.

I remember Home Depot had contactless off for a long time and I think Target too?

None of them wanted Apple Pay/Google Pay/Samsung Pay to succeed. They wanted their own thing to get out from having to pay credit card fees.

Weren't they all members of that ridiculous CurrentC project that completely flopped?

They still track it a fair bit. For example: put a card in the Walmart app and after a bit of time all your past purchases will show up in your history.

I was unpleasantly surprised by that last week, where I had left my wallet in the car (an unusual event) and couldn't pay by tapping my phone.

I was suggesting "Just use contactless" for customer accessible payment terminals. Want to use something less secure and more likely to result in fraud? You can hand your card to the cashier or walk inside instead of paying at the pump, just like you do with any non-card payment already.

The EBT, gift card, and lazy small banks would get their act together pretty damn quick, I'd wager.

“Sorry. I know you’re on assistance because you can’t afford food, but for your security we’re not going to let you buy food with your government benefits as you may become a scam victim.

Come back when your state government decides to pay to re-issue every card with better technology.”

That’s cruel. The move to EMV was only recently mandated for EBT (if I remember correctly and it was done at all) because so many people were having their benefits stolen by mag stripe skimmers.

You can’t use a stick against powerless people to affect change. It just makes them suffer.

Even if Target did mandate contactless, the stock would plummet on news of all the lost sales and the CEO would be out. The new one would reverse it immediately.

Where did I suggest this? The customer payment terminal is not the register. Both have card readers; one is fantastically less likely to be tampered with than the other. There is absolutely nothing wrong with putting your cashier in between the customer and a potentially fraudulent payment. What happens when that person gets their EBT account drained by a criminal because of a skimmer? I'm not trying to marginalize anyone; get real.

> This hunk of plastic from Target is a solution looking for a problem

When you're dealing with tens of thousands of terminals that you want to check on a regular basis across thousands of stores, having a device that verifies things quickly is a solution to a real problem.

Ironically, contactless has been the source of new types of skimmer attacks. A skimmer could just add an NFC coil and wouldn't even need to physically touch the card anymore.

Yes, by all means, let's use the threat of a possible attack on EMV to continue to prop up the magstripe and completely disregard that pretty much all of the successful attacks against chip or contactless involve legacy magstripe emulation. If it's good enough for Granddad, it's good enough for me!

Welcome to the Internet. If your comment doesn't propose something that is mathematically proven to be perfect under all circumstances and for all people, past, present, future and hypothetical, then it's junk and you're an idiot for mentioning it.