by glitchc 380 days ago
> There is no real protection on card readers (most use Linux with a small shitty password). The protection comes from the contracts and regulations between the shops and the banks.

I'm afraid that's not true. Merchant terminals have secure hardware embedded inside to store the bank and interchange keys. If those keys leaked, someone could spoof legitimate transactions.


> If those keys leaked, someone could spoof legitimate transactions.

You mean, whenever those keys leak. It's not that hard to do, see e.g. https://media.ccc.de/v/32c3-7368-shopshifting#t=2207

Yeah, it's definitely an arms race. Interestingly, technology in the States lags behind the rest of the world. Every other country has moved on to chip and PIN, 2FA, one-time tokens and asymmetric cryptography. Whereas in the US, one can still find 3DES signatures and unencrypted authorization codes usable for a time duration (read: multiple transactions).

It seems that the banks here are okay with a certain percentage of shrinkage as long as merchants don't have to upgrade and consumers are not inconvenienced. The banks prefer to eat the cost to maintain large fraud and dispute resolution departments. Whereas elsewhere in the world they're much smaller and mainly focused on correspondent banking. It's really interesting to see that the "customer is always right" policy has such a strong influence on the financial sector.
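As an added illustration of two points made in this thread (a reusable authorization code can be replayed across several transactions, while a per-transaction token cannot; and a leaked terminal key lets an attacker mint valid transactions), here is a deliberately simplified model written for this page. It is not code from any commenter, terminal vendor or card network, and it is not the EMV or any interchange message format: the HMAC construction, the `Terminal`/`Issuer` classes, the terminal id `T001` and the card number are all constructed for the example. The terminal's key is held in a plain Python attribute, standing in for the key a real terminal keeps in secure hardware.

```python
"""Constructed example: reusable authorization code vs counter-bound cryptogram.

Simplified model for illustration only; not the EMV or any payment
network's real message format or key hierarchy.
"""
import hashlib
import hmac
import os


def _mac(key: bytes, msg: bytes) -> bytes:
    """Truncated HMAC-SHA256 standing in for whatever MAC the real scheme uses."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Terminal:
    """Merchant terminal. `_key` models the key kept in its secure hardware."""

    def __init__(self, terminal_id: str, key: bytes) -> None:
        self.terminal_id = terminal_id
        self._key = key
        self.counter = 0  # monotonically increasing transaction counter

    def static_auth(self, pan: str) -> bytes:
        # One code per card/terminal for a whole time window: nothing ties it
        # to a single amount or transaction, so a captured code is reusable.
        return _mac(self._key, f"{self.terminal_id}|{pan}".encode())

    def per_txn_cryptogram(self, pan: str, amount_cents: int) -> tuple[int, bytes]:
        # The MAC covers the amount and a fresh counter, so it is good once.
        self.counter += 1
        msg = f"{self.terminal_id}|{pan}|{amount_cents}|{self.counter}".encode()
        return self.counter, _mac(self._key, msg)


class Issuer:
    """Issuer/acquirer side: knows each terminal's key, remembers last counter."""

    def __init__(self, terminal_keys: dict[str, bytes]) -> None:
        self._keys = dict(terminal_keys)
        self._last_counter: dict[str, int] = {}

    def verify_static(self, terminal_id: str, pan: str, code: bytes) -> str:
        key = self._keys.get(terminal_id)
        if key is None:
            return "unknown terminal"
        expected = _mac(key, f"{terminal_id}|{pan}".encode())
        # No state is kept, so the same code is accepted every time it is seen.
        return "approved" if hmac.compare_digest(expected, code) else "bad code"

    def verify_per_txn(self, terminal_id: str, pan: str, amount_cents: int,
                       counter: int, cryptogram: bytes) -> str:
        key = self._keys.get(terminal_id)
        if key is None:
            return "unknown terminal"
        msg = f"{terminal_id}|{pan}|{amount_cents}|{counter}".encode()
        if not hmac.compare_digest(_mac(key, msg), cryptogram):
            return "bad cryptogram"  # amount or counter changed, or wrong key
        if counter <= self._last_counter.get(terminal_id, 0):
            return "replay"  # valid MAC, but this counter was already consumed
        self._last_counter[terminal_id] = counter
        return "approved"


def demo() -> tuple:
    """Run the three scenarios and return the issuer's verdicts."""
    key = os.urandom(16)  # modeled terminal key; real one lives in secure hardware
    term = Terminal("T001", key)
    issuer = Issuer({"T001": key})
    pan, amount = "4111111111111111", 1999  # constructed test card number

    # 1. Reusable authorization code: captured once, approved again and again.
    code = term.static_auth(pan)
    static_results = [issuer.verify_static("T001", pan, code) for _ in range(2)]

    # 2. Counter-bound cryptogram: approved once, rejected on replay or tampering.
    ctr, cg = term.per_txn_cryptogram(pan, amount)
    first = issuer.verify_per_txn("T001", pan, amount, ctr, cg)
    replay = issuer.verify_per_txn("T001", pan, amount, ctr, cg)
    tampered = issuer.verify_per_txn("T001", pan, amount + 1, ctr + 1, cg)

    # 3. Leaked terminal key: an attacker's clone is indistinguishable from
    #    the real terminal, which is why the key must never leave the hardware.
    clone = Terminal("T001", key)
    clone.counter = term.counter  # skip past the issuer's last seen counter
    ctr2, cg2 = clone.per_txn_cryptogram(pan, 50000)
    forged = issuer.verify_per_txn("T001", pan, 50000, ctr2, cg2)

    return static_results, first, replay, tampered, forged


if __name__ == "__main__":
    print(demo())
```

The point of the third scenario is the one made above: the counter stops replay of a captured cryptogram, but it does nothing against someone who holds the terminal key, since they can simply pick a counter the issuer has not seen yet. Replay protection and key protection are separate problems.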