Magnetic stripes seem to only still be popular in the US. It always blows my mind just how insecure card payments are there. For small payments, like several dollars, they'll swipe your card in a reader attached to the POS system and that's it. No PIN code, no nothing, you just get an SMS that your card was charged several seconds later. For larger payments they'll rely on entirely human-based confirmation methods like "sign the receipt" or "show your ID". I didn't even know this was a thing before I visited the US.

In Russia, where I'm from, I haven't swiped my card for at least a decade. Lately many places also started getting those square Android-based Sberbank terminals that don't even have the magstripe reader, only NFC and chip. Granted, our banking system has been effectively disconnected from most of the world since 2022, but I would be surprised if these aren't designed to accommodate MasterCard and Visa requirements for when they return. And skimmers are simply not a thing here any more. People get scammed through social engineering instead.

I also remember reading that magstripe transactions cost merchants more or something like that, precisely because they carry more risk because they only need static, easily copyable data.

Anyway, the point I'm making is that the threat model changes, and becomes much simpler at that, when transactions can't be made with static data. Because no matter what the scammer captures, even if that's the PIN and the complete data exchange with the card through NFC or the chip reader, they can't use that to make transactions. Obtaining the number, the expiration date, and the CVC is also unlikely to allow them to make online transactions because those need a second factor now. Except on Amazon. Amazon somehow manages to charge my card with just the number and the date, no CVC needed, and no 2FA code either.