Good timing given that 1st of October is the EMV liability switchover for chip cards in the US. It's not going to help anything in terms of fraud but it's going to screw over retailers hard as their employees adapt to the new systems. Hopefully the PIN pads have safeguards in place but this is an industry where UX involves "how many ads and other shit for the customer can we cram on the screen at once ?"
posted by Talez at 7:17 AM on September 16, 2015 [1 favorite]

"You can get life for two kilos of cocaine, but if you’re going to get some bank fraud, OK, you’re going to get 18 months," he says.

[default comment on class basis of legal system]

It's also interesting that it was the FBI who arrested him, not the Belorussian KGB. All that the KGB cared about was his youthful protests against the government.
posted by clawsoon at 7:29 AM on September 16, 2015 [3 favorites]

Good timing given that 1st of October is the EMV liability switchover for chip cards in the US. It's not going to help anything in terms of fraud but it's going to screw over retailers hard as their employees adapt to the new systems. Hopefully the PIN pads have safeguards in place but this is an industry where UX involves "how many ads and other shit for the customer can we cram on the screen at once ?"

Why won't it help in terms of fraud? It looks like this guy got card numbers from online transactions. Does Europe have problems with point-of-sale credit card skimming (it's a huge problem in the US).
posted by vogon_poet at 7:46 AM on September 16, 2015

Why won't it help in terms of fraud? It looks like this guy got card numbers from online transactions. Does Europe have problems with point-of-sale credit card skimming (it's a huge problem in the US).

Because the chip cards just dump track 2 on the reader on demand. Compromise the pad (it conveniently has an IP connection now too! You don't even have to go back to the store to collect your fradulent details!) and you have a reliable source of card data and PINs. Make a magstripe card with the track 2 data, take to ATM, withdraw cash.

Chip-and-whatever assumes the pin pad isn't hostile. Anyone with an ounce of sense knows this isn't the case.
posted by Talez at 7:49 AM on September 16, 2015 [2 favorites]

Well, frankly it sounds like he got paid well, got a US residency and only paid back $200. Quite the deal for a moderately articulate Belorussian.
posted by jaduncan at 7:50 AM on September 16, 2015

One important ramification of the new chip cards is that after October 1st 2015, the liability for credit card fraud falls on "the entity using the lesser technology".
posted by splitpeasoup at 8:02 AM on September 16, 2015

If he didn’t know the answer to a security question, or an agent got suspicious, he had a strategy: feign impatience or frustration. American financial institutions focus on customer service at the expense of security, Naskovets says.

And here we think our problem is insecure data. It's always the human factor that's the weakest link.
posted by prepmonkey at 8:10 AM on September 16, 2015 [2 favorites]

Apparently, fraud is shifting to Card Not Present transactions.
posted by NoxAeternum at 8:12 AM on September 16, 2015

American financial institutions focus on customer service at the expense of security

They focus on something at the expense of security, but not customer service.
posted by Melismata at 8:18 AM on September 16, 2015 [2 favorites]

Because the chip cards just dump track 2 on the reader on demand.

Wait what? I was under the impression it was a public key thing, with an embedded computer in the card doing the signing. You're seriously telling me it will give out the exact same information, except on a chip instead of a magstripe? (I don't really understand the details of these systems and am now curious/horrified.)
posted by vogon_poet at 8:21 AM on September 16, 2015 [1 favorite]

If the vast majority of Card Not Present transactions are online transactions, it seems like systems like ApplePay/GoogleWallet may help close that gap. Basically, if EMV is just a way to generate one-time charge codes from a physical credit card and send them to the bank, then there's no reason you can't just enter your credit card info into an app locally that basically does the same thing.
posted by delicious-luncheon at 8:27 AM on September 16, 2015

This is a prime example of the motto, "The devil finds work for idle hands."

Here's a bright, energetic guy who can't find anything to make ends meet so he turns to crime - and not just crime, but "abstract" crime where he has no way even to find out what damages he causes (and probably, most of the damage hits the credit card companies and ends up costing each customer a dollar a year). Would I have done any different in his shoes?

Note how the government defined him as a criminal simply for his free speech activities, robbing him of his ability to earn a living, and then he turned around and became an actual criminal. (Or so he claims, but he seems pretty convincing...)

Broken justice systems and bad laws breed contempt for all law. The first time a friend of mine smoked pot (which coincidentally was the day Jimi Hendrix died) he suddenly realized, "A policeman is no longer my friend."
posted by lupus_yonderboy at 8:39 AM on September 16, 2015 [6 favorites]

The police were never your friend.
posted by sexyrobot at 8:45 AM on September 16, 2015 [4 favorites]

(Or so he claims, but he seems pretty convincing...)

I'm not saying you're necessarily wrong, but con men make it their business to be pretty convincing.
posted by Steely-eyed Missile Man at 8:58 AM on September 16, 2015 [5 favorites]

Yeah, once someone has been convicted of a crime like this, nothing they say should ever be taken at face value. Everything this guy said about being persecuted by the government could easily have been made up out of whole cloth.
posted by Mitrovarr at 9:17 AM on September 16, 2015 [1 favorite]

Which goes some way to explaining why former USSR countries and other places where the concept of “rule of law” never was particularly robust tend to produce innovative criminals.

Going by reports such as this, and much of Brian Krebs' blog, it seems that Russian has become the lingua franca of cybercrime, with most of the underground web forums/exploit markets being in Russian rather than English. I wonder whether this has led to any aspiring cybercrooks not from the USSR teaching themselves Russian to advance their careers, or in future, if the police trace a hack/scam to a broad geographical area, if they'll subpoena Duolingo for all the Russian learners in that area.
posted by acb at 9:21 AM on September 16, 2015 [1 favorite]

Talez: I don't know exactly how the US is implementing c&p but I work for an FI in Canada and my wife works in fraud tracing for an FI here as well, the impact of c&p on fraud has been staggering, a massive success. Not sure why it would be different in the US.
posted by Cosine at 9:50 AM on September 16, 2015

Our local Target is using C&P, but I haven't seen it in any other stores at all. I just got a new debit card (I lost my wallet, cancelled it, then found it again) and it's a traditional one.

When is this rollout supposed to happen again?
posted by mephron at 10:06 AM on September 16, 2015

I don't think the U.S. Plans to use full chip and pin. some merchants (like target) have already rolled out new readers in select stores and they're working as chip and signature pads, not chip and pin. It might make the physical card harder to counterfeit but does nothing to counter stolen cards.
posted by nathan_teske at 10:12 AM on September 16, 2015 [1 favorite]

nathan: damn, I heard rumours that that might happen but it is so moronic I thought for sure the powers that be would see the light before rollout.
posted by Cosine at 10:14 AM on September 16, 2015

Talez: I don't know exactly how the US is implementing c&p but I work for an FI in Canada and my wife works in fraud tracing for an FI here as well, the impact of c&p on fraud has been staggering, a massive success. Not sure why it would be different in the US.

Because criminals go primarily for the low hanging fruit. The easiest way to get a credit card is from an unsecured idiot retailer who keeps CVVs around (see: Target, Home Depot for largest examples). However, without the PIN it's entirely useless to people just trying to pull cash out. Brilliant for CNP fraud though.

Compromised terminals are still in their infancy but the practice is increasing.

The details of approximately 500,000 Australian credit cards were obtained by a Romanian organised crime syndicate which had hacked into the EFTPOS terminals of 93 small Australian merchants.

Australia has had chip and pin and contactless for years. Just goes to show you that it's not really safe to trust the pin pad.

The only thing that's really secured is tokenized transactions. They've only been in the EMV standard for just over a year and it's the lynchpin behind Apple Pay, Google Wallet and a couple of other payment systems. Nobody knows your CC number except for you and the bank. The card/phone/whatever has a token which is issued by the token issuer which signs the transaction to be submitted to your bank. The token signature is good for a single transaction only. The credit card number never actually gets passed to the pin pad, the merchant or any of the hardware so even if some idiot left the virtual front door unlocked, nobody could actually do anything with the stored token data.
posted by Talez at 10:21 AM on September 16, 2015 [1 favorite]

I have a C&P card in the US and the problem I'm having with it seems to all come down to education. I've tried to use it and had the clerk cancel the transaction because "you have to swipe the card" even though the POS device had a working chip slot. I'm on my second card in a few months because another helpful checkout person yanked the card out of the slot forcefully, breaking it, and telling me not to use it that way because "it's not secure. That's how fraud happens." The bank wanted to charge me $20 to replace the card, but I fought it off after a bunch of back and forth. Mostly though I've seen readers with the C&P slot covered with tape and/or a sign that says "you must swipe" but I can't be sure how many of those are legitimate because the reader isn't set up yet. These seem to be the same ones that have big handwritten signs on them saying "Cancel when it asks for your PIN and press CREDIT." I'm able to use Apple Pay at FAR more places than my C&P right now.

I want to use C&P because the people I know who have had identity theft issues have been mostly from skimming magstripes or otherwise getting card info at POS (one was cameras above and below the card when the clerk 'validated' the card by holding it just so for a second) and C&P seems like it'd stop a lot of what the article is describing by not getting the basic card info in these ways.

Also, nathan_teske: when my C&P has worked it has been chip and pin, not chip and signature. Including at Target - but then I live in the Target Motherland, so maybe it's different here.
posted by Clinging to the Wreckage at 10:28 AM on September 16, 2015

The details of approximately 500,000 Australian credit cards were obtained by a Romanian organised crime syndicate which had hacked into the EFTPOS terminals of 93 small Australian merchants.
Australia has had chip and pin and contactless for years. Just goes to show you that it's not really safe to trust the pin pad.

That is one case, unfortunately though it may be. What matters is overall impact, the introduction of C&P here has resulted in fraud rates dropping dollar wise by 85%.

Every form of security will be compromised eventually, adopting C&P is just the current easiest way to reduce risk and exposure.

Not using the PIN portion because you think Americans won't want to enter them is pretty nutty.
posted by Cosine at 10:46 AM on September 16, 2015 [1 favorite]

Ya, not to mention that C&S will confuse the fuck out of people when you travel outside the US, probably more than the swipe cards.
posted by smidgen at 10:50 AM on September 16, 2015

Every form of security will be compromised eventually, adopting C&P is just the current easiest way to reduce risk and exposure.

But it's really not. Once the magstripe skimming hole is closed in the US there are going to be two reliable scores of CC #s: Compromising etailers/CC gateways and compromising PIN pads. You can bet there is going to be a resurgence in fraud in between C&P and full tokenization of the card payment network. Pay a minimum wage clerk to look the other way for a few minutes while you swap a PIN pad? Easily done.

Insisting that your unlocked house is secure because your neighbour just keeps his stuff on the front lawn and is therefore a more attractive target is not wise.
posted by Talez at 10:55 AM on September 16, 2015 [2 favorites]

Anyone know if the C&S cards can be upgraded to C&P with a backend change -- without reissuing the card? I hope so... so at some point down the road I can just tell them to give me a PIN when they figure out EMV alone isn't going to cut it.

Apropos: I just got an email about a reissue of my credit card. Right in the helpful FAQ is "Good news! Capital One chip cards will be Chip and Signature cards, so there’s no additional PIN to remember.". Oh my god, what fuckery, I mean we wouldn't want in impede your shopping spree! Sigh...

I may end up trying ApplePay on my next trip... :-)

Pay a minimum wage clerk to look the other way for a few minutes while you swap a PIN pad? Easily done.

I suppose -- but this seems like risky work for not a lot of gain. Especially on the part of the clerk.
posted by smidgen at 11:00 AM on September 16, 2015

Talez, you are making my point for me, C&P has worked amazingly well to reduce fraud, it fixed the weakest link in the chain, now we focus on the next weakest link, repeat forever.
posted by Cosine at 11:02 AM on September 16, 2015 [2 favorites]

Shouldn't the situation where you have 2 different people at 2 different phone numbers, both claiming to be the cardholder, freeze purchases? Instead of triggering a trivia contest about the colors of automobiles and the names of second grade class pets?
posted by thelonius at 11:11 AM on September 16, 2015 [6 favorites]

"...it's going to screw over retailers hard as their employees adapt to the new systems."

My shop got a new C&P terminal in January and it's completely identical to our previous terminal except it now has a slot in the bottom. Inserting a card in the slot prompts for a payment amount and then a PIN, just like swiping a card prompts for an amount and then prints a receipt to be signed. If someone has trouble "adapting" to that, the problem isn't the tech.

It's a moot point for now anyway: we have yet to process a C&P transaction. Of the maybe 10 C&P cards I've been handed, not a single customer knew what C&P was or what their PIN might be, nor did they care as long as they could still use it the "old" way.
posted by bizwank at 11:21 AM on September 16, 2015

Anyone know if the C&S cards can be upgraded to C&P with a backend change -- without reissuing the card?

I tried asking Chase for exactly this before a recent trip to Europe and they replied that it wasn't possible. Of course, I ran into a number of problems -- merchants would only accept C&P, my C&S card wouldn't work at unattended ticket kiosks (leading to long waits in line), etc. I did the natural, completely rational thing and got a new card that has a C&P CVM option. Sigh. That'll teach me to do my research before going on vacation...

Anyway, here is a relatively up-to-date database of US card issuers and their CVM verification options. I found it rather useful. It's worth noting that only a handful of banks currently issue credit cards where the CVM is PIN priority as opposed to signature priority.
posted by peeet at 11:52 AM on September 16, 2015 [1 favorite]

When I got my chip credit card, I was really disappointed to see that you are instructed to "just hit enter" if it asks for a pin.... there was no option to even have a pin. Pointless.
posted by MysticMCJ at 1:24 PM on September 16, 2015

I got one of the new chip cards, but there is no pin, you just use a different slot and sign the pad. I've yet to figure out how this solves anything on the fraud end.
posted by SecretAgentSockpuppet at 1:25 PM on September 16, 2015

Two of my friends from the US visited the UK a couple weeks ago, and their Chip-and-Signature cards worked nearly everywhere as chip-and-oh-god-no-PIN-needed-I-am-gunna-get-scammed cards. They'd just insert the card, and HEY PRESTO TRANSACTION APPROVED!

Of course the signature-driven credit transation thing was always a fig leaf. I can't find it now (I could have sworn it was a cockeyed.com jape like this one), but about a decade ago someone in the US had excellent luck just writing "VOID" on the signature space every time he charged something.
posted by rum-soaked space hobo at 1:51 PM on September 16, 2015

My Chip&Signature credit card works as advertised- requires a signature. Nearly useless though since it also has a stripe so it's literally just as easy to clone as a magstripe card.

I was amazed to be greeted by a carbon-copy machine last time I was in the UK, when I paid with a magstripe. Chip and signature cards seem to confuse people slightly less.
posted by BungaDunga at 2:56 PM on September 16, 2015

As a USian, all my cards have chips now but none of them have PINs which as was mentioned sucks at ticket machines but otherwise seems less confusing compared to swipe cards when I use it overseas.

When I got my first chip card, I actually called up the issuing bank asking where my PIN was. Needless to say I was very disappointed when I learned it was chip & signature with no PIN option...
posted by inparticularity at 11:12 PM on September 16, 2015

It is now a number of years since C&P was rolled out in the UK. I recall there being an intensive advertising campaign to tell people this was happening - and then a very small cutover window before swipes and signatures disappeared (which, I guess would have implied a lot of carrot and stick work with merchants). So I'm a bit surprised to see it being done in such a silly way in the US.

But not that surprised. We still have the idiocy that is 3ds schemes such as "verified by Visa". It seems that individual banks have been given freedom to determine how to implement many details of the scheme - both the data to be entered and the password reset mechanism. My own bank likes to ask something like "enter the 3rd, 5th and 8th characters of your password". Say may password is something like "S3crecEE1!" - try making the required calculation about which letter is comes 8th in that sequence without writing anything down. I can't anyway.
posted by rongorongo at 11:46 PM on September 16, 2015

And I thought it was only me who had trouble typing in specific letters from a password! Here's my workaround: I lightly touch all the keys for the password but I don't press those down which aren't one of the wanted characters, all whilst counting out loud.
posted by yoHighness at 6:01 AM on September 17, 2015