This is an EMVCo chip card, and not an American one so it’s chip and pin most likely. Without getting too detailed, the chip generates a one time use code for each transaction, so just having the number wouldn’t help with cloning the card plus you also would need to know the PIN. Although skimmers still exist and physical card theft is a thing, it’s less common especially in markets that use chip and pin.
As far as I understand it the pin&chip system involves a challenge/response between the bank and the card. You can’t just “clone” the chip, because the secret data it contains is essentially write-only.
I’m assuming the 16 digit card number, start and expiry dates, and CVV are printed on the reverse - whereas it used to only have the CVV on the reverse and the rest of the details on the front.
What’s stopping someone with a picture of the rear of the card visiting an online retailer and going wild with a picture of just one side of the card these days - aside from multi-factor authentication at the point of authorising the payment?
Oh! In that case: absolutely nothing. Credit cards are terrifyingly insecure. Whether or not the info is on two sides or one. Any webshop you use your credit card at can just arbitrarily charge it from then on if they feel like it.
Furthermore even if a card is skimmed these days, at least in the UK, it’s still unlikely transactions would be processed online.
That’s because it’s become so commonplace now for transactions to pop-up in the banks app on the owners phone and they must confirm the transaction and / or receive a code via SMS. Some just use SMS as a means to confirm a transaction.
I guess one vector for attack still remains and that is SIM swapping, but even that is more difficult these days due to widespread awareness from carriers.
Furthermore even if a card is skimmed these days, at least in the UK, it’s still unlikely transactions would be processed online.
That’s because it’s become so commonplace now for transactions to pop-up in the banks app on the owners phone and they must confirm the transaction and / or receive a code via SMS. Some just use SMS as a means to confirm a transaction.
I guess one vector for attack still remains and that is SIM swapping, but even that is more difficult these days due to widespread awareness from carriers.
I mean, if they knew where you usually shop online, probably not. I generally get the popup when either:
1: Shopping somewhere for the first time
2: Certain businesses (presumably those that are more often targeted for fraud I guess?)
I bet if they tried to use a different delivery address (and the shop passed that on) it should (I think at least) trigger a security check.
In shops especially with contactless it’s very unlikely to be stopped though. But I think the bank needs to eat the contactless losses if I remember right. I do recall there’s a maximum number of contactless payments you can make in a given time before it forces chip and pin though.
I’m in the US, and all of my cards have the numbers on the back now, and they’re not raised. I’m pretty sure we transitioned to chip and pin like a decade ago.
The transition to contactless (where you tap your card or phone instead of inserting the card) took so long in the USA though. It only really became popular during COVID and with Apple Pay. Home Depot finally enabled contactless payments recently. In Australia, we were using contactless payment 15 years ago!
US banking is behind in a few other ways too. Apps like Venmo and Zelle just don’t exist in some other countries since you can easily do an instant transfer through your bank to anyone else for free. Some US banks still use SMS for two factor auth, which is insecure.
So home Depot actually had contactless payment for a while like a decade ago but when they switched to new card terminals they got rid of it. No clue why it disappeared but probably a money thing.
I don’t think there is in terms of process, I think payment handlers just add a higher charge for processing credit card payments, which is why stingy retailers dislike them.
This is an EMVCo chip card, and not an American one so it’s chip and pin most likely. Without getting too detailed, the chip generates a one time use code for each transaction, so just having the number wouldn’t help with cloning the card plus you also would need to know the PIN. Although skimmers still exist and physical card theft is a thing, it’s less common especially in markets that use chip and pin.
Absolutely spot on, thank you - always handy to know.
I’m wondering what it does to mitigate the “card not present” fraud though, for online purchases or remote purchases?
In my case, I have to verify online purchases on my bank’s app. Which makes online banking impossible without an android or apple phone.
As far as I understand it the pin&chip system involves a challenge/response between the bank and the card. You can’t just “clone” the chip, because the secret data it contains is essentially write-only.
Sorry, maybe I wasn’t clear.
I’m assuming the 16 digit card number, start and expiry dates, and CVV are printed on the reverse - whereas it used to only have the CVV on the reverse and the rest of the details on the front.
What’s stopping someone with a picture of the rear of the card visiting an online retailer and going wild with a picture of just one side of the card these days - aside from multi-factor authentication at the point of authorising the payment?
Most card allow you to set that transactions have to be approved either by app or by SMS.
Oh! In that case: absolutely nothing. Credit cards are terrifyingly insecure. Whether or not the info is on two sides or one. Any webshop you use your credit card at can just arbitrarily charge it from then on if they feel like it.
The CVV should really be 2FA from your card issuer.
There’s additional tools for e-commerce transactions like 3DSecure (step up authentication like an OTP) and passive identity verification tools.
I just replied this to the parent comment.
Furthermore even if a card is skimmed these days, at least in the UK, it’s still unlikely transactions would be processed online.
That’s because it’s become so commonplace now for transactions to pop-up in the banks app on the owners phone and they must confirm the transaction and / or receive a code via SMS. Some just use SMS as a means to confirm a transaction.
I guess one vector for attack still remains and that is SIM swapping, but even that is more difficult these days due to widespread awareness from carriers.
I mean, if they knew where you usually shop online, probably not. I generally get the popup when either:
1: Shopping somewhere for the first time
2: Certain businesses (presumably those that are more often targeted for fraud I guess?)
I bet if they tried to use a different delivery address (and the shop passed that on) it should (I think at least) trigger a security check.
In shops especially with contactless it’s very unlikely to be stopped though. But I think the bank needs to eat the contactless losses if I remember right. I do recall there’s a maximum number of contactless payments you can make in a given time before it forces chip and pin though.
I’m in the US, and all of my cards have the numbers on the back now, and they’re not raised. I’m pretty sure we transitioned to chip and pin like a decade ago.
The transition to contactless (where you tap your card or phone instead of inserting the card) took so long in the USA though. It only really became popular during COVID and with Apple Pay. Home Depot finally enabled contactless payments recently. In Australia, we were using contactless payment 15 years ago!
US banking is behind in a few other ways too. Apps like Venmo and Zelle just don’t exist in some other countries since you can easily do an instant transfer through your bank to anyone else for free. Some US banks still use SMS for two factor auth, which is insecure.
So home Depot actually had contactless payment for a while like a decade ago but when they switched to new card terminals they got rid of it. No clue why it disappeared but probably a money thing.
The US uses chip and signature, no joke, because the banks didn’t think people could remember another PIN.
Even though the you already have to use the PIN at an ATM.
No idea why there’s such a big functional difference between “credit” and “debit” cards.
I don’t think there is in terms of process, I think payment handlers just add a higher charge for processing credit card payments, which is why stingy retailers dislike them.
I’m happy to be corrected though.
The only time I’ve been prompted to enter a PIN is when using the same card as a debit card vs a credit card.