This Target data breach is exposing some of the laziness, laxity and lies of our credit card oligopoly.
First, as Kevin Drum points out, if we had Chip and PIN in the US, Target and banks would be in much less trouble, because you need a smartcard chip and the user’s PIN to complete a transaction using the standard most other first world countries use.
Second: I have a Target Red Card, their store card, and I used it a couple of times during the breach period. Now that Target has enough call capacity to actually answer the Red Card fraud line, rather than having it just give a fast busy signal, the first thing they are eager to point out is what the credit card industry would rather obfuscate: “You have zero liability for any charges you didn’t make.” Over the past decade there have been lots of scary commercials from businesses trying to sell identity theft protection. Some of those products are from banks that issue credit cards. People watching those commercials might think that they’re in trouble if their credit card is stolen and it is used by the thief. Though they’re probably in for a big hassle, in the end the bank and card companies are liable for the transaction. That’s part of the deal with interchange, the 2-3% that banks and card companies charge retailers for every credit card transaction.
Of course, banks are now limiting transactions on accounts used at Target to cap their liability, which is another huge hassle, but I’d cut up that card and use a different one if my bank did that. They make billions of dollars of easy profits from interchange and interest on credit cards, so fuck ’em if they can’t secure the product that they’re jamming down our throats.
evap
The U.S. really needs to adopt chip-and-pin cards. Maybe if the banks lose enough money from fraud, they will invest in changing the system. It’s getting harder and harder to use U.S.-style credit cards in Europe, and it is impossible to use automatic ticket machines in France and Germany without a chip-and-pin card. Very annoying.
Nunca el Jefe
The 2-3% is probably just viewed as the angel’s cut; it wouldn’t surprise me at all to learn that there are a sizable number of execs in that industry that really do, deep down in their wallets, think that we should pay more for protection. It’s an old scam.
catclub
I found two chip and pin card issuers in the US. One is expensive and the other is a Credit Union in Maryland, presumably near where diplomats and military bank. So you could get one for travel.
aimai
Its getting hard to travel without a better CC system as European places don’t like to take our lousy cards. In addition I had something really awful happen to me while I was travelling in Turkey a few years ago and trying to pay my hotel bill. My card had been canceled and a new one reissued–but while I was traveling. Why? When I got ahold of the company they told me that all the cards of everyone in a certain zip code were replaced because: reasons. Since they sent everyone a new card and a quasi explanation they weren’t worried about what would happen to somone who was not home to get the unexpected new card and not able to access it.
Cassidy
Good thing the NSA wasn’t involved. This place would be apocalyptic.
BBA
I refer to chip cards as “metric credit cards” because they’re used everywhere but the US.
All the networks have announced a switchover by 2017 or so. I’ve managed to convert a couple of my cards to chip-and-signature, but there are still very few chip readers in the US so unless I’m abroad I usually have to swipe the things.
srv
This is just another liberal plot to add another anchor around small businessmens’ necks and be more like the French.
If you want your CC transactions to be secure, move to Paris. Here in America, we have freedom.
Villago Delenda Est
These assholes need to be regulated to the extent that their executives cannot visit a rest room without prior approval from a GS-4.
They are that in need of regulation, because they are so lazy and greedy and think “fiduciary responsibility” means “all the money that flows into this place is MINE, MINE, MINE!”
OzarkHillbilly
Hence I never use my debit card when ordering stuff online.
It has always been my inviolate (but not necessarily legal) policy to never pay a bill I did not receive goods or services for, or cover a check that was not personally written by me. Because of this (and a stolen identity, and an ex-wife who played fast and loose with my SS# as well as a closed checking account) I have at various times been threatened with everything from penury, to leg breakings (no kidding, my lawyer said that agency was all ex-cops), to jail time. My response has always been, “Go fug yourself.”
So far I’ve never been sued and have managed to remain out of jail. Also, in the years since my divorce, I have managed to repair my shredded credit rating quite well. My ex on the other hand is doing 7 years in Chillicothe.
Your mileage may vary.
Baud
I blame Snowden and Obamacare.
WaterGIrl
How would chip and pin help if the credit cards were used over the phone?
Betty Cracker
I had to go through our accounts to make sure we didn’t buy anything from Target during the breach period. We didn’t. But I’d damn sure tell my bank to cram it if they tried to cap liability. Greedy fuckers.
Tumbrel for Hire
Chip and pin? Pshaw. If these lazy consumers would just show some personal responsibility and solve their credit problems with usurious payday loans or reverse mortgages the engine of business could finally be free from restraint.
Baud
So maybe making your trademark a big red bullseye wasn’t such a great idea.
KyCole
I used my credit card during that period. Friday I went to my bank, and they’re going to give me a new one. After the new one arrives, they’ll cancel the old one. With on-line banking its easy to see if I’ve been hacked, but better to be safe. Fortunately I didn’t use my debit card.
Villago Delenda Est
@Baud:
Well, it appears it marked the spot for some hackers looking to score.
Villago Delenda Est
I think the biggest problem with chip-and-pin systems is that they…
….wait for it…
…cut into short term profit, which is the only profit an MBA knows about.
JPL
The only way the banks will change is if it were paid for, by our tax dollars. Unfortunately few, in our society, realize who the real welfare queens are.
I went to Target the twenty-fifth of November. Even though it is outside the dates identified, I’m still keeping an eye on the account.
Tokyokie
When I’ve traveled abroad, which I haven’t done in a few years, I’ve carried just enough foreign currency to last me about a day. The exchange rates an individual banking customer gets from a U.S. bank are terrible, in large part because those are not transactions they normally conduct. (I think I had to wait a week or so to get the Swiss francs I’d requested. The only places between the coasts where one can reliably get foreign currency are the currency exchanges in the major airports, and those places have the worst rates of anybody.) However, before U.S. banks started tacking on fees for foreign-ATM transactions, the best way to get foreign currency was to use an ATM, because that way, your transaction is bundled in with the bank’s bulk transactions, and you get a much more favorable rate. But I guess I’ll have to check out that credit union in Maryland. Does anybody know whether one gets a chip and PIN card if they were to open an account with a U.S. branch of a European-based bank?
debit
I used my debit card on December 9th. No weird activity on my account, but I did expect using my card to possibly be difficult for large purchases. And yet I was not prevented from spending a very large amount of money on a new bike yesterday.
Jay in Oregon
@aimai:
Ugh, I got an email from my bank yesterday stating that my debit card was used during the period covered by the breach, and I’m flying out-of-state to Arizona for the holidays today.
I don’t want them to decide that my card number is being abused. Should I call my bank and let them know, or just use my credit card this week and pay it off when I get home?
Bill E Pilgrim
@srv:
The problem is that you still have American cards. So now you live somewhere where only your French cards work in many places. Machines, mainly. And occasionally you want to use a US card for various reasons, shuffling things around.
Realizing you were snarking but just saying, even that doesn’t solve it entirely. Just seconding/thirding/fourthing the idea that the US needs to join the rest of the world here.
It’s called a “flea” in French by the way. The chip. A puce. So people will look and say “ah, this card has no flea!”
Villago Delenda Est
A friend of mine was affected by this, and asked Target to replace his red card, and Target’s response was “sign up for this identity protection service.” No, I want a new red card. No new red card…no shop at Target!
Ultraviolet Thunder
@aimai:
I’ve been overseas twice this year for a total of 17 days. I had no trouble using Visa or Amex at hotels, restaurants or retailers. Even in smaller towns.
The Chip/Pin cards are certainly more secure, but consider the massive capital outlay for infrastructure and training if we switched to it. Not to mention the backlash from occasional users who had to change their habits. Adoption in the US would have to be transitional, and support the legacy card types for continuity.
The cost alone will prevent financial institutions from converting unless it makes a big difference to their bottom lines.
MattF
It does seem that the big weakness in current systems is for ‘physical’ transactions– point-of-sale terminals and ATMs, rather than online transactions. Is this the received wisdom on the subject or is it just a consequence of journalistic-narrative bullshit?
Ultraviolet Thunder
@Tokyokie:
I can purchase Euros, MX Pesos and Canadian currency during business hours 2 miles from my house at competitive rates, from a Chase branch. I carry enough of all of those for a 2 week stay at all times. Because that happens. Just had a surprise 4 day trip to the TX/MX border, where I usually use cash for purchases.
Bill E Pilgrim
@Ultraviolet Thunder: For tourists it’s not bad. Where it comes up is things like metro tickets. You want to buy your monthly pass in the vending machine and can’t, so you have to stand in the long line. Stuff like that. Until you get a local bank account. Tolls also, I think more of them take swipe cards now but for years those didn’t work, had to have the chip.
Supermarkets in the Netherlands by the way don’t take Visa or MC at all, for the most part. And certainly not Amex. I was stunned to discover there this year. Only local cards.
MattF
@Villago Delenda Est: About credit-card ID protection services.
Several years ago I signed up for one of those services– but then noted, eventually, that there were times when I knew my credit score was being checked and never got a notification. So, I cancelled the service and resolved not to be fooled again. The postscript is that about six months ago I unexpectedly got a $400 credit in my CC account… It seems that there was a lawsuit– and it was found that the ID protection service was a complete fraud, and never did a thing for their customers. So, the bank refunded the money to all the people who had bought it.
The one caution is that, over the years, you can end up spending a significant amount of money and not get anything in return. So, as ever: Buyer Beware.
Marc
If only healthcare.gov were built with the speed, competence, and flexibility of the private sector!
Josie
i got an email from Chase Mastercard telling me to watch my account for spending I didn’t initiate. They also stated that I was not responsible for any charges but mine. If they see a sign of problems, they will notify me and issue a new card. I appreciated the notice.
@Jay in Oregon: I would call and inform them of travel plans. I do that with Chase to avoid fraud alert calls. Some banks do notice out of state charges.
Ultraviolet Thunder
@Bill E Pilgrim:
That’s interesting. I hadn’t thought about local businesses that might not want to pay the hefty fees to accept a ‘global’ card from the US.
And local transportation is another case: primarily used by permanent residents so it’s configured for their payment preferences to the disadvantage of the casual out of town user.
I used my Chase Visa at Target during the critical hacked period. I got an email from Chase saying basically ‘you have no liability for fraudulent charges’ and ‘watch your account activity and alert us of anything odd’. I thought that was a decent and honest response.
TaMara (BHF)
Target’s response to this has been abysmal. I don’t understand in this day and age how companies don’t understand how quickly they can trash customer confidence.
I received an email from Target (and they’re saying it on their facebook page, too) that you don’t need to replace your debit, credit or red card, just monitor your accounts. What they don’t mention is the fact that these thieves often wait up to 6 mos, when they assume you’ve forgotten about the incident, to use the information.
It cost me $5 to replace my debit card and I”m without for a week. And it will be a long time before I step into another Target – not be cause of the breach, but because they’ve been such assholes about the whole thing.
Ultraviolet Thunder
@MattF:
We got talked into Life Lock, which turned out to be basically useless. We got some money back on that.
I worked for Target Corp for 18 months about a decade ago. My sister works for them now. They’re a reasonably competent corporation and I expect them to handle this data breach well. I shop there infrequently and get annoyed at having to decline the offer of a RED card every time I make a purchase.
Red in Spanish means net or network. Traveling in Mexico I was puzzled by all of the ATMs labeled RED until I figured that out.
Patrick
Darrell Issa is very concerned about the financial security of Americans. We have to admire all his hearings on ACA and its lack of security of its website. With that in mind, I am sure he will have hearings this very week on Target, the credit card industry and what have you. After all, he claims he is concerned about our financial security.
But since it doesn’t involve the black guy, I won’t hold my breath.
But I find it embarrassing that the rest of the western world have chip and pin, yet our credit card companies barely know what it is. I thought the free markets were the solver of all evils…
gbear
I shopped at Target during the hacked period. I’ve been checking my transactions via the card’s 1-800 number and there haven’t been any transactions that I don’t recongnize as my own. I needed to do some shopping at Target this weekend, but I thought the stores would be a crowded hassle after they announced that they’re giving every shopper 10% off on everything this weekend. I waited until 9:00pm on saturday night to go to the store, and it wasn’t bad at all (maybe no one wants to shop there any more). I stuck to items that were already on my list or that I use regularly (except for a couple of vanilla candles) and saved a few bucks.
I should be getting my statement in a few days but I’ll be checking that 1-800 number every day until then. I may request a new card after the first of the year.
WaterGIrl
@Josie: @Jay in Oregon: Completely agree with Josie. It’s always best to call and let them know.
My sister travels a lot, and when her bank tried to reach her with fraud alert questions, they always phoned the home number where she can’t possibly be reached while traveling. So of course they put a hold on her card! (She always phones to let them know when she travels now.)
Origuy
I didn’t have any trouble in Moscow with my American cards. Getting rubles out of the ATMs that are everywhere got a much better rate than exchanging dollars. I didn’t use credit cards as much as I would have in the US.
I don’t think I used my cards at Target during the time in question. Keeping an eye on my account, though.
ETA: I always call my bank before leaving the country now. Got stuck in Canada and changed to a 4-digit PIN because the ATM wouldn’t take a 5-digit one.
aimai
@Jay in Oregon: I don’t know what the right thing to do is. I still don’t know.
aimai
@WaterGIrl: But on this issue: I always let the banks know when and where I’m travelling. That was what was so irritating about the whole credit card closure/switcheroo. The office that handles that kind of thing does not check on anything with the office that handles putting the information on your card that you are, say, on a three week European/Asian trip and won’t even get the new card. They just don’t cross check.
cathyx
@srv: Good one.
Ultraviolet Thunder
@WaterGIrl:
I switched my contact phone number to my cell, since we rarely answer the land line. I was also able to set up my personal credit card for international use without notification because I travel frequently on short notice. This is riskier because someone in another country could fraudulently use your account and you wouldn’t be alerted.
Now whenever I use a credit card to buy gas at the pump outside of my local home area (which is most of the time) I have to punch in my ZIP code for authorization. that seems like weak security since my name is on the card and a quick Google search would reveal my home address. Maybe the John Smiths of the world have an advantage there.
muricafukyea
Glorified reddit poster muckymux is now a credit card expert. Your argument is so dumb I’m not even going to point out the holes in it. Just ask any 14yo if you want to understand just how ill informed your ridiculous solution is.
Big Picture Pathologist
Could y’all consider never shopping at Target, breach or no breach? They may be slightly better than Walmart, but it ain’t by much.
Corner Stone
Maybe I missed it, but I didn’t see mistermix proposing a solution. Just agreeing that two factor security, like a huge chunk of the rest of the world already uses, might be a decent idea.
JPL
@Big Picture Pathologist: It’s not just Target, though. I’m surprised that Amazon hasn’t been hacked yet.
Corner Stone
My bank has just started doing a SafePass verification any time you want to login online. Even from a machine that has previously “registered” on their network. They didn’t say it was a result of this but it did coincidentally start right after Target’s issue.
Tokyokie
@Ultraviolet Thunder: I live up in Fort Worth and bank with Wells Fargo, and their foreign-currency exchange is pretty primitive, although I haven’t tried getting Mexican pesos. In the tourist areas of Mexico, you can usually get away with using U.S. currency, so I don’t anticipate it being a problem until our next trip to Europe. But I see Deutsche Bank has a couple of branches in Dallas; we may open an account there to facilitate European travel.
Tokyokie
@WaterGIrl: I let the credit union where I have a Visa know that we were going overseas and would be using it. They misinterpreted the message and cancelled the card. But at least they were apologetic afterward. I had to use my Amex instead, so it wasn’t a really big deal, just a bit of a surprise when an ATM in Florence rejected the card.
MD Rackham
The reason the banks offer the $0 liability for fraudulent charges is that fraud costs them nothing. It all gets pushed back to the merchants.
As a merchant, if someone uses one those hacked Target cards with me and I ship the merchandise, I’m screwed. Why? Because sometime later I’ll be notified by the bank that what I thought was a valid transaction is now a “chargeback.” They take the full amount out of my bank account (not the amount-minus-fees that they originally deposited) along with a $30-$50 (depending on bank/card) “chargeback fee.”
*That’s* the reason the banks don’t improve security or move to chip-and-pin (which is pretty thoroughly hacked, btw). Why spend that money when fraud doesn’t cost them anything, and in some cases may actually turn a profit? They still make their 2-3% transaction fee (plus other misc “network” fees) on the fraudulent transaction, and cover their support costs with the chargeback fee.
GHayduke (formerly lojasmo)
I haven’t shopped at target for several years. We stopped when we found out they donated to bigot Tom Emmer in his race against uber-mench Governor Mark Dayton.
It’s probably been ten years since I shopped at Walmart.
@muricafukyea:
Derp.
Suzanne
My Chase debit card got essentially frozen yesterday. I found out when I tried to use it at IKEA to buy a big-girl bed for Spawn the Younger. There were multiple shoppers standing around going, “WTF?”. Mr. Suzanne called Chase and couldn’t get through, then he saw what was up on a news story on NBC. Had to run over to a branch and get cash, then return to the store. About three hours later, I finally got an email from Chase telling me what had happened. Total PITA.
But nobody died. Perspective.
BlueNC
@catclub: @catclub:
I have a chip-and-PIN card from USAA. There are also others.
BlueNC
@catclub: @catclub:
I have a chip-and-PIN card from USAA. There are also others.
Nutella
Chip and pin is not a panacea. Those systems have been hacked.
link
Successful attacks are listed here.
Is chip and pin better than what we’ve got, though? I don’t know.
Patrick
@GHayduke (formerly lojasmo):
I can’t understand why companies think this is a good idea. You alienate 50% of your customers and on top of that you paid money to do it. There are now numerous companies that are on my do not shop list because of they supported in 2012.
Ultraviolet Thunder
@GHayduke (formerly lojasmo):
I’ve bought exactly one thing at Walmart: a pair of pants when I was sent out of the country without my luggage. I’d have shopped anywhere else but the hotel strongly cautioned that it was the only safe place for me to go alone. But that’s 375 Pesos that I wish I’d spent elsewhere. Fk the Waltons.
Peregrinus
Peregrina got an email from Chase this morning on the subject, which freaked us out a bit. The email – what little of it I read over her shoulder while making breakfast – straight-out said that she was not liable for any charges she didn’t make and that they’d be mailing her a new card.
Robert Sneddon
Chip and PIN is pretty much universal here in the UK. The banks love it because it makes charges of fraud by a customer more difficult to prove even if it did actually happen to them by, say, a family member using the card without their knowledge after obtaining the PIN. It still doesn’t help for internet and phone ordering, of course.
Latest way-to-pay just coming in here is a debit card with a near-field radio which you “tap” to the receiver for small purchases to a limit of 20 quid ($30 US) a day. No signature or PIN entry needed as it’s expected that anyone who loses their card will notify the issuer within a day or two and get a stop put on it. The bank will swallow the losses up to that point. I expect the credit card companies will follow suit eventually.
Peregrinus
@Robert Sneddon:
The school I teach at uses that “tap” method for the students’ school cards on the vending machines. I can’t figure out how to get mine to work, but there it is.
Jamine Bleach
@JPL:
I stopped shopping at Target about 6 years ago, and try to avoid Amazon if possible.
It was a rainy day and I walked from my car to the Target building between spurts of rain. I had an umbrella, which was rolled up and snapped shut because it wasn’t raining at that moment. I got into the building and walked past some workers handing out plastic bags for wet umbrellas. About 3 minutes later, security and one worker approached me in the aisles and demanded that I put my (dry) umbrella in a bag. I refused and told them I had not had it open in the rain and it was completely dry (and I showed them). They demanded (asked angrily) to put it in a bag again, and I refused, at which point I was escorted out of the store by security. Of course, as I was walked out I loudly let the store know I would never shop there again and what a gulag it was. Never have shopped there again. I figure Target is probably out selling a few hundred bucks a year of merchandise (maybe more) from that single incident. Probably a couple thousand bucks by now that other competitors got.
Try to avoid Amazon as well.
Scout211
If you are one of the affected card users, please read the blog krebsonsecurity.com. This is the guy who actually broke the story before Target announced it. There are several stories, most of them quite scary, about the security breach and the cards that are “flooding” the black market.
I canceled my affected debit card the first day but my bank was taking an official “wait and see” approach in the beginning. They now will be sending new cards to everyone who was affected. It is a smallish regional bank and has only affected 3000 customers.
I just read that many Chase bank branches will be open today since they put a limit on purchases for affected customers.
StringOnAStick
@MD Rackham: OK, now that sucks. Just one more way to dump their costs of doing business onto the smaller, less politically-connected firms. How do small businesses survive with this chargeback crap? Oh; maybe that’s the point. My husband insists on writing “see ID” on all our cards; I notice that clerks in big stores rarely bother, but in smaller, locally owned and operated places they almost always do.
I used to occasionally shop at Target, and then my BIL went to work there for awhile. Your job shouldn’t require anti-anxiety meds in order to deal with your OCD boss (who wouldn’t approve a transfer to a different store)or an amazingly paternalistic HR system ‘for excellence’ that, if you score above 95% will get you a whole $0.13/hour raise; thankfully he found a different job. Having to type in a new and unique set of specific goals for improving (1) your interactions with fellow “associates” and (2) with customers every 2 weeks seemed both insulting and big brotherish.
Villago Delenda Est
@muricafukyea:
Derp. Derp-Derp. Derp.
DERP!
replicnt6
If you think the 2%-3% vig covers loss from fraud, think again: the vendor who accepted the fraudulent transaction get hit with the loss. This is why the banks don’t give a shit, and we’re not going to get chip & pin anytime soon. That would cut into the issuers profits.
Ruckus
@Ultraviolet Thunder:
I do call BS here. Back a few years ago the law changed that the card reader had to encrypt the transaction, before it got to the cash register/computer. Many, many stores had to change their hardware, including mine. It wasn’t a big hassle and it made the entire transaction safer. Not as good as what the rest of the known world uses but better. The banks/card companies could have changed to chip/pin then but that would have cost them a few cents per customer and they wouldn’t spend that much with out guns pointed at them.
StringOnAStick
I’d like to add that if you used Target during the affected period, you simply must cancel and get a new card, period. If your bank balks, get very, very pushy; change banks if you have to. Once your card number is out there, it simply isn’t worth the risk that now or 6 months from now it will be used by someone other than you; some banks will make you eat the fraudulent charges if you don’t notice it soon enough (in their opinion). This story is hot right now so Target and the banks involved will of course do the right thing; 6 months from now when it isn’t a hot story anymore, well maybe they won’t. Card thief rings are growing ever more sophisticated; don’t be in the vanguard of people who are about to find out the latest twist they’ve come up with.
elm
The problem with chip & pin (they’re marketing it in the U.S. as EMV) is one of infrastructure. U.S. retailers don’t have card readers installed that will read the chip and U.S. merchant service providers don’t have the ability to interact with chipcards.
I am curious to learn exactly how Target fucked up to allow this breach to happen. If they were following good PCI-DSS procedures, then this should not have happened — especially if they leaked CVV/CVC data.
At a guess, some of their credit-card handling servers were taken over and were running data-snooping software of some sort (which captured it in the server and leaked it to the outside world). Those servers are supposed to be be locked down and isolated from the internet in order to prevent such occurrences.
Erin
@MD Rackham:
I’m glad you brought that up. After 17 years in mail order, I have to say – I’ve always had to cover the cost of transactions paid for with a stolen credit card.
“Though they’re probably in for a big hassle, in the end the bank and card companies are liable for the transaction.”
No – unless you ship to the verified billing address with signature confirmation – it is the merchant/retailer who is liable for the transaction. If the banks were on the hook for it, we’d have had chip and pin a long time ago.
Ruckus
@MD Rackham:
This.
The banks/card co have the system rigged both coming and going. It is a pain in the ass to carry cash but that is the cheapest way to purchase anything. Not the easiest of course, because less money is made when you use cash. But you pay for the connivence of any card.
elm
@JPL: The difference between Amazon and Target is that Amazon knows technology.
That’s not to say that they are invulnerable — a dedicated-enough attacker could surely breach their systems — but a tech company is more challenging to hit than a brick & mortar retailer.
Consider this: How many Computer Science PhDs does Amazon employ? How many does Target employ?
Ruckus
@Nutella:
Better is a relative word.
Properly used chip and pin is safer. Much safer than plain card and signature. Debt card and pin is better than card and signature. Chip and pin makes the process better. But no system is foolproof. No lock is 100% secure. And given humans greedy side, never will be.
danielx
@Erin:
After watching the logrolling that went on to produce the bankruptcy “reform” legislation a few years back (a straight payoff to the CC industry in return for senatorial campaign donations), I have to doubt it. Converting to chip and pin would/will cost money, after all. If banks were on the hook for it, we’d have had laws to shift the liability to somebody else (like card users) a long time ago. Under the guise of some sort of consumer protection – the Consumer Advocacy Victory Excellency….Act – with the idea being that the proles are too dumb to look up the meaning of “caveat emptor”.
No matter how cynical you become, it’s never enough to keep up. – Lily Tomlin
kc
Why don’t hackers just target, say, Jaime Dimon? He’s got more money than all those Target cardholders put together . . .
Randy P
I have a helluva time buying things from Europe, even over the internet. I assume this has to do with our non-chip credit cards but I think there might be something else broken between our banking system and the EU’s banking system.
Most recently I was trying to send some Euros to somebody in Greece, and all the mechanisms she was recommending kept running into dead ends. For instance, TransferWise.com, which apparently is based in England, which can do dozens of different country/currency exchanges, informed me that they have not figured out how to offer a low-fee mechanism in dollars yet.
Yet some vendors, such as French Amazon, can accept my U.S. debit card and I have managed to use it in person overseas (with mixed results, but sometimes it works) as well.
It’s all very mysterious.
Ruckus
@kc:
Stealing a lot in one place gets you noticed. Stealing a little in a lot of places is less obvious.
Could you ever steal enough to keep him and his friends from affording to find you? And if you did wouldn’t you then be a great target(no pun intended)?
Jebediah, RBG
@Ruckus:
“Connivence” – perfectly appropriate wherever the conniving banking bastards are involved.
jehrler
@Erin:
And even if it isn’t a fraudulent transaction, but the customer doesn’t recognize it, you can wait a long, long time to get your money back from an incorrect chargeback.
We drop ship for one of our dealers and they pay via credit card. We charged on Nov.1 and all was well and we shipped the product (several hundred dollars) to their customer. Their card got hacked and so they went to Citibank and got a new card and went through the list of charges with them. Despite them telling Citibank that our charge was ok, Citi goofed and we got a fraudulent chargeback on 11/17.
We notified our dealer, they got Citi to confirm that they goofed and Citi said they would make it right. In the meantime, on 11/17 Citi re-charged our dealer.
It is now 12/22 and we our out our goods, the shipping costs and the chargeback fee and no repayment in sight. But Citi has had our funds since 11/17. They get the float, the swipe fees and the chargeback fees and we got nothing but bills. Scum.
We’ve been in business 13 years and this is our first chargeback and I really hope it is our last.
Ruckus
@Jebediah, RBG:
Auto correct strikes again! But at least this time gave me an even better word.
kc
@Ruckus:
That does make sense. This is why I haven’t turned to a life of crime . . . I’m not smart enough.
JoyfulA
@GHayduke (formerly lojasmo): I haven’t shopped at Target since that campaign either.
But then, I was never much of a Target shopper anyway; it seems like a prettier WalMart in its quality and selection.
pseudonymous in nc
@Bill E Pilgrim:
Yeah, pain in the arse in London getting an Oyster card, but that’s very much a first world problem. And as others have said, Chip+PIN can alter the burden of proof for fraud in nasty ways.
@elm:
Oh, that’s a false comparison. How many physical POS machines does Amazon have? I’m not saying that the physical/digital distinction is crucial — plenty of web stores have been hacked — but Amazon doesn’t have to maintain a physical payment infrastructure.
The Other Chuck
Under “Reg E”, Debit cards have the same liability protections as credit cards. It’s just the matter of your account getting cleared out and frozen while they sort it out. Debit cards are far more popular in Europe, but they have chip and pin systems for those too. Yes, chip and pin is exploitable, but it at least requires an active attack, whereas here a stolen cc# is a commodity pretty much anyone can steal, sell, or use.
elm
@pseudonymous in nc:
pseudonymous in nc
@elm:
Well, maybe. It makes the comparison somewhat beside the point, because the infrastructure for card-present and card-not-present transactions is very different. Talking about how many comp-sci PhDs Amazon has on staff has nothing to bear on whether that talent could run a hacker-proof bricks-and-mortar operation. It smacks of dot-com utopianism.
elm
@pseudonymous in nc:
Point taken, that really wasn’t what I was aiming for. In fact, I’m not even sure that I would trust a non-security-focused PhD to have much input on system security. Hubris is definitely a common and dangerous threat in that type of area.
My claim was that a tech company has the means (though not nexessarily the motivation) to practice good info security and operations.
I can assure you that I’m far from being a dotcom Utopian. My last decade of software development for software that handles credit cards has beaten all the optimism out of me (and I was a pessimist to start with).
Cervantes
Can you elaborate? What are they forcing on you?
Cervantes
Computer science is one thing — but it’s instructive to recall that Bezos hired so many people away from WalMart that he was sued by the latter for theft of trade secrets.
Amazon’s warehouses, like WalMart’s, were and are hell-holes. Instead of paying for ventilation and air-conditioning, Bezos hired private ambulances to sit waiting, ready to cart away any employee who needed medical attention.
We ought to think on that this holiday season, and every other season.
fuckwit
I know everyone here loves to hate on Bitcoin, but this is one of the major advantages of Bitcoin. You NEVER give out your “credit card number” to any merchant. Ever. You just give them a transaction. They see your “address”, but that’s not an account number, just the number of one of maybe hundreds of addresses you might own which each have some amount of value on it, like having a wallet full of gift cards. Knowing that number does not make it possible (given that the encryption of the system is secure) for anyone to actually “withdraw” the money. You have to sign a transaction with the public key of that address in order to transfer the funds to anyone else’s address. That’s Bitcoin– the protocol– in a nutshell. I think it’s a fantastic system. Yes, I’m not happy that Bitcoin the currency/commodity is deflationary, and I recognize the economic and social/political problems that creates (essentially, it encourages centralization and hoarding of capital– the last fucking thing we need in todays’ world), but I’m very impressed with the protocol and think it could be put to good use. Avoiding credit card fraud like this is one of those uses. I think if someone adds demurrage and/or fractional reserve banking to Bitcoin (the protocol), it could be a great innovation and improve it a lot.