chipandpin
Latest
How to pay for things securely
We are essentially a cashless society. With the rise of debit cards in the late 1980s early '90s, fewer and fewer of us use paper money to pay for things. Throw in online shopping and single-retailer payment apps like the one from Starbucks, and ATMs seem almost quaint.
Square sellers no longer need signatures for card payments
Square Cash is continuing its crusade to make the business of parting with your hard-earned money a little less painful. It's just announced that it's cut down EMV transaction time on Square Reader for contactless and chip even further, to just two seconds, compared to the average eight to 13 seconds. The process uses a new "dip transaction flow" that prioritizes the parts of a transaction that are critical to security, which means less time standing in line, waiting for your card info to churn through to the issuer.
Major UK electrical retailer Dixons Carphone confirms it was hacked
One of Europe's largest electrical retailers has been the subject of a cyber attack that's compromised more than 5.9 million card records and as many as 1.2 million personal accounts. Dixons Carphone, the owner of Currys PC World and Dixons Travel stores, says that most of these cards have chip and pin protection and noted that the data accessed doesn't include PIN numbers, card verification values (CVV) or any authentication data "enabling cardholder identification or a purchase to be made." However, some 105,000 cards were from non-EU countries and do not have the chip and pin feature.
Those chip and PIN cards aren't as secure as we thought
Chip and PIN cards and readers are finally rolling out in the United States. Unlike traditional magnetic cards, which use static information to make a transaction, these pieces of plastic create a new key with each purchase, based on a standard by Europay, MasterCard and Visa. That should make purchases or withdrawals more secure, since the information is only valid for 60 seconds. As it turns out, according to Rapid7 security firm researcher Weston Hecker, a lot can happen in that minute.
The Coin universal card is ready for 2012
If your wallet is bursting at the seams with credit, gift and loyalty plastic, the Coin universal card is supposed to lighten the load. Just add all your information to the app, sync it with Coin and get ready to buy all the things with a swipe or an NFC tap. Except when you can't. While the premise and feature set are intriguing, and in some cases helpful, in practice, it feels like too little too late. With Apple Pay, Android Pay. Samsung Pay and others already working on the future of transactions, Coin might have missed the boat.
Square's new reader arrives to accept mobile payments and chip cards
We've known about Square's new NFC-friendly reader for a while, and now the point-of-sale gadget is available for use. Starting today, 100 merchants in "select cities" (quite a few, actually) will begin accepting NFC-driven payments like Apple Pay, Android Pay, Samsung Pay and those newfangled chip credit/debit cards. The reader is a square pad (of course) separate from the company's usual POS setups and sliding readers, allowing you to hover your phone or insert a card to complete purchase. The unit is wireless and pairs with either a countertop system or Square's free mobile app to handle the transactions. However, the new reader itself will set businesses back $49 in order to get started. For the initial rollout, look for the device at businesses in the following cities: Atlanta, Austin, Boston, Chicago, Denver, Los Angeles, Nashville, New Orleans, New York, Miami, Minneapolis, Philadelphia, Phoenix, Sacramento, San Francisco, Santa Cruz, Seattle, St. Louis Tampa, and Washington, D.C.
PayPal's new Here card reader can handle NFC payments
PayPal is no stranger to mobile payment solutions, but at Mobile World Congress, the company is making a useful upgrade to its Here card reader. In addition to being able to handle payments from those chip-and-PIN credit/debit cards, the new version of PayPal's transaction tech will also support NFC. This means that not only will the latest version of Here wrangle touchless payments from the aforementioned cards, but it'll also allow retailers to accept funds from mobile devices. It's said to work just like terminals in retail stores, except this add-on connects with a separate mobile device to power the whole thing. That's good news for the PayPal faithful as Apple Pay, Samsung Pay and Android Pay all leverage NFC to transfer funds. There's no word on pricing just yet, but the new version of Here will hit the UK and Australia this summer, with a US debut slated for later this year. Don't miss out on all the latest news, photos and liveblogs from MWC 2015. Follow along at our events page.
Poynt's smart store terminal lets you pay any way you like
One of the many reasons you don't see widespread support for mobile payment tech like Apple Pay or Google Wallet is the hardware investment needed to make it all work. Why should a store spend thousands of dollars on machines that miss out on some features, or will be obsolete in a few years? That's what Poynt wants to fix with its new smart terminal. The Android-powered device takes just about every form of payment imaginable, including NFC transactions from your phone, chip-and-pin cards, QR codes and old-fashioned magnetic stripe cards. You can even add a cash drawer through USB. The countertop machine also has Bluetooth beacon support for in-store offers, and its app platform lets stores adapt to new services by either downloading apps or writing their own.
New White House efforts help secure your payments
American banks and stores may already be planning to tighten your payment security, but the White House wants to give those efforts a boost. President Obama has signed an Executive Order that will require the federal government to both issue more secure chip-and-PIN (aka EMV) payment cards and upgrade terminals to match. This isn't just for protecting day-to-day staff expenses -- it also means that pensions, Social Security and veteran payments (all of which tend to go through official debit cards) should be safer. There should also be fewer risks when you're buying from federal locations like national parks and the passport office.
Square's new chip card reader will make your payments more secure
There's a good reason you don't usually see Square readers outside of the US: they're built to read payment cards with magnetic stripes, not the more secure chip-and-PIN cards that are common everywhere else. All that's set to change, however. Square has revealed plans for a reader that accepts the chip-based EMV format alongside stripes, letting shops handle credit and debit cards from around the world (and the US, once it catches up). The company will only start taking pre-orders for the payment device later this year, but it could be worthwhile for stores and customers alike. Besides the greater availability, it's much harder to clone a chip card -- you shouldn't have to worry about an unscrupulous clerk (or a clever hacker) stealing your credit card and going on a shopping spree.
United States credit card system begins complete overhaul in the next 18 months
The United States is lagging behind most of the world when it comes to credit card technology, but luckily it's about to catch up. In the next 18 months, the US is gearing up to transition debit and credit cards away from the magnetic stripe to embedded chip technology, which is already widely used in Europe, Asia and beyond. Who can you thank for the long-overdue upgrade? Target, whose data security breach earlier this year highlighted the security flaws in the magnetic stripe system. It's a 50-year-old technology, after all, and it's much easier to counterfeit than the computer chip in your next Visa card.
'Chip and PIN' card reader for iOS selling in European Apple Stores
Merchants here in Europe will soon be able to walk into an Apple store and buy a Bluetooth "chip and PIN" reader that talks to the iPhone right off the shelf. Until now, merchants here didn't have a lot of immediate access to tech that allows them to take payments via their iPhones and iPads. Square is still not available in Europe, while the Swedish iZettle card reader can't be bought in retail stores. But things are about to get easier, because Payleven has just inked a deal with Apple to carry its chip and PIN device in stores, reports TheNextWeb. Unlike Square, Payleven doesn't connect directly to your iPhone. Instead it uses Bluetooth to talk wirelessly to it -- something that is nice because you don't have to hand your iDevice to dozens of different customers each day. After the merchant enters the amount of the transaction in the Payleven app, customers insert their credit or debit card into the chip and PIN reader and enter their PIN, at which point the app processes their payments. The Payleven Chip and PIN reader is available in Apple stores for £99. Users also get a £20 credit for card processing fees. There are no subscription fees to use Payleven, but merchants will be charged 2.7% per transaction. The Payleven app is a free download.
iZettle comes to Android for a few lucky Swedish Samsung owners
Square gets most of the media hype, but without an international presence, would-be competitors have had a chance to carve out their own niches in the mobile commerce market. Sweden's iZettle has managed to make quite a splash in its homeland, and it's expanding its mini empire by finally bringing its wares to Android -- albeit in an extremely limited form. Unless you've got a Galaxy S III, S II or a Note then iZettle still isn't for you and with availability in a single Nordic country, it might seem more accurate to describe Android support as being in beta, but the company has ditched the testing tag regardless. Rest assured, however, it is actively working to add more handsets and export the app beyond its particle board-loving borders.
Security experts hack payment terminals to steal credit card info, play games
If a payment terminal could be forced into servitude as a crude handheld gaming device, what else could it be made to do? Researchers at the Black Hat conference showed just what mischief a commonly used UK PoS terminal could get up to when they inserted a chip-and-pin card crafted with malicious code. That enabled them to install a racing game and play it, using the machine's pin pad and screen. With the same hack, they were able to install a far less whimsical program as well -- a Trojan that could record card numbers and PINs, which could be extracted later by inserting another rogue card. On top of that, criminals could use the same method to fool the terminal into thinking a transaction was bank-approved, allowing them to walk out of a store with goods they hadn't paid for. Finally, the security gurus took a device popular in the US, and used non-encrypted ethernet communication between the terminal and other peripherals to hack into the payment device and take root control. Makes you want to put those credit cards (and NFC devices) away and stick to cash -- at least you can see who's robbing you blind. [Original image credit: Shutterstock]
Barclays releases Pingit mobile payments app, we go hands-on
Barclays Bank has unleashed Pingit, an iOS, Android and BlackBerry app that lets you send up to £300 ($470) a day to family, friends or technically-aware muggers. UK mobile number and bank account holders can get started in minutes as long as they've got one of the Barclays-branded PINSentry tools. You'll be asked to come up with a five-digit code that will lock the app to anyone but yourself (or, you know, that mugger) and then you can start spreading your cash around, baller-style. We set up our own account through the app and if you're curious about our impressions, you can find out what we thought after the break.
iZettle's chip-reading Square competitor will take your money, no swipes required (video)
Everyone seems to be getting on board with Square's iPhone credit card reader -- Apple started selling the device in its stores last week, and even Visa has taken a financial interest in the company. However, due to the popularity of fraud-fighting chip-enabled smart cards on the other side of the pond, Square's offering doesn't quite fit the bill. iZettle has a similar solution for Europe that includes the ever-so-necessary smart card reader, which the company is launching in Sweden this June. Not only does it enable you to accept credit card payments from friends or customers, the app adds a social twist. Merchants can email a photograph and receipt to buyers, who can then share their latest spoils on Facebook. Of course, if this starts to catch on, it could make explaining that "awesome deal" you scored on a new laptop that much more difficult when it pops up on your significant other's news feed. [Thanks, David]
Cambridge University finds credit card security flaw, uses the money for beer pong supplies (video)
Oh, those crazy kids at Cambridge University -- when not doing keg stands or playing Hacky Sack in the quad they're hard at work proving the vulnerability of the EMV verification used in credit and debit cards (or as it's called across the pond, Chip and PIN). We won't go into too much detail (because we don't have much detail) but a flaw has been discovered that allows one to convince the terminal that a card's PIN has been entered -- and you know what that means: free money! All you really need to pull it off is a fake smart card connected to a card reader containing the stolen card and some fancy software. (Place the contraption inside a hat box or bowling ball bag if you want to be slick.) What could be simpler than that? "We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," said Professor Ross Anderson from the school's Computer Laboratory. Sure, this is a proof-of-concept thing, and not yet a clear and present danger, but we have faith that the hackers will see this one through. Maybe we weren't crazy to bury all that gold in the backyard after all! British TV news (with the appropriate dramatic music) after the break.
UK Chip and Pin machines headed to the home
Barclays bank is doling out at least 500,000 Chip and Pin machines (the fancy UK term for credit card reader) for use in the home by its customers. The system is similar to the key fob that PayPal offers to its users, which generates six-digit passwords for use in supplement to the traditional username and password to add a layer of security to your PayPal account. The card readers that Barclays is shipping out generate an eight-digit number for logging onto your online banking account, but first you have to swipe your card and enter your pin number. You're also required to perform the same action for money transfers. This should beef up security considerably for users, and guard people from being compromised fully by phishing attacks, but we're fairly certain your money and identity will never be safe until you bury it all deep in the woods somewhere, later to be discovered by three camping buddies who are soon to become mortal enemies... we'll stop now.
Kingston unveils flash storage vending machine in UK
We wouldn't recommend hopping on the next non-stop flight to London Gatwick Airport's North Terminal or anything, but for those passing through in dire need of an extra SD / CF card or USB drive, Kingston's got your back. Joining SIM cards, iPods, digicams, shoes, and all sorts of other bizarre goods, Kingston's self-branded vending machine will doll out presumably overpriced flash memory to travelers in need. Reportedly, New Jersey-based MyMemory will be operating the machines, and of course, they will all be open 24/7 for your late night (and mid-day) flash storage requirements. Interestingly, the UK units will supposedly utilize the oft hacked Chip & PIN technology, which means the countdown to gobs of free memory (and a high-speed police chase) has officially begun.[Via EverythingUSB]
Chip & PIN Tetris hackers can steal credit card info, too
Hacking into sensitive machines and playing brain games on them certainly isn't new -- and a pair of researchers at Cambridge have already done just that on a "tamper-proof chip-and-PIN payment terminal," -- but in a recent (and more serious) development, they've extended the exploit to demonstrate how they can "compromise the system by relaying information between a genuine card and a fake one." Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, have not only played Tetris on a banking machine, but have devised a scenario where a terminal is actually connected to a thief's laptop (instead of a bank, for instance), thus passing through crucial information without throwing a red flag to the now-screwed customer. Through a series of RFID, WiFi, and SMS connections, the duo even explains how something so simple could be used to steal thousands of dollars in diamonds and jewelry if working with a trained crew. Still, it's noted that this kind of stunt would be "difficult to execute in practice," and of course, whoever tries it runs the risk of being imprisoned for quite some time, but if you're interested in an eerily detailed description of just how beautiful you life can become if you actually pull this off, the read link demands your attention.
