
Why does the US still accept hand-typed cards?

My friend had a USB smartcard reader in like 2001. He'd dip his AmEx to perform a transaction on his PC. It's twenty years later and the industry still hasn't caught up?

What's different about Europe that they seem to have figured this out decades ago?




Because the banks and vendors are liable for unauthorized charges in the US [1], not the user. The banks/vendors handle the fraud in aggregate on the backend. They could roll out fraud prevention at the end-user level, but they choose not to; which means it is probably not worth it for the issuer relative to the extra user convenience (and extra charges).

In contrast, in many places in Europe the user is responsible for unauthorized charges. Regular people care a great deal about not being wrongfully charged as that is almost always proportionally worse, so they demand robust end-user protection so they will not be wrongfully charged.

This is kind of a case of, “everybody would drive safer if instead of a airbag you had a bunch of knives that shoot out and kill you if you get in a crash”.

[1] https://www.law.cornell.edu/wex/fair_credit_billing_act_(fcb...


Not even banks, only vendors are responsible if they do not upgrade their POS systems since sometime in the late 2010s I think.

See EMV fraud liability shift.

https://www.mastercard.us/content/dam/mccom/en-us/documents/...


As someone who's lived in multiple European countries since I was born, I also don't understand this comment. I don't know anyone who uses these smartcard readers at home. I don't think it's common at all.


> As someone who's lived in multiple European countries since I was born, I also don't understand this comment. I don't know anyone who uses these smartcard readers at home. I don't think it's common at all.

Which EU countries? Bank card readers are super common in .nl (ING for sure) and .be (just about every single bank there) for example.

Nowadays banks often allow you to use either that or, say, an app on your phone or a dedicated physical token. For example you can confirm transactions you make on your computer by unlocking an app and confirming with your fingerprint from your smartphone. But that's semi-recent. Before that kind of 2FA became a thing, it was all done with card readers.

Some countries still live in the past like, I shit you not, Societe Generale in France still has a "2FA" where it shows digits randomly on the screen and you have to click your PIN (some people still have an account like that): that is however quite pathetic and not the norm.

If I want to buy anything online using any one of my credit cards, I must put it in a physical reader and reply correctly to a challenge/response.

These readers are different from the electronic ID card readers, which are also used in many EU countries (for example to file my taxes online).


I am an ING customer in the Netherlands and have never heard of those things, so I doubt their commonness.


> What's different about Europe that they seem to have figured this out decades ago?

Our governments actually care about monopolies and security. The PSD2 directive was an utter pain to deal with, but at least it stopped a lot of common scams and thefts in its tracks, and it forced banks and other payment actors to open up their system.


> The PSD2 directive was an utter pain to deal with, but at least it stopped a lot of common scams and thefts in its tracks

Indeed. More specifically SCA (Strong Customer Authentication), which is required by PSD2. VISA says the "SYH" (Something You Have) is either "a mobile phone, a card reader or other device evidenced by a one-time passcode".

Note however that I cannot log in nowadays to any of my banks in the EU without having a big banner saying something like (paraphrasing): "WARNING: scammers are trying to steal your funds. Neither the bank nor the police nor anyone else shall ask you for your PIN or to confirm anything on your card reader."

Basically: life is harder for scammers so they try to trick (mostly old) people into validating transactions over the phone.


I've lived in Europe my whole life and I've never made an online payment with a card reader (even though my ThinkPad has one), nor do I know anyone who has.


But you do use 2FA when paying with your credit card online. What kind of 2FA does the bank providing your credit card mandate you to use?


In Denmark, there's a national system for authentication used for government sites and banks. I have a small device with a single button on it that shows a 6-digit code when you press it. I enter that code along with a password any time I make a purchase online.

(There's also an app that most people use. But I like the hardware thingy better.)


For me (in France) it's the bank app's 2FA or sms 2FA if not available.


My bank's app.


It is just lobbying preventing good policy. If we moved to chip + PIN, we'd get rid of almost 100% of CC fraud. But retailers don't want the friction, so instead the consumer pays for the fraud.


Why do you think this requires a government mandate? What evidence do you have of counter-lobbying as opposed to simple consumer and retailer preference?


> Why do you think this requires a government mandate?

It's a classic tragedy of the commons situation (inverted, like the economics textbook example of a lighthouse), to which government intervention is the classic solution. Fraud prevention benefits everyone, but any individual actor is better off skipping the fraud checks.


Not sure I understand. Does everyone outside the US have a card reader attached to their PC and phone?


I have never ever seen an online payment processor that was capable of using a card reader to perform a transaction from a webpage (on a non-specialized device). I don't think there is even any established standard for using a smartcard from a website. WebUSB/WebNFC may work (although browsers have blacklists of vendor IDs to disallow access to e.g. Yubikeys, so at least some smartcards may not be accessible this way), but that's all experimental and questionable stuff.

It might've been possible someone had something like that in the good ol' '00s with ActiveX, but that must've surely been an exception (and a security nightmare).


A card reader is a stand-alone device and has nothing to do with any web tech.

You put your ATM card in the device, enter your PIN code, and then the device has a tiny camera that scans the QR code on the web page. Next, you can see the transaction details on the device and confirm. It will then output a signing code which you enter on the web page.

It is what was commonly used in some EU countries before we switched to mobile banking apps. Most banks still supply them for when you do very large online transactions.


No it's much simpler than that. You either confirm the transaction on your phone with pin or FaceID, without the card involved. Or if the amount is too high (50k+ at my bank) or you don't have your phone, you use a small device provided by the bank.

The device reads your card, asks for the pin and then spits out a 2FA code to enter on the website or app. The old ones only did this code thing (usually with SMS as a backup way to get the code, but most banks have moved away from sms now). Some more advanced ones have a digital signing capability by taking a photo from a QR-like code on the computer screen and then displaying the signing code for you to enter.

These advanced ones are a bit out of use now that everyone uses the mobile app, except for business accounts and larger amounts like my bank's 50k limit on mobile app confirmation. But I don't regularly transfer more than 50k in one transaction anyway.

Edit: Here is a picture of one that we use with a large Dutch bank for our business account with the QR-code reading thing: https://4.bp.blogspot.com/-6c1NGHew1P8/VBqvTeqDQdI/AAAAAAAAf...


They're less common in the UK now mobile apps have taken over, but in the early 2000s banks would issue a standalone device to every customer. When making payments via online banking you'd put your card in the device, hit a button, and give it a code that the online banking page provided. The device then did some magic via the chip on your card to provide a code that you'd give back to the online banking site to validate that you were in possession of your card.

Some banks may have used this for 3D Secure during online card payments as well, but I've never encountered one. Validation for that in my case evolved from setting a password on my account, which they'd ask for some characters from, to tokens sent via SMS to my registered phone number, to a push notification from my bank followed by FaceID to authorise payment.

In-person Chip & PIN, and more recently contactless, is ubiquitous. Magstripe payments are so rare I have to explicitly enable them in my bank's app for the card, and it'll turn itself off again 7 days later. I never encountered chip & signature until going to the US, where everyone in the group I was with looked at it like some sort of joke (and indeed it is, because there's no signature recorded against my card for validation).


Not everyone and it's not necessarily connected to the PC. Some card readers are, some aren't.

And there are two things that are not to be confused: electronic ID card readers (used for stuff like VAT tax filings, income tax filings, etc.) and debit/credit card readers (which may or may not be connected to the PC) used as 2FA (with a challenge/response). The ones that aren't connected to the PC generate a number which you then enter to confirm your login/order.

Many banks in the EU enforce at least one type of 2FA. The shittiest, most pathetic ones still do it by SMS (but it's still 2FA and still better than nothing). Others use a card reader (in which you literally plug your bank card, which signs orders challenge/response style and never leaks the card's secret). Others give a physical RSA-like token with codes changing every x seconds. Others allow the use of an app on a smartphone to confirm transactions.

When I log in to at least one of my banks I've got a list asking me which type of 2FA I'll use to log in and confirm payments. Card readers (two different types) are on the list.

I use that to log in, confirm wire transfer and buy stocks too.


No. Until I read the comment above, I had no idea that that even was something people actually use to make payments from home.


Most people have an NFC reader at least built into their phone.


The rest of the world has to put up with the US banking system because when all you have is an overfunded military, everything looks like a target.

That logic doesn't quite translate internally, so it's important to maintain the perception that the banking system is all that stands between the little people and a hungry mob of scammers. If the scam problem were demonstrably easy to solve at the POS, it would be harder to justify the merchant fees and other bank-related overreach.


In the United States, there is minimal incentive to do so. It took many years to transition away from magnetic stripe cards to pin+chip. IIRC, the regulators kept pushing back the date for banks to re-issue pin+chip cards and for merchants to begin accepting them. I think it was only when the processors began to threaten merchants with 100% liability for fraudulent transactions processed with mag stripe is when it started to hit critical mass (2015-2016?).


Europe is better organized, simply. People are tightly crammed together compared to the US, and historically were fighting each other for 'living space' instead of progressively occupying almost a whole continent. Things just have to work better - and by and large they do.


If you don't, you significantly increase the friction in using your service and will lose business to those who do accept the hand-typed card, where the user doesn't have to adopt new hardware or software.

Everyone would need to mandate the security feature while having a short-term incentive not to.


If the cost of preventing fraud exceeds potential losses from fraud, maybe it makes more sense to let the fraud go through.


Fuck smartcard readers. Also: fuck 3d secure. The nice thing about old, "insecure" card payments was: I just needed to memorize my credit card number, expiry date and CCV and I could pay online for everything. No need to always carry a phone for SMS/app authentication.


We do get `Verified by Visa` or Amex SafeKey on most transactions though.


Probably helps maintain dollar hedgemony by allowing a wider swath of the global population (criminals, poor people) to use the system unencumbered.


"hegemony" n. leadership or dominance, especially by one state or social group over others.

"Hedgemony" is a war game focused on connecting policy and strategy. https://www.usmcu.edu/Outreach/Marine-Corps-University-Press...





