銀行卡盜刷猖狂，過時磁條惹的禍？

U.S. credit and 1）debit card 2）fraud is on the rise. According to one survey， nearly a third of American consumers have reported credit card fraud in the past five years.

And part of the problem， as Andrea Rock of Consumer Reports tells us， is that U.S. card issuers rely on security systems that lag behind measures taken in other countries.

“The credit and debit cards that most Americans use are really surprisingly vulnerable to fraud，” Rock says. “Because， unlike cards in most of the rest of the world， they rely on outdated technology. The account information that’s needed to make a transaction on American cards is stored， 3）unencrypted， on a magnetic stripe on the back of each card.”

That information is easily copied and reproduced on a 4）bogus card. Rock says that in general， thieves prefer to target debit cards， which allow them to get cash from an ATM， instead of conducting risky transactions in a store.

Other countries moved beyond this technology years ago. The U.K.， Canada and Hong Kong are already using chip-based cards， which are considered more secure. （Magnetic stripe technology is decades old.） Cards using the chipand-5）PIN system have an embedded microchip. Instead of swiping the part with a magnetic stripe， you put the card into a terminal， then enter a PIN or sign your name. It’s more expensive for criminals to forge these cards， says Brian Krebs， a security journalist.

The newer chip-and-PIN technology “simply raises the costs for the bad guys，” Krebs said. “It’s not that they can’t break the system—but it makes it more expensive for them to 6）fabricate these cards.”

But why hasn’t the U.S. already adopted this technology？

That’s the wrong question to ask， says Ross Anderson， who has worked on payment technology for almost 30 years and is a professor of security engineering at the University of Cambridge.

“Simply blocking off one of the avenues of attacks by fraudsters isn’t enough to make fraud vanish，” he says.

It can be a game of cat and mouse. Anderson says after it became common to pay with chipbased cards in the U.K.， around 2003， the level of fraud went up because thieves turned to schemes involving mail and telephone orders.

Eventually， criminals figured out how to make fake terminals that steal information from the card. Also， the cards still have magnetic strips， in case European cardholders want to travel abroad. According to Krebs， some criminals simply steal the information from the cards in Europe， and because they can’t pay with magnetic stripe cards over there， they send the information to crooks in the U.S. for illegal shopping sprees.

Americans are actually lucky， says Anderson， because they have the thing that matters more than technology—consumer protection.

“If there’s fraud， the issue is who pays for it； is it me or is it the bank？ And if the bank is running the system， then I want the bank to pay for the fraud，” Anderson says. “American citizens are lucky because [since the 1970s and early 1980s， they have] very strong consumer protection in the form of 7）Regulation E， Regulation Z and various decided court cases.”

If U.S. cardholders become victims of credit card fraud， they can call their bank and be done with it， losing at most $50 or so. In the U.K.， for instance， cardholders have to write a letter to file their claim.

“The U.S. is ahead in terms of consumer protection， and if you’re thinking about the public interest and how things affect you as a bank customer， that’s by far the most important thing，”Anderson says. “How the banks use technical mechanisms to limit their own exposure then simply becomes an engineering problem for them to solve.”

He says this consumer protection is why online shopping took off in the U.S.

Starting Oct. 1， 2015， Visa will encourage the use of the new chip-embedded cards in the U.S. After that， if someone uses a chip card at a store that hasn’t adopted the new terminals for reading chip cards， the store may be responsible for any fraud that happens.

Anderson also says this is an exciting time for payment technology. There hasn’t been much innovation for the past 30 years or so， but he says mobile payment systems like 8）Google Wallet could be widely used in five to 10 years.

美國的信用卡和借記卡詐騙犯罪不斷增加。據(jù)一項調(diào)查顯示，在過去的五年里有近三分之一的美國消費者報告過信用卡被盜。

而據(jù)《消費者報告》雜志的安德烈亞·洛克向我們所述，問題有一部分源于美國的發(fā)卡機構(gòu)所依賴的安全機制遠遠落后于其他國家的標準。

“大部分美國人所使用的信用卡和借記卡是相當容易被偽造的，” 洛克說道，“因為，不像世界大部分其他地方的卡，這里的卡依賴的是過時的技術(shù)。美國的銀行卡片上完成交易所需的賬戶信息沒有經(jīng)過加密，就儲存在卡片背面的磁條中?！?/p>

這些信息能夠輕易地被復(fù)制到偽造的卡片上。洛克認為，通常竊賊更傾向于以借記卡為下手目標，因為這樣他們就可以直接從柜員機取得現(xiàn)金，風(fēng)險比到店里去通過消費來獲利更低。

其他國家多年前就提升了這方面的技術(shù)。英國、加拿大和香港都已經(jīng)在使用芯片卡片了，這種卡的安全性被認為更高些。（磁條是幾十年前的老技術(shù)了。）使用“芯片加密碼”系統(tǒng)的卡上帶有一個嵌入式芯片。與刷卡上的磁條不同，人們使用這種卡時要把卡插入終端設(shè)備，然后輸入密碼或者簽名。安全新聞記者布萊恩·克雷布斯認為，對于詐騙犯來說這種卡的偽造成本要更高些。

這種更新的芯片加密碼技術(shù)“只是增加了壞人的成本而已，”克雷布斯說道，“不是說他們不能攻破這個系統(tǒng)——但對于他們來說，偽造這種卡片的成本要高一些?！?/p>

但是為什么迄今為止美國還沒有采用這種技術(shù)呢？

這個問題問得有點不當，羅斯·安德森說。他已在支付技術(shù)領(lǐng)域工作了近三十年，而且還是劍橋大學(xué)安全工程學(xué)的教授。

他表示：“僅僅阻擋住詐騙犯們所采取的其中一條攻擊路徑是不足以消滅欺詐行為的?！?/p>

就像是貓捉老鼠的游戲。安德森說，在2003年左右，當使用芯片卡片在英國成為普遍現(xiàn)象時，欺詐的水平也提高了，因為竊賊們轉(zhuǎn)而通過包括郵件和電話訂單的方式來進行欺詐。

最終，犯罪分子想到了如何制造能夠偷取卡片信息的假冒終端設(shè)備。而且，卡上依然帶有磁條，以備歐洲持卡人出國旅游時使用。據(jù)克雷布斯所說，一些犯罪分子只是從歐洲盜取卡片信息，而因為在那里他們不能用磁條卡進行支付，于是他們把信息發(fā)送到美國，讓騙子在那里進行瘋狂盜刷。

安德森說，其實美國人是幸運的，因為他們擁有比技術(shù)更為重要的東西——消費者保護。

“如果發(fā)生了詐騙，問題就是誰來為損失買單；是持卡人自己還是銀行？如果是銀行在運行該系統(tǒng)的話，那么我希望是銀行來為詐騙損失買單，”安德森如是說道?！懊绹袷切疫\的，因為（從上世紀七十年代和八十年代初期起，他們就已經(jīng)擁有）以《E條例》、《Z條例》和各種已決案例為形式的強有力的消費者保護?！?/p>

如果美國持卡人成為了信用卡欺詐罪的受害人，他們可以打電話給銀行，然后就萬事大吉了，最多損失50美金左右。而在其他地方，比如英國，持卡人則要寫信提出索賠。

“從消費者保護方面來說，美國是走在前沿的，且如果你是從公眾利益及作為一名銀行客戶所受的影響這些方面考慮的話，那么這就是目前為止最重要的事了，” 安德森說道?！岸y行如何采用技術(shù)機制去減低其風(fēng)險，則不過是他們需要自己去解決的工程問題而已?！?/p>

他說這種消費者保護正是網(wǎng)上購物為何會從美國開始興起的原因。

從2015年10月1日起，維薩信用卡將會在美國推動新型嵌入式芯片卡的使用。屆時，要是有人在還未配備新終端讀卡設(shè)備的店鋪里使用芯片卡而發(fā)生欺詐事件時，那么該店鋪有可能要負責(zé)。

安德森還表示，這是支付技術(shù)上令人振奮的時刻。在過去的三十多年里都沒有過多少創(chuàng)新，但他同樣表示移動支付系統(tǒng)，例如谷歌錢包，有可能會在未來的五至十年間得到廣泛的應(yīng)用。