Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)
The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
I'll just avoid the merchants that require it. My local Home Depot has a sign up saying that after tomorrow they will no longer swipe credit cards. Guess I'm going to Lowe's.
date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
It's the date after which merchants are supposed to be liable for fraudulent purchases made with new-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).
Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn't support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank's issued card supports chip and pin, but the merchant doesn't support the feature.
...that's not the system we're getting in the US, at least for the time being and at most retailers. We're getting Chip and Signature, which is much less secure. We're just calling it Chip and PIN, but most retailers aren't actually using PIN numbers to complete transactions...
You guys don't have chip and pin yet?
What?
How does this work for online retailers? How do I get my one-time PIN out of the card? Does this mean you can't save a credit card anymore?
I've had most of my card replacements come with a chip, but I've certainly not been offered or required to do any type of PIN number for it...I just call and activate it on the phone the usual way.
I think it is only Europe mostly that does the PIN part too?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
It does increase security a little bit. Don't forget: What really protects you, the consumer, is the fact that you're almost never responsible for fraudulent charges on your card unless you were grossly negligent.
The credit card companies don't want to (and cannot) completely prevent fraud. All they need is something to keep it at a manageable level so their high profits remain high. And chip-and-PIN is a little better than mag-stripe.
There's no PIN. I thought the "industry" decided we Americans were too stupid to remember a PIN so they went with sig only.
Isn't that correct?
-Lee
What the hell kind of "security" have you been using the whole time?
Always some fat neckbeard running his mouth about some shit. It's hard to watch because you can hardly stop laughing because their neck-fat flaps around like a bowl of jello during an earthquake.
Total fucking fail.
"Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)"
" sort of, a little, but not a whole lot, according to Jerry Irvine, w"
yeah i am the same stupid as slashdot. yeah yeah yeah yeah, yeahs it will increase security, yeah , yeahs a little, and a sort of and, yeah yeah yeah, am I slashdot or what ????
Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obscurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.
These Chip and Pin cards are called "EMV" cards.
For those who are curious about what's inside those chips, check out Cardpeek, an open-source tool to read the contents of smart cards.
http://pannetrat.com/Cardpeek/
Lots of stuff in there.
The problem is that there are six million merchants out there with mag stripe readers, and nobody can force them all to change to EMV overnight. It took Europe four years to get even to 90% adoption rates. Until such time as most all retailers take them, the crappy mag stripes are required for backward compatibility. And if we say "this does nothing", that's wrong. It takes us one step further down a path we need to fully traverse.
John
Chip-and-PIN is not a new idea! We've had it for over a decade in Britain and we weren't the first to implement it! One of the reasons the banks pushed it here was because other countries that have tried it saw substantial reductions in fraud!
It works!
US chip cards are set to "prefer signature". Many of them don't have PINs at all.
It's less secure, but likely it doesn't matter. Part of chip and PIN was designed to blame the customer for all in-person fraudulent charges on the idea that if your PIN was entered, you must have been there (and not just your card). This does not pass muster with US consumer protection laws, so there isn't a lot of reason to go to chip and PIN in the US.
Not that chip and PIN wouldn't work, I think the retailers just saw it as too much hassle to make all merchants put in card readers which face the customer instead of the employees.
Chip and sign cards cannot be cloned. That's what adds the most protection anyway. Especially since much stolen credit card info from around the world has been used in the US since you could make a cloned stripe card from account info for chip and PIN cards and then use it in the US.
http://lkml.org/lkml/2005/8/20/95
Outside of the US, everyone already has it.
It's also used in Canada... it acts as a replacement for signature on CC purchases that take chip and pin.
File under 'M' for 'Manic ranting'
Studies in Europe showed that when chip and PIN nearly eliminated point-of-sale (in store) fraud, within a year or so the fraud moved to card-not-present sales (that is, the fraud occurred by European cards used on the internet, phone, and also countries where the PIN network was not integrated back to Europe's clearinghouses like Brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or if it's less than it would have been).
For in-store (card present) sales, it isn't lost cards that are the biggest problem. It's stolen card numbers being cloned onto forged plastic. Stolen card numbers are easily transmitted faster and also can be replicated many times, which is better than the original card itself. Just having the chip there can shut this down. You don't have to have the PIN. Thus card+signature is just as good as chip and PIN for practical purposes. The PIN just shuts down people using the original stolen card, which is a small slice of the problem.
So no, this isn't going to do much about fraud, since card-not-present is actually going to become the dominant mode of sales (internet). But the PIN doesn't help much.
Some drink at the fountain of knowledge. Others just gargle.
The *user* should never trust the merchant to begin with. We have this flaw that is unbelievably obvious that has been exploited by criminals in Europe. The criminals bug the merchants' terminals. The user should never have to enter a PIN into a terminal in the first place. The way the system should work is every user's card should have a number pad on it where they enter their PIN. It should display the merchant's name, the amount of the transaction, and a transaction ID (i.e. the receipt). The card should then encrypt a message with GPG that is then transmitted to the card holder's bank authorizing the bank to release the funds to the merchant. The system would work with both merchants on the internet and in the real world. The merchant would never need to be liable for fraudulent transactions.
If you have a gun to your head and someone steals the card and forces your pin out of you then you need to file a police report. You might lose money, but it'll be a *major* crime and the police *would certainly* investigate.
Merchants are on the hook when a fraudulent purchase is made, with a NEW style card, but the merchant hasn't updated to a new style reader. Issuers are on the hook when a fraudulent purchase is made with an OLD style card.
(If at first you don't succeed, do it different next time!)
In Sweden we have had 4-digit PIN codes for our credit/debit cards for at least 20 years; the reason the US doesn't is that Americans are too stupid to remember 4 digits (at least that was why it was postponed last time).
The chip was introduced some 10 years ago to prevent card theft.
If you buy online you have to enter a second code with a technique accepted by your bank (usually using an app on the phone to generate a code).
It's always amusing hearing Americans describe their bank system; it's like Sweden in the '60s.
It hasn't stopped my boss from cracking the whip the last three months to get us to get EMV implemented.
Secession is the right of all sentient beings.
So following up my own post, notice that PayPal and Apple Pay both have the means to verify the user of the transaction for card-not-present transactions. Other card methods like, say, Samsung Pay are just wrappers around the card right now and emulate the old swipe system. Thus Samsung Pay is actually obsolete before it even happened. Chip and PIN now forces you to carry your credit card, not just the credit card number. Thus you will already have the credit card in your wallet, making Samsung Pay replace exactly nothing you would have carried anyhow. Apple Pay and PayPal don't have that problem because they can conduct secure transactions through the store's payment mechanism.
Some drink at the fountain of knowledge. Others just gargle.
Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obscurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.
Not exactly. The new US cards use a one time token for the transaction like other PIN and chip cards, but MC/Visa have not required issuers to force PINs. So no 2-factor but still much safer for physical transactions than magstripe, provided you don't lose the card itself. Doesn't do shit if the card itself is stolen or for online transactions though.
I browse on +1 so AC's need not respond, I won't see it.
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
The US chips will be cracked in a matter of months, maybe more, and we gain almost nothing.
The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.
The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.
We finally had a good push to revamp the payment card infrastructure, and they totally blew it.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).
US businesses that currently accept chip and PIN/signature
Sorry, UK guy here. Somebody seems to have a made a repost from the early 2000s...
We're just in the process over here of replacing chip and pin with 'contactless', thus removing the security that the PIN afforded us.
Besides, as long as the merchant and the bank are responsible then the card provider can choose how little or much security they provide without it really being my problem. Though I'll wait for everyone else to test the PIN-less 'contactless' system first to see what the problems are...
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
The US chips will be cracked in a matter of months, maybe more, and we gain almost nothing.
The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.
The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.
We finally had a good push to revamp the payment card infrastructure, and they totally blew it.
Not only that, if I put my card in the chip reader rather than just swiping it, seems to take 10 seconds longer. Or twenty seconds, or thirty.... I think in many cases convenience will trump security.
It's a jump back. Not everyone had a mag stripe reader in their pockets, and it required special read heads to roll your own.
Smart card tech ain't new. It's the same tech we have had in the consumer space for decades in the form of cell SIMs, cable/sat set-top box cards, PC terminal logins, etc. It's actually cheaper to get a reprogrammer for a smart card than a mag stripe. Encryption you say? You tell me how long you expect hardware-based encryption running off an induction-powered IC will hold up to a mid-range PC creeping into the multi-petaflop range.
Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).
Why would they turn it off?
Some drink at the fountain of knowledge. Others just gargle.
The data on the chip is a signed certificate; but it's not encrypted. So if you can do a bit-for-bit copy of the data to a new chip, viola, the card is cloned and usable. IF the data was encrypted and required a PIN to unlock, THEN you would have a little security because even if you clone the data, you don't have the key to unlock it to allow the transaction. HOWEVER the spec doesn't allow for that; the spec is basically half of private key cryptography.
Chip And Spin
I'd honestly have thought they'd have given up on this stupidity already, having known that the damn stuff flatly doesn't work.
Some of the CLEAR problems with Chip and PIN
This shit was brought up to have real and serious issues and shown to be a farce back in 2006(!)- which means they should be goddamn ashamed of themselves to FORCE this because now they're going to blindly follow what the EMV system tells them and YOU are going to be the one to eat the fraud, not the bank. I'm limiting how much I spend on my card from here on out- because they're going forward with this joke. Just because you use crypto and "smart card" tech does NOT magically make it secure, sound, or even sane.
It's basically the same thing as a magstripe
Other than the unique one time code that's generated for every chip transaction, of course. And the extreme difficulty of retrieving the private encryption keys needed to generate those codes from the chip itself.
US businesses that currently accept chip and PIN/signature
CVS told me they have to do it for HIPAA reasons in their pharmacy.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
interesting. News reports said CVS and Walmart didn't do it because they are launching a competitor.
Some drink at the fountain of knowledge. Others just gargle.
A large number of US retailers actually rely on non-consensual tracking/data mining as part of their business models. NFC would really interfere with that. Not to mention there are a few (like Walmart) who really hate Visa/MC and at best want all of the benefits card acceptance brings without paying anything.
US businesses that currently accept chip and PIN/signature
Yep, CurrentC. Which is basically a usability and security/privacy disaster. It'll probably fail (and some retailers such as Best Buy already have abandoned it), but there will still be holdouts.
US businesses that currently accept chip and PIN/signature
.. so, if there are some disputed charges on your account, the bank can either 1) chase the retailer to get the lost money back - assuming the retailer has not given you the opportunity to use Chip and PIN or 2) chase you, since clearly if there is a transaction on your account, and your card is a Chip and PIN card, either you have given someone your card and PIN (in which case it's your fault) or someone has stolen your card, and found out your PIN (in which case you failed to keep it secure, and bugger me, it's YOUR FAULT again).
I was a victim of an early fraud about five years ago, at a coffee shop at Paddington Station. I bought a coffee using my chip and pin from my business account (well, there were lots of us having coffee, and I decided for once it was a business expense). A few days later, I noticed some charges on my account I couldn't identify, and I contacted the bank. Their immediate reaction was that I must have let someone have my PIN. It took six weeks to have the money returned to me by the bank - and then only when they could displace the blame on to the retailer (apparently I wasn't alone, and an investigation by the police turned up a hacked card reader which stored PINs on an SD card).
The way the system should work is every user's card should have a number pad on it where they enter their PIN. It should display the merchant's name, the amount of the transaction, and a transaction ID (i.e. the receipt). The card should then encrypt a message with GPG that is then transmitted to the card holder's bank authorizing the bank to release the funds to the merchant.
...and that's how it works with lots of European banks' e-banking interface:
a completely offline device (either a chip card in a small calculator-like device, or a card with the keypad directly on it) is used to sign transactions (or simply the numbers they display. But you get to see the numbers).
European banks do it because:
- it's really the best possible security at this level of convenience, thus less risk for their customers and thus less possible liability for the banks themselves.
- it's their own e-banking infrastructure, they get to do what pleases them (see point above for what pleases them).
That would be completely different with credit card payment:
- because the banks themselves don't get to decide. Instead they have to abide by whatever Visa and MasterCard impose on them, and Visa and MasterCard are interested in a different point of balance on the security vs. convenience scale (they need credit card usage to be as easy as possible because they need as many transactions as possible to happen, which makes more money flow, which gives them more earnings from the percentages)
What some European banks have introduced is complete out-of-band confirmation of transactions:
you get an SMS asking you to confirm the transaction that you do with the credit card. Even if the terminal is rigged/bugged, the SMS will show you that the transaction amount isn't what it's supposed to be.
Currently, that's not very convenient (slows down the procedure a lot), it's not very secure (all it takes is a rigged/bugged picocell spoofing the SMS), but at least it helps discover and intercept fraud much faster (wait, why am I receiving a confirmation SMS when I'm just sitting at work ?!?) and is a first baby step in the right direction (the user should rely on an external non-trusty device for displaying info about the transaction and asking PIN to sign the transaction).
-----
Sadly, for the sake of convenience, some of these separate e-banking authentication devices are replaced... by smartphone apps.
Yup. Software running on *always online* devices that can be hacked.
All this because the user already has a phone in the pocket, and because the smartphone has a camera which is convenient for reading data from QR codes.
-----
For the record: the Bitcoin protocol also relies on the user signing a transaction that they see on their side.
Except that instead of getting checked by one single authority (that might have some sort of privacy policy), the check is distributed and each transaction is publicly broadcast for the whole network to store in its distributed ledger (no true anonymity trades for no single point of failure).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
The US chips will be cracked in a matter of months, maybe more, and we gain almost nothing.
The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.
The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.
We finally had a good push to revamp the payment card infrastructure, and they totally blew it.
Not only that, if I put my card in the chip reader rather than just swiping it, seems to take 10 seconds longer. Or twenty seconds, or thirty.... I think in many cases convenience will trump security.
Problem is that the readers which support the chip will also detect that the card has a chip and force it to use the chip. Ran into that already; the mag stripe won't work with them - it's chip only. Or at least, retailers can configure it that way, which I'm pretty sure they'd be required to do under the mentioned requirements by MC/Visa/AMEX
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
You guys are only just getting chip and pin? ... I forget how far behind the rest of the world the USA is sometimes...
Most Brick and Mortar Merchants are already liable for the vast majority of fraudulent transactions. Chargebacks for identity fraud (ie, a stolen credit card) currently hit the merchant, not the issuing bank.
That liability will shift temporarily to the bank, IF the merchant has the new technology, AND the bank does not. Once both have the tech, the liability falls back on the merchant, because anybody with a stolen card has also stolen the chip.
This is primarily a stick for the banks, since they will have to eat a larger percentage of chargebacks until they issue new cards. There is very little carrot for merchants. The best incentive is for early adopters to defray some of their equipment costs, as the money drops off very quickly, as banks issue new cards.
In six months to a years time, there is going to be almost zero incentive for any merchant to buy new chip & sig equipment, until it becomes part of PCI rules. The US implementation is ridiculously stupid without the pin, and this entire transition will prevent exactly one type of fraud- when organized crime manufactures fake cards with real numbers. The more common types of fraud (stolen physical cards & stolen card numbers used online) will not be impacted one bit, and merchants will continue to eat the costs.
Australia no longer accepts signatures at all. August last year it became chip & PIN only.
For online purchases, why doesn't the bank issue two-factor codes like I use to log into AWS?
While the USA are getting on board with Chip and Pin, the rest of the world has already moved on to NFC.
I don't recall the last time I used a magnetic strip.
There was a petrol station near me that did exactly the same. Bonus was it was the cheapest in the area so loads of people used it...
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
It prevents card cloning, nothing else. The PIN makes an additional step required for cloning (which shouldn't be possible in the first place).
With mag stripe only, you can clone a card in about a minute with minimal equipment and the original card in hand for about 2 seconds.
The data on the chip is a signed certificate; but its not encrypted.
Most certificates aren't encrypted.
IF the data was encrypted and required a pin to unlock, THEN you would have a little security because even if you clone the data, you don't have the key to unlock it to allow the transaction. HOWEVER the spec doesn't allow for that, the spec is basically half of Private Key cryptography.
That wouldn't be private key cryptography, that would be shared secret cryptography.
In EMV there's a couple of modes; modern cards use what is called DDA. In DDA the card provides the unencrypted public certificate to the terminal, the terminal then provides 'random' data (and this is where the few attacks on EMV happen, if the terminal is broken and provides not truly random data). The EMV chip in the card then uses its own internal private key to sign that random data and returns the signed random data. The terminal then uses the card's certificate it received earlier to validate the signature, then forwards the information on to the processing company. At no time does the private key ever leave the chip and touch the terminal.
Now some earlier chips did do SDA where it just had a pre-signed set of data on the card, that has not been the use case in EMV for about 5 years now. I just checked every card in my wallet and all of them in fact do use DDA.
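The DDA round trip described in the post, as an added example that is not code from the thread or from any EMV implementation: the terminal issues an unpredictable number, the card signs it with a private key that never leaves the chip, and the terminal verifies the signature against the public key it read from the card. Textbook RSA over two fixed Mersenne primes stands in for the card's key; the "certificate" is modelled as just the public key (assumption: no issuer/scheme certificate chain), and the `Card`/`Terminal` class names are mine. The second function shows why the terminal's number must be fresh: a signature captured in one session does not verify in the next.

```python
"""Added example: a simplified model of EMV DDA (card authentication).
Not real EMV code; key sizes, hashing and message framing are assumptions."""
import hashlib
import secrets

# Fixed primes so the toy key is reproducible.  Real card keys are issued
# and certified by the payment scheme; these are only for illustration.
_P = (1 << 127) - 1          # Mersenne prime M127
_Q = (1 << 89) - 1           # Mersenne prime M89
_N = _P * _Q                 # ~216-bit modulus
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def _digest_int(data: bytes) -> int:
    # 192-bit hash so the value is always below the modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")


class Card:
    """Holds the private key and only ever returns signatures."""

    def __init__(self):
        self._d = _D                              # never leaves the chip
        self.certificate = {"n": _N, "e": _E}     # readable by the terminal

    def sign_challenge(self, unpredictable_number: bytes) -> int:
        h = _digest_int(b"DDA" + unpredictable_number)
        return pow(h, self._d, _N)


class Terminal:
    def __init__(self):
        self.last_challenge = None

    def new_challenge(self) -> bytes:
        # Freshness is the whole point: a fixed or guessable value here is
        # the terminal weakness the post refers to.
        self.last_challenge = secrets.token_bytes(4)
        return self.last_challenge

    def verify(self, certificate: dict, signature: int) -> bool:
        h = _digest_int(b"DDA" + self.last_challenge)
        return pow(signature, certificate["e"], certificate["n"]) == h


def run_authentication(card: Card, terminal: Terminal) -> bool:
    """One DDA round: challenge -> card signs -> terminal verifies."""
    challenge = terminal.new_challenge()
    signature = card.sign_challenge(challenge)
    return terminal.verify(card.certificate, signature)


def replay_is_rejected(card: Card, terminal: Terminal) -> bool:
    """A signature recorded in one session is useless in the next one,
    because the terminal issues a new unpredictable number."""
    old_signature = card.sign_challenge(terminal.new_challenge())
    terminal.new_challenge()                     # next transaction
    return not terminal.verify(card.certificate, old_signature)


if __name__ == "__main__":
    c, t = Card(), Terminal()
    print("genuine card authenticates:", run_authentication(c, t))
    print("replayed signature rejected:", replay_is_rejected(c, t))
```

The asymmetry is what matters for the cloning argument made elsewhere in the thread: everything the terminal (or a skimmer sitting on the terminal) sees is the public half plus signatures over values it chose, none of which lets it answer the next challenge.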
The whole point of the chip is that you can't skim it (e.g. you can't simply read the information and make a fake card that outputs the same info).
Sure, there is no law of physics that says you can't copy the chip in theory, but compared to magnetic stripes, which are designed to be read to even work, there is currently no easy way to copy a computer chip.
Comparing the security of a magnetic stripe to a smart chip is like comparing the security of a paper document folded in half to an encrypted digital file. Sure there is no guarantee that the encryption can't be broken at some point in the future, but it is almost incalculably more secure than hoping no one unfolds the document and reads it.
Are there any mainstream Chip & PIN credit cards in the US? The only ones I've found are either Chip & Signature ("so you don't have to remember another PIN" was how a support drone explained it to me), or default to that even if they have a PIN. So not that useful in the civilised world.
Until there is a way to feasibly copy the data on the chip, encryption doesn't really buy you anything. I think we should probably still do it, as it's probably not that expensive (we already know how to do it).
I'm just saying that this alone is pretty secure especially compared to magnetic strips.
The US chips will be cracked in a matter of months, maybe more, and we gain almost nothing
1000 years is still 12000 months, so your claim is basically unfalsifiable.
Which is why the US banking system, in its infinite wisdom, went for chip and signature, which is worthless as a security measure. The one advantage of the system is that when we go to Europe, our credit cards will at least work in European machines, rather than eliciting hapless giggles.
So I steal your card and use it, scribbling a sig if needed. Who cares about the unique one time code. If I had to enter a PIN then I'd not be able to use it.
You could buy a new set of strings for your viola!!
Australia no longer accepts signatures at all. August last year it became chip & PIN only.
Untrue. I was there in March of this year, and made north of 35 signature transactions up and down the entire east coast on at least two different cards. For cards without chips, Visa tells you specifically that all merchants that accept their cards are REQUIRED to accept signatures. Their travel department goes as far as to tell you that if you are refused a transaction because a merchant refuses to accept a signature as verification, to call Visa collect from the store and they will straighten things out for you.
I imagine that policy will now change starting tomorrow, but until that point - including early this year - they accepted signatures.
I've had a chipped card (issued by a US bank) for years now. But I've never seen a reader in the USA capable of using it. Some years ago, I was preparing for a trip to Europe and I figured I'd better get the PIN part of the card activated. One more interesting fact: This card was issued to me by a bank that I do not have an account with. Credit is the only business I do through them. So I call the service number and ask about the PIN. According to them, in order to have a PIN, I'd have to 'attach' the card to a bank account, effectively making it a debit card.
Other accounts I have also seem to be pushing their debit card products. The problem (as I understand it) with debit cards is that the liability for fraud falls harder on the consumer. Charge my credit card fraudulently and laws protect me and minimize my losses. Charge my debit card and someone can empty my bank account. And it's my problem.
So, whatever happens tomorrow, I'm going to watch my card agreement information very carefully. To make sure that my credit card doesn't magically turn into a debit card.
Have gnu, will travel.
...It's basically the same thing as a magstripe, but different form factor....
I'm 99.9999% sure you are absolutely wrong!
Granted, the chip&signature that the US is adopting is far weaker than the chip+pin used elsewhere (the pin is "something you know" which prevents the card from being used by others, whereas the signature is just a scribble of anything you want and doesn't technically lock/unlock anything).
However, you can swipe a mag stripe and read all the info from it via VERY cheap hardware (for example, a free Square reader). Doing so will give you every piece of info that is printed on the front of the card. It's the same info you'd get if you did an old-style carbon copy rubbing of the card like gas stations used to use, and that's the same info you'll get off the new chip+sig mag stripes and imprints. The chip isn't there to prevent theft of the physical card.
If, however, you use the chip, then the merchant does not get the actual card number. There's a two way communication from your card, to the terminal, to the bank, and back, all using crypto. You can think of it like an SSL handshake. Once that handshake is complete, the merchant has a one time use token to use for the purchase.
What does this solve? It ensures that the merchant can't log your card number and store it in their insecure database for thieves to later take, à la the Target breach**, because they'll never have that number. More importantly for the banks, it's "proof" that the card was there, and not some cheap copy.
** I think that's what happened at Target, but there have been mixed stories, and I'm not 100% certain... maybe it involved data they got from the web instead, but I doubt that. I'm pretty sure it was card numbers scanned locally.
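The per-transaction "one time use" value this post and the earlier "unique one time code" comment describe is what EMV calls an application cryptogram. Added example, not code from the thread or from any card scheme: a simplified chip/issuer pair where the chip MACs the transaction data together with a counter, the issuer checks the MAC and refuses a counter it has already accepted. The HMAC-SHA256 construction, the field layout, the counter policy and the `Chip`/`Issuer` names are assumptions for illustration; real EMV derives a session key from an issuer master key and uses a 3DES/AES CBC-MAC over a scheme-defined field list. One correction the example keeps faithful to a later comment in the thread: the PAN itself is forwarded in the clear, so what a copied merchant record lacks is not the card number but the key needed to produce the next cryptogram.

```python
"""Added example: a simplified application-cryptogram flow (chip -> merchant
-> issuer).  Not EMV's actual algorithm; see the lead-in for assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    merchant_id: str
    unpredictable_number: bytes     # chosen by the terminal per transaction


def _mac_input(txn: Transaction, atc: int) -> bytes:
    # Assumed field list; EMV's real list is defined by the scheme.
    head = f"{txn.amount_cents}|{txn.currency}|{txn.merchant_id}|{atc}|"
    return head.encode() + txn.unpredictable_number


class Chip:
    """The card: keeps the key inside, counts transactions, emits MACs."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan            # sent in the clear, as on a real card
        self._key = key           # shared only with the issuer
        self._atc = 0             # application transaction counter

    def generate_cryptogram(self, txn: Transaction) -> dict:
        self._atc += 1
        mac = hmac.new(self._key, _mac_input(txn, self._atc), hashlib.sha256)
        return {"atc": self._atc, "mac": mac.hexdigest()}


class Issuer:
    """The bank: knows the same key and the last counter it accepted."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enrol(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorise(self, pan: str, txn: Transaction, cryptogram: dict) -> str:
        expected = hmac.new(self._keys[pan],
                            _mac_input(txn, cryptogram["atc"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram["mac"]):
            return "DECLINED: cryptogram does not match transaction data"
        if cryptogram["atc"] <= self._last_atc[pan]:
            return "DECLINED: counter already used (replay)"
        self._last_atc[pan] = cryptogram["atc"]
        return "APPROVED"


def demo() -> dict:
    """Genuine purchase, then what a copied merchant record is worth."""
    key = secrets.token_bytes(16)            # constructed card key
    pan = "4000000000000002"                 # constructed test PAN
    card, bank = Chip(pan, key), Issuer()
    bank.enrol(pan, key)

    txn = Transaction(1999, "USD", "MERCHANT-01", secrets.token_bytes(4))
    record = card.generate_cryptogram(txn)   # what the merchant forwards/logs
    out = {"genuine": bank.authorise(pan, txn, record)}

    # Same record submitted again: MAC is valid but the counter moved on.
    out["replayed"] = bank.authorise(pan, txn, record)
    # Same record with the amount altered: MAC no longer matches.
    altered = Transaction(99999, "USD", "MERCHANT-01", txn.unpredictable_number)
    out["tampered"] = bank.authorise(pan, altered, record)
    # The real card's next purchase still goes through.
    txn2 = Transaction(450, "USD", "MERCHANT-02", secrets.token_bytes(4))
    out["next_genuine"] = bank.authorise(pan, txn2, card.generate_cryptogram(txn2))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The counter check is as important as the MAC: without it the issuer would approve a captured record as many times as it was resubmitted, which is the symmetric-key analogue of the fresh challenge in the DDA exchange. Real issuers also enforce the amount and velocity limits mentioned further down the thread on top of this.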
I don't think the old cards have been used here in Oz for a while now; haven't seen one in years, and my own cards have been chip and PIN for over a decade. Doesn't matter if you swipe or insert the card, you still require a PIN. "Pay wave" is the latest thing: you just wave the card over the reader like an office entry card, no PIN or signature required, works for purchases up to $100. If you have had a few drinks, don't let the bar staff wave it for you!!!! There is no phone call required to activate the card; it comes in the mail, the PIN comes separately in the mail on a different day, and the card is automatically activated when the old one expires.
If the lights go out businesses can still use the old paper imprint method - at their own risk!
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Jerry Irvine is wrong on most of the points he makes. Just to correct some of them:
1. The PAN (the primary account number) is not enciphered on a chip card.
2. If you have a chip reader and easily-found software, you can recover the card PAN easily and quickly.
3. Cards do not provide support for "unlimited number of transactions" - as almost all cards have amount and velocity limits.
4. Most transactions will go online to the card issuing bank for authorization - allowing for lost and stolen cards to be blocked.
5. Each purchase with a chip card does not "create a separate token". He appears to be confusing tokenization with cryptography, though it's hard to know exactly what he means.
6. Issuing banks do not create tokens. Instead, they are created by a Token Service Provider, usually an independent third-party.
7. A partial EMV implementation would have mitigated against certain segments of the Target fraud. A full implementation, with PCI, industry-wide, would have mitigated against much more.
8. Mobile payment systems, in general, today, do not provide higher levels of security than chip cards.
Documentation on most of the above is freely available from EMVCo's website at http://www.emvco.com/
Mr Irvine's four minutes are, as a whole, inaccurate and unhelpful.
The true purpose of chip cards is to transfer the cost of fraud away from the issuers.
Y'all need to get your heads out of "the card". It doesn't matter what the physical form factor or the auth mechanism is. It's the PKI infrastructure BEHIND the card that makes the transactions traceable and auditable. PCI compliance people couldn't care any less if your rent is stolen.
I've lived in Oz for over 50 years. I had to google the question out of sheer curiosity; turns out you and the GP are both correct, the law only affects cards issued in Australia. I assume yours were issued in the US?
BTW: Hope you enjoyed your visit. Melbourne to Brisbane via the coast is still one of the world's great road trips; I've lost count of the number of times I've done it. First time was 1966 in the back seat of Dad's bright red VW Beetle. It's changed quite a bit since then, a hell of a lot more people and cars now. For any tourist, Oz is a hell of a long plane trip away. I don't understand (English-speaking) tourists who come all the way to Oz and then don't leave the city they landed in??
This still does nothing about internet transactions which are always "signature"; actually, there's not even a real signature involved.
So I steal your card and use it, scribbling a sig if needed.
My bank will reverse the charges provided I report it stolen, and the card will stop working at that point. That's how it works with both mag and chips, no difference there. What does change is you have to actually steal my card, whereas before all you had to do was get hold of it for a few seconds to scan the mag stripe so you could clone it later.
Chip & Signature is an option in most EMV countries. Some quite notable people in the UK use Chip & Signature rather than Chip & PIN, for various reasons.
This is not a different system. It's still EMV, just it doesn't require a 4 digit PIN to be entered. The chips are almost identical. Terminals can be configured to reject Chip & Signature, but few are because it's turning away customers. So the only actual difference is that the US decided to ship Chip & Signature by default, whereas other countries selected Chip & PIN by default.
What is it that you suppose will be "cracked in a matter of months"? Cloning magstripe cards was easy because the readers and writers for magstripes are a commodity item needed for lots of purposes; a bored teenager could set up a card cloning factory in their basement. But getting the secrets out of the middle of an EMV card, whatever kind it is, is specialist semiconductor forensic work. The sort of people and equipment you need are used to steal multi-million dollar chip designs or break into foreign government security systems, not program a hotel card key or ride the subway for free. So they don't care about your stupid credit card; their machine cost more than your lifetime earnings.
So, in practice nobody clones EMV cards, which means if you've still got your card, nobody else has the card. That's a huge improvement straight away.
Because EMV cards are smarter, when you do an offline transaction the card and terminal can figure out between them if there's a problem. Today in the US even if I stop a card, payments (fraudulent ones) will keep showing for days, even weeks, from offline transactions. They can be rejected, but somebody has to eat the cost of that. With EMV the card itself (which remember you can't clone) will eventually realise something is wrong when it keeps being used for offline transactions and never gets to go online & see everything is OK. So the fraud dries up more quickly after the card is stopped when e.g. it's stolen.
For example, most people's cards might be set to do only $100 of transactions in no more than 5 transactions without going online. A midnight stop for gas at an unattended filling station on a highway may be offline, or a train ticket from some station miles from anywhere, but your grocery shopping or morning coffee are almost certainly online and will reset the counter because they prove all is still well.
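The offline velocity checking the comment above describes, as an added toy model (not EMVCo or any issuer's code): the card keeps its own offline counters, refuses to keep approving offline once the limits are hit, and only an online contact with the issuer resets them. The $100 / 5-transaction limits are the constructed values from the comment; real cards carry separate lower and upper consecutive-offline limits, which this model collapses into one count limit and one amount limit.

```python
from dataclasses import dataclass

# Cryptogram types a card can return when asked to approve, named as in EMV.
TC = "TC"      # transaction certificate: card approves offline
ARQC = "ARQC"  # authorisation request cryptogram: card wants the issuer asked online
AAC = "AAC"    # application authentication cryptogram: card declines


@dataclass
class OfflineRiskCounters:
    """Card-resident state. Because these counters live inside the chip, a
    terminal cannot reset them; only an online response from the issuer can."""
    max_offline_count: int = 5        # constructed example value from the comment
    max_offline_cents: int = 100_00   # constructed example value from the comment
    offline_count: int = 0
    offline_cents: int = 0
    blocked: bool = False

    def limits_exceeded(self, amount_cents: int) -> bool:
        return (self.offline_count + 1 > self.max_offline_count
                or self.offline_cents + amount_cents > self.max_offline_cents)

    def decide(self, amount_cents: int, terminal_can_go_online: bool,
               terminal_requests_online: bool = False) -> str:
        """The card's part of the approve / go-online / decline decision."""
        if self.blocked:
            return AAC
        if terminal_requests_online and terminal_can_go_online:
            # Terminal-side risk management wants the issuer consulted anyway
            # (the "morning coffee" case): the counters get reset on approval.
            return ARQC
        if self.limits_exceeded(amount_cents):
            # Too long since the issuer was heard from: insist on going online,
            # or refuse outright if this terminal cannot do that.
            return ARQC if terminal_can_go_online else AAC
        # Within limits: approve offline and remember that we did so.
        self.offline_count += 1
        self.offline_cents += amount_cents
        return TC

    def online_response(self, issuer_approved: bool,
                        issuer_blocks_card: bool = False) -> None:
        """Apply the issuer's answer after an ARQC. An approval proves all is
        well and clears the counters; an issuer that has stopped the card
        (e.g. reported stolen) can also block it for good."""
        if issuer_approved:
            self.offline_count = 0
            self.offline_cents = 0
        if issuer_blocks_card:
            self.blocked = True


if __name__ == "__main__":
    card = OfflineRiskCounters()
    # Constructed day: one offline fuel stop, then repeated offline use.
    print("fuel  ", card.decide(30_00, terminal_can_go_online=False))   # TC
    for _ in range(4):
        print("snack ", card.decide(10_00, terminal_can_go_online=False))  # TC x4
    print("6th offline", card.decide(5_00, terminal_can_go_online=False))  # AAC
    print("online shop", card.decide(5_00, terminal_can_go_online=True))   # ARQC
    card.online_response(issuer_approved=True)
    print("counters after online approval:", card.offline_count, card.offline_cents)
```

The decline on the sixth offline attempt is the behaviour the comment describes: once the card is stopped, a thief's run of offline purchases dries up on its own because the card never sees a successful online authorisation.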
Ok...I guess if no one else is going to...
https://www.youtube.com/watch?v=B80SyRmtbdI
Thank you guys for this video. I love these videos about banking and other security.
I think in many cases convenience will trump security.
If you want convenience, you should check out PayPass or PayWave (one is Visa, the other Mastercard, I forget which). Here in Australia for purchases under $100 you can just tap your card on the payment terminal. No signature, no PIN, no buttons to press. It's also much faster than paying cash and/or getting change. If the purchase is $100 or over, then you tap and punch in your PIN, which is still pretty quick and no messing with cash.
Once everyone has one, maybe thirty days till the black hats will have found a way to defeat it. I'm betting on the cloned ATM, with mega-tries. You know, the old add-one-to-the-results. After all, the equation cannot be unsolvable.
Hey right. The sales point cannot notify security, and film the people in the sales area. Right. To see who is using the card.
I believe the Target was a phishing plant. The Target vendor should not have had access to the other software in the system. Some MBA overrode the hired help and had a better way. The Target system was basic, everyday internet. And like Apple, they stored everything. Even their Target friends. That lets you target the ads, saving you much, for loyal shoppers. Now, here's the cute bit. The unique identifiers, per customer with card, mean more cards per your pocket. Or on your phone. Meaning more and better backdoors. Remember, you have your health account numbers, SSNs, birthdays, all kinds of stuff now identified. Who will need to hack your card? Just clone your phone...
Not true. I used a chip and signature card in Melbourne in March this year.
Notify security so they can do what? When a card gets reported stolen it just stops processing payments, it doesn't print out something on the terminal telling the cashier to arrest you and as soon as the card gets declined the offender is going to know the jig is up and make himself scarce asap. Filming the sales area is all good and well but the kind of criminals who steal cards go places they can avoid being filmed.
I'm amazed by all the wrong information out there on EMV cards.
The track data is still present in Tag 57 and in most cases this still goes up to the credit processor in the track 2 field (either encrypted or plaintext, but over an SSL connection). The "tokenization" he is talking about is an additional EMV data field called the Issuer Application Data (among many other data elements) that gets passed to the issuer to verify the card is authentic.
He is correct that any online purchase will not have this extra EMV data, so any database breach is still possible because you have to type in your card number and expiry date.
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
How so? With chip and PIN, if your card is stolen, the attacker either has to accurately guess the PIN before the chip self destructs (unlikely, but not impossible), or disassemble the chip to extract the data. It buys you a small amount of time to contact your card issuer, and have your card key deactivated. With just chip, your card is stolen, and can be used immediately, so you potentially have a couple additional transactions that you would not have had were it protected with a PIN.
In either case, the card must be stolen. That's the real purpose. A stolen card with a PIN is only going to buy you a few extra hours. The real protection is that the private key stored on the card cannot be non-destructively accessed. It cannot be skimmed without the owner's knowledge. It cannot be stored by a retailer and compromised. The owner is expected to notice the loss of the card and report it to their issuer, deactivating the key.
In the US, table service restaurants virtually NEVER have customer-facing credit card readers.
Bars don't either.
In both you give them your card.
Really the places that do reliably have them facing customers are retail checkouts and anything with a self-serve kiosk.
http://lkml.org/lkml/2005/8/20/95
Clarification - it is only on Australian issued cards. If you are on foreign cards signatures are still accepted.
Stolen card fraud is something we all pay for. But requiring PINs would require making all CC readers face the customer. That costs money. The CC companies also surely worry people won't remember their PINs and will thus not use their CCs. And then there's that chip and PIN is even slower than chip and sign which is already slower than swipe and sign.
There are a lot of different factors in a lot of different directions. This is the decision they came up with, it hardly seems terrible.
Frankly, given that clearing fees are being jacked so companies can take a bigger cut just to give "cash back" I don't know we'll notice the fraud rate difference between chip and PIN and chip and sign.
Doesn't matter. The purpose of this is to screw over merchants and customers and to try to make banks not liable for the horribly insecure mess that is our electronic payment system.
Any other effects are unimportant.
How so? Go check the European news. Chip and PIN was compromised years ago. The banks have been trying to cover it up and in doing so blaming the victim in fraudulent transaction cases. This provides no benefit to anyone except the banks which will claim infallibility where it doesn't exist just to avoid liability.
Just more bankster fraud at work here.
Chip and PIN was compromised years ago.
Can you cite one instance of chip and pin being compromised?
Here's a tip: that chip and skim paper was about faulty terminals that allowed you to guess the nonce they would provide. The actual chip and PIN design itself was and still is secure. Idiot manufacturers just didn't build to the chip and PIN spec in their terminals.
The paper
https://www.cl.cam.ac.uk/resea...
You guys are far behind the times. Over here in Europe, we are just starting to switch AWAY from chip and PIN, to the next fad in credit cards: contactless credit cards. RFID cards which can be read from quite a distance with the right equipment (involving high-tech hardware like a Pringles can), and no PIN required for purchases up to $50.
No PIN, no signature, and you don't even have to have the card in your hand (could be in another customer's pocket).
Now, THAT's progress. For criminals.
For me, that means I'd keep my card at home, except when going to the ATM to pick up some cash.
So if you can do a bit-for-bit copy of the data to a new chip
That's an awfully big "if". It's very impractical to copy the data; the chip on the card isn't simply some flash memory chip, it contains a microprocessor. And it has memory that's only accessible by that microprocessor. So if you can't read that memory, how are you going to write it to a new chip? Maybe you could remove the chip from its packaging and look at the silicon with an electron microscope, but nobody's going to go through that time and expense to copy a card that has a $5000 credit limit or whatever.
Chip cards have been around for over a decade in Europe. While there have been some attacks on them, none involve cloning the card. (There was a paper describing an attack that has "cloning EMV cards" in the title, but the flaw was actually in the card reader terminals. The card wasn't literally cloned... they just found a way to trick the terminal into thinking another card was the same as the original card).
To "skim and clone" an EMV card, regardless of whether it uses Chip & PIN, Chip & Signature or some hypothetical new auth method using reserved bits in the protocol, you need to have the ability to open up a tiny integrated circuit and get the data inside its ROM, then manufacture a new IC with the same data inside.
You might think "Oh, I can open that up". Nope, what you did was bust open some big metal surface contacts, the trick needed to "skim" a chip card is to slice open the tiny little chip actually buried under those contacts, without damaging it. The slices are many times smaller than a human hair. Good luck doing it outside a specialist laboratory. And if you've got a specialist laboratory, you're either doing research at one of a handful of public universities with that sort of money, or using it to take apart stolen foreign technology so that your companies can use it - multi-billion dollar crimes, not credit card fraud.
Unlike with magstripes this is able to be hard because it is NEVER NECESSARY. Reading and writing a magstripe are essential elements of issuing and using the magstripe cards. But slicing the tiny chips in an EMV card open to read data out of their ROMs is completely unnecessary, the bank makes whole new cards, and if yours expires or is faulty they just ask you to destroy it. Nobody should ever need to read the ROM data, so it's OK that doing so costs millions of dollars. And thus fraud through cloning _evaporates_. Fraud hasn't gone away, but this particular _type_ of fraud doesn't happen in EMV countries.
And you might notice that while I jokingly called this "skimming" it's going to require stealing the card and destroying it, and will probably need days or weeks of effort by specialists. So, not going to happen when a restaurant employee disappears out the back with your card for a minute.
That paper outlines how a compromised reader can be used to perform a MITM attack, not that Chip and Pin is broken, regardless of the title of the paper. So we're still waiting...
" chase you, since clearly if there is a transaction on your account, and your card is a Chip and PIN card, either you have given someone your card and PIN (in which case it's your fault) or someone has stolen your card, and found out your PIN (in which case you failed to keep it secure, and bugger me, it's YOUR FAULT again). "
So horrible to be responsible for your own belongings instead of pushing the cost to everyone else. Regarding your example... the perp got caught; with magstripe & signature it could have been anyone, and never gotten caught.
Buying something with a magstripe normally involves swiping the card in a reader and scrawling a signature onto a screen. Theoretically the cashier might ask for ID or compare the signature to the card, but they rarely do. And the cashier might even be in cahoots with the thief, knowing the card is stolen, and not do any check at all. On top of that the merchant might store transaction details insecurely, or their software may be hacked. And in some scenarios such as bars & restaurants, the card might be taken from the sight of the customer, which increases the risk of it being skimmed. All of these are major vulnerabilities that thieves have been known to exploit.
A chip and pin reader means that the card holder must authenticate themselves before proceeding. That stops someone from picking up a card, or cloning one and being able to use it without the pin. And authentication is to the payment processor and not to the store or cashier so it's not possible to bypass this check. It also means the store never captures the credit card info (they only get partial info and some payment authorization code) so hacking the store does not put details at risk. And chip & pin devices are portable so payments in bars & restaurants can be made in the presence of the customer so they are less likely to be swiped.
So yes it closes some very obvious security flaws. Is it perfect? Of course not, but it's a hell of a lot better than a magnetic stripe. It's a damned shame that it's taken the US so long to even switch to chip and pin. The next step would be to get rid of the magnetic stripe altogether but I expect we can look forward to years of lobbying by ATMs and banks how this couldn't possibly be done.
Please don't insult people that once would have been called 'retarded' by comparing them with Americans. That's really unfair and rude to them.
The whole point of the chip is that you can't skim it (e.g. you can't simply read the information and make a fake card that outputs the same info).
Sure, there is no law of physics that says you can't copy the chip in theory, but compared to magnetic stripes, which are designed to be read to even work, there is currently no easy way to copy a computer chip.
Comparing the security of a magnetic stripe to a smart chip is like comparing the security of a paper document folded in half to an encrypted digital file. Sure there is no guarantee that the encryption can't be broken at some point in the future, but it is almost incalculably more secure than hoping no one unfolds the document and reads it.
The chip cards still have the CC # printed in clear text on the front, and they also still contain a magnetic stripe. Let's say I go to a restaurant with my chip and PIN card; what's to stop someone from just writing down the card number or skimming off the mag stripe? Those won't require a PIN to use for online purchases.
The European chip&pin system is same but the US one is different.
It's basically the same thing as a magstripe..
Why do I hear a moo-ing sound when I read this?
As the security gets more complex it creates more points of attack. Future hacker buzzword: "Token Spoofer".
Whether a cellular carrier charges extra to receive an SMS isn't a country-dependent thing. Or even carrier-dependent. It depends on which plan you have purchased.
Whether low-end cellular plans include charges for receiving is certainly country-dependent. They have been commonplace in the United States. In the United States, the tradition has been to offer plans that charge both the sender and the receiver. They have not been commonplace in European countries. In European countries, the tradition has been to offer plans that charge only the sender.
All major providers in the US (and probably all providers, even the minor ones, but I haven't actually looked) offer plans with unlimited SMS.
Which then means you have to consider the cost of upgrading from your current plan to a plan with unlimited SMS. These plans cost plenty of extra dollars per month compared to an occasional-use pay-as-you-go plan only for urgent calls. If you use services with 2-factor authentication to make money, then perhaps unlimited SMS is worth $120 per year. And if you don't share a house with someone with a landline, then your landline-replacement plan may already include SMS. But for someone who mostly uses cellular to arrange an occasional ride and currently pays less than $10 per month to begin with, the cost of multiple incoming texts per day, one for each service that uses 2-factor authentication, can add up.
Indeed. When I had an ATM card cloned (I have no clue how), the criminal took the cloned card to one of the few ATMs in the area without a camera. They know where it's safe to use cloned cards, and where it isn't.
You're in Europe, aren't you? The spec the American card companies are using is SDA.
Will they still be using the card number, as not all devices and PCs have a smart card reader on them?
They could have solved the whole thing using two factor with magstripe, pin plus second factor - could be an RSA token, Google Authenticator, or what have you. It would make pretty much all card fraud impossible.
The chip-pin setup really secures the credit card industry from all the lawsuits currently, no one can identify who's responsible and the gov't points the finger at the card industry to pick up the loss.
This just clearly helps the card industry by pushing some of the fraudulent claims back to consumers. And I'm sure they get to pass on the new infrastructure costs to consumers and business as well.
Consumer fraud protection in the US means you're not liable if they copy down your details. And the companies seemingly would rather do it this way, it saves money in the end, even though any fraud that happens raises their clearing fees. Remember, there is nothing stopping US restaurants from bringing a portable transactor to your table. Those things read swipe cards and PIN cards just fine. So if they aren't doing it by choice, there could be a good reason.
It does reduce waiter back-and-forths, but is that really the limiting issue? The waiter bringing the reader and waiting while you use it increases waiter time spent which costs money.
If you want to go fast, ask your waiter to do the job fast. Otherwise, the restaurant can save money by having a pile of those little trays/folders and waiters picking up and running 3 at a time.
I am not sure this is common but... My Visa provider, for internet purchases where I present the code on the rear of the card, as part of their validation, intercepts my transaction and asks me a personal question. I have to respond with a matching answer. And if I do, the transaction is allowed to pass through to the rest of the validation routines (amount balance under limit, etc.). If validated, the vendor gets an approval. With some vendors, the transaction times out, but it works fine with other vendors.
Is my Visa provider unique, or is it uncommon practice?
Leslie Satenstein Montreal Quebec Canada
I completely disagree with the arguments prematurely concluding chip-based credit cards are insecure. For that matter, any system is insecure if you consider a super strong adversary; there will be security problems in any system. Magnetic stripe based credit cards should have been replaced a long time ago! And the chip-based cards are better and a step in the right direction even without a user-supplied PIN. Why?
1. To the best of my knowledge, the chips themselves are tamper proof and their internal logic cannot be replicated easily, very much so compared to magnetic stripes. So you can't steal a card without "actually" and physically stealing the only card. This is much better, as it is not hard for one to notice a lost card and immediately report it, making the stolen card invalid and useless. Note that it does not have any information to replicate or steal any identifiable information.
2. The chip's OTP based token transactions are much better than communicating the account number and password. Much of the burden on the POS system being secure is lifted, and any stored transaction information (which could potentially be stolen) is useless as the information can be used only for one-time use.
And the reference to the Target breach seems to be inaccurate. It is true that a flaw in the backend enabled installing malware on the POS systems, but the attack did rely on magnetic stripe based credit cards, and the POS systems had access to all the necessary account credentials for a future cardless transaction.
The fact that the cards still have a magstrip and numbers is not important. What the chip gives you is extra information.
If the credit card company sees that a purchase was made using the chip, they can be reasonably sure that whoever made that purchase was in physical access to the card.
If the credit card company sees that a purchase was made just using the printed info or the info on the mag strip, they know that people could have simply copied this information to make the purchase. At some point they may even refuse to accept those kinds of payments.
It is also probable that it will be common for consumers to own smart card readers to allow for safe online transactions. Even on a compromised computer, purchases will only be able to be made when the card is in the reader. This is analogous to giving your card to a waiter at a restaurant. They will only be able to charge the card when they are in physical possession of it. This is different than traditional cards where waiters can copy the information and make purchases in the future using that information.
The addition of a pin makes it hard for waiters and infected computers to make purchases even with physical access to the chip.
How does chip and pin work?
If you have to enter the data into the vendors system, it is not secure. You have to swipe the card. You have to use their equipment at their Point of Sale to enter the pin. So if they add software that stores the card data and stores the pin, the card has just been compromised. Perhaps the chip is harder to fake than a strip?
To really make this more secure, you should swipe the card/insert card to have chip read, and then receive an instant request from the bank, not the vendor, to approve the expense. This could be done with phone call, text message, email, or app push notification. Of course the vendor could wait for you to approve before letting you out of the store with their goods.
That way, the pin is never delivered to the vendor.
I am still waiting for photo recognition. If you buy something with a card, it should take a picture of your face and send that in with the transaction request. People will cry privacy, which is a silly argument. If you want privacy, pay with cash.