Slashdot Mirror
Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)
The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
...that's not the system we're getting in the US, at least for the time being and at most retailers. We're getting Chip and Signature, which is much less secure. We're just calling it Chip and PIN, but most retailers aren't actually using PIN numbers to complete transactions...
How does this work for online retailers? How do I get my own time pin out of the card? Does this mean you can't save a credit card anymore?
As someone in the UK where we have had chip and pin for years it does not change online purchases one little bit.
All chip and pin does is replace the bullshit signature with entering a pin. This is important because it prevents two types of attacks that used to be commonplace:
1) Have a friendly guy in the shop who didn't look too closely at your signature in return for a couple of quid.
2) Have a moron in the shop who didn't look too closely at your signature.
Both of these are pretty common place when you realise that working in a shop is basically a McJob with no real future. done by kids mostly paid barely minimum wage. Even if you get fired for repeatedly not noticing you took a stolen card you will get another job in some other shop in no time.
The reality is that you guys in the states have to start using chip and pin, or you can forget ever travelling to Europe where most of our terminals and moving to PIN only. Within a few years most retailers over here will have blanket bans on signature transactions, quite a few do already.
Oh, and I know it is not actually that much more secure, if it is at all as now the pin is stored on the card in encrypted format and not sent to the bank but that does not change anything. The attacks you can mount it are fairly high tech ones, which will always be an issue and not the banks priority. Chip and Pin is designed to beat the low tech, commonplace attacks I describe above that are done en-masse by thousands of chancers that cost banks a fortune (here in the UK banks are liable for this sort of stuff, unless that can prove you were negligent).
I dont read
They're only liable for magstripe transactions on cards that have a chip.
Magstripe-only cards still work the same way they always did, legally and functionally.
So basically his local Home Depot is just being a panicky bunch of dicks.
Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obsurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.
Not exactly. The new US cards use a one time token for the transaction like other PIN and chip cards, but MC/Visa have not required issuers to force PINs. So no 2-factor but still much safer for physical transactions than magstripe, provided you don't lose the card itself. Doesn't do shit if the card itself is stolen or for online transactions though.
I browse on +1 so AC's need not respond, I won't see it.
The data on the chip is a signed certificate; but its not encrypted. So if you can do a bit for bit copy of the data to a new chip, viola the card is cloned and useable. IF the data was encrypted and required a pin to unlock, THEN you would have a little security because even if you clone the data, you don't have the key to unlock it to allow the transaction. HOWEVER the spec doesn't allow for that, the spec is basically half of Private Key cryptography.
You've clearly never worked in retail. There are rules. If the merchant follows the rules, they are protected, and either the merchant service or the issuing bank eats the loss.
(Online companies, mail order companies, and other "card no present" merchants cannot follow the rules, so, yeah, they're hosed.)
EMV means the rules are changing, and they're more complicated, but if the car has no chip, the old rules still apply, and the merchant is protected if they follow the rules.
The data on the chip is a signed certificate; but its not encrypted.
Most certificates aren't encrypted.
IF the data was encrypted and required a pin to unlock, THEN you would have a little security because even if you clone the data, you don't have the key to unlock it to allow the transaction. HOWEVER the spec doesn't allow for that, the spec is basically half of Private Key cryptography.
That wouldn't be private key cryptography, that would be shared secret cryptography.
In EMV theres a couple of modes, modern cards use what is called DDA. in DDA the card provides the unencrypted public certificate to the terminal, the terminal then provides 'random' data (and this is where the few attacks on emv happen if the terminal is broken and provides not truly random data). The emv chip in the card then uses its own internal private key to sign that random data and returns the signed random data. The terminal then uses the cards certificate it received earlier to validate the signature, then forwards the information on to the processing company. at no time does the private key ever leave the chip and touch the terminal.
Now some earlier chips did do SDA where it just had a pre-signed set of data on the card, that has not been the use case in EMV for about 5 years now. I just checked every card in my wallet and all of them in fact do use DDA.
The whole point of the chip is that you can't skim it (e.g. you can't simply read the information and make a fake card that outputs the same info).
Sure there is no law of physics that says you can't copy the chip in theory, compared to magnetic stripes which are designed to be read to even work, their is currently no easy way to copy a computer chip.
Comparing the security of a magnetic stripe to a smart chip is like comparing the security of a paper document folded in half to an encrypted digital file. Sure there is no guarantee that the encryption can't be broken at some point in the future, but it is almost incalculably more secure than hoping no one unfolds the document and reads it.
We are going Chip-and-Signature in the U.S., but if we were going Chip-and-PIN it could shift liability to the cardholder. Chip-and-PIN is thought to be secure, so the presumption of innocence may not hold as it does today.
See quote below from Jonathan E. Jaffe posted on Krebsonsecurity.com:
"Take a look under the May 2014 section of http://nc3.mobi/references/emv... on what is happening in Europe under EMV. That page has lots of links, but here is the relevant text.
Change in Presumption of Innocence
An article in The Register (whose slogan is Biting the hand that feeds IT) is rather critical of chip-and-pin citing established weaknesses and some new ones referred to in the new paper Chip and Skim: cloning EMV cards with the pre-play attack from the Computer Laboratory, University of Cambridge, UK (16 page PDF) presented at the 2014 IEEE Symposium on Security and Privacy in San Jose, California 5/19/2014.
In this paper paper it is worth looking at the change in what we call presumption of innocence as it describes the case of a Mr Gambin, "who was refused a refund for a series of transactions that were billed to his card and which HSBC [ his bank ] claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29th June 2011. In such cases we advise the fraud victim to demand the transaction logs from the bank. In many cases the banks refuse, or even delete logs during the dispute process, leaving customers to argue about generalities." [ The bank deleted the evidence that would have shown the fraud. highlighting ours, see right column page one of the 16 page PDF -ed]"
Better than magstrip and signature.
When I worked in retail 15 years ago I had someone pay with a credit card, and while checking the signature, which matched perfectly, I saw the card number on the receipt didn't match the card. I only paid attention because they were suspiciously easy to up-sell to.
They had written someone else's magstrip data on to their own card.
All you need to do is buy a $100 device from ebay, sneakily swipe customer cards while you're working your low paying gas station job and write the data to your own card.
You can then go on a spending spree, writing a new stolen card number for every purchase so the automated fraud detection algorithms don't catch you and block the stolen card.
You can't do that with a chip card, since you can't clone the card.
It's even harder with NFC, since the customer never lets go of their card.
...It's basically the same thing as a magstripe, but different form factor....
I'm 99.9999% sure you are absolutely wrong!
Granted, the chip&signature that the US is adopting is far weaker than the chip+pin used elsewhere (the pin is "something you know" which prevents the card from being used by others, whereas the signature is just a scribble of anything you want and doesn't technically lock/unlock anything).
However, you can swipe a mag stripe and read all the info from it via VERY cheap hardware (for example, a free square reader). Doing so will give you every piece of info that is printed on the front of the card. It's the same info you'd get if you did an old style carbon copy rubbing of the card like gas stations used to use, and that's the same info you'll get off the new chip+sig mag stripes and imprints. The chip isn't there to prevent theft of the physical card.
If, however, you use the chip, then the merchant does not get the actual card number. There's a two way communication from your card, to the terminal, to the bank, and back, all using crypto. You can think of it like an SSL handshake. Once that handshake is complete, the merchant has a one time use token to use for the purchase.
What does this solve? It ensures that the merchant can't log your card number and store it in their insecure database for thieves to later take, ala the Target breach**, because they'll never have that number. More importantly for the banks, it's "proof" that the card was there, and not some cheap copy.
** I think that's what happened at Target, but there have been mixed stories, and I'm not 100% certain... maybe it involved data they got from the web instead, but I doubt that. I'm pretty sure it was card numbers scanned locally.
In the US, table service restaurants virtually NEVER have customer-facing credit card readers.
Bars don't either.
In both you give them your card.
Really the places that do reliably have them facing customers are retail checkouts and anything with a self-serve kiosk.
http://lkml.org/lkml/2005/8/20/95