Slashdot Mirror


Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)

The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.

6 of 317 comments

  1. Chip and PIN would, but... by gweilo8888 · · Score: 5, Informative

    ...that's not the system we're getting in the US, at least for the time being and at most retailers. We're getting Chip and Signature, which is much less secure. We're just calling it Chip and PIN, but most retailers aren't actually using PIN numbers to complete transactions...

  2. Re:Only if you use App Cards with APPS! by EvilSS · · Score: 5, Informative

    Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obscurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.

    Not exactly. The new US cards use a one time token for the transaction like other PIN and chip cards, but MC/Visa have not required issuers to force PINs. So no 2-factor but still much safer for physical transactions than magstripe, provided you don't lose the card itself. Doesn't do shit if the card itself is stolen or for online transactions though.

    --
    I browse on +1 so AC's need not respond, I won't see it.

  3. Re:None of my cards have a chip! by taustin · · Score: 4, Informative

    You've clearly never worked in retail. There are rules. If the merchant follows the rules, they are protected, and either the merchant service or the issuing bank eats the loss.

    (Online companies, mail order companies, and other "card not present" merchants cannot follow the rules, so, yeah, they're hosed.)

    EMV means the rules are changing, and they're more complicated, but if the card has no chip, the old rules still apply, and the merchant is protected if they follow the rules.

  4. Re:Only if you use App Cards with APPS! by TsuruchiBrian · · Score: 4, Informative

    The whole point of the chip is that you can't skim it (e.g. you can't simply read the information and make a fake card that outputs the same info).

    Sure, there is no law of physics that says you can't copy the chip in theory, but compared to magnetic stripes, which are designed to be read to even work, there is currently no easy way to copy a computer chip.

    Comparing the security of a magnetic stripe to a smart chip is like comparing the security of a paper document folded in half to an encrypted digital file. Sure there is no guarantee that the encryption can't be broken at some point in the future, but it is almost incalculably more secure than hoping no one unfolds the document and reads it.

  5. Re:Only if you use App Cards with APPS! by unrtst · · Score: 4, Informative

    ...It's basically the same thing as a magstripe, but different form factor....

    I'm 99.9999% sure you are absolutely wrong!

    Granted, the chip&signature that the US is adopting is far weaker than the chip+pin used elsewhere (the pin is "something you know" which prevents the card from being used by others, whereas the signature is just a scribble of anything you want and doesn't technically lock/unlock anything).

    However, you can swipe a mag stripe and read all the info from it via VERY cheap hardware (for example, a free Square reader). Doing so will give you every piece of info that is printed on the front of the card. It's the same info you'd get if you did an old style carbon copy rubbing of the card like gas stations used to use, and that's the same info you'll get off the new chip+sig mag stripes and imprints. The chip isn't there to prevent theft of the physical card.

    If, however, you use the chip, then the merchant does not get the actual card number. There's a two way communication from your card, to the terminal, to the bank, and back, all using crypto. You can think of it like an SSL handshake. Once that handshake is complete, the merchant has a one time use token to use for the purchase.

    What does this solve? It ensures that the merchant can't log your card number and store it in their insecure database for thieves to later take, à la the Target breach**, because they'll never have that number. More importantly for the banks, it's "proof" that the card was there, and not some cheap copy.

    ** I think that's what happened at Target, but there have been mixed stories, and I'm not 100% certain... maybe it involved data they got from the web instead, but I doubt that. I'm pretty sure it was card numbers scanned locally.

  6. Re:you never eat in restaurants? by shilly · · Score: 4, Informative

    Which is another reason why restaurants in the UK feel a shitload more secure than in the US....here, the waiters bring a wireless card reader over to the table. They don't wander off with your card to some back room where they can copy down the details. (It also speeds things up, as it involves fewer waiter back-and-forths)
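The contrast between static stripe data and a per-transaction chip response that comments 2, 4 and 5 describe, as an added example that is not part of the original thread or of any card scheme's specification. HMAC-SHA256, the counter, and the names `ToyChipCard`, `ToyIssuer` and `CARD-0001` are assumptions made for illustration; real chip cards use their own algorithms and message formats.

```python
import hashlib, hmac, secrets

def _tag(key, card_id, amount, nonce, counter):
    msg = f"{card_id}|{amount}|{nonce.hex()}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ToyChipCard:
    """Constructed stand-in for a chip: the key stays inside the object."""
    def __init__(self, card_id, key):
        self.card_id, self._key, self._counter = card_id, key, 0
    def sign(self, amount, terminal_nonce):
        self._counter += 1                      # fresh value per transaction
        return {"card_id": self.card_id, "counter": self._counter,
                "tag": _tag(self._key, self.card_id, amount,
                            terminal_nonce, self._counter)}

class ToyIssuer:
    """Constructed issuer: shares each card's key and tracks its counter."""
    def __init__(self):
        self._keys, self._last = {}, {}
    def enroll(self, card_id):
        self._keys[card_id], self._last[card_id] = secrets.token_bytes(32), 0
        return ToyChipCard(card_id, self._keys[card_id])
    def authorize_stripe(self, track):
        # Static data: an exact copy looks the same as the original card.
        return track in self._keys
    def authorize_chip(self, tx, amount, terminal_nonce):
        key = self._keys.get(tx["card_id"])
        if key is None:
            return False
        want = _tag(key, tx["card_id"], amount, terminal_nonce, tx["counter"])
        if not hmac.compare_digest(want, tx["tag"]):
            return False                        # wrong key, amount or nonce
        if tx["counter"] <= self._last[tx["card_id"]]:
            return False                        # counter already used
        self._last[tx["card_id"]] = tx["counter"]
        return True

def demo():
    issuer = ToyIssuer()
    card = issuer.enroll("CARD-0001")           # constructed identifier
    n1, n2 = secrets.token_bytes(8), secrets.token_bytes(8)
    tx = card.sign(2500, n1)
    return {"stripe_copy": issuer.authorize_stripe("CARD-0001"),
            "chip_first": issuer.authorize_chip(tx, 2500, n1),
            "replay_same_nonce": issuer.authorize_chip(tx, 2500, n1),
            "replay_new_nonce": issuer.authorize_chip(tx, 2500, n2),
            "no_pin_check": issuer.authorize_chip(card.sign(900, n2), 900, n2)}
```

The `no_pin_check` entry passes because this toy, like the chip-and-signature setup the comments describe, checks only that the genuine chip answered and not who is holding it.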