Slashdot Mirror

← Back to Stories (view on slashdot.org)

Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)

Posted by Roblimo on from the we-love-security-theater dept.

The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.

6 of 317 comments (clear)

  1. No.... by mysidia · · Score: 4, Insightful

    date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.

    It's the date after which merchants are supposed to be liable for fraudulent purchase made with New-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).

    Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn't support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank's issued card supports chip and pin, but the merchant doesn't support the feature.

  2. Re:None of my cards have a chip! by gweilo8888 · · Score: 3, Insightful

    Good luck with that. No major retailer is going to stick with swipe cards only for any length of time, because they are now liable for any fraudulent transactions on swipe cards, rather than the credit card companies bearing the liability.

  3. You are right for the wrong reason by goombah99 · · Score: 4, Insightful

    Studies in europe showed that when chip and pin nearly eliminated point-of-sale (in store) fraud, that within a year or so the fraud moved to card-not-present sales (that is, the fraud occured by european cards used on the internet, phone, and also countries where the Pin network was not integrated back to europes clearinghouses like brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or if it's less than it would have been).

    For in-store (card present) sales, It isn't lost cards that are the biggest problem. It's stolen card numbers being either cloned onto forged plastic. Stolen card numbers are easily transmitted faster and also can be replicated many times, which is better than the original card itself. Just having the chip there can shut this down. You don't have to have the pin. thus card+signature is just as good as chip and pin for practical purposes. The pin just shuts down people using the original stolen card which is a small slice of the problem.

    So no this isn't going to do much about fraud since card-not-present is actually goging to become the dominant mode of sales (internet). But the pin doesn't help much.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  4. Re:Only if you use App Cards with APPS! by EndlessNameless · · Score: 4, Insightful

    The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.

    The US chips will be cracked in a matter of a months, maybe a more, and we gain almost nothing.

    The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.

    The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.

    We finally had a good push to revamp the payment card infrastructure, and they totally blew it.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  5. Re:Only if you use App Cards with APPS! by mind21_98 · · Score: 4, Insightful

    It's basically the same thing as a magstripe

    Other than the unique one time code that's generated for every chip transaction, of course. And the extreme difficulty of retrieving the private encryption keys needed to generate those codes from the chip itself.

    --
    US businesses that currently accept chip and PIN/signature
  6. Re: None of my cards have a chip! by Harlequin80 · · Score: 4, Insightful

    Given Australia is 100% chip & pin with signatures not accepted since august last year I would hope the system manufacturers have the bugs ironed out.