Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)
The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
It's the date after which merchants are supposed to be liable for fraudulent purchases made with new-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).
Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn't support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank's issued card supports chip and pin, but the merchant doesn't support the feature.
...that's not the system we're getting in the US, at least for the time being and at most retailers. We're getting Chip and Signature, which is much less secure. We're just calling it Chip and PIN, but most retailers aren't actually using PIN numbers to complete transactions...
Good luck with that. No major retailer is going to stick with swipe cards only for any length of time, because they are now liable for any fraudulent transactions on swipe cards, rather than the credit card companies bearing the liability.
I've had most of my card replacements come with a chip, but I've certainly not been offered or required to do any type of PIN number for it... I just call and activate it on the phone the usual way.
I think it is only Europe mostly that does the PIN part too?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obscurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.
Punching in a four digit PIN is slowing things down?
I weep for humanity.
Faster! Faster! Faster would be better!
Studies in Europe showed that when chip and PIN nearly eliminated point-of-sale (in store) fraud, within a year or so the fraud moved to card-not-present sales (that is, the fraud occurred by European cards used on the internet, phone, and also countries where the PIN network was not integrated back to Europe's clearinghouses, like Brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or if it's less than it would have been).
For in-store (card present) sales, it isn't lost cards that are the biggest problem. It's stolen card numbers being cloned onto forged plastic. Stolen card numbers are easily transmitted faster and also can be replicated many times, which is better than the original card itself. Just having the chip there can shut this down. You don't have to have the PIN. Thus card+signature is just as good as chip and PIN for practical purposes. The PIN just shuts down people using the original stolen card, which is a small slice of the problem.
So no, this isn't going to do much about fraud since card-not-present is actually going to become the dominant mode of sales (internet). But the PIN doesn't help much.
Some drink at the fountain of knowledge. Others just gargle.
Merchants are on the hook when a fraudulent purchase is made, with a NEW style card, but the merchant hasn't updated to a new style reader. Issuers are on the hook when a fraudulent purchase is made with an OLD style card.
(If at first you don't succeed, do it different next time!)
When I write anything recognizable at all, I put "Zaphod B". No one even looks at it.
Isn't eliminating some of the hassle of "oh I lost my card, someone can be charging on it right now" a good reason?
I know the consumer isn't responsible (directly) for the fraud, but we all are, in higher prices, even if one is smart and fully pays off credit cards and thus pays no interest. So preventing fraud is useful.
Vaguely similar to how the Apple ID lock on iPhones supposedly has lowered theft rates.
They're only liable for magstripe transactions on cards that have a chip.
Magstripe-only cards still work the same way they always did, legally and functionally.
So basically his local Home Depot is just being a panicky bunch of dicks.
Not exactly. The new US cards use a one time token for the transaction like other PIN and chip cards, but MC/Visa have not required issuers to force PINs. So no 2-factor but still much safer for physical transactions than magstripe, provided you don't lose the card itself. Doesn't do shit if the card itself is stolen or for online transactions though.
I browse on +1 so AC's need not respond, I won't see it.
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
The US chips will be cracked in a matter of months, maybe more, and we gain almost nothing.
The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.
The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.
We finally had a good push to revamp the payment card infrastructure, and they totally blew it.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
US chipped (credit) cards generally don't have a PIN, or it's prioritized so low that it's never going to be used domestically. OP is likely referring to having to keep the card in the slot for multiple seconds vs. being able to put it away immediately after swiping.
US businesses that currently accept chip and PIN/signature
The data on the chip is a signed certificate; but it's not encrypted. So if you can do a bit for bit copy of the data to a new chip, voilà, the card is cloned and usable. IF the data was encrypted and required a PIN to unlock, THEN you would have a little security because even if you clone the data, you don't have the key to unlock it to allow the transaction. HOWEVER the spec doesn't allow for that; the spec is basically half of private key cryptography.
His bank has already sent him a new card with a chip in July, August, or September.
If he didn't activate the new card, some time in October he'll go to Lowe's, try to use his old card, and his transaction will be declined.
He'll call the bank and raise hell and they'll say "sir, we sent you a new card and you did not activate it."
He won't be able to use magstripe-only for very long because all major banks have replaced them or are replacing them.
He may have a card with some oddball institution that continues with magstripe only. That institution will be pressured by continuing changes in technology and standards, or they will raise their eyebrows at the fraud they have to cover, then they will go to chips too.
And this is all a good thing: increased security.
Is there some valid reason why top comment doesn't want the chip?
Or is it "receiving the mark of the beast" level low intelligence paranoid mental vomit?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
It's basically the same thing as a magstripe
Other than the unique one time code that's generated for every chip transaction, of course. And the extreme difficulty of retrieving the private encryption keys needed to generate those codes from the chip itself.
US businesses that currently accept chip and PIN/signature
CVS told me they have to do it for HIPAA reasons in their pharmacy.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
While the PIN is stored on the card it cannot be read externally, since you cannot read that part of memory using the pins on the card. AFAIK when you enter the PIN on the terminal it sends it to the card together with the amount, and then the card creates a one time key for that amount signed with the card's internal secret key if the PIN matches what it has stored inside, and this one time key is what it sends to the terminal, which in turn sends it to VISA/Mastercard/... So yes, the chip+PIN is way more secure than the old magstripe and the chip+signature.
.. so, if there are some disputed charges on your account, the bank can either 1) chase the retailer to get the lost money back - assuming the retailer has not given you the opportunity to use Chip and PIN or 2) chase you, since clearly if there is a transaction on your account, and your card is a Chip and PIN card, either you have given someone your card and PIN (in which case it's your fault) or someone has stolen your card, and found out your PIN (in which case you failed to keep it secure, and bugger me, it's YOUR FAULT again).
I was a victim of an early fraud about five years ago, at a coffee shop at Paddington Station. I bought a coffee using my chip and pin from my business account (well, there were lots of us having coffee, and I decided for once it was a business expense). A few days later, I noticed some charges on my account I couldn't identify, and I contacted the bank. Their immediate reaction was that I must have let someone have my PIN. It took six weeks to have the money returned to me by the bank - and then only when they could displace the blame on to the retailer (apparently I wasn't alone, and an investigation by the police turned up a hacked card reader which stored PINs on an SD card).
It certainly won't eliminate the swipe cards for a long, long time. They've had chip and pin in Europe for a decade, and you can still swipe.
Expect that to change.
Swipe readers have been absent in Europe on unsupervised machines (e.g. buying a train ticket) for years, and aren't available at some smaller shops — unless they expect American trade, it's not useful. Even if it does exist, the cashier would often be reluctant to use it.
Not only that, if I put my card in the chip reader rather than just swiping it, seems to take 10 seconds longer. Or twenty seconds, or thirty.... I think in many cases convenience will trump security.
Problem is that the readers which support the chip will also detect that the card has a chip and force it to use the chip. Ran into that already; the mag stripe won't work with them - it's chip only. Or at least, retailers can configure it that way, which I'm pretty sure they'd be required to do under the mentioned requirements by MC/Visa/AMEX
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
You've clearly never worked in retail. There are rules. If the merchant follows the rules, they are protected, and either the merchant service or the issuing bank eats the loss.
(Online companies, mail order companies, and other "card not present" merchants cannot follow the rules, so, yeah, they're hosed.)
EMV means the rules are changing, and they're more complicated, but if the card has no chip, the old rules still apply, and the merchant is protected if they follow the rules.
Different banks are taking different approaches, with some proactively sending out new cards, most at minimum accepting a request for a new card with a chip, and some waiting until cards expire before sending out new chip cards. Stores like Home Depot will continue to accept your valid magnetic stripe card; the only time they'll decline the swipe is if you swipe a chip card, it will prompt you to insert the card into the chip reader.
End of Line.
Australia no longer accepts signatures at all. August last year it became chip & PIN only.
Given Australia is 100% chip & PIN with signatures not accepted since August last year, I would hope the system manufacturers have the bugs ironed out.
The data on the chip is a signed certificate; but its not encrypted.
Most certificates aren't encrypted.
IF the data was encrypted and required a pin to unlock, THEN you would have a little security because even if you clone the data, you don't have the key to unlock it to allow the transaction. HOWEVER the spec doesn't allow for that, the spec is basically half of Private Key cryptography.
That wouldn't be private key cryptography, that would be shared secret cryptography.
In EMV there's a couple of modes; modern cards use what is called DDA. In DDA the card provides the unencrypted public certificate to the terminal, the terminal then provides 'random' data (and this is where the few attacks on EMV happen, if the terminal is broken and provides not truly random data). The EMV chip in the card then uses its own internal private key to sign that random data and returns the signed random data. The terminal then uses the card's certificate it received earlier to validate the signature, then forwards the information on to the processing company. At no time does the private key ever leave the chip and touch the terminal.
Now some earlier chips did do SDA, where it just had a pre-signed set of data on the card; that has not been the use case in EMV for about 5 years now. I just checked every card in my wallet and all of them in fact do use DDA.
The whole point of the chip is that you can't skim it (e.g. you can't simply read the information and make a fake card that outputs the same info).
Sure, there is no law of physics that says you can't copy the chip in theory, but compared to magnetic stripes, which are designed to be read to even work, there is currently no easy way to copy a computer chip.
Comparing the security of a magnetic stripe to a smart chip is like comparing the security of a paper document folded in half to an encrypted digital file. Sure there is no guarantee that the encryption can't be broken at some point in the future, but it is almost incalculably more secure than hoping no one unfolds the document and reads it.
Better than magstripe and signature.
When I worked in retail 15 years ago I had someone pay with a credit card, and while checking the signature, which matched perfectly, I saw the card number on the receipt didn't match the card. I only paid attention because they were suspiciously easy to up-sell to.
They had written someone else's magstripe data on to their own card.
All you need to do is buy a $100 device from ebay, sneakily swipe customer cards while you're working your low paying gas station job and write the data to your own card.
You can then go on a spending spree, writing a new stolen card number for every purchase so the automated fraud detection algorithms don't catch you and block the stolen card.
You can't do that with a chip card, since you can't clone the card.
It's even harder with NFC, since the customer never lets go of their card.
...It's basically the same thing as a magstripe, but different form factor....
I'm 99.9999% sure you are absolutely wrong!
Granted, the chip&signature that the US is adopting is far weaker than the chip+pin used elsewhere (the pin is "something you know" which prevents the card from being used by others, whereas the signature is just a scribble of anything you want and doesn't technically lock/unlock anything).
However, you can swipe a mag stripe and read all the info from it via VERY cheap hardware (for example, a free square reader). Doing so will give you every piece of info that is printed on the front of the card. It's the same info you'd get if you did an old style carbon copy rubbing of the card like gas stations used to use, and that's the same info you'll get off the new chip+sig mag stripes and imprints. The chip isn't there to prevent theft of the physical card.
If, however, you use the chip, then the merchant does not get the actual card number. There's a two way communication from your card, to the terminal, to the bank, and back, all using crypto. You can think of it like an SSL handshake. Once that handshake is complete, the merchant has a one time use token to use for the purchase.
What does this solve? It ensures that the merchant can't log your card number and store it in their insecure database for thieves to later take, ala the Target breach**, because they'll never have that number. More importantly for the banks, it's "proof" that the card was there, and not some cheap copy.
** I think that's what happened at Target, but there have been mixed stories, and I'm not 100% certain... maybe it involved data they got from the web instead, but I doubt that. I'm pretty sure it was card numbers scanned locally.
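To make the protocol shape discussed in the DDA post above, the PIN-on-card post, and this one concrete, here is a toy model added for illustration; it is not code from the thread, from EMV, or from any card vendor. It assumes a made-up issuer CA, textbook RSA with small fixed primes, a constructed card number and PIN, and a hash reduced modulo the toy modulus; real EMV uses large keys, ISO 9796-2 padding and several certificate layers. It goes beyond the posts in one way: it runs the same clone against an SDA check, a DDA check with a sound unpredictable number, and a DDA check on a terminal whose "random" number is constant, so you can see exactly which of the three a bit-for-bit copy defeats.

```python
"""Toy model of EMV offline data authentication: SDA vs DDA (illustration only).

Everything here is constructed for the example: the issuer CA, the RSA primes,
the card record layout, the PAN and PIN.  The toy RSA is NOT secure; it exists so
the protocol runs offline with the standard library alone.
"""
import hashlib
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA from two fixed (small, illustrative) primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))       # (public, private)


def digest(*parts):
    """Hash the fields being signed; callers reduce it mod the toy modulus."""
    h = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return int.from_bytes(h, "big")


def sign(priv, *parts):
    n, d = priv
    return pow(digest(*parts) % n, d, n)


def verify(pub, sig, *parts):
    n, e = pub
    return pow(sig, e, n) == digest(*parts) % n


# Constructed issuer CA; its public key is what terminals trust.
ISSUER_PUB, ISSUER_PRIV = make_keypair(1000000007, 998244353)


class Card:
    """The chip: the private key never leaves this object, the PIN is checked on-chip."""

    def __init__(self, pan, pin):
        self.pan = pan
        self.pub, self._priv = make_keypair(1000000009, 999999937)
        self._pin, self.pin_tries_left = pin, 3
        # Issuer-signed certificate binding the PAN to the card's public key.
        self.cert = (pan, self.pub, sign(ISSUER_PRIV, pan, *self.pub))
        # SDA-style record: one static issuer signature, identical on every use.
        self.static_sig = sign(ISSUER_PRIV, "SDA", pan)

    def verify_pin(self, pin):
        """Offline PIN check with a retry counter, as the PIN post describes."""
        if self.pin_tries_left == 0:
            return False
        if pin == self._pin:
            self.pin_tries_left = 3
            return True
        self.pin_tries_left -= 1
        return False

    def sign_challenge(self, unpredictable_number, amount):
        """DDA: sign the terminal's fresh challenge plus the amount, on-chip."""
        return sign(self._priv, "DDA", self.pan, unpredictable_number, amount)


class ClonedCard:
    """Defender's model of a bit-for-bit copy: only public data, no private key.
    All it can do for a DDA challenge is echo one response it saw earlier."""

    def __init__(self, original, seen_un, seen_amount):
        self.pan, self.pub = original.pan, original.pub
        self.cert, self.static_sig = original.cert, original.static_sig
        self._replay = original.sign_challenge(seen_un, seen_amount)

    def sign_challenge(self, unpredictable_number, amount):
        return self._replay


class Terminal:
    def __init__(self, rng=secrets.randbits):
        self.rng = rng          # injectable so a broken UN generator can be shown

    def authenticate_sda(self, card):
        return verify(ISSUER_PUB, card.static_sig, "SDA", card.pan)

    def authenticate_dda(self, card, amount):
        pan, card_pub, cert_sig = card.cert
        if not verify(ISSUER_PUB, cert_sig, pan, *card_pub):
            return False        # certificate not from our issuer
        un = self.rng(32)       # the "unpredictable number" challenge
        return verify(card_pub, card.sign_challenge(un, amount), "DDA", pan, un, amount)


def demo():
    """Run one genuine card and one clone through SDA, DDA and a bad-RNG DDA terminal."""
    card = Card(pan="4000000000000000", pin="1234")           # constructed values
    good_terminal = Terminal()
    bad_terminal = Terminal(rng=lambda bits: 0xDEADBEEF)      # constant "random" UN
    clone = ClonedCard(card, seen_un=0xDEADBEEF, seen_amount=2500)
    return {
        "genuine_dda": good_terminal.authenticate_dda(card, 2500),
        "clone_sda": good_terminal.authenticate_sda(clone),
        "clone_dda_good_rng": good_terminal.authenticate_dda(clone, 2500),
        "clone_dda_bad_rng": bad_terminal.authenticate_dda(clone, 2500),
        "pin_wrong_then_right": (card.verify_pin("0000"), card.verify_pin("1234")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The clone passes the SDA check because a static signature is just data, and it passes DDA only when the terminal's challenge is predictable, which is the terminal-side weakness the DDA post points at; with a sound unpredictable number the copy has nothing to sign with.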
So I steal your card and use it, scribbling a sig if needed.
My bank will reverse the charges provided I report it stolen, and the card will stop working at that point. That's how it works with both mag and chips, no difference there. What does change is you have to actually steal my card, whereas before all you had to do was get ahold of it for a few seconds to scan the mag stripe so you could clone it later.
What sort of disability must one have to not be capable of pressing some buttons on a keypad, but still be capable of signing your name?
In the US, table service restaurants virtually NEVER have customer-facing credit card readers.
Bars don't either.
In both you give them your card.
Really the places that do reliably have them facing customers are retail checkouts and anything with a self-serve kiosk.
http://lkml.org/lkml/2005/8/20/95
The UK has the same. It's now implemented on London underground so you can use your credit card like an Oyster card and it will open the gates. (Apple Pay also works)
Contactless is actually superconvenient, given a limit on the maximum amount for which it works. Over here that maximum is EUR 25, which allows you to be really fast for all small purchases (which are generally the purchases where that really matters).
I would support a system where you could authorize it to work for higher amounts at certain vendors (supermarkets, for instance).
I'm hoping it will be faster eventually, but right now it is slowing things down (American perspective, for other countries this might not be the case).
Almost all of the terminals I see now have both a slot for swiping and one for the chip. Except some stores require you to swipe, the chip part doesn't work yet. And some stores require you to use the chip if your card has it. So you never know which one to use.
With swiping, you can usually do it while the cashier is scanning your items, which means my wallet is already back in my pocket and I just have to sign when they are done scanning. With chip, you have to insert your card and leave it there until the transaction is complete. The processing time before the card has been accepted is also noticeably longer than when swiping.
Most importantly though, I have never actually been prompted for a PIN when using the chip. It's always chip and sign.