Slashdot Mirror
Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)
The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
It's the date after which merchants are supposed to be liable for fraudulent purchase made with New-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).
Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn't support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank's issued card supports chip and pin, but the merchant doesn't support the feature.
...that's not the system we're getting in the US, at least for the time being and at most retailers. We're getting Chip and Signature, which is much less secure. We're just calling it Chip and PIN, but most retailers aren't actually using PIN numbers to complete transactions...
Studies in europe showed that when chip and pin nearly eliminated point-of-sale (in store) fraud, that within a year or so the fraud moved to card-not-present sales (that is, the fraud occured by european cards used on the internet, phone, and also countries where the Pin network was not integrated back to europes clearinghouses like brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or if it's less than it would have been).
For in-store (card present) sales, It isn't lost cards that are the biggest problem. It's stolen card numbers being either cloned onto forged plastic. Stolen card numbers are easily transmitted faster and also can be replicated many times, which is better than the original card itself. Just having the chip there can shut this down. You don't have to have the pin. thus card+signature is just as good as chip and pin for practical purposes. The pin just shuts down people using the original stolen card which is a small slice of the problem.
So no this isn't going to do much about fraud since card-not-present is actually goging to become the dominant mode of sales (internet). But the pin doesn't help much.
Some drink at the fountain of knowledge. Others just gargle.
Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obsurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.
Not exactly. The new US cards use a one time token for the transaction like other PIN and chip cards, but MC/Visa have not required issuers to force PINs. So no 2-factor but still much safer for physical transactions than magstripe, provided you don't lose the card itself. Doesn't do shit if the card itself is stolen or for online transactions though.
I browse on +1 so AC's need not respond, I won't see it.
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
The US chips will be cracked in a matter of a months, maybe a more, and we gain almost nothing.
The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.
The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.
We finally had a good push to revamp the payment card infrastructure, and they totally blew it.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
It's basically the same thing as a magstripe
Other than the unique one time code that's generated for every chip transaction, of course. And the extreme difficulty of retrieving the private encryption keys needed to generate those codes from the chip itself.
US businesses that currently accept chip and PIN/signature
You've clearly never worked in retail. There are rules. If the merchant follows the rules, they are protected, and either the merchant service or the issuing bank eats the loss.
(Online companies, mail order companies, and other "card no present" merchants cannot follow the rules, so, yeah, they're hosed.)
EMV means the rules are changing, and they're more complicated, but if the car has no chip, the old rules still apply, and the merchant is protected if they follow the rules.
Given Australia is 100% chip & pin with signatures not accepted since august last year I would hope the system manufacturers have the bugs ironed out.
The whole point of the chip is that you can't skim it (e.g. you can't simply read the information and make a fake card that outputs the same info).
Sure there is no law of physics that says you can't copy the chip in theory, compared to magnetic stripes which are designed to be read to even work, their is currently no easy way to copy a computer chip.
Comparing the security of a magnetic stripe to a smart chip is like comparing the security of a paper document folded in half to an encrypted digital file. Sure there is no guarantee that the encryption can't be broken at some point in the future, but it is almost incalculably more secure than hoping no one unfolds the document and reads it.
...It's basically the same thing as a magstripe, but different form factor....
I'm 99.9999% sure you are absolutely wrong!
Granted, the chip&signature that the US is adopting is far weaker than the chip+pin used elsewhere (the pin is "something you know" which prevents the card from being used by others, whereas the signature is just a scribble of anything you want and doesn't technically lock/unlock anything).
However, you can swipe a mag stripe and read all the info from it via VERY cheap hardware (for example, a free square reader). Doing so will give you every piece of info that is printed on the front of the card. It's the same info you'd get if you did an old style carbon copy rubbing of the card like gas stations used to use, and that's the same info you'll get off the new chip+sig mag stripes and imprints. The chip isn't there to prevent theft of the physical card.
If, however, you use the chip, then the merchant does not get the actual card number. There's a two way communication from your card, to the terminal, to the bank, and back, all using crypto. You can think of it like an SSL handshake. Once that handshake is complete, the merchant has a one time use token to use for the purchase.
What does this solve? It ensures that the merchant can't log your card number and store it in their insecure database for thieves to later take, ala the Target breach**, because they'll never have that number. More importantly for the banks, it's "proof" that the card was there, and not some cheap copy.
** I think that's what happened at Target, but there have been mixed stories, and I'm not 100% certain... maybe it involved data they got from the web instead, but I doubt that. I'm pretty sure it was card numbers scanned locally.
Which is another reason why restaurants in the UK feel a shitload more secure than in the US....here, the waiters bring a wireless card reader over to the table. They don't wander off with your card to some back room where they can copy down the details. (It also speeds things up, as it involves fewer waiter back-and-forths)