To Secure ATM Transactions: Ditch the Card

chicksdaddy writes: Security Ledger has a piece that looks at the efforts of a string of startups to secure ATM transactions from skimmers and malware-based attacks. Step 1: get rid of the ATM card. The article profiles a couple different companies. One, Trusona, has technology that can uniquely identify standard issue ATM cards by analyzing the unique distribution of Barium Ferrite particles on their magnetic strips and using it to connect the card to the customer. The company combines that with card swipe biometrics to thwart malware-based replay attacks. The article also mentions upgrades that will allow banking customers in the U.S. to use a mobile application to withdraw cash from ATMs without a card or PIN, and a prototype from Diebold that combines proximity based sensing (via NFC) with iris scans to authenticate customers and authorize transactions. Cool as it sounds, its worth remembering that most ATM attacks are decidedly "low tech." A survey by the ATM Industry Association in 2015 listed "physical attacks" and those using "explosives" as the second and third most common type of ATM attack after card skimming.

actually it is really easy

You just have to choose. You can have any 2 of these 3:
Secure
Convenient
Cheap

You just have to make up your mind.

Re:actually it is really easy

Ditch the card. Bitcoins.

Re:actually it is really easy

[Z00L00K]

Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.

Re:actually it is really easy

[dissy]

Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.

If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.

Re:actually it is really easy

Who cares anymore? Those 'holes are tagging everybody and anybody these days anyways. If you live in fear of them all of the time, you live as a slave.

Re:actually it is really easy

[Cajun+Hell]

In a world where everyone is tagged, is there a downside to being tagged?

Re:actually it is really easy

[BarbaraHudson]

People are still using cards with a mag strip?

What 3rd world country is this?

Re:actually it is really easy

[Z00L00K]

Well, you get tagged on a scale, so you may get a higher priority on your tags if you stand out using bitcoins.

Re:actually it is really easy

[Cro+Magnon]

If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.

I don't believe that's true. I'm pretty sure that even if you ARE working for the authorities, you're under suspicion by our beloved government.

Re:actually it is really easy

[Darinbob]

Use a bitcoin and contribute to criminal agencies and support its pyramid scheme. Bitcoin was not designed to be an independent secure alternative to cash or it would have been designed differently.

Re:actually it is really easy

[Darinbob]

I used a mag strip ATM card in Europe quite easily.

Re:actually it is really easy

Indeed, the begin with childhood personality profiles built through standardized testing and placed into a federal database. Vid from the 90's. This has been going on for quite some time, and Common Core is only the latest iteration.

Example: A group of your fellow students does something wrong. The group decides to keep the secret. Should you:
A. tell a teacher
B. tell your parent or guardian
C. keep the secret.

The correct answer is C. They want to foster group think. Natural free thinkers, Anti-authoritarians, and others who don't fit into the system are flagged as children to watch out for. If the non-conformist becomes politically active their chances of being singled out for COINTELPRO increase greatly, especially if they are mentally "gifted". In the extreme case where the individual is on a path to being influential or contributing technology that might disrupt the oppressive system, then their lives will be ruined through false rumors, group harassment and other elements of psychological warfare possibly including covert use of directed energy weapons (effects partially declassified via FOIA request).

Protip: The real reason that "conspiracy theorist" is associated with "tinfoil hat" is because since the 1970's people who uncover corruption have been attacked with directed energy weapons, including but not limited to projection of voice or audio into the person's head using microwaves.

In the soviet and communist regimes censorship is used to silence people. In the free and open societies, free speech is used against people: You are encouraged to speak your mind openly so the powers that be can identify you as a potential dissident and preemptively attack you.

Who is still using mag stripes on ATM cards?

You can't skim a chip. Well, not with something that you can disguise on an ATM.

Re:Who is still using mag stripes on ATM cards?

[fraxinus-tree]

You are from Europe, right? US still use mostly the strip. And while the chip is good, it only offers protection from skimming. Other vectors (theft, burglary and likes) still exist.

Re:Who is still using mag stripes on ATM cards?

[dwsobw]

Not sure how theft, burglary, etc are a problem if you do not write down your pin? Sure robberies are different but I rather lose my money/pin then my eyes ...

Re:Who is still using mag stripes on ATM cards?

[slashping]

US still use mostly the strip

But the article is talking about upgrading the ATM to do a barium analysis on the cards. That seems idiotic if you can also upgrade it with a chip reader which is standard, and much more reliable.

Re:Who is still using mag stripes on ATM cards?

[CanadianMacFan]

Canada has had chips on the bank cards for quite a while too. Not as long as Europe but probably around a decade.

Re:Who is still using mag stripes on ATM cards?

[Alwin+Henseler]

Not sure how theft, burglary, etc are a problem if you do not write down your pin?

Common method is to look over victims' shoulder when the PIN is used in a legitimate transaction. Often at supermarkets: just think about how 'hard' it is to see what PIN a customer in front of you enters on the keypad.
Then card is stolen / pickpocketed to be used immediately with the just-obtained PIN. Happens regularly, especially with elderly people as victims. But normally unless customer is clearly to blame, card issuer will compensate the damage (well okay... somehow spread out over all customers, that is).

But overall incidence is not that high. So in terms of cost to the average user, chip + PIN is a pretty good system. As a bonus, often the perps are caught on cam when they (try to) use the card at an ATM, retail store etc.

In some European countries (like mine) processing this type of payment has become so efficient, that (per transaction) it's as cheap if not cheaper than exchanging a few coins & bills. And of course store owners love it as it makes for less cash in house & thus less incentive for robbers.

Recently they've introduced the option of PIN-less payments for low-amount transactions (so there's less need to use your PIN 'everywhere'). And/or combined with some kind of electronic wallet that holds a limited amount (up to ~150 Eur or thereabouts). We'll see how that goes.

Re:Who is still using mag stripes on ATM cards?

[slashping]

A suitably strong encryption would be enough to prevent skimming attacks, even assuming that the perps could insert a man in the middle.

Re:Who is still using mag stripes on ATM cards?

[TheRaven64]

You might want to take a look at some of the known attacks against EMV.

Re:Who is still using mag stripes on ATM cards?

[fraxinus-tree]

Canada is european in lot of senses, anyway.

Re:Who is still using mag stripes on ATM cards?

In what way? That they aren't US?
The US is the odd kid in the Americas. To consider Canada to be European requires a very US-centric world view.

Re:Who is still using mag stripes on ATM cards?

[Z00L00K]

You can skim them, but it's a lot harder than the magnetic strip.

Re:Who is still using mag stripes on ATM cards?

[IamTheRealMike]

EMV isn't a European thing, even though that's where deployment first started. EMV is an "everywhere but the USA" thing.

The bizarre insistence of American financial providers on trying everything except just rolling out EMV is really amazing. At some point I start to wonder if it's a subtle form of protectionism.

Re: Who is still using mag stripes on ATM cards?

"To consider Canada to be European requires a very US-centric world view." Only if you don't consider the Americas to be European (other than the US, which revolting -- um, I mean, revolted).

Re:Who is still using mag stripes on ATM cards?

[wardrich86]

God damn USA! Get with the times. Still using Imperial, still using mag stripes... Your neighbours to the north are disappointed in you. You guys are better than this!

Re:Who is still using mag stripes on ATM cards?

They are part of the British Commonwealth... Why would it be US-Centric to consider it so?

Re:Who is still using mag stripes on ATM cards?

[gmack]

In Spain, I had to show ID with every card based purchase in a store even if it was chip and pin. I can only imagine it reduced a lot of thefts like this.

Re:Who is still using mag stripes on ATM cards?

[gmack]

American cards have chips but it's chip + signature and they don't use it. Last summer my friend came to visit me in Canada and I had to explain to him how to use the chip portion of his card,

Re:Who is still using mag stripes on ATM cards?

[houghi]

You could also look at the US being the UK of the Americas. I propose a trade: The UK goes to North America and Europe gets Canada. Everybody wins. (Sort of)

Re:Who is still using mag stripes on ATM cards?

[houghi]

being in Belgium, I was amazed when I had to walk to the counter in Amsterdam to do my payment. In Belgium all restaurants that I know of have a cardreader they take to the table. You put in your card. You put in your code. The thing beeps. You take out your card and that way the card never leaves your sight and you do not need to walk to the counter to do the payment.

In the US I was confused by the number of papers I got. First the bill, then several papers with the same amount on it. You need to sign it and write the tip on it and put it away and the rest in your wallet.

As I never saw a waiter after they left the bill, I noticed when I came home that I had several papers with signature and tip on it. So not only did they not get a tip, they never even came by to verify the signature or if there WAS a signature.

And sorry for the not tipping. I do think that it is a stupid custom, but that is NOT the reason they did not get a tip. Others where I left the correct papers, I tipped.

Another thing is that it is so much harder to verify. In Europe the money I said OK to will be billed and I can follow it electronically. With the tips, I need to write it twice and then verify if they did not add some amount or if the writing was clear or not.

It is an ancient system and the sole reason they kept it so long is, I think, investing 25USD now in a machine that is able to do it is not interesting, even if the gain over a period is great.
Also: we have pre-paid cards that do not even have a strip and several banks have blocked credit cards for use in the US by default. If you go there, you must ask to activate it. All because the security is non-exitend.

Re:Who is still using mag stripes on ATM cards?

So are Botswana, Mozambique, Zambia, and Uganda. You don't see many people suggesting they act like European countries because of it, though.

Having spent a lot of time in the UK, the only resemblances to it that Canada has that I can think of are we still have a Queen (though she can no longer make laws here), kept some British spellings, and that's pretty much it. Canadian grocery stores (that aren't bottom tier) bag stuff for you, we mostly have intersections with lights (not roundabouts), police carry guns and are not considered friendly neighbours, most British language and British slang is either not understood or is just plain odd (nobody calls it a lift, being pissed means angry, chips are thin round crunchy discs, and you don't have flats not let them). If you want classic British cuisine you'll have to seek out the rare British pub and they will do a very bad impression of it. Pickup trucks are still the best selling vehicles and Canadian cars are closer to US size. Homes are some of the largest in the world here. Taxes are closer to US level than UK level. Canada is 12th on the gun ownership list, the UK is at 82.

Canada is neither the US nor Europe nor Britain. However, between all those, Canada is closest to the US, physically and by attitudes/preferences as well. Now, if you focus on Quebec, things change a bit, but for the odd rather than closer to Europe (France is not fond of Quebec). Quebec is far away from being similar to the US and yet also very far away from being similar to anything European.

Actually, suggesting Canada is like other countries in the Americas might possibly be the most interesting comparison I've heard. The problem is the rest of the Americas outside of Canada and the US are doing poorly economically. I wonder if those other countries would end up similar to Canada given a solid economy and lower corruption levels?

Re:Who is still using mag stripes on ATM cards?

All of my cards have chips, and I'm even finally starting to see stores that use the chip. Granted my grocery store has readers that can read both strip and chip, but the chip portion isn't activated. Put my card in there and it didn't recognize a card had been inserted.

Re:Who is still using mag stripes on ATM cards?

[dwsobw]

Thanks! Fair points.

Also our pin readers usually have a screen to prevent to easy spying. Something at least like this which is usually sufficient.

Re:Who is still using mag stripes on ATM cards?

[dwsobw]

In Germany we used to have a "moduliertes Merkmal" which is essentially a dielectric code that the machine could verify with a capacitive sensor. So even with a strip there was never a problem inside Germany. All the fakes had to use a ATM outside Germany that did not check the dielectric code ...

Re:Who is still using mag stripes on ATM cards?

[dwsobw]

Thanks that looks interesting, but apparently only effects some (Visa-style?) EMV standards.
The German SECCOS EMV standard (used for debitcards) seems to require the verifications (since before 2005) that were/are missing in the British standard.

Re:Who is still using mag stripes on ATM cards?

[Outta_the_way_peck!]

Chips have been rolling out pretty aggressively in the USA over the past few months from all institutions, major banks to local credit unions. Stores may still be using the mag stripe to authorize, but it means they are accepting the liability for fraudulent transactions.

Re:Who is still using mag stripes on ATM cards?

[ShanghaiBill]

Canada has had chips on the bank cards for quite a while too.

America has also had them for quite a while, we just don't actually use them. When we do use them, we do chip+signature instead of chip+PIN, so we get all the hassle of using a chip, with none of the benefits!!!

Re:Who is still using mag stripes on ATM cards?

[Salgak1]

I've only recently started getting Chipped cards, and in any case not all merchants have enabled their readers to use chip-based cards.

Reports I've seen combined blaming the Christmas shopping season (i.e. don't slow down the cash flow), engineering issues, and MasterCard and Visa reportedly being late in publishing at least SOME of the documentation.

http://www.nbcnews.com/busines...

Re:Who is still using mag stripes on ATM cards?

[Woldscum]

They do now. Walmart started Jan 1st. No more swipe or signature for credit cards. Just stick the chip end of your card in the reader. Debit cards are chip + pin. Sometime this year all stores are going to be 100% responsible for fraud if they do not use the new chip readers.

Re:Who is still using mag stripes on ATM cards?

[BarbaraHudson]

Canada moved to chip and pin long ago. Last I looked, we're not in Europe. And without the pin, it can't be used. 3 wrong tries and it's killed.

Re:Who is still using mag stripes on ATM cards?

[BarbaraHudson]

It's more polite to leave the tip in cash, unless you're tipping at least 25%.

Re:Who is still using mag stripes on ATM cards?

[BarbaraHudson]

God damn USA! Get with the times. Still using Imperial, still using mag stripes... Your neighbours to the north are disappointed in you. You guys are better than this!

Apparently not. Kind of embarrassing when the only other countries that don't use metric are Liberia and Myanmar.

It's a form of protectionism, since things like 4 liters of milk are not the same as a gallon, so exporting to the US requires different, non-standard sizes.

Re:Who is still using mag stripes on ATM cards?

[I-am-a-Banana]

Sorry to say but I have been contacted by my bank 3 times because there was a potential my chip card was skimmed. They cancelled the card and I had to get a new one each time.

Re:Who is still using mag stripes on ATM cards?

I had my chip skimmed once in SA, Johanesburg. The waitress at the Hard Rock Cafe used a fake "credit card machine" to get the chip data and pin.

Re:Who is still using mag stripes on ATM cards?

[Applehu+Akbar]

Our credit cards have the EMV chip now, but most of the stores whose POS terminals have an EMV slot are not using it. It's an even more confusing maze than before.

Re:Who is still using mag stripes on ATM cards?

[swb]

Who does this? The reason I pay a $250 dinner tab with a credit card is so I don't have to carry much cash with me, a $50 tip is nearly as bad from a carrying cash perspective.

The whole social construct of tipping aside, I always wonder about tip fraud. It's just too easy to cheat on tips when they get manually entered into the credit processing system. You'd have to be supremely detail oriented to track the meal cost + tip as it shows up on your credit card. I think amex might detail it, but it's not hard to see how this could get gamed by a few percentage points without anyone ever detecting it.

Re:Who is still using mag stripes on ATM cards?

chip reader which is standard, and much more reliable.

BULLSHIT! I'm on my 3rd card in 2 years because the fucking chip stopped working, then the ATMs and POS machines won't accept the card even if the magnetic strip still works. Meanwhile I've got magnetic only cards that still work after 5 years.

Re:Who is still using mag stripes on ATM cards?

[ewibble]

For the purpose of this discussion Canada could be considered more European because the don't seem to be as opposed to change as the US. (Although I have never been to Canada). They use the metric system, (although not really European but every other country in the world except (Burma, Liberia, USA)). They have dropped their 1 cent coin, they their 1 and 2 dollar note a coin. When I visited the US, it amazed me how may places seemed not to accept EFTPOS, for what considered the most technologically advanced country in the world. Where Europe did not have this problem.

Let me be clear I have never been to Canada and this is only my opinion, gathered from media, not personal experience.

Re:Who is still using mag stripes on ATM cards?

[wardrich86]

We should just ship things th the US in same size as everywhere else, but with ugly sizes printed on the container.

Re:Who is still using mag stripes on ATM cards?

So are Botswana, Mozambique, Zambia, and Uganda.

Botswana, Zambia, and Uganda were part of the British Empire (under different names) and remain parts of the British Commonwealth. However, Mozambique was never a member of the British Commonwealth, as it belonged to Portugal from 1505 to independence in 1975. Mozambique has Portuguese as its official language.

Re:Who is still using mag stripes on ATM cards?

[gmack]

This is why I prefer the chip and pin terminals that ask you to input the tip. Some of the newer ones allow you an enter an amount or a percentage.

Re:Who is still using mag stripes on ATM cards?

>For the purpose of this discussion Canada could be considered more European because the don't seem to be as opposed to change as the US.

When it came here for a few months people complained about it, especially older people who had no idea about what their PIN would be and had to go to their CC company to get it straightened out. People screwed up entering stuff on the the terminals, even though it wasn't really different from using their debit cards, which they should have been used to. Though certainly people were nowhere near as angry as the US is about it. I was one of the complainers since I noticed at the time in Europe it had been hacked and banks were claiming that because C+P was used, they wouldn't refund money against fraudulent transactions. In Canada the banks still accept liability, so I stopped complaining once I found that out.

>They use the metric system

Yes, although interestingly enough, Europe doesn't use it the same way we do. For example, at least in the UK, speed limits are in mph, and cars have odometers in miles. In Canada, that's all metric. However, unless you're under 25, you measure your height and weight in feet/inches + pounds. Most all construction is done in imperial, though the codes are written in metric (with a lot of decimal points, since they just convert the feet/inches to meters). Babies are measured in kilograms, but parents are told the weight in pounds and ounces. And shoe sizes are (indirectly) imperial. We also use US clothing sizes.

>They have dropped their 1 cent coin, they their 1 and 2 dollar note a coin.

That is very true. The coins are actually pretty convenient. There was a lot of bitching about each one going away, though. A *lot*. Now nobody cares.

>When I visited the US, it amazed me how may places seemed not to accept EFTPOS, for what considered the most technologically advanced country in the world. Where Europe did not have this problem.

I imagine that EFTPOS is similar to Canada's interac/debit system whereby you let a store take the payment directly from your bank account. That is wildly popular here. Maybe even more so than in Europe! So popular people commonly use it to buy stuff for a dollar or two, which means retailers that sell stuff at that price point (convenience stores, though oddly enough not dollar stores) charge a small fee as the 15 cents transaction fee they pay on a $1 sale sucks the profit out of it.

Canada is just... Canada. It's definitely not the US, and I think people from Europe visiting Canada would also say it doesn't have much in common with Europe *except* when you compare it against the US. But then again, the colour red has nothing to do with the colour blue until you compare them both against black. Then they're both not black, and they're both actually a colour. Without the contrast, though, few would compare them.

That's just my opinion based on living in Canada and visiting the US a lot. My last trips to Europe were over a decade ago so I admit I'm out of touch on how stuff is there. :)

Re:Who is still using mag stripes on ATM cards?

[swb]

I have a hard time seeing this being adopted in the US, so long as we don't use the pin.

I seem to remember eating at a restaurant where the servers used iPads for order taking and they had Square-style card readers to do the charges, but it was a pretty casual, small place so far all I know it WAS Square they were using.

Re:Who is still using mag stripes on ATM cards?

[Viewsonic]

In the US, the new chip thing that rolled out has been met with..issues. I've been declined at least three times now, they had to manually put my card in. One place it hung the entire system, and they had to call their payment vendor who rebooted it, and told them to swipe until told otherwise. That is about after 12 times of having to slide it in. The chip also looks like it's halfway worn off the card already. It simply takes too long to use as well, you can't just stick the card in and out and be on your way. You have to stick it in and wait for her to finish. Then pull it out.

I have a feeling this chip thing will be gone by next year and we will be back to swiping.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

The chip and pin system can and has been hacked. Use cash when you can.

Re:Who is still using mag stripes on ATM cards?

[nukenerd]

Who does this [tip in cash]? ............ a $50 tip is nearly as bad from a carrying cash perspective.

You give $50 tips? Must be a very wealthy man.

The reason for tipping in cash is so that the particular waiter gets it. If you tip with a credit card, you don't know that the restaurant owner might get it. Is it really that hard to carry some coins for a tip? (Oh, forgot, the USA does not have any coin worth more than a peanut).

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

Chip and pin suffers from a flawed assumption common in many systems. The assumption that breaking it is too costly for the average person and that any remaining losses will be handled as a cost of business.

For the mag strip credit cards the banks actually do assume a percentage of loss rather than fix the flaws. For chip and pin they assume that hacking it is too difficult for the average corner shop or quickie mart, except that once someone figures out how that information is easily spread and replicated. Start with a reader with a poor design, figure out its schematics and software, find the hole, and exploit it (some have been hacked unobstrusively by drilling through the potting material from the to reach test points which is not detectable by the customer). Chip and pin systems also rely on an approach used by a lot of smart cards in where they assume it is better to provide absolute physical security rather than improve the cryptography, so you can get buggy algorithms at the same time that there are features to thwart physical tampering.

Re:Who is still using mag stripes on ATM cards?

[swb]

$50 is 20% on a $250 tab.

Since there's no rule book on tipping, I kind of follow my own.

In any low-end table service place, I figure the person working there isn't making much money to begin with, so if the service was good, I tip 20%.

At a higher end place, I will adjust the percentage down closer to 15% by default unless the server provided extraordinary service, especially if there are only two people being served because there's just not enough service taking place to warrant that much add on. In larger groups with attentive service, I think more is warranted.

At a lot of high end places, they have dedicated staff for delivering the food, clearing the plates, sometimes even for delivering cocktails from the bar, which complicates the tip as a "reward".

I do assume that most of these places the tips are pooled and divided among all the service staff, which complicates your rationale for ensuring the staff gets the money. It'd be easy for the server to skim the cash tips for themselves.

I don't worry about the owner withholding tips, at least not in my town. Attracting competent wait staff is difficult, and most people I know will avoid a place with good food and shitty service. Owners who withhold tips from servers will not attract any but the worst wait staff and basically slit their own throats.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked? And yes, this situation has happened.

Consider the example of the Target stores. The machines were hacked to intercept customer information. The machines did use mag stripes and have since become slightly more secure (Target today does not use the chip reader even though the reason my card was exchanged to have a chip was because of Target!). However the core cause of the breach was not the machines themselves or the magnetic strips but the transfer of the data from end point to back office and on to the credit card company. Customers are given false assurances that they've "fixed" things because they see new machines and have been issued new cards.

Good security is damned expensive. So businesses only want to deal with "good enough for now" security. The losses due to poor security are smaller than the cost of implementing proper security. The two problems with this thinking is that encourages criminals and when a flaw is discovered it be exploited on a large scale, and the ability to steal from the system become much easier over time as technology changes (mag stripe readers used to be extremely expensive but now are quite affordable).

Re:Who is still using mag stripes on ATM cards?

[slashping]

LOL. I have a chip card for a few years now, and never had problems. In fact, the only time there's an issue is when a vending machine doesn't accept the chip and tries to read the magstrip (which is severly damaged on my card) instead. In your case, I don't think you'd have better luck if the ATM was trying to do a finely tuned analysis of the barium signature in the magstrip.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

Part of the US bag groceries for you, and much of Europe will not bag groceries and think you're some sort of elitist by wanting such service. There are some European countries with high gun ownership. The stop light and stop sign are extremely common in mainland Europe.

I think there's a disconnect in assuming that teh UK is a typical European country.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

The signature is supposed to be important. It makes the transaction somewhat legal and a way to detect fraud or mistakes (find a mistake on your monthly bill you can complain to the restaurant and ask them to find your signature, though these days it's easier to just dispute charges with the credit card issuer).

Personally I have little problem with cash. People hate it because they want everything to be electronic, thus it's more cool.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

I don't even know what my PIN is with my card. It was assigned to me a couple decades ago and I've never needed it on a credit card. I got a reissued card a couple years with a chip but it did not come with any separate mail telling me what my PIN was...

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

I've only done it once, and it was at my optometrist and only a few months ago. No where else did it, not even Target which was the damn store with the break in (unrelated to magnetic stripes) that encouraged banks to start re-issuing cards with chips.

Re:Who is still using mag stripes on ATM cards?

You are from Europe, right? US still use mostly the strip. And while the chip is good, it only offers protection from skimming. Other vectors (theft, burglary and likes) still exist.

Skimming seems to be uncommon in Europe, probably because chip cards make it too difficult to be practical. Robberies in Europe, from what I've observed in the news over the years, tend to be more direct and low-tech. For example, the jewel thieves who drive a car through the shop front, smash and grab and then get away in a second car or the "ploof-crack" (it's from a Dutch word) gangs that use explosive gas to blow apart the ATM and get at the cash.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

Technically we're still supposed to be migrating to metric, as I think that law is still on the books. The snag is that Reagan stopped funding some of the programs. Everyone learns metric in school though, all science here is done in metric, even the UK (technically a part of Europe if you squint) still uses miles, etc. We are not ignorant troglodytes even though it's the current elitist fashion in Europe to laugh at everything in America.

(seriously, they're going to put up a wall Europe to keep out immigrants before the US does, all the while claiming that the US is full of bigots :-)

Re:Who is still using mag stripes on ATM cards?

Knives and guns still work on all technology. When you have all your monetary assets in your phone you will be a prime candidate for kidnapping. They could even make you take out a loan and send the money in an untraceable way to a third party. I uninstalled the bank app from my phone when the bank gave me full access to all banking services and all my money/stock through it. To install it I must use my bank-fob which I have in a safe at home. At least they have to drag me there to get my money or see if I am worth the trouble.

"Login to your bank app or your life!"

Re:Who is still using mag stripes on ATM cards?

[gmack]

Considering I met a consultant who had to deal with Target.. They didn't even bother with any security let alone "good enough for now" security but that's beside the point..

In most of the rest of the world, if they skim the card info from the payment system they can't just throw it onto a new card since chip and pin cards are much more difficult to duplicate. In the one successful replay attack I've managed to find out about the stolen info could only be used on hacked chip and pin terminals making the thief pretty easy for the banks to find after.

Mag stripes on the other hand, can be duplicated using less than $5 worth of equipment, in fact I had a friend in high school duplicate his ATM card onto his library card because he was bored.

Re: Who is still using mag stripes on ATM cards?

[fraxinus-tree]

errr,... cash has much longer history of vulnerabilities

Re:Who is still using mag stripes on ATM cards?

[david_thornley]

Tips are usually based on the food price, so they go way up in really expensive restaurants. There's a lot of social and legal structure in the US built around the tip as a percentage of the bill. Also, if I can afford an occasional $250 restaurant bill, I can afford a slightly more occasional $300 one, despite not being "very wealthy" (I'm well-off, but not wealthy).

There are differences between tipping in cash and putting it on the card, and I don't see one as necessarily superior to the other. If I tip cash, the server need not report it. It does get to the server, but not necessarily anywhere else, and it helps the server cheat on income taxes. If I put it on the card, it doesn't go directly to the server, which may be good or bad, and it's more likely to be recorded income. In some restaurants, the tips should all go to the server, and in some they should be pooled in some fashion. I don't know what any individual restaurant does about tips, and it's really not any of my business.

Re:Who is still using mag stripes on ATM cards?

Which banks issued them?

Re:Who is still using mag stripes on ATM cards?

[Kjella]

But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked? And yes, this situation has happened.

At least here in Norway, if the customer is not at fault for losing either the card or the PIN then it's the card company/merchant's problem. The consumer authorities have made it quite clear that the individual customer has no power to introduce extra security measures, so if they're insufficient it's the card company's loss and the card company's choice whether or not to improve security. One of the ways they've ensured big roll-outs is to shift blame to the merchant if they stay on old technology, like for example offline terminals. If the merchant doesn't have an online terminal, it has to cover any fraud themselves. So it's almost hopeless to exploit stolen cards here, almost always they try using them abroad. Which is why the cards typically have regional blocks, try "using" my card outside Scandinavia and it's going to get blocked and flagged immidiately. I can of course go in my online bank and turn regions back on if I'm travelling.

Re:Who is still using mag stripes on ATM cards?

Chip and pin is broken, research from Camebridge.

Re:Who is still using mag stripes on ATM cards?

In Australia at least there are both swipe machines (usually in 7/11s and similar) and machines where you put your card into the machine itself. I think that latter are also swipe based on the methods that I've seen reported for skimming these (typically a legit looking overlay on the card slot to skim the mag-stripe combined with a tiny camera focused on the keypad to capture the PIN), but I'm not 100% sure.

Re: Who is still using mag stripes on ATM cards?

[Darinbob]

Right but I can't hand over $20 in cash and then when my bill comes find out that $40 are withdrawn from my account. Cash is vulnerable to physical security, but so are chip and pin cards (because you can't keep that PIN secret if you're entering it in public). I can worry about some thug taking my money, but I generally don't have to worry about the money secretly vanishing while inside a store and wondering where it went. There is a limit to the amount of cash I can lose also, only what I have in my wallet at the time.

And the smart card makers in the past have not necessarily spent the proper amount of time to ensure it is really secure given how easy some of the hacks have been. It's slightly better thean feel-good security though but it's not great security.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

The skimming systems are added as extra transactions to the store in the cases I've read about. Thus the store gets paid back by the banks for more than the customer wanted to pay. It's not a third party that is skimming, but the actual store itself.

Re:Who is still using mag stripes on ATM cards?

"And of course store owners love it as it makes for less cash in house & thus less incentive for robbers."

Yes and no.

The bank is anally raping the merchant with their merchant services fee.

It can be guaranteed that this fee (which is only based on market, not true cost) will rise to match the cost to the merchant of handling cash, and maybe even a bit higher due to "convenience".

I assure you that when you buy a pack of gum with your card, you're being an asshole.

Re:Who is still using mag stripes on ATM cards?

At my local Target, I swiped my debit card and it refused to take it, and flashed on the screen that I needed to put it in the chip slot.

Re:Who is still using mag stripes on ATM cards?

[BarbaraHudson]

Many restaurants tack on all sorts of "fees" before they pay the staff the tips they earned. Some even keep the entire "service charge" for themselves.

Another restaurant chain in London, Gaucho, which serves steak dishes that cost up to £99, takes 16% of staff tips and puts part of this towards 'staff incentives and competitions'. It also takes a further 2.3% each month from sales generated by each waiter, which is shared among non-waiting staff.

A Gaucho employee told the Observer that in one month they earned close to £500 in tips but, because of a combination of the two deductions, more than £400 of that was retained by the company.

Last week a further tipping scandal came to light when the London Evening Standard reported that a French restaurant chain, Côte, retains the entire 12.5% service charge that it adds to customers’ bills rather than giving it to their staff .

Tipping in cash is a good way for the wait staff to remember you the next time that the manager wants them to push the fish, so they'll tell you "avoid the fish."

Re:Who is still using mag stripes on ATM cards?

[BarbaraHudson]

That would just give them more of an excuse to add to the "contents may settle during shipping" for all those half-full boxes of cereal.

Re:Who is still using mag stripes on ATM cards?

[fraxinus-tree]

As an european, I would sign right now.

Re:Who is still using mag stripes on ATM cards?

Those same problems and worse may happen with the magnetic strip analyzer as well, especially as it's configured to block the transaction. The only reason magstripe works well everywhere is because of the same old technology. Adding anything else to it will make it just as unreliable as the new tech, probably worse because it's all hacks from here on.

Re:Who is still using mag stripes on ATM cards?

[peawormsworth]

But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked?

The chip on your card cannot be read from a skimmer. The shop keeper does not gather enough information to repeat a transaction or request a new payment. Each transaction requires the chip which is embedded in the card. The shop keeper would require your PIN and also to steal your physical card.

Good security is damned expensive.

I think bad security is more expensive. And no... this form of security it is not expensive. It only becomes expensive when security has been ignored for a long time while it should have been slowly upgraded, as was done in the rest of the world. But now, the US is in poor shape for in personal digital payment technology and yes, it will be very expensive to update what has been neglected for so long.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

But the cards can be skimmed, and they have been! Getting the PIN is extremely simple, so don't even count on that as security. So it's just a matter of intercepting the data going to the bank as a man-in-the-middle, replicating even temporarily a card, predicting the upcoming "random" number, and so forth.

I'm not saying chip and pin is worse than mag stripe, but they are not so completely secure as the marketing would have you believe. Don't trust the banks or others when they say the cards "cannot be read". They have the same sorts of vulnerabilities as ATM in many cases; relying on cheap manufacturers who don't follow best practices on security, over confidence of the security, assuming a PIN is private, or willingness to accept a certain level of loss.

https://en.wikipedia.org/wiki/...
https://people.csail.mit.edu/r...
http://www.theregister.co.uk/2...
http://arstechnica.co.uk/tech-...
http://krebsonsecurity.com/201...
http://phys.org/news/2015-03-b...
http://www.thisismoney.co.uk/m...

kiss the cook

plenty of countries/companies provide ways of getting cash from an ATM without a card already.

chip ?

[slashping]

Why not use a chip card instead ?

Re:chip ?

[Alumoi]

I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head.
Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited.
No more muggins as it's quite hard to carry 2-3 severed head with you.

Re:chip ?

[slashping]

You don't think the tattoo is easily duplicated ?

Re:chip ?

[thegarbz]

Because you can't use fancy sounding science to scam investors who don't realise Chip+Pin is the solution to replay attacks.

Re: chip ?

Because it's America, they try everything before doing the right thing.

Re:chip ?

Because americans are luddites. Just mention "electronic voting machines" here on Slashdot and you'll see.

Just because sofware and chips can be hacked in theory, they prefer to stick with the unhackable and perfect paper ballots and magnetic strips, as if they weren't even more succeptible to tampering.

Re:chip ?

[Alumoi]

Note the AND between tatoo and chip. You must have tem both in order to work. It's not called 2 factor authentication for nothing.

Re:chip ?

[AmiMoJo]

Chips aren't all that great for security... Better than mag strips, but far from perfect as anyone living in a country with the chip+PIN system will tell you. In fact in some ways it's worse, because when first introduced in the UK the banks tried to blame all fraud on the customer because the system was supposed to be immune to fraud.

Phone is a pretty good option. You need the phone and you need a way to unlock it (fingerprint, PIN or 97 character password if you prefer). That's already at least as good as a chip, and potentially better since the current crop of fingerprint readers are much harder to fool with copies. You can have a >4 digit PIN too.

Re:chip ?

[slashping]

anyone living in a country with the chip+PIN system will tell you

I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect, but at least they can be made to prevent skimming, which is what the article is about. And it's a much better solution than chemical analysis of the mag strip.

Phone is a pretty good option. You need the phone and you need a way to unlock it

Except that not everybody has a (smart) phone. Also, it's easy to see what PIN people use when you sit next to them, or guess it from the fingerprints they've left on the touch screen. Or you can just wait for them to unlock the phone and then grab it out of their hands. Phones can also be infected with malware much easier than ATMs or chip cards.

Re:chip ?

[bev_tech_rob]

That would never fly in 'Merica, because the bible belt folks would then bray about the mark of the beast and the Book of Revelation.

Re:chip ?

[AmiMoJo]

far from perfect as anyone living in a country with the chip+PIN system will tell you

I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect

Uh...

Re:chip ?

[Nyder]

I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head.
Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited.
No more muggins as it's quite hard to carry 2-3 severed head with you.

Pretty sure the xians will say this is the Mark of the Beast. But if it will bother them, then I am down.

Re:chip ?

[slashping]

Why even respond if you can only grunt ? The chip+pin cards are a lot better than the magstripe cards, and the remaining problems can be solved without having to introduce radical new technology. They just need an upgrade to the protocol to remove the flaws.

Re:chip ?

[AmiMoJo]

far from perfect as anyone living in a country with the chip+PIN system will tell you

I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect

Uh...

Re:chip ?

[drinkypoo]

Phone is a pretty good option. You need the phone and you need a way to unlock it

And you need a power bank in case it gets run down and you need a backup phone in case it fails. What is needed is an end to the race to the bottom, so that employers are hiring people smart and scrupulous enough to check for credit card fraud instead of engaging in it.

Re:chip ?

[operagost]

Well, they'd be correct, wouldn't they? "And he causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name."

Re:chip ?

or maybe pay people enough to remove motivation?

Re:chip ?

The solution to skimming is to not use the card as proof of identity.

The card identifies the account you want to charge, it's essentially a user name. What you need to authenticate is either a password or a combination of password authenticator artifact or biometrics.

A solution that ditches the card altogether and just requires you identify the account (card) number to let the merchant know what account to request, then the bank contacts you with a one time code to validate the transaction would be better by far that trying to make the card harder to duplicate. This could be done with a card and phone (they SMS you the code) but would be better managed by a a smartphone app, which can require you to log in with a comparatively strong password. If your phone has strong security built in you can make it more convenient with things like using a fingerprint to authorize the phone to use your stored password to log into the app or having a weaker PIN for the phone and relying on the retry limit to brick the device in a brute force attack.

Re:chip ?

[AmiMoJo]

Millions of people use their phones for payment already, not bothering to carry backup phones/cards/batteries etc. It's been working well for over a decade. Maybe your problem is you buy crap phones where the battery doesn't last three days on a charge.

Re:chip ?

[BarbaraHudson]

I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head. Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited. No more muggins as it's quite hard to carry 2-3 severed head with you.

Joe Pesci would like a word with you. "Only 3? What a piker. Try 8."

Re:chip ?

[BarbaraHudson]

So you're in a large store and you don't have reception - no purchase for YOU!

Re: chip ?

[nehumanuscrede]

Yet, they all willingly carry a cell phone.

The " Mark of the Beast " is easily the Mac address or ipv6 address of your phone. :|

Re:chip ?

[rowls66]

The phone is also a really bad option in other ways. It is a multi-function device running all kinds of software from many sources. Some of that software could be malicious. Securing a phone is potentially very difficult. A card is a single function device devoted to authenticating the card hold for financial transactions. I think that from a security standpoint, a chip card is a better option. For convenience, the phone might win.

Re: chip ?

[aristotle-dude]

Yet, they all willingly carry a cell phone.

The " Mark of the Beast " is easily the Mac address or ipv6 address of your phone. :|

Sorry but I am not seeing the connection. You do not have to have a cellphone and it is not required to buy or sell things. It is a tool of for communication and not identification. The IP or MAC address is tied to the device, not you.

Re:chip ?

[aristotle-dude]

I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head. Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited. No more muggins as it's quite hard to carry 2-3 severed head with you.

Pretty sure the xians will say this is the Mark of the Beast. But if it will bother them, then I am down.

A couple of points. 1. What is an xian? If you are going to talk about a group, try to use the correct terminology. 2. Why do you have such a low self worth that you would want to be branded as a slave because you think it might piss some other people off? Have some self respect. You are a human being not cattle.

Re:chip ?

[Darinbob]

Because it's not a perfect solution either. Chips are feel good solutions though, let the customer think that they have security.

Re:chip ?

[Darinbob]

The mark of the beast, but with a CRC at the end!

Re:chip ?

[Darinbob]

"X" has been a shortcut symbol for "Christ" for a thousand years. So saying "Xmas" is not an attack on Christmas like some want to claim.

Re: chip ?

[qbast]

No sell for the store you mean.

Re:chip ?

We've been moving that way in the US. Over the last 6 months to a year, vendors have been upgrading their payment systems to handle chip cards. At first you could use the mag stripe or the chip, but now the system can tell if your card has a chip when you swipe it and if so requires you to enter it into the card reader. Over the next year or two I imagine we'll finally be rid of any cards that are mag stripe only and everyone will be using chip & pin.

I'm not entirely sure about ATMs as I have not used one in years that doesn't suck in your entire card and spit it back out.

Re: chip ?

[david_thornley]

The " Mark of the Beast " is easily the Mac address or ipv666 address of your phone. :|

FTFY.

Re:chip ?

[vandamme]

That's a Greek letter Chi, first letter in Christ.

Re:chip ?

They aren't a "feel good" solution. They may not be perfectly secure, but they are much better than magstrip.

Mah.....Murica is so backward

Seriously......

No chip and pin

No Paywave

No cardless ATM

It really surprises me..... I mean..you'd think they'd be on the ball..

They STILL write cheques for fucks sake !

Financially they're stuck in the early 90's.

Seriously, it's really surprising.........

Re: Mah.....Murica is so backward

Maybe because we stick with what works, we don't go "look shiny new. the higher ups are saying it's so good for us, let's switch now. "

We like to make sure shit works for a while and in the financial sector if it's not broke why fix it?

Diebold

The same guys who did the awesome voting machines? I'd trust my cash in their hands no questions asked! Or really not.

Re:Diebold

[Z00L00K]

I agree there - as soon as I saw Diebold and NFC I realized that this is going to be really bad.

Not that magnetic strips are good either, they should have been killed a decade ago. All cards I have are chip cards, and any point of sale here in Sweden have a chip reader.

For Iris scan, just watch this scene from the movie Demolition Man.

Re:Diebold

[tetraverse]

@Zoolook: "Not that magnetic strips are good either"

The original idea of using credit card numbers embedded in a magnetic strip for online financial transaction - the dumbest dumb idea ever. No doubt, done this way to save on money. Greed is good !

As for biometrics and iris scan, once these are hacked you're in an even worse situation. As you can't get re-issued new irises or fingerprints. ref

'Merica land of the free to skim

Chip and pin already solves this, it has been around for over a decade in Europe. No need to ditch the card.

Thanks but no thanks

I don't want my bank to have my "biometric data" or install spyware on my phone in order to be able to simply use my money as I see fit.
It doesn't sound cool. It sounds creepy. They should abandon their fascist dreams of controlling every aspect of life of their customers and get back to what we're paying them to do, keeping our cash securely and giving it to us when we request it.
Let's face it, ATM attacks are rare and most people are not affected by them. While obviously biometric data and whatever can be gathered from a mobile phone with a bank program would be sold to third parties because they see you as a resource to be exploited without bounds. Globalists should fuck right off and go die in a fire.

Ditch the card and use your phone...

that's right, use your potentially malware-infested and backdoor-laden phone for controlling access to your money.

Sigh.

[Erik+Hensema]

You guys at that side of the pond still use magnetic strips?

Just use standard PKI. It's secure, it's easy and it's standard.

Create a key pair for each customer. The private key is protected by a pass phrase (also known as a PIN code). Distribute the key pairs along with the bank's public key on a chip which does the encryption/signing.

Now go the the ATM or POS. Enter the card with the chip. Unlock the private key with the PIN. Let the card encrypt a message to the bank using the bank's public key and signed by the customers private key.

It's not rocket science. And to the end user it works exactly the same as before. It's cheap too.

Re:Sigh.

[wardrich86]

Canadian here - we've been using Chip since at least 2008/2009. USA is still stuck in their old ways. I assume they'll start using chip when they start using the metric system.

Re:Sigh.

[slashping]

At the same time, maybe they'll do electronic bank transfers and git rid of personal cheques.

Re:Sigh.

[LMariachi]

We're in the midst of transitioning right now.

Re: Sigh.

American here. We've had the chip for some time and readers capable of chip+pin are now standard. Nobody requires the PIN though, and I used the card in Europe with no PIN last summer-by inserting it to be chip-read, not by swiping. No PIN needed. Apparently the chip is nothing more than a glorified magnetic stripe, and nothing is "guarded" by the PIN as the poster above thought. Enjoy your false sense of security.

Re: Sigh.

You do realize America is the extreme capitalist scenario? Obviously the cost of implementing new card readers outweighs the savings on fraud. Duh!

We aren't Luddites, we are run by companies for profit.

Re: Sigh.

[illogict]

That’s because cards delivered in the USA are set to prefer chip + signature instead of chip + PIN.

Re: Sigh.

Prefer? The bank that issues my credit card has never asked me for a PIN. They have no PIN on file, so they could never have encoded the chip. There's no "prefer": they don't have the information necessary to encode anything with a PIN, so it's chip-and-signature only.

The PIN number you think is encrypting your keys isn't. That wouldn't be secure in the least: the PIN could easily be captured and logged en route to the ICC on the card. Actually, what's happening is that the terminal passes the PIN on to the ICC on the card to encrypt (with some random challenge thrown in), and the PIN now encrypted by the ICC's keypair gets sent off to the credit card company for validation. The PIN does NOT encrypt your keys: your keys encrypt your PIN in transit to the credit card company. Otherwise, every scammer still working POS-fraud in Europe would be skimming your PIN off the terminals, because it's all they'd need to unlock your keys.

Furthermore, chip-and-PIN doesn't do anything about online fraud, which already makes up the biggest chunk of fraudulent transactions.

Re: Sigh.

But chip and PIN does do two things: Takes a lot less time than chip and signature, and takes the pressure off retailers to store a pile of little tiny bits of paper for 6+ months (Yes, I'm aware American terminals have expensive screens that record the signature on them. Elsewhere terminals are often 1/3 the size and some don't have any any touchscreen at all).

Since signatures are hilariously easy to fake, at least to the satisfaction of a credit card company (their standards are very low), the PIN is a decent replacement.

I expect your card has the PIN option disabled. That's unfortunate. You'll never be able to use your card at a gas station outside of the US (at least at night when the attendant is locked in the booth and can't hand you the CC terminal), and merchants that don't have receipt paper handy will refuse your transaction. Oh well! At least you can feel the way Canadians feel when faced with your terrible gas pumps that don't recognize foreign cards. Enter a zip? Okay, where's the letters? Only one I know of is YKK. Give up. Walk in. Pre-pay with CC. Pump. Walk back in. Get refund on CC. Who the hell came up with that system? (Yes, I'm aware that most Canadian CC companies accept fake zipcodes now, sadly, some US pumps don't).

Oh, yeah. Signature.

Re: Sigh.

I live in the UK. I've only been able to use my card in a reader without a PIN exactly once. That was in a parking garage and I stopped using the card machine there after that incident.

Everywhere else, without exception, has required my PIN. Even on mainland Europe. I think the security issue is down to your card, not to the chip and pin system.

Re: Sigh.

Would it be better if fraud were kept closer to zero, but at a much greater overall cost?

While we're at it, we can reduce terrorism by extreme fiscal outlay and widespread abrogation of civil rights. Is that worthwhile?

It's easier in the case of fraud: there's an expected monetary loss that is to be balanced against a capital outlay for new technology. A smart company and a smart society minimizes the overall cost by finding the right balance between security and expense instead of trying to bend over backwards to eliminate all risk.

Re:Sigh.

[Darinbob]

But it's not as secure as you think. There are currently ways to hack those systems around the world. You still have the physical security problem though as it's too difficult to hide your PIN from spying. There's a lot of smug elitism to be had though by accusing Americans of being ignorant savages.

Stuff biometrics

[TractorBarry]

There is no way in hell I'm having biometric identification for anything. I'm not about to have my fingers cut off or eyeball pulled out so some some crook can make off with my stuff.

http://www.theregister.co.uk/2...

Damn fool idea and probably being pushed more for the use of such data to build a huge database by ye olde 3 letter agencies than for any "security" reasons..

Re:Stuff biometrics

[david_thornley]

Not to mention that you can't revoke more than two retinas in the key repository, or that you can't get your money when you desperately need to pay for retinal detachment surgery.

DIEBOLD ???

[rickyslashdot]

ummmm, I seem to remember something about this company's decidedly insecure attempt to make voting machines.

Re:DIEBOLD ???

Or maybe was it an attempt to make insecure voting machines?

Yesterday tech coming real soon...

[Macfox]

All this is pretty much available today outside the USA. Mobile or web App generates code. Anyone with the code and the value can visit the participating ATM and withdraw the cash within a few hours. The app even gives you the option to SMS the code. Same apps even support NFC, so the phone acts as the card.

The majority of the big banks in Australia have been offering these facilities or similar for 2+ years

Given the popularity of the Magstripe in the US, even after all these years, any advancement seems revolutionary I guess. One would think a possible reduction in fraud would drive even modest initiatives, like Chip+PIN adoption.

Re:Yesterday tech coming real soon...

Chip+PIN costs money and doesn't reduce fraud claims in the US due to the way the laws are written. There's no incentive for any US-based card issuer to bother with Chip+PIN.

Chip+sign is finally happening. It can't happen soon enough for gas purchases, which are probably the number one skimmer target anymore. For this, chip+whatever is good enough. Really, we just need the chip to replace the old magstripe's CVV1 for card-present verification. That's it.

ATM cards with chips will have Chip+PIN, but only because ATM cards are "supposed" to use the PIN. The PIN still won't be enforceable as a consent mechanism like it is in Europe. A stolen card with a stolen PIN won't imply consent even a tiny bit. And any change to the laws around that would be welcome to the issuing banks, but not to the card processors, the merchants, or the cardholders. Visa has tons of money to lobby with. The Chamber of Commerce is a huge lobbying group. And cardholder revolt has broken banks in the past. So changes are unlikely, making Chip+PIN credit cards equally unlikely.

Re:Yesterday tech coming real soon...

I think just like how it became harder to steal cars due to new technology with chipped keys, and then carjackings when up, we'll see the same with ATMs. If crooks can't use a skimmer, they will just result to forcing you to withdraw money by force. It's been a common problem in Atlanta where crooks follow someone with a nice car home, then jump them and kidnap them in their driveway, take them to an ATM and empty their account.

Re:Yesterday tech coming real soon...

[Nidi62]

It's been a common problem in Atlanta where crooks follow someone with a nice car home, then jump them and kidnap them in their driveway, take them to an ATM and empty their account.

Things like that have been happening here for years. I remember about 8 years or so ago they arrested a bunch of kids right before school in the parking lot of the high school I used to go to. They would watch people at ATMs withdraw money then follow them and hold them up (believe they were using a BB gun though) and rob them. This wasn't even in Atlanta, it was in East Cobb (admittedly I went to school on the border of East Cobb so we had plenty of rougher, poorer areas in our district too).

Re:Yesterday tech coming real soon...

[Darinbob]

I would not trust a phone to handle anything to do with money, ever. When I see a vendor with an iPad with a credit card reader, I pull out cash instead and use that.

Re:Yesterday tech coming real soon...

[Darinbob]

Chip+pin doens't reduce fraud claims because it doesn't reduce fraud.

Re:Yesterday tech coming real soon...

What's your fail-safe method of payment when the net connection does down or your battery dies? With standard cards you can take a carbon copy. With chipped or code based cards you can do??

Coming soon to a chip-n-pin card new you...

With the increased deprecation of strips, attacks on the chip and pin cards will become much more economically viable. This will culminate in a breach at any number of firms and the leaking of assorted keying material that will put entire SWATHS of customers at risk all at once even if they never used their card in public.

See also; SSL/TLS, HD-DVD, Divx, Sat/Cable TV, Hardware OEMs, etc

Requires mobile app, geolocation data sent to bank

The risk managers for one of the largest banks have decided that for this to work, your banking mobile app needs to track your location to know where you are and where you will go to prevent any ATM outside your immediate vicinity from using the code to withdraw money. Sure, it means no one on the other side of the country can make a withdrawal from your hacked account. But the USA PATRIOT Act also requires banks to spy on customers for the government (aka "Know Your Customer" provisions), so in addition to datamining your transactions for the government, do you really want them datamining your geolocation data too?

I'm working on the project, and I would never use this app.

Seriously?

[moforw]

You seriously think this is about preventing fraud? What are you, stupid? Look around you, our controllers are pissing their pants at the moment; desperate for more leverage before the shit hits the fan. I'll stuff their fucking gadgets down their throats and water board them until they swallow, any day now....

More secure?

Step 1: get rid of the ATM. There, fixed that for you.

How Bout No

Ditch the card and use a buggy app on a phone susceptible to phishing, rooting, and wireless interception? How bout NO, you crazy Dutch bastard.

I know I'm old and a luddite and all the other pejorative labels of inexperienced youthful ignorance. But, I'm not ever going to bank by smartphone, or email. I'm also not going to pay by mobile. Its a pointless security risk that I'll never expose myself to because of laziness or susceptibility to the marketing of those that want to skim a percent or two form every transaction.

I have a discrete card, connected to a single account, with a password(pin) for certain transactions and it comes with legal liability limits against fraudulent use. Beyond the temporary inconvenience of losing my wallet, something that has yet to happen in 40 years and a risk that is shared by the smartphone solutions, my risk is compartmentalized to that card/account and not my everything.

Re:How Bout No

[Darinbob]

But, but... using smart phones is cool! You can pay your bill and update your Instagram at the same time! I can hardly believe how uncool old people are.

Diebold? Smartphones?

As others already said: Diebold? WTF?

I don't know what to distrust more wrt security: Diebold or smartphones.

Actually yes: Diebold. But by a small margin.

Nice try...

[shellster_dude]

It'll be a cold day in hell before I willingly give my biometrics to my bank, my government, or a private agency. For one thing, I can't change them if they get stolen.

Secure payments is a very solve-able problem. The only reason it hasn't been solved yet is the reliance on old technology and infrastructure. The two primary problems are a lack of instance validation, and static card information.

Here's one answer:

Bank issues card with a chip. The chip has the bank's public key and a unique private key that the bank installs on the card, then keeps the associated public key. Encrypt the chip key with a 4 digit pin, or a real password. Now the payment process is a public / private key asymmetric encryption process. The card chip encrypts the transaction details, and a nonce that the bank sends (encrypted). If you need to support offline card use, then every time the card is plugged in to an online system, have the bank send down 50 or so nonces that are encrypted and have the card chip store them encrypted locally. That way, if the terminal doesn't have direct network access, the card just uses and burns the next stored nonce. If the terminal needs to store information, it can wrap the card's encrypted information in it's own public/private key encryption that it passes to the banks.

The biggest remaining issue is key exchange, but in the case of the end user, that only needs to happen when they request a new card. For the the merchants, this can happen in the same process that handles reconciliation with the banks. They can exchange a list of merchant public-private keys as an extension of those protocols.

Re:Nice try...

[Darinbob]

As you say the network is often down or not present. The nonces don't help because the stores themselves are not to be trusted. Stores have hacked the chip+pin systems and skimmed from customers. So nothing has really changed here: in the past the banks have accepted as certain percentage of loss from fraud credit cards, and today the banks accept a certain percentage of loss from chip+pin. You're also assuming, possibly naively, that the crypto systems are written to the highest level of security possible, that the machines are designed to the highest standards with respect to security, and so forth. In practice that is too expensive so short cuts are taken as long as the marketing claims otherwise.

In Soviet Russia ...

[maestroX]

You give money to ATM.

Re:In Soviet Russia ...

In Canada too. It's called a transaction fee. If you use an ATM that is not from your bank, there is a $1.50 - $3.00 transaction fee. All Canadian banks (except maybe one) charge a monthly $6 - $15 fee just to have a bank account as well, and depending on how much you pay that might give you x number of withdraws from bank machines at other banks without charging you the $1.50 - $3.00 transaction fee. Any retailer who receives a payment using a debit or credit card also pays transaction fees. That's the beauty of getting rid of all cash. The banks can be guaranteed to make a profit on every single transaction ever made.

Re:In Soviet Russia ...

[BarbaraHudson]

TD Bank, basic chequing account, $3.95 a month, if you have a $1,500 balance the fee is waived. 4 cheques and 10 debit / atm transactions included at no extra charge (or no charge w. the $1,500 balance). If you need more transactions, just carry around cash - it's still accepted pretty much everywhere.

Chip

[Nukenbar]

While chips have been standard in Europe for some time, I'm starting to see more and more US businesses starting to use the chip in cards over the past 6 months, especially drug stores.

It is interesting though that many people do not have a PIN associated with these chip cards in the US, so it is still "authenticated" with a signature.

Retinal

Sorry but I'd rather have my card stolen than some asshole gouge out my eyes just so he can civil-assets-forfeiture my bloody fifty bucks.

Stupidest idea I've heard all week!

[kheldan]

Get rid of the card

What if I don't have and don't want a smartphone?

Also, hasn't it occurred to anyone that this will actually make a 'cyber'-based attack easier?

Here's a better idea: How about you train banking personnel to be proficient at inspecting automatic teller machines for card skimmers and other physical exploits, and have them do it every time they service or reload the machine? In other words: How about better security? Also, how about multi-factor authentication at ATM machines?

Come on, people; every other day I read about some new exploit or security vulnerability on any type of smartphone you care to name, and now they want us to entrust access to the cash in our bank accounts to them? Really? Seriously?

Riiiight

[s.petry]

The only reason people could possibly disagree with Electronic voting machines is because "Luddite", and not because there has been a long history of corruption made-easy by these devices.

Since this is the 2nd article in as many days on the same subject, basic math shows that there is no benefit in safety using a Phone vs. an ATM card. Both are a single point of failure, protected by a simple PIN (and last I checked Phones don't require PIN numbers). TFA hints at it: The majority of theft from ATM is by physical attack. It is not easy to install skimmers in reputable places, but it's pretty easy to stick a gun in someone's back and tell them to make a cash withdrawal. You won't hear much about the robbery stuff, small does not generate ratings or help the narrative along.

You increase security by distributing the attack surface and minimizing exposure. Using a phone to generate/receive a timed PIN for your ATM card would be more secure.

I would rather not tie bio metric data to the verification, and, it can not be checked effectively (consider how your body changes every time you eat something different, or use a different soap, etc..etc..). Too many things can go wrong with that, and again you are only changing the surface not extending the surface. "I have, I know" simply becomes "I have, I am".

Re:Riiiight

The solution is fixing the machines and the associated protocols. The protocols used with the paper ballots are also full of holes.

The debate here is not Phone vs. ATM card, it's about Magnetic Strip vs. Chip. In what world is using a PIN-less magnetic strip safer than a card with a chip and a PIN?

Besides, using a phone increases the attack surface exponentially compared to using a credit card.

Trust

[nehumanuscrede]

I trust my debit card far more than I trust a mobile software application to interface with my financial accounts.

Under no circumstances will I use a mobile platform ( regardless of vendor, MS / Google, Apple ) to access my bank accounts.

Financial transaction alerts are pushed to the phone based on triggers I have setup, but I would never use a smartphone platform to log into nor perform a financial transaction.

Already in Mexico

In Mexico my bank already uses a mobile app to withdraw money from the ATM without the card, in the app you set the amount to withdraw and it generates a pin that is valid for 24Hrs.
Bad thing is that criminals spy on you and when you finish withdrawing your money they follow you and stole your money, no need for low/high tech only the good old fire arm.

chip/signature

In the US people are not used to PINs for credit cards. They have been present for years (tend to get used for cash advances
sometimes) but the situation is customers forget the PINs.
The reason for chip/signature is that it is believed customers will not remember their PIN and won't be able to use
a chip/pin card.

Remember too that EMV has all the complexity it has in the chip protocol due to a phone system that could not be used
to let the issuer verify a transaction. EMV dealt with that by allowing the card and POS system verify locally. That is
not needed in North America (at least in US/Canada). As for making cards hard to clone, the RFIDs used for nearfield
cards (e.g. Chase "Blink") are difficult to clone.

Neither is useful for e-commerce (yes there are major kludges that can in principle be used with an EMV card, but
with much inconvenience in use.)

So e-commerce is served not at all, and the EMV card is mostly useless where good phone or net service is universal.

Re:chip/signature

[ShanghaiBill]

The reason for chip/signature is that it is believed customers will not remember their PIN and won't be able to use
a chip/pin card.

That is silly. People use PINs all the time with debit cards. An interim solution would be to allow individuals to enable/disable PINs on their account. I would certainly enable it, for the extra security. My PIN is my wife's birthday, so I have plenty of incentive to not forget it.

Re:chip/signature

[nukenerd]

That is silly. People use PINs all the time with debit cards.... My PIN is my wife's birthday, so I have plenty of incentive to not forget it.

It certainly is silly; so silly that I wonder if you are not allowed in the US to change the PIN to something easier to remember. The date idea, being four digits, is a good one. I might use dates of battles; a pickpocket, or even someone who knows me, is hardly likely to derive it because (1) He won't know that I use dates of battles and (2) Even if he did he won't know which battle.

So my HSBC card might be the Battle of Blenheim, and my Lloyds card the Battle of Borodino. Actually, they are not.

Re:chip/signature

[Larry+Lightbulb]

It is silly, but it's also the line that many of the US card issuers are saying publicly - that it's a bonus because it's not yet another PIN to remember.

Re:chip/signature

[ShanghaiBill]

that it's a bonus because it's not yet another PIN to remember.

I just use the same PIN for all my cards. This might be trivially less secure, but I don't have to write anything down.

Using microstructure of magstripe is useless

The microdomain structure of a magstripe is indeed unique, but that does not make it impossible to clone, or even hard.
Remember, to read a magstripe, there needs to be a read head with a gap that reads the field. That is not infinitely
small...far from it.
If I want to read and duplicate microstructure, all I need is a read head that is narrow, and a medium that can record such
more-narrow patterns.

What prevents me from using a narrow read head derived from a video recorder (remember the old 8mm ones, for
example?) and maybe using videotape (again, how about the 8mm media?) to record the high frequency patterns?

This will not give exactly what the magstripe might have had, but will get it right for the part of the
signal that a reader can read. The video tape has smaller domains so it can replay the signal
pretty accurately.

If videotape technology did not exist, maybe a fine detail reader head could discern individual cards, but since
it does, it looks to me like cloning cards to forge details of magnetic domains would be fairly trivial technically.

So go ahead and invest many millions in that system, and watch it be massively forged anyway in
maybe 6 months.

Took me only a few minutes to see this. Why are these things again being proposed (I saw the proposal
maybe 10 years back)? Are they planning some radically different signal reading techniques?

Ditch the Diebold

[dcw3]

Great idea, but not with that company.

Get rid of the card

In Poland we have system where you can use your banking app to withdraw money from ATM.
You launch the app, generate code and enter it into ATM. If entered code is correct your banking app will display name and amount of transaction and ask for confirmation. After confirming you can withdraw your cash.
Banking apps are protected by PIN or password and most people locks their phones. Code is single use and transaction has to be confirmed, so it's pretty safe.
Usually it's possible to configure banking app so it doesn't have to be unlocked for small amounts if you like.
This method can be also used to make payments in shops but it's more convenient to use paypass/paywave (contactless payment).
There are also some ATMs accepting contactless payments, so card cannot be skimmed.

Re:Get rid of the card

[OrangeTide]

What I would like to see is a banking app that would run on a phone or on a durable card sized device.
I'm really not comfortable tying everything to my phone, which is easily hacked or frequently runs out of power on extended trips.

NOTE: some contactless payment technologies today can be skimmed without contact, using a radio antenna designed for the purpose. (ex: EMV)

Cheap is not so much a factor

[OrangeTide]

A card sized microprocessor that does two factor authentication is a relatively reasonable cost. Interfacing them to existing machines could be done through the mag reader as an interface, or through a new interface. The problem with a new interface is replacing all the terminals to support the new interface, this is the problem that the chip based credit cards are facing.
Today the cards themselves are replaced so infrequently that I can't imagine cost being the driving force.

What we already know is that the chip based cards are really slow to authorize. There are other ways to design the architecture so that it can be secure without requiring a constant connection to a central database. For example if banks were to sign my credentials and public key that is present on my card, and the microprocessor internally holds my private key used to challenge and authenticate transactions, then the system would only need to refresh a database of all of the public keys for all of the banks it needs. Realistically that's less than 10,000 banks, and would easily fit in the storage available in a modern card reader.

(sorry for the armchair architect post - I originally intended to only show that there are many ways to solve a problem)

Re:Cheap is not so much a factor

[peawormsworth]

...could be done through the mag reader as an interface, or through a new interface...

No new standard is required. Many exist. There are standards used throughout the world. Most involve a chip and a pin pad entry. Your bank or banking group simply picks one if it does not already have a proprietary solution.

..we already know is that the chip based cards are really slow to authorize.

That is not my experience at all. Please provide a link to the data you are referencing. Because I think maybe you are just expressing your personal experiences. Perhaps your bank or merchant has installed slow products or uses slow network connections.

I am guessing that maybe you are from the United States. It is my experience that consumer banking technology in that country is easily 10 years behind the others. I don't know why that is, but I speculate that either the banking cartels in the US are too competitive to come to a single standard that they are have access to, or more likely, the banking system depends on fraud in order to profit from the consumers and businesses who are forced to insurance against it.

In my personal experience, credit/bank card with chip is the faster than a cash payment. The new swipe technology is fastest. Your suggestion that it is slow or requires new technology is incorrect and I would be suspicious of the source of your information.

Simple solution...

The solution seems obvious, why use ATMs at all? Go all digital or credit card.
Privacy is an illusion anyway in today's society.

Easy ATM opening

[etudiant]

Card skimming is much too piecemeal an approach.
The preferred technique (well over 100 uses in 2015) in Germany is to hook the ATM to a cylinder of ethylene, add a spark, collect the cash and scram.
This takes about 2 minutes and produces about 10,000E per application, with about 100,000E collateral damage.
Best of all, it is not vulnerable to changes in the card technology