The Chip Card Transition In the US Has Been a Disaster

Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new one with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.

Re:What's the big problem?

[DarkOx]

What people mean when they say worst of both worlds is that it does not solve the entirety of the problem where card present transactions are concerned and chip and pin easily could have.

Implementation issues aside the mechanical action of swipe is always going to be faster than insert, wait, remove; pretty much no matter how small you make the value of wait. That said plain text mag strips with no 'real' client authentication was not a realistic security model for 21st century.

Yes its beyond the reach of most attackers to clone a chip card. Stolen card is still a problem though. It might take me hours to notice my entire wallet is missing, could be a day or more before I realize a single credit card is gone AWOL. There is plenty of time for someone to run up a lot of charges there, and cause me a real headache even if I won't ultimately be liable. Chip + PIN would have made it nearly perfect. Sure steal the card from my back pocket, now what? Go get the account locked for exceeding the number of allowed invalid PIN entries?

As a consumer I am getting a lot of new inconvenience ( which I would have found acceptable otherwise ) for a far less than ideal security solution. I could probably bang in a 4, 5, or 6 digit PIN faster than scrawling something on those signature pads anyway.