Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Chip Card Transition In the US Has Been a Disaster (qz.com)

Posted by msmash on from the ramification dept.

Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new one with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.

22 of 675 comments (clear)

  1. What's the big problem? by Anrego · · Score: 5, Insightful

    As a Canadian I really don't get this. We've had chip and pin here for awhile, and while the initial adoption was a bit rough, it generally works fine.

    Confusing

    Reader says "insert chip in the bottom".
    You insert chip in the bottom.
    Reader says "enter pin".
    You enter pin.

    Painstakingly slow

    I've noticed some readers are slow, but this probably has nothing to do with the chip, the merchant just has a shitty system. If you're talking about the process being slower, ok yeah, by about 10 to 15 seconds or so.

    Less secure than the alternatives

    What alternatives? Getting a signature that no teller ever verifies or checking the name against your ID (which again, never actually happens)?

    Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".

    1. Re:What's the big problem? by Anonymous Coward · · Score: 4, Informative

      Because here in the USA it's Chip and Signature, not Chip and Pin.

    2. Re:What's the big problem? by jittles · · Score: 5, Informative

      Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".

      Editor is obviously using hyperbole. I just got a replacement card with a chip from my credit union. I went grocery shopping, and 2 of the stores had me swipe, the 3rd had me insert the card. It did take significantly longer, and you need to remove it at a specific time in the process or else the transaction will fail. That store also has Apple Pay, so I think I'll just use that at that particular store in the future. Other stores have told me that the chip reader on their unit doesn't work.

      As someone who writes software dealing with those sorts of terminals and transactions for many many banks I can tell you that the problem with Chip and PIN (or Signature) is not the technology itself, but a lack of understanding of the people implementing it in the US. First of all, removing the card before the second application cryptogram (this is after your issuing bank authorizes the transaction and the card sees this auth) ALWAYS results in an automatic decline and reversal generated by the terminal. You could leave the card in the terminal forever after that and the transaction would still be authorized. If you see anything else, it's (again) due to someone not understanding how the process works!

      The reason it's slow is probably due to the way the processing bank configured its terminal. I worked with one bank who wanted the terminal configured with every single possible application ID under the sun - even though there are brand specific applications you can use to say "I want to support all VISA". Instead they added over 10 different VISA applications that are region specific in addition to the global VISA application. So what happens when you dip the card? The terminal (usually) asks the card one by one "Hey do you support this application ID?" and it takes a long time to do this. You spend 30-45 seconds waiting for the card and the terminal to agree on what type of card will be presented for payment. I've seen MANY banks do this and its entirely unnecessary unless you want to exclude certain regions. Even then, it would be faster to accept the global AID at the start of the transaction and have the POS application decide that it didn't like your card due to the issuer country code or the application of the card rather than list the dozens of applications that can be available for each card brand.

      And for those above who say that Chip and Signature is the worst of both worlds - you're entirely wrong! I can easily clone your mag stripe card and use it to my heart's content. I know of no current attacks against EMV that allow you to clone a chip and use it for online transactions. Since the US requires ALL transactions to go online (floor limit of 0), you cannot effectively use a cloned chip card in the United States. Furthermore, the chip card dynamically generates certain card information at the time of each transaction. This makes it very difficult to steal the track data from an EMV card and turn it into a cloned mag stripe card.

    3. Re:What's the big problem? by Z00L00K · · Score: 4, Insightful

      Which is really seriously stupid since almost anyone can fake a signature.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:What's the big problem? by ShanghaiBill · · Score: 5, Informative

      Which is really seriously stupid since almost anyone can fake a signature.

      There is no need to "fake" a signature. Any scribble will suffice. No one, absolutely no one, checks the signature for anything. Just drag the stylus across the screen in a straight line, and it will say "accepted".

    5. Re:What's the big problem? by fahrbot-bot · · Score: 4, Informative

      No one reads the signatures. I would guess they're stored for possible use in court in fraud cases.

      It's pointless anyway. My signature looks completely different (and worse) when I try to sign on those stupid little pads then when on paper. Granted, my handwriting is terrible, but I can imagine the same for others.

      --
      It must have been something you assimilated. . . .
    6. Re:What's the big problem? by AikonMGB · · Score: 4, Interesting

      As a Canadian that recently moved the US, the system here is utterly ridiculous and broken. I never know when I should swipe vs insert the chip, I have never been asked for a pin, sometimes I have to sign and sometimes I don't (there doesn't seem to be a clear limit), and there's no tap-to-pay. It's that last part that was killer; I used tap-to-pay for 90% of purchases in Canada, with chip+pin being the remaining 10% of larger purchases like electronics.

      There's also an obsession with literal cash, here. People see it as the default, whereas in Canada, cash tended to be a fall-back for most people.

      It's truly bizarre. I find it much more annoying to pay for things here.

    7. Re:What's the big problem? by DarkOx · · Score: 5, Interesting

      What people mean when they say worst of both worlds is that it does not solve the entirety of the problem where card present transactions are concerned and chip and pin easily could have.

      Implementation issues aside the mechanical action of swipe is always going to be faster than insert, wait, remove; pretty much no matter how small you make the value of wait. That said plain text mag strips with no 'real' client authentication was not a realistic security model for 21st century.

      Yes its beyond the reach of most attackers to clone a chip card. Stolen card is still a problem though. It might take me hours to notice my entire wallet is missing, could be a day or more before I realize a single credit card is gone AWOL. There is plenty of time for someone to run up a lot of charges there, and cause me a real headache even if I won't ultimately be liable. Chip + PIN would have made it nearly perfect. Sure steal the card from my back pocket, now what? Go get the account locked for exceeding the number of allowed invalid PIN entries?

      As a consumer I am getting a lot of new inconvenience ( which I would have found acceptable otherwise ) for a far less than ideal security solution. I could probably bang in a 4, 5, or 6 digit PIN faster than scrawling something on those signature pads anyway.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:What's the big problem? by caseih · · Score: 4, Interesting

      As I understand it, this is not the point of the chip and signature system. The point of the chip is to make it much much harder to clone the card. With the old non-chip system, all someone needs is your CC number. They can program that into the magnetic strip and start using it. Many places like fast food never even required signatures. Gas stations only required zip codes, and then only sometimes.

      My biggest problem with chip and pin is that banks disclaim themselves of all liability for transactions that go through with a valid PIN, as they feel the chip is secure enough to prove that the card must have been real and if the pin was used, that's because you intended to do it. Nevermind that cards can still be cloned and pin numbers skimmed. This is also a problem if someone steels your card and knows your pin, you're on the hook for everything. Happened to a guy here in Canada when his ex girlfriend stole his card. Back when they were dating he shared his pin with her (big mistake... but what about marriages that end in divorce?).

    9. Re: What's the big problem? by Yvan256 · · Score: 4, Funny

      Is your family name "Matrix", by any chance?

    10. Re:What's the big problem? by beanpoppa · · Score: 4, Informative

      Debit is chip and pin. Credit is chip and signature. Throughout the US.

    11. Re:What's the big problem? by Teckla · · Score: 4, Interesting

      What is needed is decent 2 factor authentication.

      Isn't that what chip and PIN was supposed to bring us? Something you have (the card) and something you know (the PIN)?

      Why the hell did the U.S. adopt chip and signature? I was excited for my new chip and PIN credit card until I realized it was chip and signature.

  2. This disaster is entirely of your own making by Nemyst · · Score: 5, Insightful

    First of all, "But reading the chip seems to take much longer than just swiping." Big fucking whoop? That's the time it takes for the card to obtain authentication from the bank server instead of the terminal just blindly accepting the transaction. That's already more secure, so stop whining.

    But more importantly, chip and PIN is known to be more secure than swipe and sign. That's not up for debate, it's a fact. Unfortunately, the US, in their wise ways, decided to bastardize the system into chip and sign, removing the vast majority of the additional security for no real benefit. Oh, you can't remember a 4-digit PIN? Tough fucking luck. Instead, you'll probably have to switch to chip and PIN at some point in the future, causing another confusing transition.

    Furthermore, the partial transition, various fuckups and all have largely been isolated to the US. Sure, Europe, Canada and others have also had a few hiccups when moving to the new system, but they had clear, strict deadlines that all providers followed. The US basically let the monkeys run the show, and so it's been a mess of delays.

    You guys fucked up, now you get to live with the consequences. This isn't a failing of the chip system, it's a failing of the US thinking they could half-adopt it. That entire article sounds like entitled whining.

  3. Nope by fireylord · · Score: 5, Insightful

    The whole article just smacks of fear of change frankly. We in the 21st century part of the Western hemisphere have long since done this, and reaped the fraud prevention benefits (read: no significant retail chip and pin fraud, fraudsters forced to try Cardholder not Present fraud, to which there are also pretty effective countermeasures).
        I suspect those retailers still asking for magswipe will be transitioned to chip usage by their card service provider as the fraudsters will increasingly target those that still insist on swipe. The money will talk in this case, however the idea of chip and sign is a bit silly in that it will only stop coounterfeit cards, not stolen cards.

    1. Re: Nope by Anonymous Coward · · Score: 5, Insightful

      Yeah, there are places in the world where "disaster" means something more than just a few seconds of inconvenience at the supermarket.

    2. Re:Nope by Anonymous Coward · · Score: 5, Informative

      There are several issues here in the US with this conversion. Many retailers have the new machines, new POS software, etc. and are waiting and waiting for the card industry to certify them. So they have to tape over the chip readers and tell people to keep swiping. AND the card industry puts fraud on the retailer because they dared to still use swipe with a card capable of chip. But it is the card industry themselves who are delaying the certifications. That's one issue. Another is this whole "chip and signature". With no PIN, there is really no major advantage. Steal a card, forge a signature. Not hard. I know large retailers like Wal-Mart are suing the card industry over that one. Apparently the claim is that it has nothing to do with what the card industry claims (they claim that US people are too stupid to move directly from swipe to chip and PIN) and has something to do with the card industry making more profit if they go to chip and signature. Lots of problems - many of them apparently politically and financially motivated by awful companies.

    3. Re:Nope by NicBenjamin · · Score: 4, Informative

      This isn't Ars. There is no real "downvote to oblivion" level because that little slider at the top let you set the score of posts you want to see. Some folks put up with the spam/juvenile bullshit/etc. that appears at -1, others refuse to even see shit that's as high as +2.

      In this case there's no downvoting at all. He posted it anonymously, and Anonymous posts start at 0.

    4. Re:Nope by aix+tom · · Score: 4, Informative

      Seems it's the other way around in Europe. We run a retail with several outlets. When we do "Chip/Mag + Signature" we pay for what fraud we get, when we do "Chip + Pin" the bank is responsible. *But* since Chip+Pin has a "higher transaction cost", we basically do Signature, and only when the fraud happening in that area rises above the cost of the higher pin transaction cost we switch to pin.

      ( Then again, most of those are direct debit cards which is a whole other beast than the US credit cards )

    5. Re:Nope by Dahan · · Score: 5, Insightful

      With no PIN, there is really no major advantage. Steal a card, forge a signature.

      The advantage is that you now have to steal a card, rather than just skimming the magstripe of one. The idea is that the chip ensures that you have the actual card, and the PIN (mostly) ensures that you are an authorized user of the card. In the US, with chip and signature, we don't have that second assurance, but having the first is better than nothing.

  4. The fault lies.... by Lumpy · · Score: 5, Insightful

    Completely at the feet of the banks. They needed to get off their asses and spend a tiny bit of their immense profits to fucking switch over. The banks could send every retailler a new chip reader for every register for free and STILL make record profits every quarter.

    So blame the Banks and the Greedy assholes that run those banks.

    I'm for bringing back all the heavy handed bank regulation from before 1980. Fuck the bankers.

    --
    Do not look at laser with remaining good eye.
  5. They don't make disasters like they used to by taustin · · Score: 5, Informative

    For a disaster, it's been pretty mild for my employer.

    Several points to consider, from my personal observations (as the IT guy in charge of deploying and training on this):

    1) Chip & PIN vs. Chip & signature. Yeah, chip and PIN is more secure for the consumer, but EMV isn't about security for the consumer. That's not at all the point of EMV. The point of EMV is to protect the banks, who eat the loss, when somebody breaks into a big retailer and steals 120 million credit card numbers at the same time, because PCI compliance hasn't been enough, and never could be. EMV is the half of the new system that gets the news coverage, but the other half, point-to-point encryption, is more important. The transaction gets encrypted in the credit card pad, and the merchant never sees the card information. So if you break into their network, there's nothing there to steal. The benefit to the merchant is that PCI compliance is a hell of a lot easier (and less expensive). The benefit to the consumer is that their cards are, in fact, less likely to be compromised (because that kind of break-in is a huge part of credit card fraud these days), so less hassle waiting for a new card.

    But in the US, the consumer isn't protected by the technology, they're protected by the law. If your card is stolen, you're never responsible for more than the first $50 (and if you're bank gives you static about that, file a complaint and open an account with a bank that isn't crooked).

    2)It's not confusing, it's just different. The process isn't any more complicated, it's just a different process. So the cashiers need about one minute of training, mainly by me buying a soft drink so they could see the new screens, and then they had it down (because we don't hire idiots as cashiers, and we train them), and the customers will need a few reminders for a while. The only two actual issues we've had (both very minor) are that we used to not need a signature for transactions under a certain amount, and we need a signature on every transaction now (because it's chip & signature, not chip & sometimes signature - but I expect that to be relaxed very soon), and we have to remind the customers to remove the card when it's all done (and our system actually helps on that, because it won't let them sign until the card is removed, which reminds the cashier to remind the customer). The pads could beep a little louder, but it's not a problem.

    3) It's only slower if you bought shitty equipment. I've seen very slow chip card transactions. They're pretty much always the cheap-ass little standalone terminals that small merchants get on a lease from their merchant service (who don't care how slow it is). The reason for this is that the pad is doing the encryption, and that requires a certain amount of processing horsepower. Ours are new, expensive, and high quality. The difference in time processing a chip card and a mag strip card is less than one second. Barely enough to notice. Other big chain stores I've been in that do EMV also have new, expensive, high quality pads, and they, too, are basically just as fast either way.

    So no, it's not the end of the world. Just more hysteria mongering from somebody who has a book to sell, or just hates all change, even for the better. In other words, it's a day that ends in "y."

  6. yo playa by lucm · · Score: 5, Funny

    My bank recently replaced its ATM cards with chip/pin. Where I used to step up to an ATM, swipe the card, and put it and my wallet away while the machine woke up. The rest of the transaction, I have my hands free, and I'm gone in 30 seconds.

    if you put your wallet away after swiping your card, what did you do with the cash (which certainly doesn't come out before "the machine wakes up")? Put it in a gold clip so you can stylishly flip out one bill at a time at the strip club?

    --
    lucm, indeed.