
Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)

The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent. Even so, October 1 is the date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.

Robin Miller for Slashdot: Okay. So I’m going to start off by saying, today we have Jerry Irvine with us. He is a member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and he is the CIO of Pre-scient Solutions in Chicago. Now, Jerry, did I pronounce that company name right?

Jerry Irvine: It’s actually Press-cient.

Slashdot: Oh, okay, Prescient.

Jerry Irvine: Yeah.

Slashdot: Chicago. At least we got the right city, right?

Jerry Irvine: That’s correct.

Slashdot: Okay. So we were talking about credit cards which have been a problem -- as you may know if you or anyone you know has been a Home Depot or Target customer. But you know we've heard this before. Over and over again. ‘This is going to be secure blah blah blah.’ So how is this new technology different from what has gone before, what makes it better?

Jerry Irvine: Well, the existing technology is that magnetic strip on the back of your credit card.

Slashdot: Yeah.

Jerry Irvine: That magnetic strip has been around since the 1950s and contains all of your personally identifiable information for that credit card in an unencrypted manner. So if anybody gets a copy of your credit card, they can swipe it into a device and they can read your name, your information, the bank account number, all of that information on that credit card and create another one for you.

Slashdot: Oh good.

Jerry Irvine: Now the new chip, what that does is it encrypts that information so all of that information is still on the card, but it's in the chip as opposed to being available unencrypted on a magnetic strip. So it's encoded, so that even if somebody had a reader, they wouldn't be able to decrypt that information. The other thing that occurs is rather than having a credit card that is an unlimited number of transactions, you know, if somebody gets your credit card, they can go on and buy different things at different stores.

Slashdot: Yes.

Jerry Irvine: If they get information that's on that chip, every purchase creates a separate token. It doesn't actually have the credit card information on there. So it's all tokenized. Every time it gets used, it goes to the bank and a separate token is created that then it is allowed for you to make a purchase. So if anybody stole that information, they would only be able to use it that one time for that one purchase, and actually, they wouldn’t even be able to use it as that; the purchase would already be null and void.

Actually, if they had the credit card itself and were going in and using it, they could probably still do the same thing. There are going to be methods that would keep that from happening. So all of this really comes down to multiple form factors of authentication, right? So right now that chip is a single form of identification: where you put it in at Target or you put it in at another store, it's not asking you for a PIN or anything like that, right, or a fingerprint or any other type of authentication. The next step will be to add a secondary form of authentication, so that would either be some type of a biometric, a PIN or something like that. So once the technology is in place and moving forward, the idea would be they'd have to have the card with the chip in it, so something you HAVE. They would also have to have either something you KNOW like a user ID or PIN, and then finally they could have something you ARE, which is a third form of authentication, and that could be a biometric, facial recognition and things like that.

Slashdot: So if they know things, I have this vision of people with guns standing in front of ATM saying, “What's your PIN?”

Jerry Irvine: Right.

Slashdot: “Give me your PIN, or I will do blah, blah, blah,” and it could be on my mother's maiden name too.

Jerry Irvine: That's correct, that’s correct. So you will have to make it complex, a four-digit PIN really isn't the most secure method even for bank cards and things of that nature. So having some type of biometric facial recognition or something like that in addition to a smart card like the chip would be a better means of authentication.

Slashdot: So basically this is something that the encrypted information on a chip, rather than on a magnetic strip, this is something that it won’t care. That's still going to be there. And something else: are they new? This is a real question: Are there new and exciting security flaws coming in with the chip cards?

Jerry Irvine: Well, so we’re going from 1950s technology with a magnetic strip to 1970s technology with the chip. It's been around since the 70s and so there are, you know there are some forms that can be used. So while the tokenization does help for people stealing information from point-of-sale systems directly, the theft of the card really doesn't help. I mean, if you leave your card at the table, I can walk away with it and I can still use it until you turn it off. There is still the ability for hackers to get into the point-of-sale systems or into the databases in the back and grab all the information. You know that Target incident wouldn’t have been helped with this new chip, because they actually stole user names, passwords, credit card information, social security numbers directly from the database server, not from the individual cards. So while the cards will help for an individual device they are not really going to help for back-end security.

Slashdot: I get PR email from companies that make secure wallets so that RFID readers can’t grab the info on your RFID credit cards, you have a tempested wallet. By the way, I could make one with a little bit of foil but I'm not going to tell these people who want $20 for special wallets. They don't want to hear that, do they?

Jerry Irvine: You can go to Best Buy or Staples or OfficeMax, any of the office stores, and you can buy the RFID sleeves – just a little packet that you put your credit card in, you put it in your wallet, you don't need the whole wallet, just a little sleeve.

Now the back-end attacks obviously are more difficult. Hackers generally don't go in and attack directly to a server or directly to a firewall or some type of authentication device.

Slashdot: Right.

Jerry Irvine: What they do is they hack the users, right, so they send a phishing scam that then gives them a valid user ID and password, now they're able to get into the system as a person and they can copy the information, totally unencrypted and unscathed from any type of security detection device. Hacking the individual boxes, while you see that on TV and it's really cool, you get the hacker with the little zeros and ones going on the screen--that really doesn't happen that often. Not that it’s impossible, but it's a lot harder. And just like everybody else, the hackers want to do the things the easy way.

Jerry Irvine: Well, the biggest one right out the gate with the new introduction of the chip on all our credit cards is the fact that all of these credit cards that you are getting still have the magnetic strip on them. So it’s ridiculous. You have this really cool encrypted chip that's going to save all your information back anyway just – you know, so you have it in case you need it, so until that strip is gone, these credit cards are worthless, they really are.

Slashdot: So, we could use the title for this video, “Security Theater”, just like TSA. Just to use language, Security Theater, it makes everybody feel good, but as long as a magnetic strip is there.

Jerry Irvine: Yeah, it just doesn't matter, and today I went to the drugstore and got my meds and everything and my card has a chip on it, but it's got the stripe as well, so I swiped it because I didn't know they had the reader and it came up and said, “No, you've got to use your chip.” So then I go and use the chip. Well, evidently the chip on my card is bad, right? So now I can’t even use my credit card because you've got to do, it senses that you've got a chip on the card you won’t use it. So there's a lot of snags and snafus going on, the whole idea of companies now having to go in and buy this new equipment. They are spending millions of dollars to retrofit their point-of-sale systems with these EC chip readers. And it's okay. But there are other ways to do it. I mean the UPC codes that you can get on your phone. Apple Pay or Google Pay, or now Mastercard is coming up with a Mastercard Pass and all of these different things. There's going to be a number of different technologies out there. The EC is better than the magnetic strip, but electronic payment within your cards or Apple or your phone rather your Apple Pay and Google Pay and things... those can actually provide higher levels of security than the chip.
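Two things from the interview can be seen concretely in code: the stripe carries the card data in the clear, and the drugstore terminal's "you've got to use your chip" prompt comes from a field the terminal reads off that same plaintext stripe. The following is an added example, not part of the interview or of Slashdot's page. It parses a constructed ISO/IEC 7813 Track 2 string (the PAN 4111111111111111 is the well-known Visa test number, not a real account), applies the Luhn check, and decodes the three-digit service code, whose first digit (2 or 6) tells a terminal that an IC chip is present. The swipe-fallback policy in `terminal_decision` is an assumption for illustration, not a quotation of any brand's rules.

```python
import re

# Constructed sample Track 2 data (not a real card). Layout per ISO/IEC 7813:
#   ;<PAN>=<YYMM expiry><3-digit service code><discretionary data>?
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"

# Service code digit meanings (ISO/IEC 7813). Digit 1: interchange and technology.
SERVICE_INTERCHANGE = {
    "1": "international",
    "2": "international, IC (chip) present",
    "5": "national",
    "6": "national, IC (chip) present",
    "7": "private",
    "9": "test",
}
# Digit 2: authorization processing.
SERVICE_AUTH = {
    "0": "normal authorization",
    "2": "contact issuer via online means",
    "4": "contact issuer via online means except under bilateral agreement",
}
# Digit 3: allowed services and PIN requirements.
SERVICE_USE = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; catches typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Everything here is plaintext on the stripe: no key, no secret, just ASCII."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a Track 2 string")
    pan, exp, svc, disc = m.group("pan", "exp", "svc", "disc")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan": pan,
        "expiry": f"20{exp[:2]}-{exp[2:]}",
        "service_code": svc,
        "chip_present": svc[0] in ("2", "6"),
        "interchange": SERVICE_INTERCHANGE.get(svc[0], "unknown"),
        "authorization": SERVICE_AUTH.get(svc[1], "unknown"),
        "allowed_use": SERVICE_USE.get(svc[2], "unknown"),
        "discretionary": disc,
    }


def terminal_decision(track: str, terminal_has_chip_reader: bool) -> str:
    """Assumed fallback policy: a chip-capable terminal that sees a chip-capable
    service code on a swipe refuses the swipe and asks for the chip."""
    info = parse_track2(track)
    if info["chip_present"] and terminal_has_chip_reader:
        return "insert chip"
    return "swipe accepted"


if __name__ == "__main__":
    for k, v in parse_track2(SAMPLE_TRACK2).items():
        print(f"{k:14} {v}")
    print(terminal_decision(SAMPLE_TRACK2, terminal_has_chip_reader=True))
```

The point of the example is what is absent: nothing on the stripe is secret, so anyone who can read it can write an identical one. The service code is also why a card with a bad chip becomes unusable at a chip terminal, as in the drugstore anecdote: the terminal sees "chip present" on the swipe and insists on the chip it cannot read.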

  • No.... (Score:5, Insightful)

    by mysidia ( 191772 ) on Wednesday September 30, 2015 @04:18PM (#50630885)

    date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.

    It's the date after which merchants are supposed to be liable for fraudulent purchases made with New-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).

    Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn't support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank's issued card supports chip and pin, but the merchant doesn't support the feature.

    • by mark-t ( 151149 )
      And who is responsible for a fraudulent charge if both support chip and pin?
      • The bank/card issuer. If both support EMV, then fraudulent transactions are handled the same way as they are under Mag-Stripe.
      • Re:No.... (Score:4, Informative)

        by LessThanObvious ( 3671949 ) on Wednesday September 30, 2015 @06:15PM (#50631871)

        We are going Chip-and-Signature in the U.S., but if we were going Chip-and-PIN it could shift liability to the cardholder. Chip-and-PIN is thought to be secure, so the presumption of innocence may not hold as it does today.

        See quote below from Jonathan E. Jaffe posted on Krebsonsecurity.com:
        "Take a look under the May 2014 section of http://nc3.mobi/references/emv... [nc3.mobi] on what is happening in Europe under EMV. That page has lots of links, but here is the relevant text.
        Change in Presumption of Innocence
        An article in The Register (whose slogan is Biting the hand that feeds IT) is rather critical of chip-and-pin citing established weaknesses and some new ones referred to in the new paper Chip and Skim: cloning EMV cards with the pre-play attack from the Computer Laboratory, University of Cambridge, UK (16 page PDF) presented at the 2014 IEEE Symposium on Security and Privacy in San Jose, California 5/19/2014.
        In this paper it is worth looking at the change in what we call presumption of innocence as it describes the case of a Mr Gambin, "who was refused a refund for a series of transactions that were billed to his card and which HSBC [ his bank ] claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29th June 2011. In such cases we advise the fraud victim to demand the transaction logs from the bank. In many cases the banks refuse, or even delete logs during the dispute process, leaving customers to argue about generalities." [ The bank deleted the evidence that would have shown the fraud. highlighting ours, see right column page one of the 16 page PDF -ed]"

    • by EvilSS ( 557649 )

      date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.

      It's the date after which merchants are supposed to be liable for fraudulent purchases made with New-style chip and Signature cards which are made as swipe transactions (e.g. with an old terminal).

      TFIFY. The new US cards are chip and signature, not chip and PIN. At least, they are not required to be chip and PIN. Which is very unfortunate.

      • My Visa card's got a chip, so I called the issuer regarding a PIN - no PIN available
        • by taustin ( 171655 )

          Retailers are remarkably resistant to chip & PIN in the US, out of a (probably misguided) perception that consumers will be resistant. Merchant services are very, very practical, and are not going to shut down their bread and butter over the issue.

          US banks have extremely sophisticated algorithms to spot fraudulent transactions (which is why we're a decade behind Europe on this), and those won't be going away. Fraud rates are about 1/10th of 1 percent overall, which isn't exactly the end of the world to

    • From an article I read earlier, the best part is the manufacturers haven't been able to keep up with the demand for the new readers. So, many smaller retailers are going to be potentially on the hook for a couple of months for any card fraud while they wait for their machine.
  • by gweilo8888 ( 921799 ) on Wednesday September 30, 2015 @04:18PM (#50630887)
    ...that's not the system we're getting in the US, at least for the time being and at most retailers. We're getting Chip and Signature, which is much less secure. We're just calling it Chip and PIN, but most retailers aren't actually using PIN numbers to complete transactions...
    • US chip cards are set to "prefer signature". Many of them don't have PINs at all.

      It's less secure, but likely it doesn't matter. Part of chip and PIN was designed to blame the customer for all in-person fraudulent charges on the idea that if your PIN was entered, you must have been there (and not just your card). This does not pass muster with US consumer protection laws, so there isn't a lot of reason to go to chip and PIN in the US.

      Not that chip and PIN wouldn't work, I think the retailers just saw it as

      • so there isn't a lot of reason to go to chip and PIN in the US.

        Isn't eliminating some of the hassle of "oh I lost my card, someone can be charging on it right now" a good reason?

        I know the consumer isn't responsible (directly) for the fraud, but we all are, in higher prices, even if one is smart and fully pays off credit cards and thus pays no interest. So preventing fraud is useful.

        Vaguely similar to how the Apple ID lock on iPhones supposedly has lowered theft rates.

      • I think the retailers just saw it as too much hassle to make all merchants put in card readers which face the customer instead of the employees.

        Nearly every retailer I use has a customer-facing credit card reader. At least that's been the case for the past decade or so anyway.

    • by goombah99 ( 560566 ) on Wednesday September 30, 2015 @04:36PM (#50631109)

      Studies in Europe showed that when chip and PIN nearly eliminated point-of-sale (in store) fraud, that within a year or so the fraud moved to card-not-present sales (that is, the fraud occurred by European cards used on the internet, phone, and also countries where the PIN network was not integrated back to Europe's clearinghouses like Brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or if it's less than it would have been).

      For in-store (card present) sales, it isn't lost cards that are the biggest problem. It's stolen card numbers being cloned onto forged plastic. Stolen card numbers are easily transmitted faster and also can be replicated many times, which is better than the original card itself. Just having the chip there can shut this down. You don't have to have the PIN. Thus chip+signature is just as good as chip and PIN for practical purposes. The PIN just shuts down people using the original stolen card, which is a small slice of the problem.

      So no, this isn't going to do much about fraud since card-not-present is actually going to become the dominant mode of sales (internet). But the PIN doesn't help much.

      • So following up my own post, notice that paypal and apple pay both have the means to verify the user of the transaction for card-not-present transactions. Other card methods like say samsung-pay are just wrappers around the card right now and emulate the old swipe system. Thus samsung pay is actually obsolete before it even happened. Chip and Pin now forces you to carry your credit card not just the credit card number. Thus you will already have the credit card in your wallet making samsung pay replace

        • Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).

          • Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).

            Why would they turn it off?

            • by PRMan ( 959735 )
              CVS told me they have to do it for HIPAA reasons in their pharmacy.
            • A large number of US retailers actually rely on non-consensual tracking/data mining as part of their business models. NFC would really interfere with that. Not to mention there are a few (like Walmart) who really hate Visa/MC and at best want all of the benefits card acceptance brings without paying anything.

      • by Kjella ( 173770 )

        So no this isn't going to do much about fraud since card-not-present is actually goging to become the dominant mode of sales (internet). But the pin doesn't help much.

        Is that still a big thing? All my online purchases I get a text from "Verified by VISA" with a one-time authentication code. So it's no good online, in stores I use a PIN so it's no good offline either. My impression was that almost all the fraud was either theft of card + PIN (camera, shoulder surfing) alternatively card + cell phone if it will display texts on screen or duplicating the magnetic strip and using it in backwards countries. Either that or somebody got my info on file for recurring/convenient

        • Verified by Visa isn't widely used among US online merchants. The only time I can recall running into it was with Ticketmaster, and at the time it was a hassle (some redirect to my bank's web site, not a code via text) such that I cancelled out of it, let the authorization decline, and tried again using Amex which didn't have an equivalent to Verified by Visa.

      • I'm afraid you're *very* misinformed. That might possibly have been the case for a short time after the cards were introduced, however for over a decade now online purchases have required part of an online password that is processed & authorised through a direct connection with your bank. If you don't know the requested characters of your online password, you can't complete the transaction.
        South America has also had support for the system for the best part of a decade - even fucking Bolivia has it as st

    • We're getting Chip and Signature, which is much less secure.

      No it isn't. The "chip" part is what provides most of the security. PINs are easy to skim or eyeball. Yes chip & PIN is more secure than chip & signature.... but not by much.

      Banks in US looked at the pros and cons, and decided that the slight additional security provided by a PIN was not worth the inconvenience to the customer and also the fact that a whole lot of merchants who do not have PIN pads will have to buy one. It was not a stupid decision, it was quite logical.

  • How does this work for online retailers? How do I get my one-time PIN out of the card? Does this mean you can't save a credit card anymore?

    • This isn't chip and pin. It's a Different Magstripe. Online retailers will do a card-not-present transaction the same way they always have.

      • Actually in Europe we have 2FA for online banking and payment with online retailers. Everybody has got a little card reader which is required for signing transactions.
      • We're getting every other part of the EMV system, just not the PIN part. That is a far cry from your characterization of chip and signature as a "different form of magstripe".

    • Re: (Score:2, Informative)

      by Ash Vince ( 602485 ) *

      How does this work for online retailers? How do I get my one-time PIN out of the card? Does this mean you can't save a credit card anymore?

      As someone in the UK where we have had chip and pin for years it does not change online purchases one little bit.

      All chip and pin does is replace the bullshit signature with entering a pin. This is important because it prevents two types of attacks that used to be commonplace:

      1) Have a friendly guy in the shop who didn't look too closely at your signature in return for a couple of quid.

      2) Have a moron in the shop who didn't look too closely at your signature.

      Both of these are pretty common place when you re

      • I did or witnessed a signature transaction exactly once in my life, and that was for buying duty-free in a small mountain nation. The cashier didn't have a list of 50 million printed signatures to check against or something. It was funny and unexpected.
        Here in France you now have adults that only know chip and pin for a good reason : there was chip and pin before they were born.

        In fact if you're writing a signature and relying on that, why not write a cheque. That used to be very common, requires a pen but

      • Re:Online retailers (Score:4, Interesting)

        by F.Ultra ( 1673484 ) on Wednesday September 30, 2015 @05:12PM (#50631443)
        While the PIN is stored on the card it cannot be read externally since you cannot read that part of memory using the pins on the card. AFAIK when you enter the PIN on the terminal it sends it to the card together with the amount and then the card creates a one time key for that amount signed with the card's internal secret key if the PIN matches what it has stored inside, and this one time key is what it sends to the terminal and which it in turn sends to VISA/Mastercard/... so yes the chip+PIN is way more secure than the old magstripe and the chip+signature.
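The exchange F.Ultra describes (PIN checked inside the card, a per-transaction cryptogram over the amount that only the issuer can verify), goombah99's point that a copied number is useless without the chip, and the Cambridge "pre-play" attack cited earlier in the thread can all be shown in one toy model. The following is an added example, not EMV's real algorithms and not code from any issuer or from the commenters: real cards derive 3DES session keys from the transaction counter and MAC a longer record of terminal data (the CDOL), whereas here an HMAC-SHA256 over amount, terminal "unpredictable number" and ATC stands in for the ARQC. The class and function names, the master key, the PIN and the PAN are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; not real card data.
PAN = "4111111111111111"        # standard Visa test number
MASTER_KEY = bytes(range(16))   # hypothetical per-card secret, shared only with the issuer
PIN = "4321"


def _cryptogram(key: bytes, amount: int, un: int, atc: int) -> bytes:
    """8-byte MAC binding amount, terminal unpredictable number and ATC (stand-in for an ARQC)."""
    data = struct.pack(">QIH", amount, un, atc)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """The secret key and PIN never leave the card; only cryptograms do."""

    def __init__(self, pan: str, master_key: bytes, pin: str):
        self.pan = pan
        self._key = master_key
        self._pin = pin
        self.atc = 0          # application transaction counter, +1 per cryptogram
        self.pin_tries = 3

    def generate_cryptogram(self, pin: str, amount: int, un: int):
        """Terminal supplies PIN, amount and its unpredictable number; card answers or refuses."""
        if self.pin_tries == 0:
            return None                                   # card blocked
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries -= 1
            return None                                   # wrong PIN: nothing leaves the card
        self.pin_tries = 3
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "un": un, "atc": self.atc,
                "arqc": _cryptogram(self._key, amount, un, self.atc)}


class Issuer:
    """Holds the same per-card key and the last ATC it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, msg: dict) -> str:
        key = self._keys.get(msg["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _cryptogram(key, msg["amount"], msg["un"], msg["atc"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "DECLINE: bad cryptogram"            # tampered or forged
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "DECLINE: replayed counter"          # already-seen transaction
        self._last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"


def run_scenarios() -> dict:
    card = ChipCard(PAN, MASTER_KEY, PIN)
    issuer = Issuer()
    issuer.enroll(PAN, MASTER_KEY)
    results = {}

    # 1. Honest purchase: correct PIN, fresh unpredictable number from the terminal.
    msg = card.generate_cryptogram(PIN, 1999, un=0x1A2B3C4D)
    results["legit"] = issuer.authorize(msg)

    # 2. Wrong PIN: the card refuses; the issuer never sees anything.
    refused = card.generate_cryptogram("0000", 1999, un=0x11111111) is None
    results["wrong_pin"] = "card refused" if refused else "unexpected"

    # 3. Replay of the captured message from step 1 (a "clone" built from sniffed data).
    results["replay"] = issuer.authorize(msg)

    # 4. Tampering: a compromised terminal rewrites the amount after the card signed.
    results["tampered_amount"] = issuer.authorize(dict(msg, amount=199900))

    # 5. Pre-play: a hacked reader holding the card and the typed PIN asks for an extra
    #    cryptogram using the number it predicts a weak terminal will emit later.
    stolen = card.generate_cryptogram(PIN, 5000, un=0x00000042)
    results["preplay"] = issuer.authorize(stolen)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} {outcome}")
```

Scenarios 3 and 4 are why a stolen chip transcript cannot be turned into forged plastic the way a stripe dump can: the cryptogram is bound to the amount and counter and never repeats. Scenario 5 is the caveat from the Cambridge paper: the issuer's two checks both pass, because the attacker obtained a genuine cryptogram ahead of time for a "unpredictable number" that was in fact predictable. The counter check only catches reuse, not cryptograms harvested in advance, so the security rests on terminals actually producing unpredictable numbers and, as the Paddington anecdote later in the thread shows, on the reader not being the attacker.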
      • The reality is that you guys in the states have to start using chip and pin, or you can forget ever travelling to Europe where most of our terminals are moving to PIN only. Within a few years most retailers over here will have blanket bans on signature transactions, quite a few do already.

        Considering that Visa and MasterCard regulations (and the UK's own laws) require that merchants still accept signatures, I don't see that going too well.

        • by xaxa ( 988988 )

          Considering that Visa and MasterCard regulations (and the UK's own laws) require that merchants still accept signatures, I don't see that going too well.

          Isn't that only for special circumstances, e.g. a person with a disability that means they can't use a PIN?

          Many merchants don't accept signatures: train ticket machines, cinema ticket machines, self-checkout at supermarkets, etc.

            • They're supposed to accept cards requiring signatures regardless of where the card's from. The disability requirement is to get such a card issued by a UK bank. Oh, and the Visa/MC rules also say that ticket machines, etc. are supposed to accept cards that don't have a PIN. (Self-checkouts are considered "attended" so the person watching them still needs to get a signature.)

            • by jrumney ( 197329 )
              What sort of disability must one have to not be capable of pressing some buttons on a keypad, but still be capable of signing your name?
    • In Europe, cards also have a CVV2 (or CIC, CID, CSC, CVC2, might be named differently in other countries).
      That's what you use to pay online.
      Example: https://www.coastpavementservi... [coastpavem...rvices.com]

  • It does increase security a little bit. Don't forget: What really protects you, the consumer, is the fact that you're almost never responsible for fraudulent charges on your card unless you were grossly negligent.

    The credit card companies don't want to (and cannot) completely prevent fraud. All they need is something to keep it at a manageable level so their high profits remain high. And chip-and-PIN is a little better than mag-stripe.

  • The problem is that there are six million merchants out there with mag stripe readers, and nobody can force them all to change to EMV overnight. It took Europe four years to get even to 90% adoption rates. Until such time as most all retailers take them, the crappy mag stripes are required for backward compatibility. And if we say "this does nothing", that's wrong. It takes us one step further down a path we need to fully traverse.

    • by hawguy ( 1600213 )

      The problem is that there are six million merchants out there with mag stripe readers, and nobody can force them all to change to EMV overnight. It took Europe four years to get even to 90% adoption rates. Until such time as most all retailers take them, the crappy mag stripes are required for backward compatibility. And if we say "this does nothing", that's wrong. It takes us one step further down a path we need to fully traverse.

      The big credit card companies announced their migration plans 3 years ago, that's hardly overnight.

      But no merchant will be forced to accept chip cards, they will just have to accept liability for any fraud that results from transactions on systems that are not EMV capable.

      • Unfortunately a lot of retailers bet wrongly that Visa and MasterCard would change their minds and now everyone's rushing.

    • by emj ( 15659 )

      The merchants here change readers every three years or so.

    • that the right thing is hard to do is no argument against doing the right thing

      that it takes a long time to drain the swamp is no argument against doing the right thing and draining the fucking swamp

      (metaphorically speaking of course, actual wetlands are vital aspects of the ecosystem)

  • Outside of the US, everyone already has it.

    • Outside of the US, everyone already has it.

      These new cards are obviously some sort of "metric" credit cards hence the hold up here in 'Merica.

  • Merchants are on the hook when a fraudulent purchase is made, with a NEW style card, but the merchant hasn't updated to a new style reader. Issuers are on the hook when a fraudulent purchase is made with an OLD style card.
  • It hasn't stopped my boss from cracking the whip the last three months to get us to get EMV implemented.

  • by niks42 ( 768188 ) on Wednesday September 30, 2015 @05:23PM (#50631521)
    .. so, if there are some disputed charges on your account, the bank can either 1) chase the retailer to get the lost money back - assuming the retailer has not given you the opportunity to use Chip and PIN or 2) chase you, since clearly if there is a transaction on your account, and your card is a Chip and PIN card, either you have given someone your card and PIN (in which case it's your fault) or someone has stolen your card, and found out your PIN (in which case you failed to keep it secure, and bugger me, it's YOUR FAULT again).

    I was a victim of an early fraud about five years ago, at a coffee shop at Paddington Station. I bought a coffee using my chip and pin from my business account (well, there were lots of us having coffee, and I decided for once it was a business expense). A few days later, I noticed some charges on my account I couldn't identify, and I contacted the bank. Their immediate reaction was that I must have let someone have my PIN. It took six weeks to have the money returned to me by the bank - and then only when they could displace the blame on to the retailer (apparently I wasn't alone, and an investigation by the police turned up a hacked card reader which stored PINs on an SD card).
  • For online purchases why doesn't the bank issue two factor codes like I use to log into AWS?

  • While the USA are getting on board with Chip and Pin, the rest of the world has already moved on to NFC.

    I don't recall the last time I used a magnetic strip.
