Will 'Chip and Pin' Credit Card Technology Really Increase Security? (Video)
Robin Miller for Slashdot: Okay. So I’m going to start off by saying, today we have Jerry Irvine with us. He is a member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and he is the CIO of Pre-scient Solutions in Chicago. Now, Jerry, did I pronounce that company name right?
Jerry Irvine: It’s actually Press-cient.
Slashdot: Oh, okay, Prescient.
Jerry Irvine: Yeah.
Slashdot: Chicago. At least we got the right city, right?
Jerry Irvine: That’s correct.
Slashdot: Okay. So we were talking about credit cards which have been a problem -- as you may know if you or anyone you know has been a Home Depot or Target customer. But you know we've heard this before. Over and over again. ‘This is going to be secure blah blah blah.’ So how is this new technology different from what has gone before, what makes it better?
Jerry Irvine: Well, the existing technology is that magnetic strip on the back of your credit card.
Slashdot: Yeah.
Jerry Irvine: That magnetic strip has been around since the 1950s and contains all of your personally identifiable information for that credit card in an unencrypted manner. So if anybody gets a copy of your credit card, they can swipe it into a device and they can read your name, your information, the bank account number, all of that information on that credit card and create another one for you.
Slashdot: Oh good.
Jerry Irvine: Now the new chip, what that does is it encrypts that information so all of that information is still on the card, but it's in the chip as opposed to being available unencrypted on a magnetic strip. So it's encoded, so that even if somebody had a reader, they wouldn't be able to decrypt that information. The other thing that occurs is rather than having a credit card that is an unlimited number of transactions, you know, if somebody gets your credit card, they can go on and buy different things at different stores.
Slashdot: Yes.
Jerry Irvine: If they get information that's on that chip, every purchase creates a separate token. It doesn't actually have the credit card information on there. So it's all tokenized. Every time it gets used, it goes to the bank and a separate token is created that then it is allowed for you to make a purchase. So if anybody stole that information, they would only be able to use it that one time for that one purchase, and actually, they wouldn’t even be able to use it as that; the purchase would already be null and void.
Actually, if they had the credit card itself and were going in and using it, they could probably still do the same thing. There are going to be methods that would keep that from happening. So all of this really comes down to multiple form factors of authentication right. So right now that chip is a single form of identification where you put it in at Target or you put it in at another store, it's not asking you for a pin number or anything like that right or a fingerprint or any other type of authentication. The next step will be to add a secondary form of authentication so that would either be some type of a biometric, a PIN or something like that. So once the technology is in place and moving forward, the idea would be they'd have to have the card with the chip in it, so something you HAVE. They would also have to have either something you KNOW like a user ID or PIN and then finally they could have something you ARE, which is a third form of authentication and that could be a biometric facial recognition and things like that.
Slashdot: So if they know things, I have this vision of people with guns standing in front of ATM saying, “What's your PIN?”
Jerry Irvine: Right.
Slashdot: “Give me your PIN, or I will do blah, blah, blah,” and it could be on my mother's maiden name too.
Jerry Irvine: That's correct, that’s correct. So you will have to make it complex, a four-digit PIN really isn't the most secure method even for bank cards and things of that nature. So having some type of biometric facial recognition or something like that in addition to a smart card like the chip would be a better means of authentication.
Slashdot: So basically this is something that the encrypted information on a chip, rather than on a magnetic strip, this is something that it won’t care. That's still going to be there. And something else: are they new? This is a real question: Are there new and exciting security flaws coming in with the chip cards?
Jerry Irvine: Well, so we’re going from 1950s technology with a magnetic strip to 1970s technology with the chip. It's been around since the 70s and so there are, you know there are some forms that can be used. So while the tokenization does help for people stealing information from point-of-sale systems directly, the theft of the card really doesn't help. I mean, if you leave your card at the table, I can walk away with it and I can still use it until you turn it off. There is still the ability for hackers to get into the point-of-sale systems or into the databases in the back and grab all the information. You know that Target incident wouldn’t have been helped with this new chip, because they actually stole user names, passwords, credit card information, social security numbers directly from the database server, not from the individual cards. So while the cards will help for an individual device they are not really going to help for back-end security.
Slashdot: I get PR email from companies that make secure wallets so that RFID readers can’t grab the info on your RFID credit cards, you have a tempested wallet. By the way, I could make one with a little bit of foil but I'm not going to tell these people who want $20 for special wallets. They don't want to hear that, do they?
Jerry Irvine: You can go to Best Buy or Staples or OfficeMax, any of the Office stores, and you can buy the RFID sleeves – just a little packet that you put your credit card in, you put it in your wallet, you don't need the whole wallet, just a little sleeve.
Now the back-end attacks obviously are more difficult. Hackers generally don't go in and attack directly to a server or directly to a firewall or some type of authentication device.
Slashdot: Right.
Jerry Irvine: What they do is they hack the users, right, so they send a phishing scam that then gives them a valid user ID and password, now they're able to get into the system as a person and they can copy the information, totally unencrypted and unscathed from any type of security detection device. Hacking the individual boxes, while you see that on TV and it's really cool, you get the hacker with the little zeros and ones going on the screen--that really doesn't happen that often. Not that it’s impossible, but it's a lot harder. And just like everybody else, the hackers want to do the things the easy way.
Jerry Irvine: Well, the biggest one right out the gate with the new introduction of the chip on all our credit cards is the fact that all of these credit cards that you are getting still have the magnetic strip on them. So it’s ridiculous. You have this really cool encrypted chip that's going to save all your information back anyway just – you know, so you have it in case you need it, so until that strip is gone, these credit cards are worthless, they really are.
Slashdot: So, we could use the title for this video, “Security Theater”, just like TSA. Just to use language, Security Theater, it makes everybody feel good, but as long as a magnetic strip is there.
Jerry Irvine: Yeah, it just doesn't matter, and today I went to the drugstore and got my meds and everything and my card has a chip on it, but it's got the stripe as well, so I swiped it because I didn't know they had the reader and it came up and said, “No, you've got to use your chip.” So then I go and use the chip. Well, evidently the chip on my card is bad, right? So now I can’t even use my credit card because you've got to do, it senses that you've got a chip on the card you won’t use it. So there's a lot of snags and snafus going on, the whole idea of companies now having to go in and buy this new equipment. They are spending millions of dollars to retrofit their point-of-sale systems with these EC chip readers. And it's okay. But there are other ways to do it. I mean the UPC codes that you can get on your phone. Apple Pay or Google Pay, or now Mastercard is coming up with a Mastercard Pass and all of these different things. There's going to be a number of different technologies out there. The EC is better than the magnetic strip, but electronic payment within your cards or Apple or your phone rather your Apple Pay and Google Pay and things... those can actually provide higher levels of security than the chip.
No.... (Score:5, Insightful)
date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
It's the date after which merchants are supposed to be liable for fraudulent purchase made with New-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).
Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn't support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank's issued card supports chip and pin, but the merchant doesn't support the feature.
Re:No.... (Score:4, Informative)
We are going Chip-and-Signature in the U.S., but if we were going Chip-and-PIN it could shift liability to the cardholder. Chip-and-PIN is thought to be secure, so the presumption of innocence may not hold as it does today.
See quote below from Jonathan E. Jaffe posted on Krebsonsecurity.com:
"Take a look under the May 2014 section of http://nc3.mobi/references/emv... [nc3.mobi] on what is happening in Europe under EMV. That page has lots of links, but here is the relevant text.
Change in Presumption of Innocence
An article in The Register (whose slogan is Biting the hand that feeds IT) is rather critical of chip-and-pin citing established weaknesses and some new ones referred to in the new paper Chip and Skim: cloning EMV cards with the pre-play attack from the Computer Laboratory, University of Cambridge, UK (16 page PDF) presented at the 2014 IEEE Symposium on Security and Privacy in San Jose, California 5/19/2014.
In this paper it is worth looking at the change in what we call presumption of innocence as it describes the case of a Mr Gambin, "who was refused a refund for a series of transactions that were billed to his card and which HSBC [ his bank ] claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29th June 2011. In such cases we advise the fraud victim to demand the transaction logs from the bank. In many cases the banks refuse, or even delete logs during the dispute process, leaving customers to argue about generalities." [ The bank deleted the evidence that would have shown the fraud. highlighting ours, see right column page one of the 16 page PDF -ed]"
Re: (Score:3)
Actually, cardholder rights aren't changing, and aren't technical, they're legal. No changes there at all.
If everybody follows the rules, either the merchant service or the issuing bank eat the loss. Same as it's always been.
Now adjust your tin foil hat. It's slipping down over your eyes.
Re: (Score:3)
date after which merchants are supposed to be liable for fraudulent purchases made with old-style cards, and are supposed to have point of sale terminals that accept "chip and PIN" cards.
It's the date after which merchants are supposed to be liable for fraudulent purchase made with New-style chip and Signature cards which are made as swipe transactions (e.g. with an old terminal).
TFIFY. The new US cards are chip and signature, not chip and PIN. At least, they are not required to be chip and PIN. Which is very unfortunate.
Re: (Score:2)
Retailers are remarkably resistant to chip & PIN in the US, out of a (probably misguided) perception that consumers will be resistant. Merchant services are very, very practical, and are not going to shut down their bread and butter over the issue.
US banks have extremely sophisticated algorithms to spot fraudulent transactions (which is why we're a decade behind Europe on this), and those won't be going away. Fraud rates are about 1/10th of 1 percent overall, which isn't exactly the end of the world to
Chip and PIN would, but... (Score:5, Informative)
it's not the retailers, it's the cards (Score:2)
US chip cards are set to "prefer signature". Many of them don't have PINs at all.
It's less secure, but likely it doesn't matter. Part of chip and PIN was designed to blame the customer for all in-person fraudulent charges on the idea that if your PIN was entered, you must have been there (and not just your card). This does not pass muster with US consumer protection laws, so there isn't a lot of reason to go to chip and PIN in the US.
Not that chip and PIN wouldn't work, I think the retailers just saw it as
Re: (Score:3)
Isn't eliminating some of the hassle of "oh I lost my card, someone can be charging on it right now" a good reason?
I know the consumer isn't responsible (directly) for the fraud, but we all are, in higher prices, even if one is smart and fully pays off credit cards and thus pays no interest. So preventing fraud is useful.
Vaguely similar to how the Apple ID lock on iPhones supposedly has lowered theft rates.
Re: (Score:2)
I think the retailers just saw it as too much hassle to make all merchants put in card readers which face the customer instead of the employees.
Nearly every retailer I use has a customer-facing credit card reader. At least that's been the case for the past decade or so anyway.
you never eat in restaurants? (Score:4, Informative)
In the US, table service restaurants virtually NEVER have customer-facing credit card readers.
Bars don't either.
In both you give them your card.
Really the places that do reliably have them facing customers are retail checkouts and anything with a self-serve kiosk.
Re:you never eat in restaurants? (Score:5, Informative)
Which is another reason why restaurants in the UK feel a shitload more secure than in the US....here, the waiters bring a wireless card reader over to the table. They don't wander off with your card to some back room where they can copy down the details. (It also speeds things up, as it involves fewer waiter back-and-forths)
You are right for the wrong reason (Score:5, Insightful)
Studies in Europe showed that when chip and pin nearly eliminated point-of-sale (in store) fraud, that within a year or so the fraud moved to card-not-present sales (that is, the fraud occurred by European cards used on the internet, phone, and also countries where the Pin network was not integrated back to Europe's clearinghouses like Brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or if it's less than it would have been).
For in-store (card present) sales, It isn't lost cards that are the biggest problem. It's stolen card numbers being either cloned onto forged plastic. Stolen card numbers are easily transmitted faster and also can be replicated many times, which is better than the original card itself. Just having the chip there can shut this down. You don't have to have the pin. thus card+signature is just as good as chip and pin for practical purposes. The pin just shuts down people using the original stolen card which is a small slice of the problem.
So no this isn't going to do much about fraud since card-not-present is actually going to become the dominant mode of sales (internet). But the pin doesn't help much.
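The point made in the comment above, that a copied card number clones a magnetic stripe but not a chip, as an added example (not part of the original comment and not any card scheme's code): a toy issuer accepts static stripe data every time it is presented, but rejects a replayed or altered per-transaction cryptogram. The HMAC construction, the field names, the 8-byte truncation and the card number are simplifying assumptions, not the EMV algorithm.

```python
import hashlib
import hmac
import os


def _message(pan, amount_cents, atc, nonce):
    # Every field the issuer must be able to trust goes under the MAC.
    return b"|".join([pan.encode(), str(amount_cents).encode(),
                      str(atc).encode(), nonce])


def _mac(key, pan, amount_cents, atc, nonce):
    # Assumption: truncated HMAC-SHA256 stands in for the real cryptogram.
    msg = _message(pan, amount_cents, atc, nonce)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Toy chip: the key never leaves the object; a counter advances per purchase."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0  # transaction counter kept on the card

    def sign(self, amount_cents, terminal_nonce):
        self._atc += 1
        return {
            "pan": self.pan,
            "amount": amount_cents,
            "atc": self._atc,
            "nonce": terminal_nonce,
            "cryptogram": _mac(self._key, self.pan, amount_cents,
                               self._atc, terminal_nonce),
        }


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def approve_magstripe(self, track_data):
        # Stripe data is static: knowing the number is all the issuer can check.
        return "approved" if track_data in self._keys else "declined: unknown card"

    def approve_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, txn["pan"], txn["amount"], txn["atc"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "declined: bad cryptogram"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "declined: counter already used"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"


def demo():
    issuer = Issuer()
    pan = "4000000000000002"  # constructed number, not a real account
    card = issuer.issue_card(pan)
    results = {}

    # Magnetic stripe: a byte-for-byte copy is indistinguishable from the card.
    copied_track = pan
    results["magstripe_original"] = issuer.approve_magstripe(pan)
    results["magstripe_copy"] = issuer.approve_magstripe(copied_track)

    # Chip: the same captured message is only good once.
    txn = card.sign(1250, os.urandom(4))
    captured = dict(txn)  # what a compromised terminal could record
    results["chip_original"] = issuer.approve_chip(txn)
    results["chip_replay"] = issuer.approve_chip(captured)

    # Changing any signed field without the card's key breaks the cryptogram.
    altered = dict(captured, amount=99900, atc=captured["atc"] + 1)
    results["chip_altered"] = issuer.approve_chip(altered)

    # The genuine card keeps working for its next purchase.
    results["chip_next"] = issuer.approve_chip(card.sign(300, os.urandom(4)))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

None of this covers card-not-present sales, where only the printed number is used; that is the gap the comment goes on to describe.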
apple pay and paypal versus samsung pay (Score:2)
So following up my own post, notice that paypal and apple pay both have the means to verify the user of the transaction for card-not-present transactions. Other card methods like say samsung-pay are just wrappers around the card right now and emulate the old swipe system. Thus samsung pay is actually obsolete before it even happened. Chip and Pin now forces you to carry your credit card not just the credit card number. Thus you will already have the credit card in your wallet making samsung pay replace
Re: (Score:2)
Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).
Re: (Score:2)
Samsung Pay still provides a virtual card number, so there's some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).
Why would they turn it off?
Re: (Score:2)
interesting. News reports said CVS and Walmart didn't do it because they are launching a competitor.
Re: (Score:2)
Yep, CurrentC. Which is basically a usability and security/privacy disaster [techcrunch.com]. It'll probably fail (and some retailers such as Best Buy already have abandoned it), but there will still be holdouts.
Re: (Score:2)
A large number of US retailers actually rely on non-consensual tracking/data mining as part of their business models. NFC would really interfere with that. Not to mention there are a few (like Walmart) who really hate Visa/MC and at best want all of the benefits card acceptance brings without paying anything.
Re: (Score:2)
So no this isn't going to do much about fraud since card-not-present is actually going to become the dominant mode of sales (internet). But the pin doesn't help much.
Is that still a big thing? All my online purchases I get a text from "Verified by VISA" with a one-time authentication code. So it's no good online, in stores I use a PIN so it's no good offline either. My impression was that almost all the fraud was either theft of card + PIN (camera, shoulder surfing) alternatively card + cell phone if it will display texts on screen or duplicating the magnetic strip and using it in backwards countries. Either that or somebody got my info on file for recurring/convenient
Re: (Score:2)
Verified by Visa isn't widely used among US online merchants. The only time I can recall running into it was with Ticketmaster, and at the time it was a hassle (some redirect to my bank's web site, not a code via text) such that I cancelled out of it, let the authorization decline, and tried again using Amex which didn't have an equivalent to Verified by Visa.
Re: (Score:2)
I'm afraid you're *very* misinformed. That might possibly have been the case for a short time after the cards were introduced, however for over a decade now online purchases have required part of an online password that is processed & authorised through a direct connection with your bank. If you don't know the requested characters of your online password, you can't complete the transaction.
South America has also had support for the system for the best part of a decade - even fucking Bolivia has it as st
Re: (Score:3)
So no this isn't going to do much about fraud since card-not-present is actually going to become the dominant mode of sales (internet). But the pin doesn't help much.
Not always true. With the heavy use of digipasses in which you insert your (European-issue) cards when you shop online, this becomes a card-is-present transaction.
The digipass validates it with an extra online handshake with the bank servers or payment processors -- and prompts for your PIN, which the CHIP on the card verifies, and generates a signature challenge, which the bank servers verify. This is card-is-present and bank-is-present-too.
My expectation is that merchants are not going to limit themselves to only the few customers with a card reader. On the other hand, they obviously could limit themselves to customers with internet so apple-pay or similar to generate a transaction token would be easy
Re: (Score:2)
We're getting Chip and Signature, which is much less secure.
No it isn't. The "chip" part is what provides most of the security. Pins are easy to skim or eyeball. Yes chip & pin is more secure than chip & signature.... but not by much.
Banks in US looked at the pros and cons, and decided that the slight additional security provided by a PIN was not worth the inconvenience to the customer and also the fact that a whole lot of merchants who do not have PIN pads will have to buy one. It was not a stupid decision, it was quite logical.
Online retailers (Score:2)
How does this work for online retailers? How do I get my own time pin out of the card? Does this mean you can't save a credit card anymore?
Re: (Score:2)
This isn't chip and pin. It's a Different Magstripe. Online retailers will do a card-not-present transaction the same way they always have.
Re: (Score:2)
We're getting every other part of the EMV system, just not the PIN part. That is a far cry from your characterization of chip and signature as a "different form of magstripe".
Re: (Score:2, Informative)
How does this work for online retailers? How do I get my own time pin out of the card? Does this mean you can't save a credit card anymore?
As someone in the UK where we have had chip and pin for years it does not change online purchases one little bit.
All chip and pin does is replace the bullshit signature with entering a pin. This is important because it prevents two types of attacks that used to be commonplace:
1) Have a friendly guy in the shop who didn't look too closely at your signature in return for a couple of quid.
2) Have a moron in the shop who didn't look too closely at your signature.
Both of these are pretty common place when you re
Re: (Score:2)
I did or witnessed a signature transaction exactly once in my life, and that was for buying duty-free in the small mountain nation. The cashier didn't have a list of 50 million printed signatures to check against or something. It was funny and unexpected.
Here in France you now have adults that only know chip and pin for a good reason : there was chip and pin before they were born.
In fact if you're writing a signature and relying on that, why not write a cheque. That used to be very common, requires a pen but
Re:Online retailers (Score:4, Interesting)
Re: (Score:2)
The reality is that you guys in the states have to start using chip and pin, or you can forget ever travelling to Europe where most of our terminals are moving to PIN only. Within a few years most retailers over here will have blanket bans on signature transactions, quite a few do already.
Considering that Visa and MasterCard regulations (and the UK's own laws) require that merchants still accept signatures, I don't see that going too well.
Re: (Score:2)
Considering that Visa and MasterCard regulations (and the UK's own laws) require that merchants still accept signatures, I don't see that going too well.
Isn't that only for special circumstances, e.g. a person with a disability that means they can't use a PIN?
Many merchants don't accept signatures: train ticket machines, cinema ticket machines, self-checkout at supermarkets, etc.
Re: (Score:2)
They're supposed to accept cards requiring signatures regardless of where the card's from. The disability requirement is to get such a card issued by a UK bank. Oh, and the Visa/MC rules also say that ticket machines, etc. are supposed to accept cards that don't a PIN. (Self-checkouts are considered "attended" so the person watching them still needs to get a signature.)
Re: (Score:2)
In Europe, cards also have a CVV2 (or CIC, CID, CSC, CVC2, might be named differently in other countries).
That's what you use to pay online.
Example: https://www.coastpavementservi... [coastpavem...rvices.com]
It does increase security a bit if used correctly (Score:2)
It does increase security a little bit. Don't forget: What really protects you, the consumer, is the fact that you're almost never responsible for fraudulent charges on your card unless you were grossly negligent.
The credit card companies don't want to (and cannot) completely prevent fraud. All they need is something to keep it at a manageable level so their high profits remain high. And chip-and-PIN is a little better than mag-stripe.
Short sighted and wrong. (Score:2)
The problem is that there are six million merchants out there with mag stripe readers, and nobody can force them all to change to EMV overnight. It took Europe four years to get even to 90% adoption rates. Until such time as most all retailers take them, the crappy mag stripes are required for backward compatibility. And if we say "this does nothing", that's wrong. It takes us one step further down a path we need to fully traverse.
Re: (Score:2)
The problem is that there are six million merchants out there with mag stripe readers, and nobody can force them all to change to EMV overnight. It took Europe four years to get even to 90% adoption rates. Until such time as most all retailers take them, the crappy mag stripes are required for backward compatibility. And if we say "this does nothing", that's wrong. It takes us one step further down a path we need to fully traverse.
The big credit card companies announced their migration plans 3 years ago, that's hardly overnight.
But no merchant will be forced to accept chip cards, they will just have to accept liability for any fraud that results from transactions on systems that are not EMV capable.
Re: (Score:2)
Unfortunately a lot of retailers bet wrongly that Visa and MasterCard would change their minds and now everyone's rushing.
Re: (Score:2)
The merchants here change readers every three years or so.
Re: (Score:2)
that the right thing is hard to do is no argument against doing the right thing
that it takes a long time to drain the swamp is no argument against doing the right thing and draining the fucking swamp
(metaphorically speaking of course, actual wetlands are vital aspects of the ecosystem)
Will? (Score:2)
Outside of the US, everyone already has it.
Re: (Score:2)
Outside of the US, everyone already has it.
These new cards are obviously some sort of "metric" credit cards hence the hold up here in 'Merica.
The description isn't quite right reg old cards (Score:3)
So tired (Score:2)
It hasn't stopped my boss from cracking the whip the last three months to get us to get EMV implemented.
Banks want to give anyone else the costs of fraud (Score:3)
I was a victim of an early fraud about five years ago, at a coffee shop at Paddington Station. I bought a coffee using my chip and pin from my business account (well, there were lots of us having coffee, and I decided for once it was a business expense). A few days later, I noticed some charges on my account I couldn't identify, and I contacted the bank. Their immediate reaction was that I must have let someone have my PIN. It took six weeks to have the money returned to me by the bank - and then only when they could displace the blame on to the retailer (apparently I wasn't alone, and an investigation by the police turned up a hacked card reader which stored PINs on an SD card).
two factor (Score:2)
For online purchases, why doesn't the bank issue two factor codes like I use to log into AWS?
Meanwhile... (Score:2)
While the USA are getting on board with Chip and Pin, the rest of the world has already moved on to NFC.
I don't recall the last time I used a magnetic strip.
Re:None of my cards have a chip! (Score:4, Insightful)
Re: (Score:2, Informative)
They're only liable for magstripe transactions on cards that have a chip.
Magstripe-only cards still work the same way they always did, legally and functionally.
So basically his local Home Depot is just being a panicky bunch of dicks.
Re:None of my cards have a chip! (Score:4, Interesting)
his bank has already sent him a new card with a chip in july, august, or september
if he didn't activate the new card, some time in october he'll go to lowe's, try to use his old card, and his transaction will be declined
he'll call the bank and raise hell and they'll say "sir, we sent you a new card and you did not activate it"
he won't be able to use magstripe-only for very long because all major banks have replaced them or are replacing them
he may have a card with some oddball institution that continues with magstripe only. that institution will be pressured by continuing changes in technology and standards, or they will raise their eyebrows at the fraud they have to cover, then they will go to chips too
and this is all a good thing, increased security
is there some valid reason why top comment doesn't want the chip?
or is it "receiving the mark of the beast" level low intelligence paranoid mental vomit?
Re: (Score:2)
his bank has already sent him a new card with a chip in july, august, or september
Of my 5 cards (2 business, 3 personal), only 2 (1 business, 1 personal) have chips in them. one is chip+pin, and the other is chip+signature.
Re: (Score:2)
the rest will probably be coming soon
the changeover is industry wide
Re: (Score:2)
they will give you a new card soon or you missed it in the mail (which should concern you). check with your bank
Re: (Score:3)
Different banks are taking different approaches, with some proactively sending out new cards, most at minimum accepting a request for a new card with a chip, and some waiting until cards expire before sending out new chip cards. Stores like Home Depot will continue to accept your valid magnetic stripe card; the only time they'll decline the swipe is if you swipe a chip card, it will prompt you to insert the card into the chip reader.
Re:None of my cards have a chip! (Score:5, Informative)
You've clearly never worked in retail. There are rules. If the merchant follows the rules, they are protected, and either the merchant service or the issuing bank eats the loss.
(Online companies, mail order companies, and other "card not present" merchants cannot follow the rules, so, yeah, they're hosed.)
EMV means the rules are changing, and they're more complicated, but if the card has no chip, the old rules still apply, and the merchant is protected if they follow the rules.
Retailers can ignore chip and sig completely (Score:2)
That liability will shift temporarily to the bank, IF the merchant has the new technology, AND the bank does not. Once both have the tech, the liability falls back on the merchant, because anybody with a stolen card, has also stolen the chip.
This is primarily a stick for the banks, since they wil
Re: (Score:3)
It certainly won't eliminate the swipe cards for a long, long time. They've had chip and pin in Europe for a decade, and you can still swipe.
Expect that to change.
Swipe readers have been absent in Europe on unsupervised machines (e.g. buying a train ticket) for years, and aren't available at some smaller shops — unless they expect American trade, it's not useful. Even if it does exist, the cashier would often be reluctant to use it.
Re: (Score:2)
The specs not only allow but require that merchants still be able to process mag strip only cards. If your card doesn't have a chip, they'll still accept it.
Only 70% of credit cards (and 25% of debit cards) in the US will be chip cards by the end of this year. Banks do not like losing money. It'll be a decade or more before mag strips are no longer usable.
Re: (Score:2)
Walmart is doing it here as of the last few weeks, as well as Dollar General.
The supermarket that I shop at (BI-LO) was doing it two weeks ago but I'm guessing someone complained because the machines weren't asking you to insert chipped cards anymore as of a few days ago.
Personally I don't find the process THAT bad, but until everyone gets used to it it certainly does slow the line down.
Re: (Score:3, Funny)
Punching in a four digit PIN is slowing things down?
I weep for humanity.
Re: (Score:3)
US chipped (credit) cards generally don't have a PIN, or it's prioritized so low that it's never going to be used domestically. OP is likely referring to having to keep the card in the slot for multiple seconds vs. being able to put it away immediately after swiping.
Re: (Score:3)
Contactless is actually superconvenient, given a limit on the maximum amount for which it works. Over here that maximum is EUR 25, which allows you to be really fast for all small purchases (which are generally the purchases where that really matters).
I would support a system where you could authorize it to work for higher amounts at certain vendors (supermarkets, for instance).
Re: (Score:2)
Walmart's been doing it for a while, actually. Close to a year at this point.
Re: Dollar General--I'll see if I can confirm whether any other of their stores have support turned on (none in my area) and if so, add them to the site in my signature. Do you know if they have NFC turned on as well?
Re: (Score:2)
I've asked dozens of stores in the last couple of months if I can use the chip reader, and they all say that they haven't enabled them (and some have said they don't have plans to enable them) because of problems with the activation of the chip readers. Two 7-Elevens told me that they had problems with double-charges, a big-box store (I don't remember which) said the cards didn't read properly all the time in tests, and several others have said as recently as last week that the required software hadn't bee
Re: (Score:2)
I don't think the low level cashiers, etc. at major retailers really know much other than any training materials they received from corporate. But it is looking like a lot fewer than everyone thought will be ready in time.
Re: (Score:2)
No more a disaster than the last few years have been. Very few POS software vendors are actually ready, and at least some have delayed releasing EMV packages because of it. They'd be fools to release software that isn't ready just as the holiday shopping season starts, and the retailers would be fools to accept it.
So things continue the way they have, with the liability for that 1/10th of 1% of transactions that are fraudulent (or, more likely, half that, unless you sell consumer electronics) shifting, in s
Re: None of my cards have a chip! (Score:5, Insightful)
Given Australia is 100% chip & pin with signatures not accepted since August last year I would hope the system manufacturers have the bugs ironed out.
Re: (Score:3)
The UK has the same. It's now implemented on London underground so you can use your credit card like an Oyster card and it will open the gates. (Apple Pay also works)
Re: (Score:2)
Re: (Score:2)
It depends on one's bank. Most are going with chip and signature, but some (Barclay's comes to mind, and some banks that cater heavily to international travelers) are issuing chip and PIN cards.
Re: (Score:2)
Actually, Barclay's cards are still Chip and Signature, in that they are programmed to prefer the signature and will only prompt you for a PIN if the location is unable to accept a signature (like a European train ticket kiosk). But that's still better than some issuers (like Chase and Capital One), which don't support PIN at all (other than for cash advances like they always have).
There are a couple credit unions at least that are issuing PIN-preferring cards.
Re: (Score:2)
Debit cards will ask for a PIN but only at places that have already accepted debit. And it's still optional, just like magstripe. Too bad I don't see that changing any time soon; might as well just never ask for a PIN on debit as well except for cash back if it's not going to be made mandatory.
Re: (Score:3)
I've had most of my card replacements come with a chip, but I've certainly not been offered or required to do any type of PIN number for it...I just call and activate it on the phone the usual way.
I think it is only Europe mostly that does the PIN part too?
Re: (Score:3)
Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obscurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.
Re:Only if you use App Cards with APPS! (Score:5, Informative)
Despite the physical similarity to the European chip&pin system, the US one is different. It's basically the same thing as a magstripe, but different form factor. It's security through obscurity, in that the fraudsters haven't figured it out yet and the equipment to skim and clone a chip card is not yet common. It's a jump ahead in the race, but does nothing to stop the race.
Not exactly. The new US cards use a one time token for the transaction like other PIN and chip cards, but MC/Visa have not required issuers to force PINs. So no 2-factor but still much safer for physical transactions than magstripe, provided you don't lose the card itself. Doesn't do shit if the card itself is stolen or for online transactions though.
Re:Only if you use App Cards with APPS! (Score:4, Informative)
Re: (Score:3, Informative)
The data on the chip is a signed certificate; but it's not encrypted.
Most certificates aren't encrypted.
IF the data was encrypted and required a pin to unlock, THEN you would have a little security because even if you clone the data, you don't have the key to unlock it to allow the transaction. HOWEVER the spec doesn't allow for that, the spec is basically half of Private Key cryptography.
That wouldn't be private key cryptography, that would be shared secret cryptography.
In EMV there's a couple of modes, modern cards use what is called DDA. In DDA the card provides the unencrypted public certificate to the terminal, the terminal then provides 'random' data (and this is where the few attacks on EMV happen if the terminal is broken and provides not truly random data). The EMV chip in the card then uses its own internal private key to sign that random data an
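The challenge-response idea described in the comment above, as an added example that is not part of the thread and not real EMV code: toy textbook RSA stands in for the card's actual key and signature format, and every class and function name is hypothetical. It shows why a copy holding only the card's public data cannot answer a fresh challenge, and why the terminal's challenge must be unpredictable.

```python
import hashlib
import secrets

# Toy textbook RSA built from two known Mersenne primes: illustration only, not secure.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; on a real card it never leaves the chip


def digest(challenge: bytes) -> int:
    # Hash the challenge and reduce it into the RSA modulus range.
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


class ChipCard:
    """Genuine card: holds the private key and signs the terminal's challenge."""
    public_key = (N, E)  # assumed already validated through the issuer certificate

    def respond(self, challenge: bytes) -> int:
        return pow(digest(challenge), D, N)


class ReplayClone:
    """Copy holding only public data plus one response recorded earlier."""
    public_key = (N, E)

    def __init__(self, recorded_response: int):
        self.recorded = recorded_response

    def respond(self, challenge: bytes) -> int:
        return self.recorded  # no private key, so it can only repeat the old answer


def terminal_accepts(card, challenge: bytes) -> bool:
    # Verify the card's signature over this transaction's challenge.
    n, e = card.public_key
    return pow(card.respond(challenge), e, n) == digest(challenge)


def fresh_challenge() -> bytes:
    return secrets.token_bytes(8)  # unpredictable value chosen per transaction


def demo() -> dict:
    genuine = ChipCard()
    old = b"\x00\x00\x00\x01"  # constructed challenge from an earlier transaction
    clone = ReplayClone(genuine.respond(old))
    return {
        "genuine_fresh": terminal_accepts(genuine, fresh_challenge()),
        "clone_fresh": terminal_accepts(clone, fresh_challenge()),
        "clone_repeated": terminal_accepts(clone, old),  # terminal reused its challenge
    }
```

The `clone_repeated` case is the failure the comment points to: a terminal whose challenge repeats or can be predicted loses the freshness guarantee, so terminals need a cryptographically secure random source.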
Re:Only if you use App Cards with APPS! (Score:5, Insightful)
It's basically the same thing as a magstripe
Other than the unique one time code that's generated for every chip transaction, of course. And the extreme difficulty of retrieving the private encryption keys needed to generate those codes from the chip itself.
Re:Only if you use App Cards with APPS! (Score:5, Informative)
The whole point of the chip is that you can't skim it (e.g. you can't simply read the information and make a fake card that outputs the same info).
Sure there is no law of physics that says you can't copy the chip in theory, compared to magnetic stripes which are designed to be read to even work, there is currently no easy way to copy a computer chip.
Comparing the security of a magnetic stripe to a smart chip is like comparing the security of a paper document folded in half to an encrypted digital file. Sure there is no guarantee that the encryption can't be broken at some point in the future, but it is almost incalculably more secure than hoping no one unfolds the document and reads it.
Re:Only if you use App Cards with APPS! (Score:5, Informative)
...It's basically the same thing as a magstripe, but different form factor....
I'm 99.9999% sure you are absolutely wrong!
Granted, the chip&signature that the US is adopting is far weaker than the chip+pin used elsewhere (the pin is "something you know" which prevents the card from being used by others, whereas the signature is just a scribble of anything you want and doesn't technically lock/unlock anything).
However, you can swipe a mag stripe and read all the info from it via VERY cheap hardware (for example, a free square reader). Doing so will give you every piece of info that is printed on the front of the card. It's the same info you'd get if you did an old style carbon copy rubbing of the card like gas stations used to use, and that's the same info you'll get off the new chip+sig mag stripes and imprints. The chip isn't there to prevent theft of the physical card.
If, however, you use the chip, then the merchant does not get the actual card number. There's a two way communication from your card, to the terminal, to the bank, and back, all using crypto. You can think of it like an SSL handshake. Once that handshake is complete, the merchant has a one time use token to use for the purchase.
What does this solve? It ensures that the merchant can't log your card number and store it in their insecure database for thieves to later take, ala the Target breach**, because they'll never have that number. More importantly for the banks, it's "proof" that the card was there, and not some cheap copy.
** I think that's what happened at Target, but there have been mixed stories, and I'm not 100% certain... maybe it involved data they got from the web instead, but I doubt that. I'm pretty sure it was card numbers scanned locally.
Re: (Score:2)
Re:Only if you use App Cards with APPS! (Score:5, Insightful)
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
The US chips will be cracked in a matter of months, maybe more, and we gain almost nothing.
The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.
The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.
We finally had a good push to revamp the payment card infrastructure, and they totally blew it.
Re: (Score:3)
Australia no longer accepts signatures at all. August last year it became chip & pin only
Re: (Score:3)
The US went chip & signature instead of chip & PIN, so the entire change is basically meaningless.
The US chips will be cracked in a matter of months, maybe more, and we gain almost nothing.
The chip & PIN system uses PKI and only communicates with the payment transaction system when the authorized user provides the PIN. Sure, you could have a rogue retailer push transactions in excess of what the buyer thought he was paying, but that will be caught and prosecuted swiftly.
The US system has no real authentication of the card user since (a) no one checks the signature to begin with, (b) most users leave an unintelligible scrawl, and (c) no retailer has a full-time handwriting expert on staff.
We finally had a good push to revamp the payment card infrastructure, and they totally blew it.
Not only that, if I put my card in the chip reader rather than just swiping it, seems to take 10 seconds longer. Or twenty seconds, or thirty.... I think in many cases convenience will trump security.
Problem is that the readers which support the chip will also detect that the card has a chip and force it to use the chip. Ran into that already; the mag stripe won't work with them - it's chip only. Or at least, retailers can configure it that way, which I'm pretty sure they'd be required to do under the mentioned requirements by MC/Visa/AMEX
Re: (Score:2)
Fun fact: the signature is not checked by anyone and it does not have to match, as most of the POS card readers are worn and do not correctly record the signature.
Re: (Score:3)
When I write anything recognizable at all, I put "Zaphod B". No one even looks at it.
Re: (Score:2)
It's a rationalization made by some in the media. While it might have a bit of basis in fact, the real reason is that banks don't really consider PIN a worthwhile investment of time or money.
Re:It's Chip and Signature, Not Chip and PIN? (Score:4, Informative)
Better than magstrip and signature.
When I worked in retail 15 years ago I had someone pay with a credit card, and while checking the signature, which matched perfectly, I saw the card number on the receipt didn't match the card. I only paid attention because they were suspiciously easy to up-sell to.
They had written someone else's magstrip data on to their own card.
All you need to do is buy a $100 device from ebay, sneakily swipe customer cards while you're working your low paying gas station job and write the data to your own card.
You can then go on a spending spree, writing a new stolen card number for every purchase so the automated fraud detection algorithms don't catch you and block the stolen card.
You can't do that with a chip card, since you can't clone the card.
It's even harder with NFC, since the customer never lets go of their card.
Re: (Score:2)
Re: (Score:2)
It's because we have the best banking system money can buy (aka the banks want to spend as little money as possible). That's why PIN's not being bothered with, even though retailers basically have to buy terminals that support it anyway.
Done with e-banking (Score:2)
The way the system should work is every user's card should have a number pad on it where they enter their PIN. It should display the merchant's name, an amount of the transaction, and a transaction ID (i.e. the receipt). The card should then encrypt a message with GPG that is then transmitted to the cardholder's bank authorizing the bank to release the funds to the merchant.
...and that's how it works with lots of European banks' e-banking interface:
a completely offline device (either a chip-card in a small calculator-like device, or a card with a keypad directly on it) is used to sign transactions (or simply the numbers they display. But you get to see the numbers).
European banks do it because:
- it's really the best possible security at this level of convenience, thus less risk for their customer and thus less possible liabilities for the banks themselves.
- it's their own e-bankin
Re: (Score:2)
Contactless has been widespread in London for about three years, and very common in the last 18 months (since it became possible to pay for buses and the tube with it).
It's only for transactions under £20 (and transport), and if you do too many in a row you need to enter a PIN.