[elecengin]

Interesting - I was suspicious that this "Quick Chip" process they refer is less secure, but apparently it is just a matter of poor implementations requiring the card for the entire authorization process:

"According to Ericksen, the ability for EMV transactions to continue as usual without the card remaining dipped after the creation of the cryptogram is actually already an existing EMV process, but it is just not widely used. With the implementation of Quick Chip, no additional testing or certification is needed from a Visa or EMVCo point of view, there are no changes to the process and the technology is inherently EMV compliant."

http://www.pymnts.com/news/emv/2016/visa-puts-the-quick-into...

[praseodym]

I've been wondering about that for a while now. In Europe (The Netherlands for me), it seems like paying with NFC is a lot faster than paying with regular 'chip and pin' where the card needs to stay in the reader for ~5 seconds after entering the PIN. Since both use the EMV protocol and the same chip (just contact vs. contactless), I'm not sure why the contact method is so much slower.

[ultrafez]

I believe it's down to how your bank sets up your card, and how the retailer's set up. In the UK, when I pay with my debit card at Tesco, after entering my PIN it instantly says I can remove my card. Apparently it's because the card reader skips communicating with my bank until they cash up at the end of the day (the "available balance" of my card doesn't reduce after shopping there until the next day). Tesco is the only retailer where I've seen the card work almost instantaneously, but I expect that NFC payments work that way every time.

[brianwawok]

How do they detect invalid or cards with no balance? Seems you have to round trip to the bank at least once or you would be no better off than checks.

[the_mitsuhiko]

It's why I pay with NFC everywhere now in Austria. The terminals are much quicker that way.

[kbenson]

You might call it poorly implemented. The companies dealing with fraud in the EU because scammers found they could physically insert a chip form one card into another[1], and the chips didn't actually authorize the card with the bank fully, just the pin used, might beg to differ.

1: https://news.ycombinator.com/item?id=10414375

[scott_s]

I read through some of the discussion, and some of the article that you linked. Based on what you said, I was expecting to read that the hack depended on taking out the card "early", but that does not seem to be the case. I thought you were saying taking out the card early lead to this particular vulnerability. Were you instead saying this vulnerability existed because of poor implementation in general, and that has no direct relationship to removing the card early?

[kbenson]

This thread[1] is the one you want. The EU allowed "offline" transactions, where the chip was used only to verify the pin. The "quick chip" method you describe may be secure, but I have very little faith that these companies can architect a lasting secure solution, the incentives just aren't aligned in our favor.

Simply put, requiring the authorization token (card, phone, etc) be present and accessible for the entire transaction is not a bug, it's a feature. I surely do not want transactions happening after I've left the store, and while you can sign a verified transaction request with everything needed to process the transaction on okay from the bank, that's an extra level of complexity on top of a system I already don't trust them to get right.

1: https://news.ycombinator.com/item?id=10414994