[disappearance]

Thanks.

In europe we use chip and pin, so a fake app could collect the pin directly. If someone was to harvest 30 cards with pin, could they then visit an atm directly? Perhaps I'm underestimating the difficulty of cloning cards. If that is possible, CVV2 would be unnecessary.

I hear your point about normal credit card terminals being available. As a european I wouldn't expect to see one on a stall by the side of a road though, and would normally be suspicious of anyone suggesting that they accept credit cards under these conditions.

[icebraining]

Perhaps I'm underestimating the difficulty of cloning cards.

I don't know how the bank cards work, but here in Portugal we now have a citizen's ID card that looks much like a bank card and can actually do cryptographic operations itself - it has a private RSA key that it can use to sign and encrypt data by request of the card reader. It's essentially impossible to clone the card, at least without breaking it.

EDIT: According to this article[1], PIN-and-chip bank cards are similar to what I'm describing.

[1]: http://www.creditcards.com/credit-card-news/outdated-smart-c...

[urbanjunkie]

And that's why you need a separate terminal to enter your PIN (at least here in the UK, although I'm fairly sure that also applied in Europe), and the PIN number is never transmitted to the actual POS application, just a token indicating success or failure.

[disappearance]

Right, but in this instance the 'terminal' to confirm your pin and POS application are one and the same, and ultimately just replaceable software on an iOS device.