chip and fucking pin. sigh This problem is solved, yet practically nobody in the US is demanding the established solution. Until we do, this is only going to continue.
In the UK and EU, chip and pin carry with it some nasty liability problems. That is, the consumer is now de facto liable for all fraud that happens, in spite of the statute.[1] A significant amount of skimming still occurs in the EU.[2] The protocol, just like the traditional charge card method, used is considered insecure.[3]
The U.S. method, where the low-security retailer is liable, is the most fair. The current charge back system works. Retailers that use inventory control, secure systems, and require ID with large purchases receive few legitimate charge backs. [4]
I work in the industry. Chip and pin is not statistically safer (fraud rates in Spain, UK, and US are all the same despite having very different payment landscapes). The fundamental problem is that in traditional chip-and-pin setups you also type the pin into the same machine... so adding a skimmer + video camera OR adding a skimmer that records pin is marginally possible and not that hard.
The real security would come with a second factor that the user controls, either by approving on your phone or by using one-time-numbers for each transaction. The reason why these do not exist yet is because they would impede transaction flow, and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.
"fraud rates in Spain, UK," for what? Credit cards? Debit? There's always going to be fraud one way or another.
"you also type the pin into the same machine... so adding a skimmer..."
There's no copying of SIM Cards.
Yes, you can still copy the magnetic stripe that's there for backwards compatibility. So, yes, it's not going to be safer while there's support for old technology.
My (European) bank issued me a chip-and-pin card without the mag stripe, good for travels, where I won't risk getting my card skimmed again.
I would be careful with such statement :-) Security usually maters on type of card, but top range is pretty expensive. There are number of ways howto 'debug' chip using power consumption, xrays etc...
It is easy to copy GSM SIM card. Also operators usually give replacement SIM ( if original gets lost) to anyone with photo id. There were number of frauds in Europe.
"There are number of ways howto 'debug' chip using power consumption, xrays etc..."
The circuit on the chip is known, that's not important. The important thing is the information in rom. Difficult, but certainly not readable through x-ray.
"It is easy to copy GSM SIM card. Also operators usually give replacement SIM"
Of course they can give you a replacement SIM, they can reconfigure their systems to point the customer to the new SIM. That's not copying.
>and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.
I seem to recall reading a while back that the overall credit card fraud rate is at the level of single-digit basis points. Is that really true? (I can't seem to find a good link.)
The US is getting chip cards in 2015 [0], although it looks to be chip and signature.
As another poster pointed out, chip and pin is not foolproof and may present a nasty liability shift to consumers when it comes to fraud.
There are also more practical issues with chip cards. First, merchants will be requires to buy new chip capable card readers. They will not be happy about it, but they'll be forced into it by their merchant agreements. Second, chip transactions take noticeably longer to process. From my casual observation a swipe takes 1-3 seconds, but chip readers took at least twice as long. Sounds silly, but it can really add up if there is a long line.
The idea is to use chip and pin for high value (>$50) purchases and PayPass/PayWave for amounts under that. That way you can pay for small purchases faster than cash while making large purchases more secure.
Unfortunately, at least in Canada, it seems like merchants were only obligated to buy the chip terminal so a lot of smaller businesses didn't bother with the wireless payments and force you to type in your pin for a $7 pita.
I usually swipe my card while items are still being scanned. Most card readers allow this. Would this not be possible with a chip card reader? i.e., does it use a private key on the card to sign the whole transaction (including final dollar amount)?
No, on legitimate ones. You put the chip in the reader, it tells you the total amount, you hit OK, then it asks for your PIN, then the transaction goes through, then you take the card out of the reader. I don't think there's any way to pay before the reader knows the final amount.
Sounds like it depends more on how sophisticated the readers are. The current ones are apparently pretty dumb, and just pretend to be a PS2 keyboard and send the info as keypresses, since the guys in the article just used a off-the-shelf keylogger to steal the data. You could easily make a chip and pin pad that did the same thing and was just as easy to compromise.
For real security, you'd need to do something like have the reader internally encrypt the data with the card processor's public key and only send an encrypted blob out of the device. If you're doing that, then anything's secure against this kind of attack. But the readers would have to cost like 10x more, and it probably isn't enough of a problem to bother replacing them all.
It's ridiculous how such an important infrastructure is so vulnerable. Magnetic stripes are easily copiable and without any other "authentication method" it's a done deal.
The U.S. method, where the low-security retailer is liable, is the most fair. The current charge back system works. Retailers that use inventory control, secure systems, and require ID with large purchases receive few legitimate charge backs. [4]
[1] http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf
[2] http://www.telegraph.co.uk/news/uknews/law-and-order/3173346...
[3] http://www.techrepublic.com/blog/it-security/chip-and-pin-th...
[4] http://www.internetretailer.com/2012/10/31/how-karmaloop-cle...