Hacker News new | ask | show | jobs
by yajoe 4626 days ago
I work in the industry. Chip and pin is not statistically safer (fraud rates in Spain, UK, and US are all the same despite having very different payment landscapes). The fundamental problem is that in traditional chip-and-pin setups you also type the pin into the same machine... so adding a skimmer + video camera OR adding a skimmer that records pin is marginally possible and not that hard.

The real security would come with a second factor that the user controls, either by approving on your phone or by using one-time-numbers for each transaction. The reason why these do not exist yet is because they would impede transaction flow, and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.
3 comments
raverbashing 4626 days ago
"fraud rates in Spain, UK," for what? Credit cards? Debit? There's always going to be fraud one way or another.

"you also type the pin into the same machine... so adding a skimmer..."

There's no copying of SIM Cards.

Yes, you can still copy the magnetic stripe that's there for backwards compatibility. So, yes, it's not going to be safer while there's support for old technology.

My (European) bank issued me a chip-and-pin card without the mag stripe, good for travels, where I won't risk getting my card skimmed again.

link
qwerta 4626 days ago
>There's no copying of SIM Cards.

I would be careful with such statement :-) Security usually maters on type of card, but top range is pretty expensive. There are number of ways howto 'debug' chip using power consumption, xrays etc...

It is easy to copy GSM SIM card. Also operators usually give replacement SIM ( if original gets lost) to anyone with photo id. There were number of frauds in Europe.

link
raverbashing 4626 days ago
"There are number of ways howto 'debug' chip using power consumption, xrays etc..."

The circuit on the chip is known, that's not important. The important thing is the information in rom. Difficult, but certainly not readable through x-ray.

"It is easy to copy GSM SIM card. Also operators usually give replacement SIM"

Of course they can give you a replacement SIM, they can reconfigure their systems to point the customer to the new SIM. That's not copying.

Actual copying would be more difficult.

link
willvarfar 4625 days ago
I watch the industry and my understanding is that, in practice, chip & pin is not safer, the attacks just change. As does the liability.
link
crazygringo 4626 days ago
Not good for travels to the US! :)
link
raverbashing 4626 days ago
Yes, I'm not sure about the US, but it worked like a charm in Canadian ATMs
link
eps 4626 days ago
You don't seem to know what a chip card is.

It is the second factor in a two-factor authentication scheme.

link
willvarfar 4625 days ago
The attack just changes. That you are attacked doesn't.
link
cynwoody 4626 days ago
>and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.

I seem to recall reading a while back that the overall credit card fraud rate is at the level of single-digit basis points. Is that really true? (I can't seem to find a good link.)

link