Chip Cards Fail to Reduce Credit Card Fraud in the US

A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals.

The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe card.

Boing Boing post.

Posted on November 15, 2018 at 6:24 AM • 48 Comments

Comments

Tyler B. November 15, 2018 7:04 AM

I was under the impression that the current generation of cards was primarily a transitory tech given that the magstripe is still present. Until we remove that magstripe I’d think the chip’d cards were only marginally more secure, but for sure chip+pin is the way to go.

Igor November 15, 2018 7:21 AM

Well, if it is chip-and-signature, it sounds like they just moved the medium of information storage. Why then would anyone expect any improvement?

JO November 15, 2018 7:22 AM

@Tyler B

Ugh, I worry about that because I’ve had a much higher rate of failure reading the chips at stores than I used to with stripes. Maybe they’ll improve the durability of the readers, which seem to usually be at fault as I haven’t had to replace a chip card due to malfunction yet. Physical contact with a device does seem old fashioned though. Maybe more qr-code/crypto-currency type transactions will be the future anyway.

austin November 15, 2018 7:33 AM

The numbers aren’t a surprise. Over the years cc fraud has migrated with each new technical improvement designed to reduce fraud. It’s no surprise that the numbers haven’t gone down that much… the fraud has just changed locations. I suspect if you dig into the numbers you will find that most of the cc fraud moved on-line or to merchants without chip readers.

The PIN idea runs into several practical issues…

PINs sound like a good solution, but the US financial processing system and banking system are not like the European system, which is the implicit comparison you are making.

There will be resistance to chip and PIN unless the current law holding card members not liable for fraud charges on credit cards is kept intact. Presently PINs used with debit cards do not enjoy the same protections, i.e. banks can still charge your account for a compromised card and PIN.

The banks will not be inclined to implement PINs for all cc transactions, as implementing and managing a PIN system is a non-revenue pain in the backside, not to mention the push back from consumers.

Lastly there’s the issue that there is no case law in the US that says a PIN means the true user has control of the transaction and is therefore liable. That battle got fought years ago with off-line debit transactions.

Stick and carrot…

Having spent a number of years running global POS systems for a major financial institution the first step is for the bank associations to require chip reads for all merchants and heavily surcharge and charge back transactions from merchants that haven’t converted.

The merchant and acceptance side of the business will always complain but until the risk owner, i.e. issuing banks get serious all we will see is noise.

In addition, pushing hard for on-line merchants to adopt Apple Pay or its ilk to secure on-line transactions will help tremendously.

Austin

Erik November 15, 2018 7:42 AM

Having worked on credit card authorization software, I disagree. The PIN is not the most critical security benefit, the chip is.

Too many merchants (e.g., gas pumps) aren’t upgraded yet and will accept a cloned mag stripe. In general, you can’t clone the chip. The fraud is (a) at gas stations, (b) at merchants who allow mag stripe reads on cards with a chip, and most of all (c) card not present transactions, where the chip isn’t in play.

The weakest component in the US credit card industry used to be the fact that most cards were mag stripe only. Now the weakest component is the merchant network. Beating fraud is a cat and mouse game. The US was late to the game, but our issuers will get better (they eat the cost of most fraud).

There is no silver bullet, only iterative incremental improvement.

@Tyler – The physical contact makes it easier to power the computer on the chip that performs the cryptographic exchange with the card reader.

K.S. November 15, 2018 8:33 AM

Contactless smart cards manage to power chip via NFC. If you are not going to bother with PIN, there is no reason to even bother with an “insert card” physical reader.

Sam November 15, 2018 8:47 AM

In the UK they required chip & PIN already about 7 years ago; I have no idea why there is such reluctance to change here in the US.

sophia November 15, 2018 8:51 AM

We should be clear about card theft vs. copying. The Fortune story starts out talking about stolen cards, but then refers to general fraud including copying/skimming when it gives statistics.

Can one demagnetize one’s card to prevent such attacks? Do any issuers let people enable chip+PIN on an opt-in basis? Can card processors reject swipes from chip-capable terminals, and do they?

I’m shocked that there’s not a “three” in your list: because anyone with your card number and CVV code, meaning anyone who’s handled your card, can use it online. One would think they’d mail that code to you and not print it on the card… but is there really no significant fraud from this? (The story says card-not-present fraud is on the rise but doesn’t give stats on the vectors, e.g. server breaches via simple in-person copying.)

Me November 15, 2018 8:59 AM

@K.S.

The thing is all the NFC cards I have had (employee ID cards) have been 50-100% thicker than a CC. The chip adds no appreciable thickness.

This is an important distinction as wallets can only become so thick before they are too much effort, and many people have more than one CC/Debit Card.

I do agree that an NFC would likely be more durable; however, I am not sure the trade-offs work. Perhaps the solution is switching to a “press when card inserted” rather than a “brush” model on readers.

scot November 15, 2018 9:03 AM

@Erik, you are right insofar as it’s impossible to extract the data to clone the chip; DDA cards are even partially immune to skimmers since the ICC contains a unique RSA key pair (signed by the issuer, with a chain of trust going up to the CA) which can be used to transmit the PIN from the keypad to the ICC in encrypted form. However, this only prevents cloning if you enforce a chip-only policy, and does not protect against fraud at chip terminals if the card is stolen but the terminal or CVM doesn’t require a PIN.

I’ve seen DDA EMV cards get hit by fraud a hemisphere away within hours of being issued to the cardholders by completely bypassing the chip security. They were payroll cards, and someone with access to the cards and PIN mailers was cloning the magnetic stripe and copying the PIN, transmitting the information from Europe to the US, creating mag-stripe only clones, and using the cloned card and PIN to extract funds from mag-stripe ATMs in the US, where they are still prevalent.

scot November 15, 2018 9:12 AM

@Me, contactless credit cards are no thicker than normal cards–at least the ones I have are not. There is an embedded antenna that is powered up by the terminal, and that activates the chip. The transaction itself can use mag-stripe data, or be a full EMV transaction. With Visa contactless EMV cards, there are two applications installed on the chip, the standard VSDC for contact, and the “quick” qVSDC for contactless “tap and go” transactions. The qVSDC application is geared towards low value transactions, and uses offline authentication and authorization, where the transaction can be completed in a few milliseconds. High value transactions will still go online, which takes longer and may require PIN entry. I’m seeing this from the issuer side, not the user side, so I’m not sure if you can do a PIN transaction with a contactless card or not, but there’s no technical reason why you couldn’t, as long as you kept the card in range during the transaction.

MB Walker November 15, 2018 9:19 AM

@Sam Not really. When I visited the UK earlier this year I had no trouble using my US-based Chip and Signature Visa card at UK merchants.

Erik November 15, 2018 10:13 AM

@Sophia – I didn’t look up the stats, but the overwhelming majority (think 95%+) of credit card fraud is through creating counterfeit cards made from data taken from merchants. Stolen cards are a tiny fraction.

Credit card fraud is a huge industry, staffed with clever, full-time professionals. They’re criminals, to be sure, but nevertheless. These professionals want to maximize their revenue, and that’s through volume.

If I steal your wallet, I get one card. If I compromise a POS, I get the cards that visit that exact terminal. If I compromise a merchant, I get every card that visits the merchant.

The CVV on the mag stripe is different from the one stamped on the card, so a CVV captured from a merchant terminal won’t work on the internet.

CallMeLateForSupper November 15, 2018 10:14 AM

@sophia
“Can one demagnetize one’s card to prevent such attacks?”

I want to say yes, but my two attempts failed. (Some day I gotta try a horseshoe magnet from a magnetron (microwave generator) tube.)

“Do any issuers let people enable chip+PIN on an opt-in basis?”

I don’t know anything about that.

“Can card processors reject swipes from chip-capable terminals, and do they?”

They certainly can detect that a swiped card is chipped – the stripe data contains that factoid – but no transaction of mine was denied based on a swipe in lieu of a dip. And why would a processor do that; they make no $$ on denied transactions.

“[…] anyone with your card number and CVV code, [can clone the card]”

Correctamente! 🙂 In my opinion you should deface or obscure your cards’ CVV. You can’t use e.g. an ink eraser, because the CVV is /engraved/.

Before you deface a CVV, write it prominently on a document associated with the card that you keep in your files. I also write it /somewhere amongst OTHER digits/, on a slip of paper that I stash in my wallet. That is, the paper does NOT contain only the CVV digits (nor does it contain e.g. “CVV: 123”).

taw6 November 15, 2018 10:33 AM

By Ross Anderson: “The USA is starting to introduce EMV, the Europay-Mastercard-Visa system for making payments using chip cards instead of the old mag strip variety. EMV is already in wide use in Europe, and has started to appear in countries from Canada to India. In theory, smartcards should have reduced fraud by making bankcards much harder to copy and by enabling banks to authenticate users at the point of sale using PINs rather than signatures. The practice has been different. In Britain, for example, fraud first went up, then down, and is now headed upwards again. There have been many fascinating attacks, which I’ll describe. The certification system wasn’t fit for purpose, so terminals that were certified as tamper-resistant turned out not to be. We even saw Trojans inserted in the supply chain. A protocol flaw meant that a crook could use a stolen card without knowing the PIN; he could use a man-in-the-middle device to persuade the terminal that the card had accepted the PIN, while the card was told to do a signature-only transaction. Merchant refunds were not authenticated, so a crook could pretend to the bank that he was a merchant, and credit his card back after making a purchase. The most recent series of attacks exploit the freshness mechanisms in the EMV protocol. To prevent transaction replay, the terminal generates an ‘unpredictable number’ while the card supplies an ‘application transaction counter’ or ATC that is supposed to increase monotonically and never repeat. Yet the unpredictable numbers often aren’t (in many of the terminals we looked at, they seem to be just counters) while many banks don’t bother to check the ATC, as writing code to deal with out-of-order offline transactions is too much bother. As a result, we’ve seen some interesting attacks where cardholders unlucky enough to shop at a dishonest merchant find themselves dunned for a lot of large transactions later.
In fact these ‘preplay’ attacks behave just like card cloning, and make all the fancy tamper-resistant electronics almost irrelevant. At heart these are problems of governance and regulation. The vendors sell what they can get away with; the acquiring banks dump liability on merchants and card-issuing banks; they in turn dump it on the cardholder where they can; and the regulators just don’t want to know as it’s all too difficult. This wonderful system is now being rolled out at scale in the USA.”

Petre Peter November 15, 2018 10:45 AM

Once we figure out that sign-and-fax doesn’t provide any real security, we will start using chip-and-pin.

Gunter Königsmann November 15, 2018 11:00 AM

In Germany new credit cards normally come with a letter telling you that this card is chip+PIN-only. For RFID payments they only ask for the PIN at seemingly random intervals, though, if you pay <30€. In fact my new credit card resulted in an “unsupported credit card” when trying to swipe it through a terminal that had worked fine with the old credit card one day earlier.

But I guess I could use the old swipe method in old terminals (it seems like in Germany, France, Austria and Italy they are extinct by now, though). And most new terminals have a magnetic reader that holders of old cards can use, with the notable exception of many ticket vending machines in France.

Gunter Königsmann November 15, 2018 11:05 AM

Wow… seems like you can use html tags here; the “less than 30 Euros” in my last comment was removed by the html parser.

@Petre: “Sign and Fax” or a “hold your passport in front of the webcam in order to open a bank account/get a credit/get access to this lottery” don’t prove your identity. But the other extreme, “Your passport is the only signing chip you’ll ever need”, had many privacy and security issues as well, when the German government tried to introduce it. Things like “Who needs a PIN if you can crank up the signal strength” or “how random is a random number?”. Estonia might have better solutions now, though.

uh, Mike November 15, 2018 12:12 PM

I get a text for every charge to my credit card.
Coupled with U.S. consumer protection law about credit card fraud (that don’t apply to debit cards), I think that’s pretty good protection.

sophia November 15, 2018 12:23 PM

Erik re: “the overwhelming majority (think 95%+) of credit card fraud is through creating counterfeit cards made from data taken from merchants”—what’s the benefit of making counterfeit cards rather than spending online? Just because the terminals themselves are the usual data source and lack the CVV as you say? (I’d have thought backend-hacking would be most common by far.)

“The CVV on the mag stripe is different from the one stamped on the card, so a CVV captured from a merchant terminal won’t work on the internet”—the CVV is in plain view. If you hand your card to someone at a restaurant, they just need to snap a quick covert photograph to shop online. And if you’re spending at a site which has some “extra” Javascript added—which happens—your CVV leaks with the card number.

CallMeLateForSupper re: “They certainly can detect that a swiped card is chipped – the stripe data contains that factoid”—hmm, what stops the criminals from just changing that bit to “no chip” when copying the stripe?

Adrian November 15, 2018 12:30 PM

The chips seem horribly unreliable. I don’t understand how they work elsewhere. Every chipped card I have is a replacement for an earlier one where the chip failed (years before the card expiration date). Some of them always get “Chip Malfunction.” Others get “Chip Malfunction” at certain merchants but not others. In one case, the chip fell out of the card (while being swiped at a Starbucks that didn’t yet have a chip reader), apparently they’re just wedged in and held with friction rather than adhesive.

Foots November 15, 2018 12:37 PM

Living in Europe I never use a card. Fingerprint reader enabling my phone to turn on nfc for Google pay only when I enable it.

Nfc cards are everywhere…not thicker than a credit card. There are limits on nfc xactions (dollar amount and number without a pin xaction). It is like the dark ages in credit cards when I come back to the States.

Erik November 15, 2018 1:11 PM

@Sophia – Every card has two CVVs. One is on the mag stripe, and the other is physically imprinted on the card. They have different values, and are not interchangeable. So the code in the POS can only capture the one on the mag stripe, which won’t work on the web.

If you have the magstripe CVV, you can only use it by creating a counterfeit magstripe. Fraudsters need to convert a compromised card to something untraceable like gift cards. So they create a counterfeit card, then go buy a bunch of gift cards with it.

I’m not sure what you mean by backend hacking. Once the message gets to the acquiring processor (the merchant’s bank or a third party acting on their behalf), you’re talking about pretty secure systems. It’s much easier to compromise a merchant.

The CVV is calculated based on data which includes whether the card has a chip. You can’t just change that byte because then the CVV won’t match. I’m simplifying the process a bit, but the bottom line is that they can’t just change the byte. Same with the expiration date, so they can’t just find expired cards and move the expiration date forward.

sophia November 15, 2018 3:15 PM

Erik- “I’m not sure what you mean by backend hacking.”

The type of thing that got hacked at Home Depot. Not the terminals/pinpads themselves (which I assume are locked down, not network-updatable, and not running the merchant’s software) but whatever system they were feeding into. Still on the merchant side.

SpaceLifeForm November 15, 2018 4:57 PM

The main problem really is that the payment processors still do not support chip cards.

Some do (e.g. Heartland), but many never upgraded their infrastructure to properly support chip.

PIN is only for consumer security. The banks and payment processors really only care about their side of transactions.

Pablo November 15, 2018 5:31 PM

What exactly makes people think that the chip is primarily about security?
Credit card providers make money by charging a small fee for every transaction. Making more money just needs more transactions to take place using card.
There is a psychological sense of ease and security using a chip, “tap-and-pay” etc. and people will use their card for more transactions, thus making the CC provider more revenue.
Fraud is going to occur no matter what medium is used for financial transactions, that is factored into the transaction charge, as well as losses for the providers.
The real money for providers is getting people to simply use their credit card for everything. If that takes putting a chip in the card and messaging it as infinitely more secure, then it will be done.

Sancho_P November 15, 2018 6:06 PM

@Gunter Königsmann
”In germany new credit cards normally come with a letter telling that this card is chip+pin-only.”
This is true for Germany and most (all?) EU countries because their POS / merchant system is chip + pin ready (no fallback required). With the same card you may pay e.g. at an US gas pump using swipe (YMMV depending on the merchant’s system).

American customers could pay by swipe in the EU, only if … the POS still had a reader.

AFAIK the RFID “random” here is a limit of 20€ (25US$) where the (EU) card will insist on seeing the PIN. However, some (also EU) merchants will require PIN validation regardless of the total.

Sancho_P November 15, 2018 6:09 PM

@sophia re online fraud

Right, CVV and card face photo is easy, but it’s difficult to get (physical) objects online without leaving traces.
Also, most online payment providers contact the card issuer, the card issuer will text a 5 minute valid code to my phone which I have to enter online together with my personal pwd to validate the online purchase – bad luck for fraudsters until they sit at the payment provider.
Then it’s similar to “backend hacking”, these guys and gals are easy to find, at least their office.

Theo November 15, 2018 10:51 PM

For those who think the existence of a magnetic stripe is a security risk I will point out that all the cards I’ve seen have embossed numbers, and the old ka-thunk on carbon paper is still a legitimate way to make a transaction.

As above the problem is not the existence of the magnetic stripe, it’s merchants that use the magnetic stripe.

Chips were not introduced to reduce fraud. The levels of fraud at the time they were introduced did not justify the expense. Chips were introduced to forestall a predicted (or perhaps indicated) increase in future fraud. So if there has been no change in fraud: MISSION ACCOMPLISHED.

Finally, contact chips at least require certain bad guys to learn pickpocketing or mugging skills and avoid the need for my wallet to wear a tinfoil hat.

Jonathan Rosenne November 16, 2018 2:28 AM

Each EMV card has three CVVs: one on the card for Card Not Present transactions, one on the magnetic stripe and one in the chip. The merchant data from an EMV card cannot be used to clone a magnetic card, as long as the issuer implements a different chip CVV and also checks it.

Jonathan Rosenne November 16, 2018 2:32 AM

Additionally, the magnetic CVV protects the indication that the card includes a chip, so that a magnetically cloned card would not be usable on a properly configured POS terminal or ATM.
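An added example, not from the post or any commenter, modelling the issuer-side check that Erik (the CVV is computed over data including the chip indicator and expiry), Jonathan Rosenne (stripe CVV, chip iCVV, and the protected chip indicator) and CallMeLateForSupper (a swipe of a chipped card is detectable) describe. Assumptions: HMAC-SHA256 stands in for the real DES-based CVV algorithm, the iCVV follows the common convention of substituting service code 999, the Track-2 discretionary-data layout is constructed, and every key and card number is a constructed test value.

```python
import hashlib
import hmac

# Constructed issuer key. A real issuer keeps its CVK pairs inside an HSM and
# runs DES under them; HMAC-SHA256 is a stand-in so this runs with the stdlib.
CVK = b"constructed-cvk-not-a-real-key"

# Constructed test values (not a real account).
PAN = "4000001234567899"
EXPIRY = "2612"             # YYMM
CHIP_SERVICE_CODE = "201"   # first digit 2: IC present, online authorisation
NOCHIP_SERVICE_CODE = "101" # first digit 1: no IC


def card_has_chip(service_code: str) -> bool:
    """ISO/IEC 7813 convention: first service-code digit 2 or 6 means an IC is present."""
    return service_code[:1] in ("2", "6")


def derive_cvv(pan: str, expiry_yymm: str, service_code: str) -> str:
    """3-digit code bound to PAN + expiry + service code (stand-in for CVV1)."""
    msg = (pan + expiry_yymm + service_code).encode()
    hexdigest = hmac.new(CVK, msg, hashlib.sha256).hexdigest()
    # Decimalise the way the classic algorithm does: decimal digits first,
    # in order, then hex letters mapped a-f -> 0-5; keep the first three.
    digits = [c for c in hexdigest if c.isdigit()]
    digits += [str(int(c, 16) - 10) for c in hexdigest if not c.isdigit()]
    return "".join(digits[:3])


def derive_icvv(pan: str, expiry_yymm: str) -> str:
    """Chip-side code: same algorithm with service code 999 substituted (the
    usual iCVV convention), so chip data and stripe data carry different codes."""
    return derive_cvv(pan, expiry_yymm, "999")


def build_track2(pan: str, expiry_yymm: str, service_code: str, cvv: str) -> str:
    # Constructed discretionary-data layout: CVV first, then padding.
    return f";{pan}={expiry_yymm}{service_code}{cvv}0000?"


def parse_track2(track2: str) -> dict:
    body = track2.strip(";?")
    pan, rest = body.split("=", 1)
    return {"pan": pan, "expiry": rest[0:4],
            "service_code": rest[4:7], "cvv": rest[7:10]}


def verify_stripe(track2: str) -> tuple:
    """Issuer-side CVV1 check. Returns (ok, reason)."""
    t = parse_track2(track2)
    if t["service_code"] == "999":
        return False, "service code 999 is reserved for chip (iCVV) data"
    expected = derive_cvv(t["pan"], t["expiry"], t["service_code"])
    if not hmac.compare_digest(expected, t["cvv"]):
        return False, "CVV mismatch: altered track or data copied from chip"
    return True, "CVV matches"


def authorize_swipe(track2: str, terminal_chip_capable: bool,
                    fallback_allowed: bool = False) -> tuple:
    """Swipe decision: the CVV must verify, and a chip card swiped at a
    chip-capable terminal is declined unless fallback is explicitly allowed."""
    ok, reason = verify_stripe(track2)
    if not ok:
        return "DECLINE", reason
    if (card_has_chip(parse_track2(track2)["service_code"])
            and terminal_chip_capable and not fallback_allowed):
        return "DECLINE", "chip card swiped at chip-capable terminal"
    return "APPROVE", reason


# Test inputs for the issuer check, matching the cases the comments describe.
def genuine_track2() -> str:
    return build_track2(PAN, EXPIRY, CHIP_SERVICE_CODE,
                        derive_cvv(PAN, EXPIRY, CHIP_SERVICE_CODE))


def track2_from_chip_capture() -> str:
    """Chip Track-2 equivalent (carrying the iCVV) written onto a stripe."""
    return build_track2(PAN, EXPIRY, CHIP_SERVICE_CODE, derive_icvv(PAN, EXPIRY))


def track2_chip_flag_cleared() -> str:
    """Genuine stripe copied with the service code changed to 'no chip'."""
    t = parse_track2(genuine_track2())
    return build_track2(t["pan"], t["expiry"], NOCHIP_SERVICE_CODE, t["cvv"])


def track2_expiry_extended() -> str:
    """Genuine stripe copied with the expiry date moved forward."""
    t = parse_track2(genuine_track2())
    return build_track2(t["pan"], "3012", t["service_code"], t["cvv"])


if __name__ == "__main__":
    cases = [("genuine", genuine_track2()),
             ("chip data on stripe", track2_from_chip_capture()),
             ("chip flag cleared", track2_chip_flag_cleared()),
             ("expiry extended", track2_expiry_extended())]
    for name, track in cases:
        print(f"{name:22s} {authorize_swipe(track, terminal_chip_capable=False)}")
    print("genuine at chip terminal", authorize_swipe(genuine_track2(), True))
```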

Evan November 16, 2018 3:50 AM

@Gunter Königsmann

Maybe it’s just because I’m a Sparkasse-using bum but my German credit cards are all chip+sign only by default, PINs must be requested separately.

Nicolai Plum November 16, 2018 9:08 AM

The card terminals commonly deployed in the US at the moment, with a display, keypad, card slot below keypad, and magstripe slot on one side, will usually do chip+pin transaction authentication if presented with a chip+pin card (my experience on a recent visit to the USA was more than 95% of retail transactions). All my payment cards are issued in Europe where chip+pin is the default, and it is most pleasing that US cards are now advanced enough to do the strongest form of authentication for purchases. It greatly decreases the amount of problems I get with my card issuers being concerned at a high volume of magstripe purchases and their fraud mitigation kicking into action to phone me. So, plenty of issuers worldwide will issue chip+pin cards, and even some in the USA will do so – which is required for most unattended kiosk purchases in Europe, even for travellers from the USA.

The security issue here is that of allowing the older, insecure authentication channel alongside the secure one. This is the same problem that happened when Windows NT permitted use of Windows Workgroups authentication using a weak password hash and bad secret sharing, as well as the far more secure NT Domain authentication. The new Domain could, and often was, attacked via the older Workgroups method.

In Europe, magstripe transactions are almost dead, and treated with quite some suspicion. This keeps the fraud rate due to cloned cards much lower. Of course, other attacks happen, but the USA is not only subject to all the same chip card attacks as in Europe but also to magstripe attacks – the worst of both worlds.

Clive Robinson November 16, 2018 9:12 AM

@ Sancho_P,

Isn’t it funny, different experts, different “facts”:

Ask yourself a question about each party. So,

1, How does an independent researcher earn a living?

2, How does a corporate entity keep the profits flowing into director and shareholder pockets?

The other thing is the old “There are lies, damn lies and statistics”. In nature you rarely get a smooth curve; it wiggles around a trend. Thus you can pick wiggles to favour your view point.

There are also “lead in trends”, but simply all “new security” items work for a while until the attackers learn the weaknesses and exploit them. We saw this with CCTV, with glowing early reports but dismal long-term results. All static security systems are destined to fail this way as the attacker learns.

Thus, Chip-n-Pin would work until someone found flaws –which they did– then they started to fail. Even with known flaws Chip-n-Spin would work until the local attackers imported and learned the attacks…

All static and the majority of dynamic real physical world security systems are destined to fail. However in physical world security both can always be used as “delay methods”, thus an alarm gets triggered early on, and the delaying tactics slow the attacker, hopefully long enough for an active human response to arrive and overwhelm the attackers.

In “card fraud” delay methods are inappropriate as they upset customers and clue up all but the dumbest of attackers.

Worse perhaps, many places would rather take the loss “safely” than have an attacker “go postal”. Because history shows in the bulk of cases the Lawful Authorities are mainly quite inept, and will opt to keep a hostile situation “bottled up” going for the potential long-term gain of a quiet ending. If it goes postal meantime the lawful authorities are safely out of range and won’t get blamed for doing so; they more or less win whatever they do. The merchant however is going to lose every time the lawful authorities get involved during an attack. Thus they want the attack to end, then maybe get the authorities involved if and only if there is some potential extra “loss stopping” involved, usually only at the behest of an insurance provider.

Interesting side story. In the UK there was a substantial amount of gold stolen and the insurance company paid out. Eventually the police found what they believed was the gold. Not according to the original company… Of course it would have nothing to do with the fact that the gold price had dropped substantially in that time, so if the company claimed it they would have to pay considerably more than the gold was now worth back to the insurance company… So the police ended up with a load of gold they had to keep as alleged evidence…

Similar things have happened when safety box repositories and depots have been robbed. Those with losses either swallow them or make private claims through other insurance, rather than face the prospect of having to explain to the authorities where what has actually been stolen originally came from… Such as claiming for gold coins that in fact they had long ago converted at a very very favourable rate into what we now call “blood diamonds” etc.

Larry November 16, 2018 11:41 AM

So is a chip better or not?
Some here seem to be saying it’s not.
I’m not an “expert” so I don’t know.

Men in Black November 16, 2018 12:51 PM

The chip-and-PIN cards are vulnerable to the shoulder-surf and pickpocket attack, if the store’s surveillance cameras aren’t hacked or misused to collect the PIN.

I have yet to hear of a store’s surveillance video being used to prosecute the pickpocketing of one customer by another.

Rach El November 16, 2018 2:43 PM

What I rarely see acknowledged is that the CC companies profit from fraud. They want it to be easy for cards to be used in such a manner. Hence not implementing security features that can adequately prevent it. Like, not encrypting the info in the chip!! (they may do, now, only because researchers made it public to force their hand)

In Australia what’s called Paywave – NFC – allows for up to $100 transaction without a PIN. So, anyone can do this, with anyone’s card. No ID, no signature, nothing. Just grab the card. And it invariably gets triggered before someone has a chance to do a proper authenticated transaction. In some instances the NFC goes off just pulling the purse out of the handbag.
‘Oh, but it’s okay – if it’s fraud we’ll refund the transaction’
They make it so easy because they are okay with misuse – profit all round

For those that missed it, Samy Kamkar demonstrates his MagSpoof here. 5 minutes
(magnetic stripe spoofing)

https://www.youtube.com/watch?v=UHSFf0Lz1qc

last time I checked the major point of vulnerability is the coax running out of the POS terminals, not encrypted just raw transactions.

(Australia also has NFC on ATM’s, which left me a bit speechless on first encounter)

David Gamey November 18, 2018 12:15 PM

Unfortunately, this study conflates a number of issues and has a number of basic facts wrong. They still have a point and it shouldn’t be ignored but they would have been better to have made that point without the errors. It comes off as alarmist and undermines their credibility. The evidence from countries that have already moved to CHIP is that it does work. The US as the last major country to go to chip got hit by all the card present fraud. This was predicted.

  1. The statement “The inherent security of EMV technology in chip-enabled cards provides end-to-end encryption during card-present transactions, and effectively prevents payment card counterfeiting.” is just wrong. CHIP doesn’t provide end-to-end encryption of the transaction. There is still data that looks like a magnetic stripe, it just changes every transaction. The account number and expiry date are still there. CHIP prevents cloning the card which. For transaction encryption there is a standard called P2PE.
  2. Just because US issuers have got chip cards out to their cardholders doesn’t mean that CHIP is implemented. Merchants and their banks must be capable of reading the CHIPS. Until then CHIP is in transition.
  3. While chip readers don’t see the magnetic stripe, fallback to magnetic stripe is still a problem. But during transition, the problem and liability fall to the party not supporting the chip. That could be the merchant (no chip terminals or allowing fallback when they shouldn’t), the merchant’s bank (not properly supporting chip terminals/transactions), or the issuer (not properly validating the dynamic aspects of chip transactions). POS malware which grabs the card number and magnetic stripe is becoming less effective because they can’t make a magstripe card from a CHIP card’s equivalent of the stripe data. They’d need to get the actual magnetic stripe from the CHIP card. That should only be present if the transaction was a fallback to stripe or the card was physically skimmed with a stripe reader.
  4. Other types of transactions have different protections such as online. The card number, expiry, and the printed security code. CHIP was never intended to fix this. There are other controls meant to address them. These are also being improved.
  5. There has been a predicted shift to card not present fraud, online in particular. Just look up Magecart, Ticketmaster, British Airways.

Fraud will still happen, it’s just that a huge volume of it will be cut off at the knees and the loss prevention teams can focus on a much smaller number of transactions. It’s likely that criminals will find merchants, merchant banks, and issuers that aren’t properly supporting chip and exploit those situations. Those organizations will feel the impact of the liability. One way or another this will self-correct. And when this kind of fraud becomes too difficult the criminals will change tactics as they always do.

There are a lot of moving parts in the payment security systems that all need to work together against fraud. It can be confusing. Further confusing people really doesn’t help anyone.

cmurf November 18, 2018 12:24 PM

About 8-10 years ago, all of my cards had contactless capability. Of course only a few merchants supported it, but that included the NYC Metro through a partnership with Citi. Then EMV chip arrived and the issuers ripped out all the RFID capabilities, and kept the 1960’s magnetic stripe. We were ahead at one time, and then regression.

I wish they had skipped EMV chip for EMV RFID/contactless. And now most of the rest of the world has passed us, as I've seen Canadians tap to pay everywhere, including even on mass transit without needing a transit-specific card. It’s like Americans come up with a good idea and then through legacy and laziness just accept the worst combination possible: chip plus sign, where signing without a pen on a horizontal surface isn’t even a legal signature (just scribble and end it with a smiley face – there is no good reason for me to allow even an approximation of my actual signature on a digital signature system that itself might get hacked one day).

TCB13 November 20, 2018 3:15 AM

Really, it failed. How come nobody was expecting this? There is no point in having the chip if you don’t force the chip+PIN operation. That's the way Europe got it working and that is the only way to have a simple system that actually ensures security and prevents fraud.

All those comments of “oh, but this is a burden”, really? Is it that hard for people to get a 4-digit code in their brain? NO. Is it that hard for the banking system to implement it? Maybe… but it is cheaper than dealing with the fallout of card fraud.

John Davis November 20, 2018 11:07 AM

Until credit card security-related losses impact the C-level employees compensation, the causes will not be addressed. Losses are simply passed to consumers. Financial losses must be recovered from corporate leadership assets, including the real consequence of incarceration. Until that happens, there will be no incentive to solve the underlying problems.

Mind Games November 22, 2018 6:11 PM

Financial institutions in the USA don’t want their customers to have any friction whatsoever!
They want people to use it all the time in all possible situations no matter what.

If financial institutions really wanted to reduce fraud they would remove magnetic stripe and NFC-enabled cards from the market, and only provide CHIP + PIN debit and credit cards. Probably it would reduce debit card fraud by 70% or more. Credit card fraud would probably fall 30%, maybe more. If financial institutions stopped accepting the card number, year and month, and security code printed on the cards for commercial transactions (online and offline), credit card fraud probably could also be reduced by 70%.

There would still be the problem of compromised card-reading machines / point-of-sale machines that may make the user pay more than what is being displayed, for example… but at least it would be easier to spot the place of compromise and end it, if the chip doesn’t allow any machine to extract the private key and only allows it to digitally sign the payment operation. This also doesn’t prevent people from stealing the card and, if they know the code [or somehow find out without locking the chip (some security flaw)], using it until the person contacts the bank to cancel it.

For online use, financial institutions may either produce one-time (or several-times-in-the-same-place) credit card data generated just for that… or make a better system.

brian beuning December 16, 2018 7:41 AM

This line from the article is false “But while the EMV standard is supposed to ensure the card data cannot be captured”.

With EMV the card number is still present in the clear.

Clive Robinson May 23, 2019 8:39 AM

@ Will,

Most vulnerabilities are not in the chips themselves

Payment cards are not secure for many reasons, mostly because they have been badly designed from the security aspect.

In essence they have been designed as “parts” and things like the intercommunications security between those parts has been woefully ignored as a “Somebody Else's Problem” (SEP) issue[1].

SEP is part of a psychological syndrome known as “Perception Blindness”, that can be either intentional (Nelson and “I see no ships”) or unintentional for many reasons. What there is little doubt of is that it is endemic in many fields of endeavor, Information Privacy / Security being one of the more obvious, and nearly all fields of security suffer from it badly.

Our host @Bruce saw the same problem as SEP but described it as the inability of “thinking hinky”. As a matter of history most wars are lost because of the inability to see the opposition's behaviour, and thus act accordingly in advance of them. It is one of the major but unstated reasons asymmetric warfare is not just as devastating as it is, but also why what our host has also noticed and named “Security Theatre” exists.

If you prefer, “Security Theatre” is a variation on “headless chicken” syndrome. As once noted, “The people demand action, any action”; almost invariably the result is either totally ineffective, totally invasive/totalitarian, or more often both. As a long-standing example, “Martial Law” achieves little other than destroying the economy where it is put in place. Similar is the US invention of “A war on XXX” where XXX is of total unimportance compared to the resources expended to little effect against XXX (what it does to the populace by unscrupulous Agencies and Entities is what is the real lasting effect).

People in security frequently misunderstand the notion of “segregation”, thus go about it often in quite a perverse fashion.

On its own segregation is of less use than the old joke about securing a computer[2]. To be of use a computer has to be able to get data from outside into it, process it and send it outside again. Thus without communications a computer of any form is effectively useless. Which means you can not have total segregation; you have to have carefully enumerated and controlled communications. Compared to implementing such communications, segregating of function is extremely trivial on the scale of what has to be done.

In the commercial environment, which is what the payment card industry is, there is actually little understanding of security as a whole. In essence they buy in what they think they need and don’t bother to check if what they are doing is sufficient, effective or, as is usually the case, completely overboard in limited places with nothing joining them.

The classic example being that electronic communication could be protected by very inexpensive physical barriers and security seals. There is a big long list of deficiencies in that reasoning.

The root of just one area of those deficiencies is “mechanical slop”. Most mechanical devices suffer from some form of expansion with their molecular vibration caused by thermal energy. The most obvious example that most people get told about at school, and often shown, is the “bi-metallic strip”: when heated it bends quite a noticeable distance. Well, this principle applies to all things mechanical, thus as part of the design process, to stop failure in operation by “bind” or similar, you put in “clearance distances” which are a form of mechanical slop. This can often easily exceed a millimeter or two when you also allow for the build-up of dirt and other detritus.

The problem is that you can now easily get flexible double-sided printed circuit material in fractions of a millimeter thicknesses… So it’s not all that difficult to place a “shim” between the card and the reader and intercept the communications.

When added to another very common security failing of “authenticating the channel, not the transaction and its parts”, breaking the system was inevitable.

The SEP by the chip and protocol people, who assumed the physical mechanics would give security, gave rise to incorrect thinking about what the chip and the protocol actually had to do to achieve security…

As I’ve said, just one of many security issues you will find in commercial environments, that have been known about since the 1950s in other environments and could also be worked out with a little high school science knowledge.

If you want a “golden rule”, as consultants etc love to quote as it makes them appear enigmatic / clever, you could try “If the laws of physics allow, it will happen sooner than the technology develops.” The point being crooks' and criminals' livelihood is dependent on pushing the envelope, thus leading edge research. The security practitioners, especially the consultants, are not and rarely if ever do original research.

But there is another very real issue with commercial security: it is almost always dependent on “manufacturing margins”, thus requires such large numbers to be deployed that the systems are not dynamically defended; they are at best statically defended, usually with long out-of-date thinking. I made this point in one of my comments above with,

    All static security systems are destined to fail this way as the attacker learns.

It’s a point I’ve made frequently, but few either want to believe it, let alone act on it. Thus they are often quite deliberately “Perceptionally blind”, because if you examine the process in its entirety you will usually find they “externalize the risk” by “blaming the victim” or someone else who can not adequately defend themselves, both of which the Banking Industry and Payment Card Industry are well versed in…

[1] See the SciFi author Douglas Adams' written work for an original definition of “SEP” and how it makes things ignored, thus invisible.

https://en.m.wikipedia.org/wiki/Somebody_Else%27s_Problem

[2] The best way to make a computer secure is to turn it off, unplug it, drop it in a ton of reinforced concrete and, when hard, drop it in the deepest trench in the ocean off Guam.
