Last month I explained why I don’t like credit card chip and PIN technology, which are all the rage in Europe and which many consumers in the U.S. are anxious to get their hands on either because it will help them at unmanned kiosks across the Pond or because they’re just so darned cool.
Today Bruce Schneier notes the security vulnerabilities.
You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack. Just like most vulnerabilities we find these days some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.
For those so inclined, I list four cards you can get as CHIP and PIN. They’re not great otherwise, however.
In my own case, I have a Diners Club card which is now chip and PIN. But they aren’t currently taking applications for new cardmembers.
I think you’re doing yourself a disservice by trying to insinuate that the only reason people want these cards are “because they are cool”. I have to say that is a remarkably shallow criticism for someone usually as detailed as you Gary.
While I don’t think anyone argues that chip and pin cards still have vulnerabilities it’s pointless to talk about these in a vacuum. The fact is that chip and pin cards are still far safer than regular cards.
I couldn’t care less if my card is safe or not. My issuers don’t hold me liable anyway and I prefer to have one less PIN to remember. From a bank’s perspective it’s different as they want to “pretend” that they’re reducing their risk (even if they aren’t) so that they lower their insurance (since it costs them to go after fraudulent charges). But as a consumer, the argument that “it’s safer for me” is irrelevant — I just don’t care. I’ve been a victim of fraud several times and it never cost me a penny. Just a couple of days to get a new card in each instance.
A better article to reference from today is this:
http://krebsonsecurity.com/2012/09/researchers-chip-and-pin-enables-chip-and-skim/
@A.S. read the above and then decide that you don’t care…
@A.S. a point I’ve made elsewhere is that card issuers are looking to chip and PIN technology as a reason to change liability laws for fraudulent charges… with the claim that fraud must be consumer’s fault for failure to safeguard PIN.
@Gary And your point has been repeatedly refuted by Canadians and Britons who’ve seen no change in their nations’ liability laws with the move to EMV.
Backing up JacobGBG on this one. It’s not all the rage, it’s just a fact of life. Source: I live on the other side of the pond.
Both sides of the security and liability arguments seem pretty weak. Liability laws generally treat the technologies the same (insinuating otherwise is unfounded FUD) and Americans are already subject to worse liability situations if their ATM cards are stolen, but on the other hand the security benefits of chip+PIN cards are minor when they can still be used without PINs for online purchases.
The main issue I see is convenience. Having to sign for a purchase is slower, clunkier, and (in countries where it is no longer the norm) downright embarrassing. This is especially so when dealing with automated or semi-automated merchants where paying by signature, if it’s possible at all, involves long queues or waits for an employee to come over.
This argument strikes me as akin to that supporting pagers against using text messages. Having properties both sides of the pond, I live with both Chip and PIN and signature cards. Chip & PIN is certainly faster, easier and more convenient than signature and it seems safer to me – first, the cardinal rule is that no one ever handles my card and it NEVER leaves my sight, so little chance for it to get cloned in, for example, a restaurant. Second, in the US, no one ever checks the signature so a stolen card could be used easily and immediately.
As to remembering another PIN, that’s nonsense – just change it to something you already use.
Be that as it may – CC fraud is rampant in the US compared to Europe, which is why they introduced the chip scheme. It makes it harder for US based thiefs to copy the cards. It might not be perfect, but it’s worked.
@Mitch I have spoken with credit card companies who are looking to lobby for changes in liability laws on the basis of chip and pin
@Gary Of course they’ll try. I imagine they tried in Canada and tried in the UK, too. Right now the public mood is not much in the direction of regulatory changes that help big banks and provide no benefit to the consumer.