Hard Light Productions Forums
Off-Topic Discussion => General Discussion => Topic started by: est1895 on October 10, 2015, 12:39:13 am
-
Some article here about Microchips on the new Credit Cards.
http://pro.whitepages.com/blog/fraud-train-is-coming/?utm_source=outbrain&utm_medium=cpc&utm_campaign=ecomm-q4-15&utm_term=promoted-content&utm_content=pro-ecom-infographic
-
Hm? The chips have been around for quite some time (since '94 or so), it's that shiny brass looking stamp on the face of the card. EMV standard (https://en.wikipedia.org/wiki/EMV)
What's more interesting is the card spoofing fraud.
-
Yeah, I'm not a fan of this technology. Its user experience has much to be desired.
-
Learn how Whitepages Pro can help you process orders faster while helping to fight the rise in fraud.
I think that pretty much sums this article up.
On a more general note, I don't really get the point of chips. So I insert the card instead of sliding it. How does that help prevent anyone other than me using it? Is it supposed to be more resistant to skimming? If so, that's probably only because it's newer and tools aren't readily available. Yet. That will change.
-
Wait, is this article actually predicting calamity because you're switching to chip and PIN? Jesus Christ, those have been standard in the UK for a decade and we haven't been swept away by a tide of fraud.
The major benefit, AIUI, is that you can't use the card at all without knowing the PIN; so if you keep it safe, skimming is outright impossible.
-
Wait, is this article actually predicting calamity because you're switching to chip and PIN? Jesus Christ, those have been standard in the UK for a decade and we haven't been swept away by a tide of fraud.
The major benefit, AIUI, is that you can't use the card at all without knowing the PIN; so if you keep it safe, skimming is outright impossible.
Lordy. Canada has also been on this tech for years; it's not even remotely inconvenient and it greatly enhances security. I cannot fathom why the US has not seen widespread adoption ages ago.
-
I'd imagine the simple reason we took so long is because money, i.e. no one wanted to pay to update all of their card-reading equipment.
-
It's just chip. There is no PIN involved, at least as it stands now. The new card they sent me can function either identically to 'normal' credit cards with the swipe, or insert it into the machine, sign the pad, and take it out. That's why I said insert instead of swipe. And no, not a single cashier in the history of EVER has asked to compare signatures. Hell I haven't even signed any of my cards since the very first one.
-
I don't actually know how EMVs work but you could make an unskimmable bank card quite easily by putting a cryptographic key on the chip and having it sign any transactions passed to it. You can't do that with a magnetic strip.
e: yeah that's pretty much how EMVs work.
-
I remember my father actually had a card with a chip for some time in the early '90s. He was annoyed when it went away because the crypto did too.
I'd imagine the simple reason we took so long is because money, i.e. no one wanted to pay to update all of their card-reading equipment.
Pretty much. Only when the fraud cut too high into the profits did things change.
And no, not a single cashier in the history of EVER has asked to compare signatures. Hell I haven't even signed any of my cards since the very first one.
I have a friend who was only ever asked about a signature when he drew a penis for one.
Breasts and butts were okay, though.
-
It's just chip. There is no PIN involved, at least as it stands now. The new card they sent me can function either identically to 'normal' credit cards with the swipe, or insert it into the machine, sign the pad, and take it out. That's why I said insert instead of swipe.
I'm supposed to be getting one of these things on my next card(s) as well. Seriously debating taking a razor to it to try and disable/kill the pad. If I was interested in something like this, I'd be using the NFC function on my phone with Google Wallet.
And no, not a single cashier in the history of EVER has asked to compare signatures. Hell I haven't even signed any of my cards since the very first one.
I rarely have cashiers ask to check mine, even tho I have written in caps next to my signature *CHECK ID*.
Some of the reasons for this, I think:
- The cashier simply doesn't care
- There is a rule in the US that retailers don't have to get a signature/check for anything under $AMOUNT, which I think is around 25-30 (I don't recall the exact amount)
- Many people seem to be annoyed by being 'challenged' and 'delayed' by the check
Hell, even tho the rules allow a cashier to reject a card that doesn't have a signature, it seems a lot of them only care that something is there, and even then some cashiers don't even care that much. :blah:
-
It's just chip. There is no PIN involved, at least as it stands now. The new card they sent me can function either identically to 'normal' credit cards with the swipe, or insert it into the machine, sign the pad, and take it out. That's why I said insert instead of swipe.
I'm supposed to be getting one of these things on my next card(s) as well. Seriously debating taking a razor to it to try and disable/kill the pad. If I was interested in something like this, I'd be using the NFC function on my phone with Google Wallet.
why
what the hell is it about a ****ing microchip that terrifies you so deeply
-
Hell, even tho the rules allow a cashier to reject a card that doesn't have a signature, it seems a lot of them only care that something is there, and even then some cashiers don't even care that much. :blah:
As a cashier, it's not that we don't care, it's that while you may not be upset by it, there are people who will pitch fits and it's simply not worth the headache. Especially since we don't get to see what you wrote in the first place. The signature is more useful to your issuing company than it is to a POC purchase site.
-
what the hell is it about a ****ing microchip that terrifies you so deeply
Nothing about the chip itself 'terrifies' me.
The ability of the various corporations that are more concerned about short term cost savings when it comes to developing these things than actually providing decent to good security, that's what worries me.
I don't really trust the CC companies to put my best interests first. You can have it done quickly, cheaply, or correctly, pick two. History tends to show that the various companies will take quickly and cheaply over any other choice that has correctly as one of the two options.
As a cashier, it's not that we don't care, it's that while you may not be upset by it, there are people who will pitch fits and it's simply not worth the headache. Especially since we don't get to see what you wrote in the first place. The signature is more useful to your issuing company than it is to a POC purchase site.
I figured this was one of the reasons, thanks for validating that it's a current thing. I did retail for around 5+ years, and I remember that the number of people that were actually thankful that I paid attention to it was minuscule, most just rolled their eyes or acted like I was insulting them.
-
Signature on the card is there because, in the event that electronic devices fail, a retail chain may still accept a credit card as payment by using the card number and comparing the card holder's signature on paper against the signature that's on the card.
From what I know, we cannot accept a credit card whose written signature doesn't match to that on the signature on the card, nor can we accept a card from somebody who isn't the card owner.
...But then again I don't think many people bother with a bunch of that stuff. Identity fraud only happens in the movies, right? </sarcasm>
-
what the hell is it about a ****ing microchip that terrifies you so deeply
Nothing about the chip itself 'terrifies' me.
The ability of the various corporations that are more concerned about short term cost savings when it comes to developing these things than actually providing decent to good security, that's what worries me.
I don't really trust the CC companies to put my best interests first. You can have it done quickly, cheaply, or correctly, pick two. History tends to show that the various companies will take quickly and cheaply over any other choice that has correctly as one of the two options.
Then why trust them with your money at all? Why are you so keen on having your transactions done with an easily-skimmed magnetic strip and so violently opposed to using a far more secure chip?
-
what the hell is it about a ****ing microchip that terrifies you so deeply
Nothing about the chip itself 'terrifies' me.
The ability of the various corporations that are more concerned about short term cost savings when it comes to developing these things than actually providing decent to good security, that's what worries me.
I don't really trust the CC companies to put my best interests first. You can have it done quickly, cheaply, or correctly, pick two. History tends to show that the various companies will take quickly and cheaply over any other choice that has correctly as one of the two options.
Then why trust them with your money at all? Why are you so keen on having your transactions done with an easily-skimmed magnetic strip and so violently opposed to using a far more secure chip?
I think PH is trying to say the 'quickly and cheaply' option was the magnetic strip, which is now being (slowly, haltingly) replaced by a better option.
-
Then why trust them with your money at all? Why are you so keen on having your transactions done with an easily-skimmed magnetic strip and so violently opposed to using a far more secure chip?
I wouldn't say that I'm 'violently opposed' to them, but no, I don't fully trust them with my money.
I have a debit card, yes, it's a near necessity in the states, and I try to watch for readers that look 'odd'. I have notifications set up for any transactions that are submitted, no one has access to my account except for my employer for payroll deposits (didn't have too much of a choice on that one), and of the CC accounts I have, only two are 'activated'/signed and on my person when I am out doing things. They do not leave my sight.
I fully admit that it may seem paranoid. Heck, my refusal to allow auto-withdrawal from my account(s) has seemingly broken a few brains along the way. But thus far, I have not had my ID stolen or any unauthorized attempts on my accounts, unlike my mother who has had it happen at least twice.
I also remember when Bluetooth first came out, and how a lot of proof of concepts were shown 'in the wild' allowing for eavesdropping and such, well past the specified range and what most people thought was possible. If it uses RF...
It's also basic computer security. If you don't have a need for it, turn it off/disable it.
I think PH is trying to say the 'quickly and cheaply' option was the magnetic strip, which is now being (slowly, haltingly) replaced by a better option.
Oh, I get that. I just have little faith that the companies will implement said chip in a way that will make it a better/safer option.
-
This isn't new, untested technology or anything, it's been the standard for up to a decade in other countries and it's passed the test of time. Can you not even see why it's in your interest, as a security-conscious consumer, to use a payment method that can't be skimmed?
-
But what stops it from being skimmed? Just the fact that there aren't easily obtained devices to do it yet? What stops someone from creating a reader that reads the exact same info as the payment processor and copying it to be loaded onto another chip?
-
There's already devices that swipe card info without you knowing it. I'm not sure if it swipes from the mag strip or from certain chips.
-
But what stops it from being skimmed?
I don't actually know how EMVs work but you could make an unskimmable bank card quite easily by putting a cryptographic key on the chip and having it sign any transactions passed to it. You can't do that with a magnetic strip.
e: yeah that's pretty much how EMVs work.
-
This isn't new, untested technology or anything, it's been the standard for up to a decade in other countries and it's passed the test of time. Can you not even see why it's in your interest, as a security-conscious consumer, to use a payment method that can't be skimmed?
You seem to misunderstand.
I'm not against it, full stop, I just don't trust it... yet.
Yes, it may be a tried and tested technology... in your area of the world. I don't trust the companies here in the US not to unintentionally weaken or otherwise compromise its security in an effort to save a half cent per card.
But what stops it from being skimmed? Just the fact that there aren't easily obtained devices to do it yet? What stops someone from creating a reader that reads the exact same info as the payment processor and copying it to be loaded onto another chip?
This exactly.
There is no shortage of info online showing how to build and use long distance RFID and Bluetooth sniffers, and more than ample examples of companies using the bare minimum or ineffective encryption (WEP anyone?), either due to negligence or cost savings (hey, crypto experts are not cheap, nor is the hardware on a large scale rollout when dealing with better encryption).
This is why I'm considering disabling the chip on mine when it arrives, I do not trust the various companies to 'get it right' on the first try.
-
But what stops it from being skimmed? Just the fact that there aren't easily obtained devices to do it yet? What stops someone from creating a reader that reads the exact same info as the payment processor and copying it to be loaded onto another chip?
The reader never sees the credentials on the chip, it just gives the chip a description of a transaction; the chip then signs that using cryptomagic and sends the reader an authenticated transaction to send to the payment processor. You'd have to dissect the chip to be able to copy it.
EMV chips don't use RFID at all so would you please stop bringing it up, rev?
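-
Added example, not part of the original thread: a simplified Python model of the mechanism described in the post above, where a magnetic stripe hands over the same static data on every read while a chip only returns a per-transaction code computed with a key that stays on the card. HMAC-SHA256 stands in for the card's real cryptography, and every name and value here (`ChipCard`, `Issuer`, the card number, the track data) is constructed for illustration.

```python
import hashlib
import hmac
import secrets


class MagStripe:
    """Static data: every swipe gives the reader the same bytes."""
    def __init__(self, track: bytes):
        self.track = track

    def swipe(self) -> bytes:
        return self.track


def _mac(key: bytes, pan: str, amount_cents: int, nonce_hex: str, atc: int) -> str:
    # Bind the code to this card, this amount, this terminal nonce, this counter.
    msg = f"{pan}|{amount_cents}|{nonce_hex}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """Keeps a secret key and a counter; only ever outputs a MAC made with them."""
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key   # no method returns this
        self._atc = 0     # transaction counter, incremented on every use

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self._atc += 1
        nonce_hex = terminal_nonce.hex()
        return {"pan": self.pan, "amount_cents": amount_cents,
                "nonce": nonce_hex, "atc": self._atc,
                "cryptogram": _mac(self._key, self.pan, amount_cents,
                                   nonce_hex, self._atc)}


class Issuer:
    """Shares each card's key and remembers the highest counter it has seen."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last_atc[pan] = key, 0

    def verify(self, tx: dict) -> str:
        key = self._keys.get(tx["pan"])
        if key is None:
            return "rejected: unknown card"
        expected = _mac(key, tx["pan"], tx["amount_cents"], tx["nonce"], tx["atc"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "rejected: bad cryptogram"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "rejected: counter replayed"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "approved"


def run_demo() -> dict:
    pan, key = "PAN-CONSTRUCTED-0001", secrets.token_bytes(32)
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key)
    stripe = MagStripe(b"constructed-track-data")
    copy = MagStripe(stripe.swipe())              # what a stripe reader captures
    tx = card.authorize(1999, secrets.token_bytes(4))
    return {"stripe_copy_identical": copy.swipe() == stripe.swipe(),
            "first": issuer.verify(tx),
            "replay": issuer.verify(dict(tx)),    # same recorded message again
            "altered": issuer.verify({**tx, "amount_cents": 99999}),
            "next": issuer.verify(card.authorize(500, secrets.token_bytes(4)))}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```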
-
EMV chips don't use RFID at all so would you please stop bringing it up, rev?
You sure about that? Might want to double check...
Banking card reader NFC (EMV)
https://play.google.com/store/apps/details?id=com.github.devnied.emvnfccard
EMV Decoder
https://play.google.com/store/apps/details?id=cz.valda.EMVDecoder
Smart Cards EMV Tags List
https://play.google.com/store/apps/details?id=ru.rodin.denis.emvtags
Smart Card Toolkit
https://play.google.com/store/apps/details?id=sasc.android.smartcard
How does NFC mobile payments relate to EMV?
"With the anticipated growth in the use of Near Field Communication (NFC)-enabled mobile devices for mobile contactless payments and other mobile applications (such as coupons and loyalty), EMVCo has been active in defining the architecture, specifications, requirements and type approval processes for supporting EMV mobile contactless payments. This effort has been critical in supporting the launch of NFC mobile contactless payment in Europe, which uses an EMV-based payments infrastructure."
http://www.emv-connection.com/emv-faq/#q18
8 FAQs about EMV credit cards
"3. Is card dipping the only option?
Not necessarily. EMV cards can also support contactless card reading, also known as near field communication."
http://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php
No, it's not standard across the board, but it's available.
And for full disclosure, my current PayPal card (that I don't use out in the Big Blue Room) has a chip but doesn't support NFC, which I did test last night.
-
OK, let me correct myself: EMV doesn't generally include RFID. Unless your card supports contactless payments you don't need to worry about RFID skimming, so your plan to destroy your card's EMV chip is still counterproductive cargo-cult security. And I really don't get why you think this is a new, untested technology. In other parts of the world it's been standard for years and has proven itself secure.
-
OK, let me correct myself: EMV doesn't generally include RFID. Unless your card supports contactless payments you don't need to worry about RFID skimming, so your plan to destroy your card's EMV chip is still counterproductive cargo-cult security. And I really don't get why you think this is a new, untested technology. In other parts of the world it's been standard for years and has proven itself secure.
You seem to not be fully comprehending my posts. To reiterate:
Yes, it may be a tried and tested technology... in your area of the world. I don't trust the companies here in the US not to unintentionally weaken or otherwise compromise its security in an effort to save a half cent per card.
As the spec does seem to give options on how it's implemented, it remains to be seen if the companies here won't 'go cheap' and break its security.
I do admit that I originally thought that it was all done by NFC, which thanks to your comment, I now understand that it's an option, not 'baked in', which does change my viewpoint somewhat for non-RFID cards.
However, my points still stand, companies in the states are infamous for cutting corners in the name of saving fractions of a cent in regards to virtually everything, and since large portions of the US populace appear to be willing to give up things such as security measures in the name of convenience, I have little faith that said companies won't do the same for the 'smart card' roll-out.
Remember, the CC companies don't generally lose money in regards to fraud here, the retailer who accepted the fraudulent transaction (online or otherwise), or the card holder, is the one stuck with the bill, making the CC company even less worried about investing in the 'proper' security measures to prevent fraud. What's a few hundred people getting screwed over in the grand scheme of things?
Until the roll-out is done and proven that it wasn't screwed over by some bean counter wanting to save money by opting for the minimum necessary, I'm not going to fully trust it.
I do hope I'm wrong as card fraud is a rather large problem on this side of the pond, and I'd love to not have to watch my accounts like a hawk for attempts of using my accounts fraudulently.
-
Even if the implementation is flawed it can't possibly be any less secure than a magnetic strip.
-
Even if the implementation is flawed it can't possibly be any less secure than a magnetic strip.
Matter of opinion. But we will see once the roll-out is 'done' and becomes common on this side of the pond.
It's the small mom and pop shops that will probably be the last to get the new terminals due to the cost.
-
I think you grossly underestimate the amount of money that passes hands in even the smallest business.
-
Even if the implementation is flawed it can't possibly be any less secure than a magnetic strip.
Matter of opinion. But we will see once the roll-out is 'done' and becomes common on this side of the pond.
No, it's not a 'matter of opinion'. Magnetic strips expose all your card's credentials whenever you make a transaction. This is the worst case failure state of an EMV chip. You have nothing to lose by using the chip no matter how badly it's implemented, and stand to gain a lot of security if it's implemented well.
-
I think you grossly underestimate the amount of money that passes hands in even the smallest business.
I very well could be. But after seeing many small shops with hand written signs asking to use cash or debit over credit because of the costs associated with those transactions, or using the really old terminals that have a modem built-in that dials out to the transaction processor, I don't think I'm that far off the mark.
No, it's not a 'matter of opinion'. Magnetic strips expose all your card's credentials whenever you make a transaction. This is the worst case failure state of an EMV chip. You have nothing to lose by using the chip no matter how badly it's implemented, and stand to gain a lot of security if it's implemented well.
Emphasis added as that is my entire point. If it's done right, yes it will. If it's not, it remains to be seen how much extra security it will add.
By its nature and design, yes, it is a much more secure way to handle transactions. However, I've seen too many 'good/secure' standards broken by someone trying to save money during the roll-out to believe that someone won't cut a corner somewhere and inadvertently compromise it.
Then again, part of my day job is to be paranoid about this kind of stuff, so there is that. :p
-
I think you grossly underestimate the amount of money that passes hands in even the smallest business.
I very well could be. But after seeing many small shops with hand written signs asking to use cash or debit over credit because of the costs associated with those transactions, or using the really old terminals that have a modem built-in that dials out to the transaction processor, I don't think I'm that far off the mark.
Yeah, a lot of money might pass hands, but the amount of profit left at the end of the year to re-invest in the business after payroll, taxes, etc. might surprise you the other way...
-
No, it's not a 'matter of opinion'. Magnetic strips expose all your card's credentials whenever you make a transaction. This is the worst case failure state of an EMV chip. You have nothing to lose by using the chip no matter how badly it's implemented, and stand to gain a lot of security if it's implemented well.
Emphasis added as that is my entire point. If it's done right, yes it will. If it's not, it remains to be seen how much extra security it will add.
By its nature and design, yes, it is a much more secure way to handle transactions. However, I've seen too many 'good/secure' standards broken by someone trying to save money during the roll-out to believe that someone won't cut a corner somewhere and inadvertently compromise it.
Okay, but even a "compromised" EMV chip is basically equivalent to a magnetic strip, so what do you have to lose, exactly...?
-
By its nature and design, yes, it is a much more secure way to handle transactions. However, I've seen too many 'good/secure' standards broken by someone trying to save money during the roll-out to believe that someone won't cut a corner somewhere and inadvertently compromise it.
Okay, but even a "compromised" EMV chip is basically equivalent to a magnetic strip, so what do you have to lose, exactly...?
Um, nothing? Not sure what your point is as I already said that my viewpoint on the cards has changed a bit (i.e. not planning on disabling mine when it arrives) already since finding out that the no contact cards is an option, not baked in.
I also did a bit more reading on it and it does appear to be a much better system than what we have now, with the public key and encryption built into the spec.
Still doesn't change my viewpoint that I'm not going to jump right in and start singing its praises until the roll-out here in the states is in progress and shown that the various companies over here are actually following the best practices and not cutting corners.