Topic: Is This Right?

Offline z64555

There are already devices that swipe card info without you knowing it. I'm not sure if it swipes from the mag strip or from certain chips.
Secure the Source, Contain the Code, Protect the Project
chief1983

------------
funtapaz: Hunchon University biologists prove mankind is evolving to new, higher form of life, known as Homopithecus Juche.
z64555: s/J/Do
BotenAlfred: <funtapaz> Hunchon University biologists prove mankind is evolving to new, higher form of life, known as Homopithecus Douche.

 

Offline AdmiralRalwood

Quote
But what stops it from being skimmed?
I don't actually know how EMVs work but you could make an unskimmable bank card quite easily by putting a cryptographic key on the chip and having it sign any transactions passed to it. You can't do that with a magnetic strip.

e: yeah that's pretty much how EMVs work.
Ph'nglui mglw'nafh Codethulhu GitHub wgah'nagl fhtagn.

schrödinbug (noun) - a bug that manifests itself in running software after a programmer notices that the code should never have worked in the first place.

When you gaze long into BMPMAN, BMPMAN also gazes into you.

"I am one of the best FREDders on Earth" -General Battuta

<Aesaar> literary criticism is vladimir putin

<MageKing17> "There's probably a reason the code is the way it is" is a very dangerous line of thought. :P
<MageKing17> Because the "reason" often turns out to be "nobody noticed it was wrong".
(the very next day)
<MageKing17> this ****ing code did it to me again
<MageKing17> "That doesn't really make sense to me, but I'll assume it was being done for a reason."
<MageKing17> **** ME
<MageKing17> THE REASON IS PEOPLE ARE STUPID
<MageKing17> ESPECIALLY ME

<MageKing17> God damn, I do not understand how this is breaking.
<MageKing17> Everything points to "this should work fine", and yet it's clearly not working.
<MjnMixael> 2 hours later... "God damn, how did this ever work at all?!"
(...)
<MageKing17> so
<MageKing17> more than two hours
<MageKing17> but once again we have reached the inevitable conclusion
<MageKing17> How did this code ever work in the first place!?

<@The_E> Welcome to OpenGL, where standards compliance is optional, and error reporting inconsistent

<MageKing17> It was all working perfectly until I actually tried it on an actual mission.

<IronWorks> I am useful for FSO stuff again. This is a red-letter day!
* z64555 erases "Thursday" and rewrites it in red ink

<MageKing17> TIL the entire homing code is held up by shoestrings and duct tape, basically.

 

Offline rev_posix

Quote
This isn't new, untested technology or anything, it's been the standard for up to a decade in other countries and it's passed the test of time. Can you not even see why it's in your interest, as a security-conscious consumer, to use a payment method that can't be skimmed?
You seem to misunderstand.

I'm not against it, full stop, I just don't trust it... yet.

Yes, it may be a tried and tested technology... in your area of the world. I don't trust the companies here in the US not to unintentionally weaken or otherwise compromise its security in an effort to save a half cent per card.

Quote
But what stops it from being skimmed?  Just the fact that there aren't easily obtained devices to do it yet?  What stops someone from creating a reader that reads the exact same info as the payment processor and copying it to be loaded onto another chip?

This exactly.

There is no shortage of info online showing how to build and use long-distance RFID and Bluetooth sniffers, and more than ample examples of companies using the bare minimum or ineffective encryption (WEP, anyone?), either due to negligence or cost savings (here, crypto experts are not cheap, nor is the hardware on a large-scale rollout when dealing with better encryption).

This is why I'm considering disabling the chip on mine when it arrives, I do not trust the various companies to 'get it right' on the first try.
--
POSIX is fine, as is Rev or RP

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."

 
Quote
But what stops it from being skimmed?  Just the fact that there aren't easily obtained devices to do it yet?  What stops someone from creating a reader that reads the exact same info as the payment processor and copying it to be loaded onto another chip?

The reader never sees the credentials on the chip, it just gives the chip a description of a transaction; the chip then signs that using cryptomagic and sends the reader an authenticated transaction to send to the payment processor. You'd have to dissect the chip to be able to copy it.

EMV chips don't use RFID at all so would you please stop bringing it up, rev?
The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell.
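The post above (and AdmiralRalwood's earlier one about putting a key on the chip and having it sign transactions) describes a mechanism rather than showing it, so here is a constructed Python model of the difference, added as an illustration and not code from the thread or from any card vendor. A magstripe card hands every reader the same static credential, which therefore authorizes any later purchase; a chip card keeps its key and answers each request with a cryptogram over the transaction details, a terminal nonce and its own transaction counter, so a recorded answer is useless for a different purchase and is refused on replay. The HMAC-SHA256 is a stand-in for EMV's cryptogram (the real protocol uses issuer-derived 3DES keys, an Application Transaction Counter and, separately, RSA-based offline data authentication); the card number and key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values (not a real card, not a real key).
SAMPLE_TRACK2 = "4000000000000002=25121011000012345678"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    merchant: str


def cryptogram_input(tx, unpredictable_number, atc):
    """Canonical bytes both card and issuer MAC over: what is being bought,
    the terminal's nonce and the card's transaction counter."""
    return f"{tx.amount_cents}|{tx.merchant}|{unpredictable_number.hex()}|{atc}".encode()


class MagStripeCard:
    """Static credential: every reader (and any skimmer on it) sees all of it."""
    def __init__(self, track2):
        self.track2 = track2

    def swipe(self):
        return self.track2


class ChipCard:
    """The key never leaves the card; each request gets a fresh MAC."""
    def __init__(self, key):
        self._key = key
        self.atc = 0  # Application Transaction Counter, incremented per use

    def generate_cryptogram(self, tx, unpredictable_number):
        self.atc += 1
        mac = hmac.new(self._key, cryptogram_input(tx, unpredictable_number, self.atc),
                       hashlib.sha256).digest()
        return self.atc, mac


class Issuer:
    """Holds the same card key (shared at personalisation) and checks requests."""
    def __init__(self, card_key, track2):
        self._card_key = card_key
        self._track2 = track2
        self.last_atc = 0

    def authorize_swipe(self, track2, tx):
        # Nothing binds the static credential to this purchase: any copy works.
        return hmac.compare_digest(track2, self._track2)

    def authorize_chip(self, tx, unpredictable_number, atc, cryptogram):
        if atc <= self.last_atc:          # counter must advance: blocks replay
            return False
        expected = hmac.new(self._card_key, cryptogram_input(tx, unpredictable_number, atc),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False                   # cryptogram was not made for this purchase
        self.last_atc = atc
        return True


def chip_terminal(card, tx):
    """Everything a reader (or a skimmer wired into it) can observe for one purchase."""
    unpredictable_number = secrets.token_bytes(4)
    atc, mac = card.generate_cryptogram(tx, unpredictable_number)
    return {"tx": tx, "un": unpredictable_number, "atc": atc, "mac": mac}


def magstripe_scenario():
    card, issuer = MagStripeCard(SAMPLE_TRACK2), Issuer(CARD_KEY, SAMPLE_TRACK2)
    captured = card.swipe()                                   # skimmer records this
    genuine = issuer.authorize_swipe(captured, Transaction(1999, "coffee shop"))
    forged = issuer.authorize_swipe(captured, Transaction(89900, "electronics store"))
    return {"genuine": genuine, "skimmed_new_purchase": forged}


def chip_scenario():
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY, SAMPLE_TRACK2)
    seen = chip_terminal(card, Transaction(1999, "coffee shop"))   # skimmer records this
    genuine = issuer.authorize_chip(seen["tx"], seen["un"], seen["atc"], seen["mac"])
    # Reuse the captured cryptogram for a different purchase: the MAC no longer matches.
    forged = issuer.authorize_chip(Transaction(89900, "electronics store"),
                                   seen["un"], seen["atc"] + 1, seen["mac"])
    # Replay the identical message: the counter has not advanced, so it is refused.
    replay = issuer.authorize_chip(seen["tx"], seen["un"], seen["atc"], seen["mac"])
    # The real card keeps working afterwards.
    later = chip_terminal(card, Transaction(500, "newsstand"))
    later_ok = issuer.authorize_chip(later["tx"], later["un"], later["atc"], later["mac"])
    return {"genuine": genuine, "skimmed_new_purchase": forged,
            "exact_replay": replay, "later_genuine": later_ok}


if __name__ == "__main__":
    print("magstripe:", magstripe_scenario())
    print("chip:     ", chip_scenario())
```

The model also shows what "a flawed implementation is no worse than a stripe" means in practice: the worst an eavesdropping reader gets from the chip path is one cryptogram that the issuer will accept exactly once, whereas the stripe path leaks a credential that works for every purchase until the card is reissued.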

 

Offline rev_posix

Quote
EMV chips don't use RFID at all so would you please stop bringing it up, rev?

You sure about that?  Might want to double check...

Banking card reader NFC (EMV)
https://play.google.com/store/apps/details?id=com.github.devnied.emvnfccard

EMV Decoder
https://play.google.com/store/apps/details?id=cz.valda.EMVDecoder

Smart Cards EMV Tags List
https://play.google.com/store/apps/details?id=ru.rodin.denis.emvtags

Smart Card Toolkit
https://play.google.com/store/apps/details?id=sasc.android.smartcard

How does NFC mobile payments relate to EMV?
"With the anticipated growth in the use of Near Field Communication (NFC)-enabled mobile devices for mobile contactless payments and other mobile applications (such as coupons and loyalty), EMVCo has been active in defining the architecture, specifications, requirements and type approval processes for supporting EMV mobile contactless payments. This effort has been critical in supporting the launch of NFC mobile contactless payment in Europe, which uses an EMV-based payments infrastructure."
http://www.emv-connection.com/emv-faq/#q18

8 FAQs about EMV credit cards
"3. Is card dipping the only option?

Not necessarily. EMV cards can also support contactless card reading, also known as near field communication."
http://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php

No, it's not standard across the board, but it's available.

And for full disclosure, my current PayPal card (which I don't use out in the Big Blue Room) has a chip but doesn't support NFC, which I did test last night.
« Last Edit: October 13, 2015, 06:02:10 pm by rev_posix »

 
OK, let me correct myself: EMV doesn't generally include RFID. Unless your card supports contactless payments you don't need to worry about RFID skimming, so your plan to destroy your card's EMV chip is still counterproductive cargo-cult security. And I really don't get why you think this is a new, untested technology. In other parts of the world it's been standard for years and has proven itself secure.

Offline rev_posix

Quote
OK, let me correct myself: EMV doesn't generally include RFID. Unless your card supports contactless payments you don't need to worry about RFID skimming, so your plan to destroy your card's EMV chip is still counterproductive cargo-cult security. And I really don't get why you think this is a new, untested technology. In other parts of the world it's been standard for years and has proven itself secure.
You seem to not be fully comprehending my posts.  To reiterate:

Quote
Yes, it may be a tried and tested technology... in your area of the world. I don't trust the companies here in the US not to unintentionally weaken or otherwise compromise its security in an effort to save a half cent per card.

As the spec does seem to give options on how it's implemented, it remains to be seen if the companies here won't 'go cheap' and break its security.

I do admit that I originally thought that it was all done by NFC, which, thanks to your comment, I now understand is an option, not 'baked in', which does change my viewpoint somewhat for non-RFID cards.

However, my points still stand: companies in the States are infamous for cutting corners in the name of saving fractions of a cent in regard to virtually everything, and since large portions of the US populace appear to be willing to give up things such as security measures in the name of convenience, I have little faith that said companies won't do the same for the 'smart card' roll-out.

Remember, the CC companies don't generally lose money in regard to fraud here; the retailer who accepted the fraudulent transaction (online or otherwise), or the card holder, is the one stuck with the bill, making the CC company even less worried about investing in the 'proper' security measures to prevent fraud. What's a few hundred people getting screwed over in the grand scheme of things?

Until the roll-out is done and proven that it wasn't screwed over by some bean counter wanting to save money by opting for the minimum necessary, I'm not going to fully trust it.

I do hope I'm wrong as card fraud is a rather large problem on this side of the pond, and I'd love to not have to watch my accounts like a hawk for attempts of using my accounts fraudulently.

 
Even if the implementation is flawed it can't possibly be any less secure than a magnetic strip.

Offline rev_posix

Quote
Even if the implementation is flawed it can't possibly be any less secure than a magnetic strip.
Matter of opinion.  But we will see once the roll-out is 'done' and becomes common on this side of the pond.

It's the small mom and pop shops that will probably be the last to get the new terminals due to the cost.

 

Offline Scotty

I think you grossly underestimate the amount of money that passes hands in even the smallest business.

 
Quote
Even if the implementation is flawed it can't possibly be any less secure than a magnetic strip.
Matter of opinion.  But we will see once the roll-out is 'done' and becomes common on this side of the pond.

No, it's not a 'matter of opinion'. Magnetic strips expose all your card's credentials whenever you make a transaction. This is the worst case failure state of an EMV chip. You have nothing to lose by using the chip no matter how badly it's implemented, and stand to gain a lot of security if it's implemented well.

Offline rev_posix

Quote
I think you grossly underestimate the amount of money that passes hands in even the smallest business.

I very well could be.  But after seeing many small shops with handwritten signs asking to use cash or debit over credit because of the costs associated with those transactions, or using the really old terminals that have a modem built in that dials out to the transaction processor, I don't think I'm that far off the mark.

Quote
No, it's not a 'matter of opinion'. Magnetic strips expose all your card's credentials whenever you make a transaction. This is the worst case failure state of an EMV chip. You have nothing to lose by using the chip no matter how badly it's implemented, and stand to gain a lot of security if it's implemented well.

Emphasis added as that is my entire point.  If it's done right, yes it will.  If it's not, it remains to be seen how much extra security it will add.

By its nature and design, yes, it is a much more secure way to handle transactions.  However, I've seen too many 'good/secure' standards broken by someone trying to save money during the roll-out to believe that someone won't cut a corner somewhere and inadvertently compromise it.

Then again, part of my day job is to be paranoid about this kind of stuff, so there is that.   :p

 

Offline jr2

Quote
I think you grossly underestimate the amount of money that passes hands in even the smallest business.

I very well could be.  But after seeing many small shops with handwritten signs asking to use cash or debit over credit because of the costs associated with those transactions, or using the really old terminals that have a modem built in that dials out to the transaction processor, I don't think I'm that far off the mark.

Yeah, a lot of money might pass hands, but the amount of profit left at the end of the year to re-invest in the business after payroll, taxes, etc. might surprise you the other way...

 

Offline AdmiralRalwood

Quote
No, it's not a 'matter of opinion'. Magnetic strips expose all your card's credentials whenever you make a transaction. This is the worst case failure state of an EMV chip. You have nothing to lose by using the chip no matter how badly it's implemented, and stand to gain a lot of security if it's implemented well.
Emphasis added as that is my entire point.  If it's done right, yes it will.  If it's not, it remains to be seen how much extra security it will add.

By its nature and design, yes, it is a much more secure way to handle transactions.  However, I've seen too many 'good/secure' standards broken by someone trying to save money during the roll-out to believe that someone won't cut a corner somewhere and inadvertently compromise it.
Okay, but even a "compromised" EMV chip is basically equivalent to a magnetic strip, so what do you have to lose, exactly...?

Offline rev_posix

Quote
By its nature and design, yes, it is a much more secure way to handle transactions.  However, I've seen too many 'good/secure' standards broken by someone trying to save money during the roll-out to believe that someone won't cut a corner somewhere and inadvertently compromise it.
Okay, but even a "compromised" EMV chip is basically equivalent to a magnetic strip, so what do you have to lose, exactly...?
Um, nothing?  Not sure what your point is, as I already said that my viewpoint on the cards has changed a bit (i.e. not planning on disabling mine when it arrives) since finding out that no-contact cards are an option, not baked in.

I also did a bit more reading on it and it does appear to be a much better system than what we have now, with the public key and encryption built into the spec.

Still doesn't change my viewpoint that I'm not going to jump right in and start singing its praises until the roll-out here in the States is in progress and has shown that the various companies over here are actually following the best practices and not cutting corners.