
Is your chip card secure? Much depends on where you bank - MindGods
https://krebsonsecurity.com/2020/07/is-your-chip-card-secure-much-depends-on-where-you-bank/
======
Nursie
So this effectively lets you use chip data to recreate a magnetic stripe,
which passes validation when the banks don't check against the right CVV.

Yeah, not great. OTOH I worked on an early EMV implementation almost 20 years
ago now, and it was obvious even then that mag stripe was a huge security
problem. I'm amazed we're _still_ talking about mag stripes and issuing cards
with them in 2020.

They should have been retired over a decade ago.

~~~
Mandatum
They _were_ retired over a decade ago (in all main use-cases except where
connectivity goes down - magstripe is the backup, but thoroughly validated
option).. except in the US where there's this idea that implementing chip &
pin is a barrier for sales and hurt small business because "upgrading the
terminal is expensive" (no it's not - if you can't account for $150 every 10
years on taking payment, you shouldn't be in business - or just use cash).

My guess is lobbying by insurance and reinsurance drove most of that
conversation, because the only downside I've seen from chip & pin
implementation is that you have to touch the terminal. Paywave and contactless
are now mainstream, so this is a non-issue.

~~~
reaperducer
_upgrading the terminal is expensive_

It's not the terminal upgrade that's the barrier. At many businesses, if you
upgrade the terminal you also have to replace the point-of-sale system. Then
you have to integrate it with your existing backend sales system, fulfillment
system, inventory system, and more. And you're lucky if all of that can then
be integrated into your accounting system. Then you have to retrain all of the
people who will ever touch any part of the entire process.

You see it as upgrading the terminal because that's all you see. But that is
the very small tip of a very large iceberg.

~~~
ulfw
Weird how the whole globe managed that, from small city states over third
world nations to old established countries. And yet...

~~~
knolax
A lot of the third world leapfrogged to mobile payments and never had
widespread credit card adoption. So it's more like 4% of the world hasn't done
a thing the 10% of the world that HN perceives as "rest of the world" has
done.

~~~
Mandatum
Yeah, no. Europe and Asia-Pacific all adopted chip and pin just fine (minus
China).

~~~
knolax
> Europe and Asia Pacific (minus the majority of Asia Pacific),

so 4% of the world hasn't done something ~15% of the world has done in a
situation that isn't even relevant to at least 18% of the world.

~~~
Mandatum
There was literally nothing stopping the US from following suit apart from
culture and lobbying. You're the richest country in the world, it'd be a
rounding error.

~~~
knolax
Other commenters have given plenty of reasons. I never understand the
obsession Europeans have with getting other parts of the world to be identical
to them. Worst part is when we do adopt your practices you start whining about
how we copied you.

------
the_mitsuhiko
I will never understand why magstripe is still used in the US. Even after EMV
became “mandatory” there are still magstripe transactions happening and when
you are presented sith a chip reader it’s slow and awkward. Why is it such an
inferior experience compared to Europe?

~~~
abrowne
My understanding for part of it is that magstip readers were much more common
in the US, and businesses (a) didn't want to pay to upgrade all their
terminals and (b) don't want to turn away a purchase because a customer
doesn't have a chip or the chip isn't working.

~~~
lsllc
That may have been the case, but pretty much everywhere I go stores have newer
EMV capable terminals (e.g Ingenico etc). The only place I really use mag
swipe now is a gas station pump (who have no excuse not to switch to
contactless EMV).

You'd think with COVID-19, there'd be a rush to move to contactless payments.

~~~
blahyawnblah
Lots of gas stations do use the chip, but it's the same process of inserting
the card.

~~~
lsllc
In New England, I've never seen anything other than a magstripe insert-remove
type reader in a gas pump (although I think some do contactless EMV).

FWIW, At least in MA, it's rare to see a gas pump older than 10 years -- I
think due to both Federal and MA State UST laws that require fairly recent
(e.g. 2019) minimum standards such as double walled, properly cathodized, leak
detecting tanks along with subsidies for tank replacement that have resulted
in pretty much every gas station around here being totally renovated in the
past 5 years or so.

[https://www.mass.gov/guides/massdep-underground-storage-
tank...](https://www.mass.gov/guides/massdep-underground-storage-tank-ust-
program)

------
castratikron
Guessing Visa can "fix" this problem in the same way they fix the fallback to
magstripe: make the vendor pay a fee for noncompliance.

[https://www.cardfellow.com/blog/emv-fallback-fees-
definition...](https://www.cardfellow.com/blog/emv-fallback-fees-definitions/)

~~~
aerostable_slug
They absolutely could, but I was told by folks there that the merchants were
pushing back extremely heavily, hence the moving deadline to get rid of
stripes.

They were pretty clear that gas pump readers were the biggest issue, as
customers dislike centralized outdoor readers or having to go into the
establishment, stand in line, and use their counter POS system.

------
lmilcin
Hi. I have worked for one of the acquirers (card acceptors) for couple of
years, designing and implementing credit card terminals and security
infrastructure. I was also security officer.

Basically, credit cards can be very secure. But it also costs. Banks do simple
cost/benefit decisions and may in many cases significantly lag behind in
technology for various reasons. They get away with this because consumers have
absolutely no idea how cards differ and what the options are.

~~~
rblatz
But also banks take on all the liability for misuse. Customers aren’t liable
for fraudulent charges, that’s why America has lagged behind Europe on rolling
out chip cards, customers don’t demand it because they don’t pay the price for
card fraud.

~~~
hocuspocus
European customers aren't liable for fraudulent charges either, I don't really
understand your logic here.

Everyone pays the price of fraud and it's probably one major reason that
explains high interchange fees in the US.

~~~
tialaramex
No, US interchange fees pay for "reward" cards. You charge everybody 5% extra,
you give Karen 5% cashback, she thinks you're "rewarding" her and everybody
else get screwed, the payment network keeps the difference.

The EU caps the interchange fee, does that mean the networks exit the business
because they can't make money? No. Does it mean they've eliminated fraud? No.
But it does mean they can't pay Karen 5% "reward" so they don't. There aren't
any cards like that in Europe. For everybody else it makes the system cheaper.

~~~
quickthrowman
I can assure you they use part of the interchange fee to cover fraudulent
transactions or they offload the risk via insurance covering fraudulent
transactions. There’s no way the issuing banks or Visa/MC just eat the fraud
charges, we all pay for it.

Yes, rewards cards are paid for with interchange fees, but that doesn’t mean
that’s the only thing they pay for. Most people pay more interest than they
earn in fees per year anyways _shrug_

------
bryanthompson
On this topic, if anyone can point me toward a US-based issuer where I can
open an account and get a card that supports credit pin (not pin for cash
advance on a credit card), I'll happily venmo you a pizza or something. The
issuers I have spoken to[1] all tell me it is impossible to get such a card in
the US, which seems ridiculous.

[1]: [https://wallethub.com/credit-cards/chip-and-
pin/](https://wallethub.com/credit-cards/chip-and-pin/) I discussed each of
the cards noted here with the issuers, not one is actually chip+pin credit.

~~~
lotsofpulp
I have inquired about this also and found no solution. If I use my US based
credit cards abroad where chip and pin is the norm, I end up getting asked to
sign a printed receipt.

I imagine the card networks just don’t want to spend money to change the
infrastructure to support chip and pin because the merchant pays for most the
losses in the US?

~~~
xenospn
Had many arguments with cashiers in Europe who refused to let me sign receipts
and insisted I just enter a pin.

~~~
bryanthompson
Also interesting how there are such specific requirements at grocery stories.
None of my US-based cards could be used in several grocery stores in the
Netherlands. When the cashier looked at my cards, they immediately knew it was
because I didn't support whatever networks they expect.

~~~
thesimon
Maestro or VPay they expected, the european old-school debit brands.

------
tzs
OK, so if I grasp this, the problem is that an EMV skimmer gets the card
number and an iCVV. The bad guys make a stripe card with that number and the
iCVV.

That should not work because banks are supposed to look for the iCVV only on
dipped transactions, and look for the CVV on swiped transactions (and the CSC
for online/telephone transactions).

Some banks apparently left out the logic of matching the type of code to the
transaction method, and so using iCVV in place of CVV works for them.

Even if all banks got this right, though, it seems to me you could still get
fraud. The CVV is only three digits. Once you've got the card number just make
a stripe card and guess the CVV. If it fails, try another CVV. As long as you
don't do too many guesses too close together and cause the bank to lock out
the card, you should eventually find the right CVV.

Even if the bank is very trigger happy on fraud lockouts, if your skimmers got
several thousand card numbers you are going to have many CVV guesses turn out
to be right the first time.

Instead of the stripe on cards that have both EMV and stripe being just a copy
of the same card that is in the EMV side of things, shouldn't they be
separate? The issuing bank should issue two logical cards for the underlying
account, with one being EMV only and one being stripe/online only.

~~~
kergonath
I would hope that a card would be flagged as suspicious before a hundred
tries. They’d still could get some transactions through, but that would cut
the success rate by a couple of orders of magnitude compared to just hoping
that the bank won’t check.

What really needs to be done is letting go of the magnetic stripe.

------
Deathmax
A Monzo engineer describes nonconformance with specs which might lead some
card issuers to be more liberal with what they accept:
[https://twitter.com/erincandescent/status/128153445694436147...](https://twitter.com/erincandescent/status/1281534456944361472)

~~~
Fiveplus
That was interesting, thanks for sharing it here.

------
donarb
I use my chipped card frequently when going to the grocery store. Pretty much
20% of the time, it won't read the chip, reporting "Chip Malfunction". Even
wiping any sort of gunk off the chip contacts doesn't fix it. So you have to
go through 3 failed read cycles before it will let you use the mag strip on
the back.

Going back to the store a few days later and the same machine will work, I
wonder how often the machine's readers are cleaned.

~~~
meragrin_
A cashier gave me a tip once. Try pushing on the face of the card so the chip
end is levered up against the machine tighter. It seems like there is
something wrong with the contacts in the reader and do not make appropriate
contact with the chip.

------
im3w1l
What if you sidestepped all the chip cleverness and just put cameras to
capture the name, CC number, expiration and 3 digits? You'd still need a
billing address I guess, but you might be able to get that by looking up the
name and disambiguating using the location of the terminal.

~~~
ceejayoz
> What if you sidestepped all the chip cleverness and just put cameras to
> capture the name, CC number, expiration and 3 digits?

Apple Cards have just the name on them, which is a nice step in the right
direction. (No contactless, though, which is weird.)

~~~
Nursie
Why would you need it, you've got an iPhone right?

(semi serious here - I'm sure they want you to use Apple Pay)

~~~
SomeHacker44
There is a little thing called COVID. All my main payment cards are
contactless now. I am not an Apple card customer.

~~~
Nursie
Sure, but if you have an Apple card you're going to have an Apple phone, most
probably, and that can do the contactless bit for you. Not sure if apple cards
and android phones work, but android-pay is the other option for most cards.

Both are more secure than using the card directly with contactless - you have
verified to your phone that it is you using it, by logging in with face ID,
touch ID, passcode, PIN, whatever. It's a form of cardholder verification that
is missing when you use the card.

That was my (slightly snarky) point - you don't need contactless on the card
when you have a smart device that does it better.

------
toolslive
Hold on. PIN is not secure either. With the card reader, you can verify the
pin locally: You don't need anything but the card and a card reader. No
internet, no nothing.

Since the verification can be done on the client side entirely it's subject to
hacking. You can freeze the chip, slowing it down so you can actually see it
run under a microscope. You can make it read-only (so the pin miss is not
recorded on the chip, aso aso).

There are recorded cases where the card also held a digital wallet and
students made it read only so they had an infinite wallet for small expenses
...

~~~
imtringued
Most credit card fraud happens by cloning an existing card because the victim
will stay unaware of the crime. If you physically steal a card it will be
frozen by its owner who will also pay close attention to suspicious
transactions.

------
samblogs
Does anyone have a good detailed article on the crypto behind iCVV/dynamic
CVV? This article summarizes how it works, but I haven't found a good detailed
article after much googling

~~~
bob1029
I found this from a public FirstData document:

"Codes written on the track with equivalent data stored on the chip to prevent
fraud. All chip cards are issued with the card security code on the track data
stored on the magnetic stripe and chip card security code stored on the chip.
Calculated with the same DES key but with a ‘999’ service code"

[https://www.firstdata.com/downloads/marketing-
merchant/EMV-A...](https://www.firstdata.com/downloads/marketing-merchant/EMV-
A-toZ.pdf)

------
homero
Hard to read this site when it's not responsive and the one time I want chrome
to offer reader mode, it doesn't.

------
afrcnc
Can we link to the actual research instead of this people-doxing clown's
article?

Source: [https://geminiadvisory.io/cybercriminals-deploy-emv-
bypass-c...](https://geminiadvisory.io/cybercriminals-deploy-emv-bypass-
cloning/)

