2017-01-01
If the answer is yes, secret keys that never leave the chip are used to sign each transaction and the signature is verified by the bank, I'm not sure how these "shimmers" would be useful, since the secret key would presumably not be compromised and so the shimmer may obtain some data identifying the card and transaction but not the ability to sign new transactions. If the answer is no, none of this is happening, then I'm not sure what the point of the switch was in the first place.
Maybe the answer is something in between? Banks suck, so they've implemented chip cards in a half-assed way with gaping security holes?
Also, more frequently than I would wish banks or payment processors ask payment terminal operators for a "simpler", meaning less secure, transaction protocol. Most often it's for compatibility with some legacy system from the 80's somewhere in their payment validation backend.
From my experience in the industry, this happened very rarely in Europe but considerably more often in the Americas and Middle East.
If the incoming transaction lists that the terminal is chip&pin capable, you'd simply automatically reject a magstripe transaction with a code that should result in the POS showing "please insert card in the chip reader";
If the incoming transaction lists that the terminal is not chip&pin capable, the merchant has chosen to be liable for all fraud cases themselves, so it can't cause a loss for you and your customers. It is an inconvenience, but as all the fraud in the country concentrates on the (fewer and fewer) merchants accepting these transactions, it causes an increasing financial pressure on them to switch.
Not all of it - the chip has a dynamic CVV that differs from the one on the magstripe. This only works if the bank isn't checking CVVs.
Only for countries like USA which have not completed the move from magnetic readers.
This is the problem. Some banks don't verify the signature/iCVV.
Funny as it may be, my debit card for some reason has a $500 (unmodifiable) limit on chip&pin purchases, but it has no such limit for swipe purchases. When I asked them how that is more secure, I got a verbal shoulder shrug.
Banks are in the business of underwriting. I believe at least on the corporate level they probably don't like the idea of fully secure, verifiable payments, because that would mean you don't need them anymore.
These devices read the data between the chip and the terminal. This would be fine, if payment processing consistently used iCVV/EMV, but it turns out they don't.
https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip...
“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,”
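As an added example (not code from this thread, from the Krebs article, or from any issuer), here is issuer-side authorization logic that performs the check the quote above describes, plus the terminal-capability handling from the earlier comments: a swipe of a chip card at a chip-capable terminal is refused with an "insert card" code, a swipe at a non-capable terminal is approved with the merchant liable, and a stripe built from data read off the chip is recognised because it carries the iCVV (derived with service code 999) rather than the stripe CVV. The issuer key, the card record and the HMAC stand-in for the real DES-based CVK derivation are assumptions; the weak `authorize_without_cvv_check` variant shows the failure mode the thread is complaining about.

```python
"""Issuer-side CVV/iCVV verification against chip-data replay on a magstripe.

Added example for this thread, not any bank's or the article's code.
derive_cvv() is a labelled stand-in for the issuer's real DES/CVK
computation; the key, PAN and card record below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer key; a real issuer keeps the CVK inside an HSM.
ISSUER_CVK = b"constructed-card-verification-key"

# Chip Track-2-equivalent data carries service code 999, so the iCVV
# differs from the CVV encoded on the physical stripe (typically 201/221).
ICVV_SERVICE_CODE = "999"

# Constructed issuer card file (test-range PAN, not a real account).
CARD_RECORDS = {
    "4000000000000002": {"expiry": "2512", "stripe_service_code": "201"},
}


def derive_cvv(pan: str, expiry: str, service_code: str) -> str:
    """Stand-in for the CVK derivation: MAC over PAN|expiry|service code, 3 digits."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    tag = hmac.new(ISSUER_CVK, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1000:03d}"


@dataclass
class AuthRequest:
    pan: str
    expiry: str
    service_code: str          # service code as presented in the track data
    cvv: str                   # CVV/iCVV as presented in the track data
    entry_mode: str            # "chip" or "magstripe"
    terminal_chip_capable: bool


def authorize(req: AuthRequest) -> tuple[str, str]:
    """Return (decision, reason) for one authorization request."""
    rec = CARD_RECORDS.get(req.pan)
    if rec is None or rec["expiry"] != req.expiry:
        return ("decline", "unknown_card")

    stripe_cvv = derive_cvv(req.pan, rec["expiry"], rec["stripe_service_code"])
    icvv = derive_cvv(req.pan, rec["expiry"], ICVV_SERVICE_CODE)
    card_is_chip = rec["stripe_service_code"][0] in "26"   # 2xx/6xx = chip present

    if req.entry_mode == "chip":
        # Chip path: iCVV must match (the ARQC cryptogram check is not shown here).
        if req.cvv == icvv:
            return ("approve", "chip_icvv_ok")
        return ("decline", "icvv_mismatch")

    # Magstripe path.
    if card_is_chip and req.terminal_chip_capable:
        # Chip card swiped at a chip-capable terminal: make it use the chip reader.
        return ("decline", "insert_card_in_chip_reader")
    if req.cvv == stripe_cvv and req.service_code == rec["stripe_service_code"]:
        # Genuine stripe; for a chip card at a non-capable terminal the merchant carries the fraud liability.
        return ("approve", "magstripe_ok_merchant_liable" if card_is_chip else "magstripe_ok")
    if req.cvv == icvv:
        # Track data was taken from the chip (iCVV present), then written to a stripe.
        return ("decline", "chip_data_replayed_on_stripe")
    return ("decline", "cvv_mismatch")


def authorize_without_cvv_check(req: AuthRequest) -> tuple[str, str]:
    """The issuer behaviour the thread describes: card exists, so approve."""
    rec = CARD_RECORDS.get(req.pan)
    if rec is None or rec["expiry"] != req.expiry:
        return ("decline", "unknown_card")
    return ("approve", "no_cvv_check")


if __name__ == "__main__":
    pan = "4000000000000002"
    shimmed = AuthRequest(pan, "2512", "999", derive_cvv(pan, "2512", "999"), "magstripe", False)
    print("checking issuer:", authorize(shimmed))
    print("non-checking issuer:", authorize_without_cvv_check(shimmed))
```

The stand-in MAC keeps the property that matters for the check: the value on the chip and the value on the stripe are derived from different inputs, so an issuer that recomputes the expected value for the entry mode it was told about will notice a chip-derived value arriving on a swipe. An issuer that only confirms the PAN and expiry exist, as in the second function, cannot tell the two apart.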
1) 'Two factor auth is on, you have to answer two security questions to access your account!'
2) 'Your password is limited to exactly 8 characters ... for security'
3) 'Oh, we now support SMS two factor auth' -- 4 months in, I've received 1 SMS challenge
4) 'You don't want a chip card, they are more hassle'
5) 'We allow systems like Mint to access your account when you have 2 factor auth on. No, you cannot opt out.'
Yeah, don't have the highest confidence that my bank(s) actually understand how to keep things safe.
Why would they do this? The assumption is that the thieves plan to use the chip data to create a fake magstripe card or make online purchases somewhere that the CVV is not checked. Not checking the CVV is a complete failure, and apparently for once it's not a US failure (unless the thieves are targeting tourists??).
So one possibility is that they're stealing magstripe data off the chips for cloning and use in the US banking system.
So shouldn't it be called a sLimmer?
