Hacker News new | past | comments | ask | show | jobs | submit login
Gas Pump Skimmers (sparkfun.com)
657 points by whalesalad on Sept 19, 2017 | hide | past | web | favorite | 335 comments

Chips aren't anymore secure, I can read the data off my card with a standard chip reader, and I have. The same data on the chip is on the mag strip.

Just because you are using the chip doesn't mean you are doing an EMV transaction. The unique transaction codes only happen with and EMV transaction, almost every time you dip your card it's a regular old card transaction, just as if you swiped the card. Why?

Getting EMV certified requires every part of the transaction chain to go through unified system testing, for each combination of hardware, software, card type, processor, issuing bank.

I've been eyeballs deep in this nonsense for the last year or so. We just can't justify the expense of getting EMV certified, so we just accept the chip and do a regular transaction.

As a consumer you have no way of knowing if your transaction is and EMV transaction or just a chip enabled regular transaction.

Hi! I have implement a complete payment terminal application with magstripe, chip and contactless capabilities.

I have also designed security protocols to keep the data and keys from the bad guys, including things like Key Injection Facility, loading and exchange protocols, etc.

These things (terminals, cards, HSMs) can be extremely safe. Not only there are protocols available that in my knowledge have never been breached but also the devices themselves are built in secure manner to prevent any physical attacks. The entire infrastructure can be made so that no single employee can get hold of any secret material.

The truth is, that there is a range of solutions and the secure ones cost. It costs to set them up and use correctly. It costs to produce chip card that can dynamically sign and encrypt the data. It is up to the issuer (bank) how much they pay for the security of their card and typically banks are not too eager to overpay. Rather, they take calculated risk.

Another problem is that North America is particularly behind in security standards. I remember, while working on this application (10 years ago) there was much more leniency for US users (issuers, acquirers) than the rest of the world.

Sorry I am probably ignorant here but, don't these guys just use mag stripe reader? They often just ask to see your credit card, lean down, swipe on their own device.

They aren't 'cracking' Key Injection Facility or messing with protocols. They just add a simple card reader? The reason they hit gas machines is the volume and most don't take chips (US).


Let's assume you swiped my card and now you have full contents of my credit card.

For the fraudster to receive any funds from my account they would have to go with that data somehow to my issuing bank and have their transaction request accepted.

My bank will never do this because my card is a secure one. They expect it to generate a signed document listing the details of my transaction along with the name (ID) of the merchant and terminal performing the transaction. The message also certifies that the PIN I entered was successfully verified by my card. The message can only be created by the card using my PIN. This requires the card to be stolen along with the PIN.

The only money I can loose in case my card is stolen without the PIN is up to a floor limit for offline transactions. It's peanuts but it allows for quick transactions for example from vending machines.

The gist of the story is to move to a bank that cares for security.

> The message also certifies that the PIN I entered was successfully verified by my card. The message can only be created by the card using my PIN. This requires the card to be stolen along with the PIN.

Forgive my ignorance, but aren't most sellers in America willing to process transactions (even large ones) without PIN entry?

I realize pin-and-chip is a largely secure scheme, but the chip rollout in the US hasn't actually implemented a two-factor system.

Credit card payment organization will hold merchants, acquirers, issuers liable for fraund if the party is lagging behind in security even if it can't be shown directly that the fraud was their fault. This is called liability shift.


The page you linked to says that gas pumps ("Automatic Fuel Dispensers") are exempted from liability shift until October of this year. But that's actually out of date information: the exemption for ATMs has been pushed to October 2017 (from the original date of October 2015), but gas pumps aren't required to go that route until October 2020:


While I don't doubt they're already out there, I don't recall ever seeing a gas pump in the US with a chip reader.

Also, it's at leas worth noting that technology for skimming chip-based transactions already exists in the wild:


The "shimmers" take advantage of poor implementations of the EMV standard, but the chances strike me as fairly high that there's going to be a lot of poor implementations of EMV out there in the wild. (Not only is the less secure "chip and signature" approach common in the US, I've made more than one purchase with what could be described as "chip and nothing": put my card in a chip reader and make a purchase without being asked for either a PIN or a signature.)

There was a presentation at either the latest Black Hat or Defcon (forget which, been watching presentations from both the past few weeks) with a live demo of a really nifty EMV fraud system. Rather than stealing card info, you'd install shimmers in a bunch of ATMs or other such places, then run a system where people could pay for access to the card at a certain location at a certain time. Walk up to the ATM and money comes out. The money comes from an account which (I believe) was being used at the time (or within a few minutes of it) on one of the far-away bugged machines.

Correct - we only have chip, not chip + pin in the US. Sometimes the chip requires a signature and the merchant sets their own threshold.

I think you're correct. I have a credit card from a major bank here and there's no pin associated with it. It does have a chip though.

>up to a floor limit for offline transactions.

Buy stolen CCs without pin in large volume

Set up online merchant account (eBay is common), use software to scrape and copy listings for popular products that cost less than the floor amount but more than your costs. When someone orders a product and the payment clears automatically put in an order for the product on a different website (preferably one that allows a guest checkout). Automate more and more parts of the process as time goes on (e.g. using a different card when one is declined)

Keep the transaction volume low and you're basically printing money at the rate of the difference between card info cost and item cost.

This is a pretty common tactic to monetize large volumes of CC#s.

It doesn't help that most merchants don't cross reference billing address with the bank and some don't require the security code.

Clever, but how do you receive money in that scheme? You need an account under a fake name, right? That seems really hard to get (as it is a prerequisite for all kinds of crimes).

Stolen CC numbers sound like hard things to get in the first place, but they're available online. Fullz (identity-stealing kits w/ SSN and driver license info) and bank drops are similarly available, for a higher fee, as well as aged accounts for many sites.

So the skimmers in the article are pretty basic, but there are more advanced ones that have pin hole cameras to record pins too. You could also mitm the keypad too with another patch line.

Two years ago at defcon, someone presented on advanced skimmers that could read chips too. He claimed they need a network connection to work, as there's only a two minute window to reuse the same token.

> You could also mitm the keypad too with another patch line.

This was noted in the article. There appears to be availability on the board for an extra connection.

it seems like the pin entry has to be associated with the card

> For the fraudster to receive any funds from my account they would have to go with that data somehow to my issuing bank and have their transaction request accepted.

Not quite. The one who gets your card info probably won't use it. They will more likely sell it. If the person who buys it can't use it, whoops, too bad.

How do large online purchases work with your card?

what bank?

> Rather, they take calculated risk.

And credit-cards are a testament to that.

You can't tell from the receipt? Home depot is well known for doing EMV, and the result I see on the receipt is a lot more detailed, with listings for AID, TVR, IAD, TSI and ARC. Chip-enabled regular transactions just seem to list the AID, an Approval #, and a Transaction ID.

I don't know about US, but over here with my Polish bank I have 100% control over the limits for each type of transaction possible with my card, I can set them myself through the web portal of my bank - the types are:

1) transactions with card present(chip+pin or signature)

2) transactions with card not present(someone types in your card number into the terminal)

3) internet transactions(card number + CVV from the back).

I can set any of them to zero, effectively blocking the transaction type completely. So yes, while you can read the card number and exp date from the chip, you can't get the CVV number from the back of the card, which means it's only useful for the second type of transactions - and I don't see any reason to ever change the limit on that to anything other than zero - so any information gained from just skimming the chip/magstripe is effectively useless without the CVV written on the back.

Setting limits to zero is kind of defeating the purpose of having a card in the first place.

The better solution is to have a bank with good reputation that expends effort in making your transactions safer.

My bank:

- has their cards well issued (and I know this since I have worked as credit card terminal developer for many years and I know every detail of how cards are personalized and designed actual security systems),

- sends me a code to verify my internet transactions (remember not to use your phone to do internet transactions!),

- processes chargebacks without fuss unless there is a reason to suspect cardholder is trying to defraud the merchant.

> remember not to use your phone to do internet transactions!

Do you have time to explain?

I'm aware of the problems with using sms as 2FA but if I understand you correctly you mean something else?

(Around here most banks demand we use BankID which is typically downloaded to the sim card in the phone.)

You should never use the same device to perform transactions and receive your codes. The security of the scheme lies on using two separate devices under your control.

If you were to enter your credit card details on the same device you use to receive codes (most likely your only mobile phone), the attacker having some kind of malware code could first steal your card information and then use your phone to receive the codes to complete the transaction.

This requires infecting just one device, so basically as a fraudster you create a malware and wait for people to have their phones infected. Then you defraud those that use phones for credit card transactions and either don't need separate codes to complete the transaction or use the phone for this.

It is much more difficult to get two devices infected that are used by the same user. This only typically happens in case of targeted attacks and is rarely seen.

My colleague at one of the companies I worked for lost the money he saved to buy a flat this way. He got his phone infected with malware and then over few days he got all his money sucked out of his account in a series of increasing transactions.

Many banks supply you with a hardware security token.

But also, I don't care as a consumer. Because I don't have any liability. In fact, I prefer the swipe as it is a few seconds faster.

Except getting skimmed and disputing charges is annoying, not something I care to deal with. I'd rather we have more secure infrastructure that doesn't sustain criminal activity.

I've been skimmed twice, and both times the (major US) banks made it super easy to dispute and I had my money back in a matter of minutes.

Now I keep a low-limit branded gas card that can only be used at gas stations. Go ahead and skim me. All they can do is charge $30 worth of Munchos and beef jerky.

It takes 5 minutes and a few clicks on a web site now a days. I'm all for more security too but like OP it isn't really my responsibility nor my liability so I have little care.

My last bank made that easy. But required a new card and a new PIN, and immediately and automatically cancelled the old one. As I was abroad at the time, this was not a fun process. Not that it's particularly fast even if you walk into a branch.

This is one of the reasons I think it's important to have more than one credit card when traveling (especially abroad). Redundancy in case one get shut down at an inconvenient time in an inconvenient place.

After having to replace a couple cards and update all the subscription services that were pulling from the old ones, I do care.

You could take the approach that my wife and I do. We both have 1 card each linked to our checking account. We have a 3rd card that is signed up to all of our reoccurring payments (electric, cable, water, sewage, trash, netflix, etc) that card is stored in a safe deposit box.

The thinking is if either one of our cards get compromised we will can just replace that card, the third card will remain safe while locked up. That is unless the company or payment processor gets breached which is a larger issue in itself.

One of my card issuers [1] has a feature called "ShopSafe". ShopSafe lets you create virtual credit cards on top of your real card. Each virtual card has a separate lifetime charge limit and expiration date. Once a charge is made against a given virtual card, future charges on that card can only be made from that merchant.

For recurring payments I make a ShopSafe card per merchant. If one merchant has a breach all I should have to do is make a new ShopSafe card for them. All of the others should be unaffected.

If the underlying card is compromised and replaced the ShopSafe cards should continue to work as long as the underlying account is not closed.

This has worked out quite well. There are only three annoyances.

1. The interface is annoying. It is a small Flash window.

2. The expiration date can only be up to one year out.

3. Some merchants, like Amazon, use a variety of merchant names depending on what you are buying. For example, the shoelaces I bought recently from Amazon show up on my credit card statement as "AMAZON MKTPLACE PMTS AMZN.COM/BILLWA". The Kindle book I bought recently comes from "Amazon Services-Kindle 866-321-8851 WA". My subscription to the Kindle edition of "Analog Science Fiction and Fact" comes from "KINDLE-AnalogScien 866-216-1072 WA". (A few months ago, Analog came from "AMAZON DIGITAL SVCS 866-2866-216-1072 WA"). I also see in my Amazon purchase history things from "Amazon.com AMZN.COM/BILLWA".

Dealing with that would require five ShopSafe cards, and picking the right one for a given purchase.

There is a workaround I've heard for this with Amazon, but have not gotten around to trying. Buy Amazon gift cards with a ShopSafe card, and use them to pay for everything else.

[1] Bank of America. I believe that Citi has a similar feature.

For those that aren't with Bank of America, https://getfinal.com/ offers a similar service for all. (no affiliation)

This is exactly what my wife and I do, we both have our primary spending cards (her Discover It, my Capital One QuickSilver) that get used for everyday purchases - but I've also got a very basic Wells Fargo Platinum card that gets used for recurring payments (car insurance, unlimited car wash pass, internet bill, utility bill, etc).

We don't touch the debit card attached to our checking account unless there's no choice, however - which is usually just WinCo when we can't get what we want (or get what we want for a reasonable price) at Fred Meyer or Albertson's. All of our credit cards have $0 liability, and worst case if someone skims them and maxes our limits we have to temporarily switch to a backup card while the charges are reversed and a new card is mailed - someone draining my checking account leaves me with the inability to pay rent, electricity and gas and Wells Fargo is happy to drag their ass on reversing unauthorized debit card payments.

I do the opposite: I try to limit recurring transactions to one or two per card.

My cards have been compromised by Target, Home Depot, and other vendors. I never know exactly who, just get the notice from the bank that I'm getting a new card.

The side benefit for me is that these small transactions keep the cards active with regular on-time payments.

If one of them is compromised, I only have one or two recurring payments instead of having to change all of Netflix, Ting, Comcast, Virgin Mobile, Google Play, Apple, NY Times, WSJ, etc.

My defense, however imperfect, against having to deal w/ having to update subscriptions is to have a card I only use for subscriptions, so there's a low chance it gets skimmed. I use Mr. Swipey swipe all day long without need to (excessively) worry that someone illicitly cloning Mr. Swipey will affect my relationship with Mr. Subscribey.

Pfft. My new Amazon CC got compromised the day I got it. I used it precisely once, for an Amazon transaction.

I've probably had 5 cards compromised in the past decade. The biggest hassle is changing recurring payments. I don't track them, I just do my best ten wait for the bills to fail. What's annoying is sometimes they keep successfully charging my account for 4-5 months before failing. How they're able to bill the old number I don't know.

But yeah, they just call you and send you a new card. No need to select which transactions are fraudulent typically -- or at best 2 mins on the phone. No big deal.

Sucks when you're overseas but google voice + headphones and then Apple Pay means your new card is active the minute it's issued, even if you won't get it in the mail for 2 weeks.

I recently had to get a card replaced and what was interesting was that some companies with recurring subscriptions automatically updated to the new card number without any input from me. Not everyone did this but it was about half of my recurring charges. They must have some way of updating the info via the card provider. The expiration date and CVV changed as well but they magically already had it.

Visa's product is called Account Updater[1] and MasterCard's is Billing Updater[2]. It allows previously approved billers to get updated card information when a card is replaced due to expiration, loss, fraud, upgrade, etc.

[1] https://usa.visa.com/dam/VCOM/download/merchants/visa-accoun...

[2] https://www.mastercard.com/us/wce/PDF/Billing%20Updater%20Br...

This happened to me, too.

It's a case of where consumer laws have been used against the overall public interest.

As a consumer using a debit card, you have lots of exposure. Bounced transactions, lots of paperwork and more bureaucratic pitfalls.

Credit cards with premium issuers are just a minor hassle. With Amex or Citi, you literally just need to click. With lousy issuers, you can be stuck dealing with a breach event for a long time.

This. And if these things happen to you with any frequency they aren't so friendly. I've gotten my debit card skimmed several times (I was able to determine through the process of elimination that my at the pump usage at the gas station was responsible). The last time, which of course happened to be the only time I got hit for any significant amount of money, the bank fought every step of the way and ended up ruling against me. I had to go back and forth with the BBB to finally get it sorted out. In the end, it was a months long process with lots of headaches.

With a debit card you have full liability if you don't report quickly vs $50 cap with a credit card. Not worth the risk of using a debit card ever IMO.

Agreed. Sadly, this is stuff I didn't know 5 years ago.

> Because I don't have any liability

Where do you think the cost of losses goes? To the consumer via higher prices...

You pay that whether or not your card info gets stolen

Sure, but if the industry, as a whole, is more secure, those operating costs go down, and, in theory, so do fees charged to consumers.

This is only true if you use a credit card. A debit card on the otherhand, carries a lot of liability.

Although you might not be affected directly, it's cost of doing business that affects all consumers.

> Just because you are using the chip doesn't mean you are doing an EMV transaction. The unique transaction codes only happen with and EMV transaction, almost every time you dip your card it's a regular old card transaction, just as if you swiped the card.

By the way, do you have any reference on this? Everywhere I've searched, chip seems synonymous with EMV.

For background, I was developing those types of applications few years ago, professionally.

Every chip or contactless transaction is an EMV transaction. This is by virtue of EMV being the protocol that terminal uses to communicate with the card.

EMV allows for different types of transactions with different level of security.

For example, if the transaction can be done offline (gas pump unattended terminal situation) AND executing CVM rules (both terminal and issuer have their own rules) points to the possibilty of exchanging encrypted PIN, the PIN can be sent safely encrypted to the card for verification.

If the card or the terminal does not support encrypted verification then the PIN can be sent in the clear and vulnerable to skimming.

Okay then I'm extremely confused. You say:

> Every chip or contactless transaction is an EMV transaction.

But the parent comment I was replying to says:

> Just because you are using the chip doesn't mean you are doing an EMV transaction.

I presume you're saying he's wrong in this? Or am I misunderstanding what you both mean?

I'm also confused by the PIN thing you mention. Why is there a PIN at all, and why is there an "encrypted PIN exchange"? We're talking about the US, right? The US is chip & signature, and there is no PIN involved. I thought it was supposed to be that the card generates a unique one-time authorization code (public-key signatures?) and the bank validates it? Where does a PIN come into play?

For each transaction a set of very flexible rules is being executed with the aim to perform a number of verifications.

Card Verification

- no verification (just read magstripe or magstripe equivalent from chip or contactless card that does not have any more advanced verification mechanism)

- static verification - for chip, card sends static signature along with the data so that the terminal can verify electronic signature

- dynamic verification - for chip, card accepts challenge and generate response so that the terminal can verify the signature. This also makes it much more difficult to copy the card because it is not enough to copy the available data, you also need to copy the key that is embedded in the card.

Cardholder Verification

- no verification -- sometimes no cardholder verification will be performed (for example contactless under certain limit, unattended terminals without PIN capability or on a plane when there is special rules for airline terminals because people are typically verified separately)

- Signature -- this is where US is stuck it seems

- offline plaintext PIN -- cardholder enters pin, terminal sends the pin to the card, card responds if the pin is correct -- this is the source of most of the skimming problem

- offline encrypted PIN -- same as above but the pin is being encrypted with a key established securely with the card. This is safe but the cards cost more.

- online PIN -- the PIN is never exchanged with the card, it is encrypted and sent to the bank and bank decides whether it likes it or not.

Transaction verification

- floor limit -- sometimes the transaction can be agreed between the terminal and the card. Typically there is some information stored on the card and set of rules that decide that this is possible. The card may be decreasing a limit of funds available offline and when it hits the limit it will force you to perform full chip transaction.

- online verification -- the message goes online to the bank and bank decides.

>- offline plaintext PIN -- cardholder enters pin, terminal sends the pin to the card, card responds if the pin is correct -- this is the source of most of the skimming problem

>- offline encrypted PIN -- same as above but the pin is being encrypted with a key established securely with the card. This is safe but the cards cost more.

what's the difference between the two? can't the attacker put a physical keylogger on the pin pad?

Honestly it doesn't make much of a difference when it comes to classic skimming, because, yes, as you say, you can put a keylogger on the pinpad.

The problem comes from physically stolen cards, if your card doesn't rely on cryptography to secure the request/response channel you can insert a shim between the reader and the card to fake acceptance of an arbitrary pin. This specific attack has already been demonstrated, and if my memory serves correctly it's already being used in the wild.

> The US is chip & signature, and there is no PIN involved.

I'm in the US and the credit card I have through my credit union requires a PIN on chip transactions.

He's mostly wrong. The entire point of moving to chip is because liability stops being on the retailer if they implement EMV. Chip and EMV go hand-in-hand. Why bother upgrading your terminals for chip and not do EMV? Might as well stick with swipe then, its the same liability agreement.

Its all a stopgap measure to chip and pin anyway. Once everyone is used to EMV and all the terminals have been replaced, we'll have a sunset on swipe and then move to chip and pin, which will be a minor upgrade. This will all take time. Lets remember the United States has a quarter of the world’s credit card transactions, but only 4.5% of its population. Its a very big cc market and change isn't going to come quickly.

Interesting, is this a U.S. thing? Because I remember reading about attacks on EMV in Europe and they all seemed to boil down to forcing a fallback to magstripe.

there is no magstripe fallback on chip and pin, there is offline mode fallback tho

I don't know about everywhere. But in my country, when the terminal fails to read the chip, it asks you to swipe the magstripe. Then it realises "oh this card should have a chip" and forces you to insert again.

After about 3 cycles, it gives up and accepts the magstripe (plus the pin)

In Norway, on the 3rd cycle, if it actually accepts more tries, you have to sign the receipt and if the purchase is more than 1000 NOK/130ish USD (might be higher) they have to phone the bank to verify/get a verification code to put on the shops receipt.

Often it will just deny the transaction completely and the shop queue grows _looong_

My understanding from working in a bank in the UK is that it is the shop's discretion to use signature instead of PIN with Chip & Pin however the bank does not refund/guarantee fraudulant signature transactions like it would a PIN code.

I've lived for long durations in the UK, France and Switzerland I've never seen this happen in any of them. However, I have seen it happen twice while traveling for a few days in Norway.

In the US, I have to try the chip and fail three times. Then it prompts me to use magstripe. My chip does not work, so have tested this a LOT.

Curious question: can you request a replacement card be issued? Broken chip sounds like something reasonable to replace for (insert mumbling about poor user experience and whatnot here).

I had this happen with American Express. Went to two stores in a row where the chip failed and I had to use a different card. Went online to request a new card and they sent one out immediately with no charge or really any questions (I think I did say that the chip stopped working, but that was it).

Later, before the new card arrived, I tried using the old one again and it worked, so I just chalked the whole thing up to those two stores likely using the same payment processor that was having issues that day or something.

Wow, that's crazy. My chip and PIN in Canada has a magstripe. Sometimes it'll fail and I'll have to swipe.

What do you do when the chip and PIN fails?

In the UK, it's never failed for me.

I've always found that cleaning the contacts fixes it

Most U.S. banks implement Chip and Sign, though, and enable the Magstripe fallback because retailers still haven't certified their systems end-to-end for Chip and PIN.

Thats basically two cards in one package linked to same account.

I need to look it up again, but I recall the fix was to deny fallback for readers that support a chip. So this was an issue before but they fixed it.

Wait so what's the point of an old-style chip transaction then? Isn't it just painfully slower?

I curious how much slower the chip (EMV, or or 'old-style) is than the magetic swipe? Here in EU there is not difference, the transaction is done in couple of seconds max and most of this is the time spent waiting for authorization response. The entry mode chip/magtripe/contactless doesn't make that much difference.

It definitely feels like it takes forever and completely disrupts the motion I'm in by making me wait around to do nothing. I've never timed it but the 10 extra seconds I read [1] sounds pretty accurate.

[1] https://www.cardfellow.com/quick-chip-slow-chip-card-transac...

Because it's a different experience in the US versus EU. I'm a US expat and my experience at registers abroad is way different with my PIN+Chip card -most of the time I use contactless, but for the few shops that have held-off upgrading their terminal, it's still pretty fast. I barely have enough time to put groceries in a bag before I feel my phone notify me of the transaction completion and the terminal tells me to remove my card.

It baffles me that the US is still struggling to get chip-and-pin working properly, when most of Europe has been using chip-and-pin for over a decade and is now transitioning to contactless. America seems weirdly bad at this sort of co-ordination problem.

Because the U.S. does not have chip-and-pin, we have chip-and-sign. The main reason is that federal law in the U.S. limits the credit-card holder fraud liability to $50, and does so with language around signatures. Those same laws also set out fraud penalties for people fraudulently signing.

Since all of the laws revolve around signing, we don't get PINs.

There is a second wrinkle to this for Europe: because there is no equivalent to these laws, in many cases Europeans are the ones completely on the hook for fraudulent transactions as the correct PIN number is seen as evidence the consumer having leaked it. So in cases of fraud the U.S. chip-and-signiture winds up protecting the consumer much more.

America doesn't even have chip-and-pin at all; we have ship and signature, which is a security joke (I've never seen anyone check the signature).

This is not true.

Maybe in your region of the USA chip and signature is prevalent but in my experience (SF bay area) every chip transaction has required a PIN.

Or perhaps it's your card-issuing bank?

Debit vs credit.

AFAIK ALMOST NO US-based banks issue chip+pin credit cards. Only chip+signature. Debit cards are indeed chip+pin, but in USA you'd have to be careless to ever use a debit card anywhere but an ATM.

This. I'd NEVER give thieves access to my bank account, that's what credit cards are for. Chip transactions take ~5 seconds, it just feels slow because with a swipe you can put the card away in your wallet while the processing is happening.

Chip+PIN doesn't really exist for US CCs. I've setup PINs on a few cards but they only work overseas where the terminal refuses signature.

Mastercard vs Visa. Visa issued cards do not typically support chip-and-pin. Mastercard issued credit cards often do.

In the UK at least, chip takes about 2 - 3 seconds. 4 or 5 would feel long. Contactless is usually instantaneous; I assume there's more caching involved somewhere.

I haven't seen anyone or myself swiped in about 10 years, and that was only because the chip reader wasn't working at the time.

Contactless transactions for smaller amounts are often offline approved without requesting approval from the bank/network. This takes off the 2-3 seconds of the transaction time.

Apparently, there's an optimization that needs to get done with the retailer's bank. Big retailers have this completed so their chip transactions are very fast. Smaller ones either don't or need to go through a middle-man servicer which adds time and god knows if the middle man has completed this optimization. Subway restaurants, which are individually franchised, are like this. They just have one of those cheap chip terminals and the transactions can take 30+ seconds. Meanwhile at Walgreens it only takes a few seconds.

A lot of this has to do with Quick Chip, which forgoes writing the host authorizer ID to the credit card's chip thus simplifying and shortening the transaction. QC rollouts happen at whatever pace retailers want, so you'll see some shops using QC and others that don't.


The end result in credit card fraud is purchasing something and using a mule to send the fraudulently purchased item to a fencer, who sells it for cash.

Having a requirement that all vendors use chip-enabled cards simply increases the cost of producing each cloned card; so the goal is to raise the cost of committing the fraud.

At least that is my understanding.

No, it's not just slower. It's also much more likely to fail. I don't know why anyone bothers except that the card networks forced the issue.

It depends on the issuer. Dutch banks by default block all transactions outside of the EU (specifically targeted at countries that still use swipe transactions). That pretty much completely eliminated skimming.

The point of the chip is to make it difficult to create a counterfeit card.

I recently traveled to the US, and stayed in a hotel of a major brand which had some outdated payment terminal that only used the magnetic strip of the card (without even a possibility to enter the PIN). The transaction was over a thousand USD. I had cards from two different banks: one failed because the PIN wasn't entered, and the second one got through. But after several months the second bank somehow freaked out and charged back about a third of the amount (probably flagging the transaction as fishy or something). I tried to contact the hotel to somehow return them the money that were mistakenly returned to me, but apparently there is no mechanism to do that.

To be fair, they're the ones that don't know how to conduct business transactions in the 21st century. Consider that they just paid a "you had better update your system" tax.

To be fair, there are vast swaths of America, larger than some European nations, where credit card transactions are necessarily done on carbon paper with the old imprinting machines. I was at a hotel that did it just last week.

Updating your POS system to chip-and-PIN doesn't help if there's no infrastructure (or reliable infrastructure) to plug it in to.

Why are they "necessarily done on carbon paper"? You would be hard-pressed to find locations in the US, where credit card holders generally wander, where there is no inet access..

I assume they're referring to national parks, Alaska, and so on.

Yellowstone is the size of Cyprus, and Death Valley is the size of Montenegro, to use two examples without much internet access. Alaska is three times the size of the Iberian peninsula and most of it does not have internet (though to be fair most of it has no population or tourism).

Satellite internet is cheap enough that I'd consider the only good excuse to be a complete lack of power. And even that is becoming less true as solar drops in price.

I live near the Adirondack mountains in New York, where internet access is still dial-up or satellite. In most places populated enough to have stores, however, there is 3G cell service and that allows for wireless POS terminals and ATMs.

The places I've seen either use that or accept cash only.

> some outdated payment terminal that only used the magnetic strip of the card

Sadly, this isn't all that "outdated" here. There are still lots of places in the U.S. that don't use the chip and basically none -- does anywhere? -- use a PIN with it. I don't even know if I have a PIN on any of my credit cards, much less what it is.

Your issuer can use a PIN in the US - my credit card through my credit union uses a PIN, which confuses the hell out of most clerks. Sometimes I have to walk around the counter to reach their machine and enter the PIN, sometimes they have me sign the receipt (just at the bottom, since it doesn't print a signature line) so they feel better.

I think Barclaycard is the only major CC issuer in the US to have actual PINs on their cards but it defaults to signature. Here's what they say about it:

>Your credit card is a chip and signature card with Personal Identification Number (PIN) capability. In most cases when you travel abroad, you'll be asked to sign for your transaction. However, at some unattended terminals, such as train ticket kiosks, you may be asked to enter your PIN instead of signing.

I applaud your sense of fairness -- wanting to pay the hotel for the chargeback.

But on the plus side, maybe it will motivate the hotel to implement a more secure payment system?

In addition to fairness, I also don't want to get on some anti-fraud black list, because it might look to them like I used their services and then avoided fully paying for them. And they have all my identity information (passport number, etc). It's a convenient hotel in which I may need to stay again in future, and I don't want to look like a fraudster in their CRM system.

Can a consumer even initiate a partial chargeback on their card without the original merchant being involved? I don't think they can, so you probably have nothing to worry about as far as fraud lists or something.

Can a consumer even initiate a partial chargeback on their card without the original merchant being involved? I don't think they can, so you probably have nothing to worry about as far as fraud lists or something.

edit: Didn't see other reply

They did a partial refund specifically for fraud? Not the whole amount? That is extremely strange.

I'm not sure what was the reason of the refund. It was a mistake of some kind. From what information I could get from the bank, they were trying to charge back the entire sum, but somehow got only part of it.

Maybe exchange rate movements? If you paid in USD the chargeback will only work for the USD amount which could be less at the time of the chargeback. If your card is in GBP and it was in 2016, a difference of 20-30% is easy to explain.

Doesn't look like that because exchange rate fluctuation was about 5%. I think it was some human factor issue - "hey, look at this screamingly insecure transaction for a large sum of money, it can't be right". The chargeback was initiated on my behalf, but they don't have any records of me requesting it. Basically, their response is something like "yes, we screwed up, but at least we screwed up in your favor, why should you worry".

I still don't get why all credit cards have magstripe when we have chip&pin for decades. Yes, I know it's required by a standard, but I see no justification for that. I have never used magstripe , but it's right there on my every card and there's no way to disable it (I've asked my bank for it), unless you deliberately destroy it (scratching or similar manner).

From the words in your comment, you don't live in the United States. The reason payment cards the world over still have a mag stripe is because, until a few years ago, chip cards were simply not a thing in the U.S. so the facilities for reading them simply didn't (widely) exist. Therefore, cards from other countries had to have magnetic stripes in order to work in the U.S.[0]

Even today, two years after the supposedly "drop dead date" for switching to chip cards, 40% of my transactions are by swiping.

0 - There are other reasons, like some ATMs reading the magstripe to ascertain whether a card has a chip and then prompting the user to leave the card in place. I've only encountered older ATMs that do this but it is another reason. But the most common one is that outside-the-U.S. issuers want their cards to work inside the U.S. if a customer of theirs travels there.

> so the facilities for reading them simply didn't (widely) exist

I live in San Diego, 8/10 places where I shop still have chip slot taped closed with a handwritten message "Does not work".

Which is problematic when you visit with a European card where only the chip works (swiping always gets declined). Luckily, some have contactless (mostly without the staff knowing about it) and for others it usually turns out that the chip reader does actually work.

I wonder how many of them actually work.

It wouldn't surprise me to learn that most of them work but that businesses want to avoid them because they slow down the checkout process.

Out of curiosity... Do these same places accept contactless payment, either by card, or e-wallet (Google/Apple Pay etc.) ?

when visiting Austin, US I went for a burger in Fridays near a highway and cashier was like "Oh my god, I have never seen this thing working!!!" after my contactless worked on their terminal :D Apparently it's too much magic and people just stopped trying to use chip, contactless or anything else. Just cash and swipe :)

Had the same at a McDonald's in Boston. They even called the manager to show him what happened. Turned out that no one working there was aware that they had contactless functions, despite the advertisement at the machine.

I even get that in Belgium. And the occasional cashier that double-checks the terminal's ticket/output because they suspect the transaction is invalid because "as far as they know contactless doesn't work".

I think McDonald's was the first time I ever encountered a contactless terminal. It goes much faster than inserting the chip for some reason.

I love the system and like that it's being used extensively in some countries (e.g. UK) and becoming more prevalent in others (e.g. Germany). What's annoying are the differences in rules. In the UK it only works up to £30 (but terminals show the logo for any amount), in Spain it will work but I'll have to enter a PIN for higher amounts, other countries have completely different rules around that.

Contactless was narrowly deployed in the US 10ish years ago. It never took off as too few vendors had the terminals to support it. I only ever used mine at the local grocery store. I don't think you can get an RFID card from a US bank any more.

Capital One has started issuing contactless credit cards. They began in late June, I think. I have one.

For those of us stuck in 2007. Can you briefly describe how the contactless payment works ?

You just hold the card over the screen and it reads (I believe) an RFID chip in the card. No swiping or card insertion required.

And it's much faster most of the time.

How do you know if your card supports it? Try it and see if it works?

I had no clue until a cashier did it for me in a European country. There may be a little logo like this either on your card or on the materials when you get your card: https://en.wikipedia.org/wiki/Contactless_smart_card#/media/....

Once it was demonstrated to me, I went back and found out the cards I've had since 2013 (pre-chip).

RFID Cards or NFC from your phone. Hold your payment method near the reader and it pulls the card info wirelessly.

The only place so far where I can safely use Apple Pay without causing any frustration from cashiers is Whole Foods, cashiers in the rest of the stores either have no idea if the Apple Pay is supported or the terminal itself is not "enabled" to support Apple Pay.

Interestingly, I have been traveling in Ireland recently, and well over 90% of my transactions are Apple Pay.

Some of the retailers in the States are protesting Apple Pay and disabling it on the terminals even though it would otherwise be fully supported. Home Depot did this awhile back, they were one of the first places where Apple Pay worked and then it stopped working due to some corporate hissy fit.

That's a political decision. Stores like you to use store cards wherever possible (where they get a profile of what you've bought). Banks have to share profits with Apple for Apple Pay which is why they try to avoid it.

"The reason payment cards the world over still have a mag stripe is because, until a few years ago, chip cards were simply not a thing in the U.S. "

So let them have it, why should I care and endure security risk? I've never been to USA nor I'm planning to (at least not unless they fix that gestapo-like border control), but still my every card has a magstripe waiting to get skimmed. If I ever need to go to USA, I'll get a suitable card.

> So let them have it, why should I care and endure security risk?

Because banks the world over are notoriously slow about doing anything that might nudge even a fraction of a percentage of customers over to a competitor. If they removed magnetic stripes (which, in the short run, would cost a bank money because that's a specialty card) and said "just contact us if you're going to the States and we'll overnight you a States-compatible card, no questions asked," nothing would stop a competitor from running adverts that say "why wait 24 hours and worry about not getting your card? We issue cards that work in the United States from day one!" Now the person who made the decision to delete the magstripe from cards issued by the first bank is out of a job and so now you see why his or her interests didn't line up with yours.

It's the same reason why chip-and-PIN isn't primary in the United States; chip-and-sign is. Over here, customers have been trained that entering a PIN means the money comes out of a checking (draft/demand/deposit) account while signing means it goes "on the card." Trying to get that mindset changed is more costly than just eating the potential stolen-card-being-used-before-being-shut-down fraud for most issuers.

(Some credit unions, primarily catering to people who travel overseas, and smaller banks that want to differentiate themselves are issuing PIN-primary cards but they are definitely in the minority. I happen to have cards from three of them--First Tech, Spokane Teacher's, and Target--for reasons of security and international use but I am also in the minority. Amusingly, it's large merchants who want PIN-based cards because it puts the onus on the cardholder, not the merchant.)

Because they could instead sell it as "an unskimmable card!". Many people I know have had their cards preemptively replaced by their bank because it was used at a store/ATM where other cards were skimmed. Avoiding worries/hassles like that could be a selling point.

Except some chip transactions are just the same data as mag swipe so even a chip only card isn't going to prevent skimming and subsequent fraud.

Get rid of the magstripe and bad actors will steal your card info using cameras (pretty much all the info in the magstripe is also printed on the card, that's how online shopping works).

It would be good to raise the bar, but it won't be an end-all solution.

At the end f the day, it's going to take quite some effort to move the entire payment industry to something more secure.

The current state of affaires is good enough in terms of cost for the banks vs loss from fraud.

3DSecure is also pretty widely deployed in my neck of Europe (Sweden).

EMV chip transactions and 3DSecure really ought to eliminate the vast majority of "card number stolen" fraud. Too bad it's all so poorly implemented.

"Get rid of the magstripe and bad actors will steal your card info using cameras"

Even if they see my PIN, they can't clone a chip, so what they are going to do with it?

Use it for online payments.

Wait, you guys don't use card readers for online payments? Edit: My bad, just realized you use credit cards instead of debit cards we use in europe. CC here also don't use ccard readers for online payment.

Wait. What? You have to have a card reader for online debit purchases?

You need a valid address for that too and it's not on a card.

To elaborate a bit on what amenghra said, the information you are asked for when you use your card for a "card not present" transaction (card number, card security code, name, billing address, expiration date) falls into three categories.

• information required by the bank,

• information that the bank will check if you supply it,

• information that is not checked by the bank.

The first category, required information, is just the card number for most banks (and the amount to charge, of course).

The second category, checked by the bank if supplied, is everything except for the card number and the expiration date and the amount. This information is used for fraud control. If a merchant supplies it, the bank tells the merchant if it was correct. With many banks the credit card fees are slightly lower if this information is supplied. Even if the merchant supplies this and the bank says it does not match the merchant can go ahead with the transaction, although such transactions have a higher risk of fraud (and therefore chargebacks).

The third category, information not checked by the bank, is the expiration date. The expiration date check is at the payment processor, and that check is simply:

  if expiration_date < current_date()
The expiration date on a card is just when that physical card is no longer supposed to be used. It is not an expiration date on the underlying account.

This is one reason why many people have gotten a surprise when they have had some kind of subscription they no longer wanted, and instead of actually cancelling it they just let their card expire and think the re-billing will then fail. There are three problems with that approach.

1. If the merchant marks a transaction as a recurring transaction some payment processors skip the expiration date check.

2. Some merchants include something like this in their re-billing code:

  if expiration_date < current_date()
    expiration_date = date_add(expiration_date, interval(3, 'years'))
3. Visa, Mastercard, and Discover (not sure about Amex) have updater services. Merchants can send a credit card number and expiration date to the updater service, and the service will tell them the current expiration date and the current card number for the underlying account. This one can be especially surprising to people because it can update both the expiration date and the card number.

Are you sure that the expiration date is not checked for any vendor? I recently paid online (Mastercard I think) and the transaction got declined because I entered the wrong expiration date. The date was in the future, I just entered a wrong month. So there must've been a check. But could be that they used 3D secure (or equivalent) and it got declined there, the check often happens too fast to notice.

I believe this comes down to the cardholder bank. My local credit union doesn't check expiration date of cards (I've tried as far out as 2029). CapitalOne does.

It's possible that some of the enhanced security systems, like 3D secure, do check more.

It's also possible that there is more checking for transactions that are not flagged as recurring payments.

Sadely not all banks validate the billing address. Some just check the zip code, others don't even do that.


Trying to use a non-US card in the USA is a pain: most online shops or machines (e.g. NYC Metrocard) require a 5 digit ZIP. Cards from elsewhere don't have a 5 digit ZIP to enter. So usually I can't use those websites, at least if it's a machine I can pay cash.

By choice, to make it easier for our customers to pay (we are saas) we only require the number and CVV.

Do you have a payment provider that verifies that card?

If you know the name of a person, finding their address is pretty easy.

The core of the problem is that visible info on the card is enough to authorise payment. Visible info is not secret. Info that you share with every seller is not secret. Public information should not be good enough to authorise payment.

Payment should require some kind of private information, either from the chip, or from the head of the owner (like a PIN), but preferably both.

    > Get rid of the magstripe and bad
    > actors will steal your card info
    > using cameras 
They probably won't though, they'll probably just skim people who don't do that.

I use a company called Revolut to manage a card of mine. One of the options in the app is to explicitly disabled Magstripe payments, so one wonders if you could ask your bank to disable it?

"one wonders if you could ask your bank to disable it?"

I've written in my other comment that I did ask. The answer was "it is not possible".

In the UK, I've recently had to swipe a card and sign the receipt as the card reader was misbehaving and that's what it wanted me to do. It's a reasonable backup. (I've also had to use a carbon-copy machine to print my card details onto a piece of paper to make a deposit a couple of years ago - now that was ancient tech!)

As the other replies allude to, the USA is extremely slow to adopt "new" things like chip&pin, and so in many, many places they still use swipe.

In so many ways going from Canada to the USA feels like going back in time, and swiping a credit card is always one of them.

"As the other replies allude to, the USA is extremely slow to adopt "new" things like chip&pin, and so in many, many places they still use swipe."

Well, we're relatively slow.

That is to say, after inventing credit cards we now have a lull in innovation and feature adoption.

Most of the time, the sentiment of non-US people is "What have you done for me lately?"

I catch myself falling into that trap.

At least we use credit cards at all. I was surprised to learn recently that buying things in Japan in still a largely cash-based experience. It's lead to some weird consequences, like a ridiculously high number of vending machines per capita (1 for every 23 people).

Germany, too. I've only been to 38 countries and in very few has even magstripe transactions been common. (But that may be the fault of the countries I choose to travel in.)

But since most internet commenters never go anywhere, they buy into the "US is old and backwards and dumb" cliche that makes them feel superior to everyone else.

> But since most internet commenters never go anywhere, they buy into the "US is old and backwards and dumb" cliche that makes them feel superior to everyone else.

Because I am the OP of this comment chain, I feel that is directed at me.

For reference, this is me - http://theroadchoseme.com

I like to think I have been a few places, lived a few lives.

Yeah, germany insists on eurocard, so often transactions for folks without one, you end up having to use cash. Really weird since credit cards are accepted most places on the continent EXCEPT germany.

Most large vendors will support it now, just small retailers don't. And then they complain that big companies push them out of business..

Waiting for capitalism to reveal a profitable hole in the market is sometimes slow.

I'd blame the 5 companies that control 50% of global credit card terminals that decided to keep things low cost in the US. Much of the blame probably also rests on the 5 banks that issue the majority of the credit & debit cards in the US.

In fact I believe the current chip rules are there just to hobble new entrants in the space. Probably 10-20 startups like Square built readers that they provided for free or nearly free and gave millions of units away. Many of these are garbage as a result, and all of the mag readers will be eventually.

The chip (with conspicuously missing PIN) legislation was a pretty expensive attack on all of those companies, intentional or not.

There's probably an order of magnitude or three more readers and POS systems to switch over in the United States vs. Canada.

Considering that Canada's GDP is a rounding error compared to the United States, it's going to take a while to any payment method change to spread nationwide.

That said, I've run into far more "cash only" situations in Canada than in the U.S.

chip & pin never caught on here because the liability for identity theft/fraud is on the bank rather than the individual. so consumer's dont really care

It's a backup. I've heard from retailers that the failure rate on the chips is much higher than it is for swiping.

In Australia you pay for fuel after filling up, and one fuel station owner is dealing with an average of a driver or two a day who is unable to pay for fuel.

They don't carry cash, the chip/EMV is failing and they don't have the mag stripe linked to a facility since they're often debit cards.

Apparently the failure rate on phone based payments is also high(er).

It's one of those issues I wouldn't have considered before speaking to retailers.

Those bloody drongos should switch to pre-paid then. The unattended stations are all pre-paid…

That's why I always carry at least two cards. Cards fail, get blocked because of leaked data, bank fraud systems produce a lot of false positives etc..

The problem with a cashless society really is that you assume the tech is reliable. Unfortunately, that's often not the case.

When gas hit $4 a gallon in the US (yes that was considered expensive here), many of the stations disabled the "pump then pay" feature because of all the drive-offs they were getting (petrol theft). So you'd have to go inside to get the clerk to enable the pump.

Yeah, the chips are nowhere near as reliable as the magstripe. It seems like a transitional technology only - NFC is fast and reliable.

> NFC is fast and reliable

I know you're speaking of NFC chips in cards, but you might know — Does the phone version (Apple Pay/Android Pay/Samsung Pay) still work when my phone's battery is dead?

It won't - one reason why I think NFC-enabled cards will be around for a long time even people only carry one as a backup for their phone.

Though theoretically your phone could have a RF-powered NFC chip in it that took over when the phone is off...

How do you deal with people pumping then just driving off?

Cameras, licence plate readers, and Police.

Gas pumps are going to be among the last places to use mag stripes because they might not have network connectivity. Pretty much everything else is moving to chip'n pin or tap.

I look forward to having banks issue cards without any mag stripe on them.

"Gas pumps are going to be among the last places to use mag stripes because they might not have network connectivity."

Again, that's US-centric thing. Here in Europe, there's >99% cellular coverage (the remaining 1% is usually deep woods and mountains), so it's not a problem. What I don't get is why the rest of the world must still have magstrip and be open to the related risks, when virtually nobody uses it. I've never seen anyone using magstripe over here or see a place accepting it, but I hear about skimmed/cloned cards and emptied banks accounts regularly.

I don't have an answer to that.

If you are really concerned about having your card skimmed, you can take any simple magnet and erase/scramble the data by waving it over the mag tape.

You can check that things worked by swiping before and after at some place where they'll let you swipe (or by making/buying a reader).

> What I don't get is why the rest of the world must still have magstrip and be open to the related risks

Because, like it or not, it doesn't make economic sense for the issuers to remove them.

The US is still a place where a lot of transactions are done, and despite the last 10-15 years of immigration bullshit, a ton of people still visit the US from abroad. A non-US card issuer isn't going to spend money to get a custom card without a mag stripe in the first place, and also then be at risk of losing customers who do travel to the US. Offering a special mag-stripe-free version of the card for an extra fee likely isn't worth it to them either, especially when they're fine eating the cost of fraud, and don't care that canceling your card is an inconvenience to you.

Again that Euro-centric thing. Remember that Europe is a very small place. There are gas stations in places with spotty or no cellular coverage not only in the United States, but all across Africa, Asia, Australia, and South America.

By all means, yes! That's where I'm getting -- there's no "one size fits all" solution and there's no point of carrying easily cloned magstripe in places where it is not used.

remote truck stops in some countries have been doing gprs transactions for years (maybe not for credit cards but certainly for fuel cards. )

Hmm, is there no offline mode at all for chip + PIN?

There is, but if amount is higher than certain threshold or online PIN wasn't used for certain number of transactions, an online PIN is requested.

Another reason is fallback transactions. I get these a lot with my card, I assume because the contacts aren't in great shape. I don't think any merchants have actually cared enough to check my card for intentional damage to the chip when processing a fallback transaction, but even with the magstrip I get asked for a pin (NZ). https://www.level2kernel.com/blog/index.html%3Fp=136.html

I have been developing credit card terminal applications and security systems professionally.

Magstripe is historically for fallback mechanism when the chip on the card or the reader in the terminal might be damaged.

There is also a class of terminals that may not have the chip reader altogether, for example airlines didn't bother with chip at all for very long time.

I don't know if this is why, but magnetic seems much faster than chip...

Because you don't need any checks. AFAIK, the PIN confirmation via chip takes at least a second. Online transactions take longer to confirm.

That's nicely solved with contactless. You get immediate confirmation that the card was accepted but the terminal still confirms online. The feedback comes 3-5 seconds later. That still allows the retailer to stop you if the card was declined but you can already use the time and don't have to wait until you can remove the card.

In addition to dx034’s answer, you put your card away right after swiping, but it’s still processing. With chip, you can’t remove it until it processes.

This is an awesome article breaking this down really well. So why are you all talking about Chip and PIN? Talk about the article and about the technology stop arguing politics of chip and pin.

Most interesting part is that they managed to get the hex dump of the software. Quick glance shows there are no copyright texts in it, bummer!

I'm not an expert in PIC assembly but it seems there is very little code and there are no obvious code paths, like a switch..case like construct for processing the serial commands. Lots of I/O and not much more. Most likely they are not decoding the magstripe data in PIC but just get the decoded data and store it.

I just tried disassembling the hex file. Unfortunately, the code protect bits are set (location 0x300008 is 0x00). This means that the ROM from 0x000800 to 0x007FFF will read as zero. And indeed, that entire space is filled with zero. So, I think we're missing much of the actual firmware.

Edit: And the reset vector begins with a branch to location 0x001ACA, which is all zeroes, so I'm pretty sure most of the firmware was not read out due to the code protection.

From a quick Google Search, a Russian company is offering microcontroller code-dumping services: https://russiansemiresearch.com/en/faq/

I have no idea if this is legit or not. I doubt your law enforcement would let you access their services anyway.

Edit: My guess would be they work with industrialized de-capping + software to dump the memory, like this: https://www.bunniestudios.com/blog/?page_id=40

There are other "chip intelligence" companies in the US, some of which probably have such services. At a different cost.

On some of these embedded chips there are methods to glitch the fuses for read protection by messing with the power (a form of fault injection attacks). These used to work a few years back but I haven't heard if they still do.

The first gas station chain that offers Apple Pay/Android Pay as a payment instrument gets 100% of my business. I'm really hoping Costco will enable the contactless payments on their pumps sooner rather than later.

I've noticed that Chevron is updating a lot of their pumps to have an Apple Pay/Android Pay option. In my experience with the two stations I use regularly is that the pump I choose has a 50% chance of working. But the annoyance is worth the security of not using my card.

The new gas station near my house does contactless. I think that now that the credit card networks are pushing liability onto the merchants we will start to see more and more of these popping up.

Heh unfortunately gas station pumps are exempt from the immediate liability shift and get an extension (https://usa.visa.com/visa-everywhere/security/emv-at-the-pum...) which means this will be a prime attack vector as the shift changes over the next few years.

A lot of the new Gilbarco 700 series are coming with them. We're looking at them now and are wanting to get them. Most of the Gilbarco 500 and series 700 can be updated to have them.

A lot of Exxon/Mobil stations do now.

IIRC, when I lived on the East Coast in the 90's, Exxon was a pioneer with contactless payments. They had a little round thing that looked like a quarter of a pencil that you could put on your keychain to make payments at the pump.

I also remember this in Canada in the late 90s. ESSO had such a device. I think other stations (Shell, Petro Canada) also did.

Tried this last month, and it totally didn't worked. Tried 3 times and even went in to the cashier twice, who tried to figure it out. Never got it working.

In the second image here [1] there's a security seal on the payment closure as a whole; I'd imagine a simple security seal along the side of the card scanner intake would thwart most would-be card skimmers, no?

At that point the employees could just make it part of the standard inspection and it'd be more obvious to customers if they were missing.

[1]: https://cdn.sparkfun.com/assets/learn_tutorials/6/9/4/Gas_Pu...

The caption right under that image is: "Front of a US Fuel Pump complete with extremely difficult to source security seal"

"extremely difficult to source" is a link to an ebay page with thousands of different security seals.

It seems to me that you could just put some kind of sensor on the inside of the gas pump access door that notifies someone as soon as the door is opened. If you know there is a maintenance guy scheduled for that day/time, then you just ignore the notification. If not, then you know that there has been unauthorized access to the pump.

That requires money and ongoing effort on the part of whoever monitors that system. As the article stated, there is not a monetary incentive to the responsible party (the station owner) to make this happen. Even with an incentive, it's still an arms race with the bad guys. Things will only get better when we have more secure payments.

Lots of people have access to gas pumps and their keys. Not just the station owners, but the managers. Also city/county/state weights and measures regulators, the guy who maintains the attached screen that shows the local news and weather loop, and probably more that I don't even know about.

From what I've seen about gas pump locks, they look about as "secure" as those round keys that came with every IBM AT-clone in the early 90's. They kept the weak and the ignorant out, but you could unlock your buddy's rig at will.

So... is the trick to have your own key so you can open these things and have a look inside before you swipe your card? If the store is not going to offer me security, I'm going to take care of it myself.

They also link to a page on ebay in the article where you can buy those seals.

Nice writeup. But in the article they write:

> Are you angry that your card has been stolen, again? Contact your local congress person or senator and ask them to pass legislation that fines gas stations $100 for every card that is discovered on a skimmer in one of their pumps. It’s ultimately up to the gas stations and pump manufacturers to secure their pumps.

Suggesting a solution like it's an easy fix always bugs me a bit. Would a 100USD fine actually work here? The issue seems more with the fact that the US hasn't upgraded to a chip&pin style system. You might end up just costing the gas stations more money, when they don't actually have the power to do much about the problem.

It feels a bit like victim blaming, when in this case the victim has little choice but to work with the system as they find it.

The deadline for retailers getting on board with chip readers was October 2015. Gas stations pushed back and got it moved to 2020 because of the high costs (according to them) associated with swapping out card readers attached to pumps.

The way I understand, after the 2020 deadline, gas stations will be liable for fraudulent charges (or at least associated fees).

Also, I've had my debit card skimmed twice in the past 3 years. A smart gas station (or chain) would pay to put chip readers in NOW and advertise that feature. I'd got there exclusively.

> I've had my debit card skimmed twice in the past 3 years.

Huh. I suppose that is the one advantage we have in Oregon where we are not allowed to pump our own gas.

Full service gas stations have a long history of "old fashioned" card skimming - at least from my experience in New Jersey. My mother uses a separate credit card explicitly for gas stations because her credit card has been skimmed at NJ gas stations a half dozen times over the years.

Full service stations don't preclude a lack of terminal tampering. If the gas station closes at some point in time anyone can tamper with it after hours when it is unstaffed. Additionally, tampering can occur by criminals paying off employees to install skimmers.

Or an employee who covertly swipes your card with a reader that fits in his pocket before putting it through the pump

Didn't that partly change recently? When we were up in Oregon for the eclipse, one of the folks told us that you can now self pump between....some hour in the evening I can't recall and closing time.

Yeah, I lived in Bend for 3 years and miss that (among other things).

>Would a 100USD fine actually work here?

Yeah. The number of cases being reported would go down when gas stations start throwing skimmers they find in the trash instead of calling the cops.

Right... this sounds like a really strong possibility. Why didn't I think of that. :)

It's not the gas stations that are committing the crime. Why should they be fined? It's the people breaking into the pumps and installing the skimmers.

Most stations do what they can with security seals, frequent inspections, I've even seen some that install hardware-store hasps and padlocks on the pumps.

I do wonder why they have not converted to chip cards though. Almost all other retailers have.

The article says that

> Essentially, the perpetrator opens a pump using one of a few master keys, unplugs the credit card reader from the main pump controller, plugs the card reader into the skimmer and plugs the skimmer back into the pump controller. This reportedly takes less than 30 seconds.

So I'd say that at least those stations whose pumps can be opened easily with a master key should be liable if their careless handling of customer data leaks credit card details to skimmers. A fine would put additional pressure on the pumps with the worst security and might eventually lead to widespread deployment of something like the alarm system proposed at the end of the article.

Right but we're working with incomplete information. Who mandates the use of those pumps? Are better, more secure pumps available? Do the gasoline suppliers mandate that certain pumps are used? etc. etc.

So it's not clear that these things are purely under the gas stations control and that a simple fine would solve the issue.

Alternative solutions might include:

1. Mandating stronger security certification of public facing card readers.

2. The police more aggressively prosecuting these offenses (raising the cost to criminals who are caught and making the offense less profitable).

I don't have complete information, so it's not clear to me which solution is best. But it doesn't seem obvious and simple.

Here in Oregon, it's state law that only gas station attendants can fill vehicles. It seems that this would prevent some of this, but of course it doesn't prevent the skimmer from being installed after hours or by the attendants themselves..

A gas station with a skimmer is like a gas station with a gas spill -- it's a hazard on their property that is open to the public. They have a responsibility to maintain a safe environment, or else close off the property.

I assume when a gas station operator becomes aware of either a skimmer or a gas spill they remove it.

I guess in both cases what they can do to prevent those things from occurring at all is limited. Is anyone arguing that they don't monitor for skimmers on a regular basis? It's just that the criminals keep putting them back.

Here is what Visa has to say about the matter: https://usa.visa.com/visa-everywhere/security/emv-at-the-pum...

Hardware changes are annoying and expensive. Here in Canada where gasoline crested over $1.00/L it took an incredible amount of time for vendors to upgrade their equipment to handle the extra digit. Many locations had numbers physically taped on to their pumps and signs.

Pretty much all US cardholders have chip+pin now. I’d say about 75% of retailers support it.

(Not sure if this is how it works outside of the US, but we currently have cards with both magstripes and chips. You use the chip where it’s supported, the stripe where it isn’t.)

I've never seen Chip+Pin on a Credit Card in the United States outside of Target Stores that uses it on their own store card.

Everywhere else is Chip+Signature.

Are you thinking of Debit Cards? (I won't use these. I got my bank, BOFA to issue me an ATM card that's not a debit card.)

Yeah, my debit is Chip+PIN. Curious, what do you have against debit cards?

Try getting your money back if it's stolen. (And try convincing the bank you didn't give someone your PIN!) With a credit card, it's the banks money.

Very few credit cards are chip and pin, they're mostly chip and sign. And I don't think I've ever seen a gas station with a chip reader, so the chip's not really doing you any good if you're just swiping anyway. I believe the gas stations were given a longer timeframe to convert.

Here in Australia its pretty much 100% chip and PIN or contactless payments (paypass). Has been for a number of years now.

I don't think anyone swipes cards unless there is something wrong with the payment terminal. Even vending machines are tap and go.

If you swipe an Australian-issued card in an Australian-issued payment terminal, it will insist that you use the chip instead. Only if there is a problem reading the chip are you permitted to use the magnetic strip. Either way, the correct PIN number is required.

I believe that the magnetic strip can still be used for certain low-value transactions by stable merchants (e.g. street parking meters) but such exceptions are rare. Certainly never the case in a normal retail situation.


Theres a loophole in Australian regs that I recently noticed. With a foreign card on credit, you can swipe and OK past the PIN prompt with no PIN. Most merchants don't know they are supposed to sign and verify after that.

Of the dozen times i've tried it i've been prompted once to sign - and in that case the card had no signature on it and the merchant waived it away.

I'm in the process of figuring out the scope of this issue and how to fix/report it - I think the solution will be for terminals to enforce prompting for ID/signature

> I'm in the process of figuring out the scope of this issue and how to fix/report it

Don't bother, the merchants and card issues are well-aware of this. You're supposed to reconcile your card statement with your expected transactions, and dispute irregularities. If you attempt to fraudulently claim that you didn't perform a transaction, the issuer goes to the merchant to get a copy of the signature & uses it as proof you authorized the transaction.

If a fraudster forged your signature, you simply assert that the signature is not yours. If you attempt fraud here (sign in an unrecognisable hand), the fraud investigations will try to put you at the scene with CC TV recordings/handwriting matching/etc. Hopefully you have not signed any affidavits that the signature is not yours, because then you'll be up for perjury as well as fraud.

pin-bypass is pain. until people are all moved to just be chip/pin or even just pin then the only way is to add a bunch of prompts to hopefully force the staff to check for signature or to add delays/confirmations to make the process too annoying and force the customer to change.

Same here in the UK - it's ALL Chip & PIN, I can't even recall the last time I had to swipe my card[1], and I use it a LOT (yay, Airmiles!).

If the payment is <= 30 GBP, it's an offline transaction as well. Anything over that amount triggers a round trip to the backend servers.

As an aside, it's now perfectly possible to live a cashless life in the UK if you wanted to.


[1] That said, I think ATMs read the mag-stripe... but I don't really use those either these days.

> If the payment is <= 30 GBP, it's an offline transaction as well

It's still online (card-present check), but skips authorisation (no PIN needed).

> it's now perfectly possible to live a cashless life in the UK if you wanted to

Perhaps in London. Try spending a long weekend in Torquay.

I'm sure the Tesco, Sainsbury, Co-Op, and Waitrose in Torquay can handle card payments if you were really stuck.

I haven't found a single place so far that supported the chip+pin transaction. Everyone has the terminals but they are either set to not do the pin transaction or they are tapped off with a "broken" sign.

Here in Washington the chip readers are sometimes taped over... nearly always in, you guessed it, gas stations. They have the hardware but it's disabled.

Yep, also in Washington, same here.

We do? I've seen chip + signature all over the place, but I don't think I have a single chip + pin credit card.

Target cards are chip + pin, IIRC

You can thank Russian hackers for that.

The chip was to avoid skimmers like this...

When implemented there was a liability shift. But as always the US is far behind the rest of the world.

In Denmark the chip was added in 2004, and fully adopted 4-6 years later.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact