How does chip technology make my credit card more secure?

Like most of Europe, we in the UK have been using chip-and-pin cards for years. There is no doubt that it has reduced fraud overall (by an estimated 45%), but a lot of people are still being ripped off. As said above, card not present fraud is the main problem, accounting for over half of the total 216.1GBP in 2013. I buy a lot of stuff online and apart from the main 12 digit number on the front and my name and address, I have to enter the so-called security number printed on the signature strip on the back. If someone else has my card, and knows where I live, they have all the information they need.

My main CC issuer has instituted a further layer of security: If their computer recognises a transaction as “unusual” (Naturally they won’t tell us anything about the algorithm that defines unusual) I am required to enter a password as well, before it clears. Other CCs will simply decline to process what they consider to be unusual transactions without a telephone conversation.

The four digit PIN is initially sent by post, separately to the card, and the user can then change it at any ATM. This is clearly a vulnerable system where letters are not secure. If a criminal gets both letters then they have free access to your credit until you get the card cancelled.

“Vishing” is another way to steal your money: A fraudster posing on the phone as someone from a bank or building society fraud investigation team, the police or another legitimate organisation such as a telecoms provider, claims an urgent need for their debit or credit card details. In a twist, this typically involves telling the bank customer their card has been cloned and fraud is about to be enacted on their account.

Of course, if a crook orders a digital camera on my card for delivery to somewhere else, I can generally recover the money from the CC issuer. Hassle I don’t need and a cost we all have to bear in the long run.

As well as CCs, chip-and-pin is used on debit cards. These are far more vulnerable as anyone who has the card and knows the PIN can draw cash from any ATM, in my case, up to 500GBP a day until I report the loss of the card or my cash runs out. To counteract this, I, with the aid of online banking, never have more than a couple of hundred in my current account.

No one here would dream of letting some waiter go off with their CC. They either come to the table with a wireless reader or we pay at a register on the way out. Even McD's have them now.

Not sure what the problem is. Even Canada - just like the USA but with health care and much fewer guns - has had chip technology for a year or two, so it can work for Americans too. The problem is that Canada essentially has five big banks that dictate banking practices. The USA is nowhere near that simple.

Where my wife worked, it was a hassle for a while telling the old folks they needed to dig up their PIN to use credit or debit, but that has slowly stopped being a problem. You can still swipe the card if the chip does not work - a recent source of fraud - but some stores have a policy of requiring photo ID if the chip does not work, especially for big ticket items.

Chip technology does a handshake, using digital encryption. It’s not perfect, but imitating it and creating fake cards is a step beyond most criminal gangs’ abilities for now. It exchanges secure keys with the computer, thus proving it is the card it says it is, then verifying your PIN with encrypted traffic. This is much harder to fake; it’s the same technology that makes it impossible for even the NSA to read encrypted traffic.

Mag stripe was just that - something recorded on a magnetic stripe. It is incredibly insecure. Thieves had all sorts of tricks for capturing the data - gimmicking card readers to copy the data, capturing the data elsewhere and composing it onto the card, reading it from databases in business hacker break-ins… Then they could record it onto any card; if they were using it in an automated vending machine or ATM, it did not even have to look like a credit card. Other tricks, like recording the debit card PIN with a camera in the ceiling were common tricks; sometimes an ATM was compromised this way. Knowing someone’s ATM magstripe details and PIN was the key to cleaning out their bank account.

My wife mentioned corporate memos warning of people distracting the clerk while the swipe unit was exchanged for one with extra circuitry that recorded any swiped card. There was even a new one, where chip terminal hand units were being swapped - the crooks substituted one that made the card go deeper to be used, which allowed a head to read the full mag stripe and also captured the PIN entered.

Of course, the modern “paywave” technology - just wave your card over the reader - defeats all this. It apparently (in the modern versions) still does the handshake, so needs to be an active chip with the secure authentication; and is limited to a “small” amount (typically up to $50 or $100). The idea is to make minor purchases like coffee or train tickets faster. It has its problems - if a crook gets your card, it’s open season until you report it and it’s turned off; half the fun will be convincing the bank that you did not make those purchases. I’ve used the trick of tracing the antenna loop embedded in the card and cutting across it into the card with a utility knife. That disables the function, but not the “insertable” chip. (The terminal uses induction on that loop to power the chip too). Banks won’t give you cards without paywave because they want their 3% from the merchant for what would otherwise be cash transactions.

Not sure if US bank paywave uses insecure data techniques. I heard of another complication - places like the Washington DC subway apparently use embedded chip cards to allow tap-and-go entry. People who tried this without taking their pass out of the wallet found that sometimes they were charged the higher cash fare on their bank card instead or also.

For internet transactions - well, sucks to be an internet merchant. The verification code on the card is an added feature. All those businesses who are hacked and the credit card numbers stolen - according to the merchant agreement, a merchant is FORBIDDEN from recording or storing the verification code, so in general, that’s one piece of data that should not be available to hackers, helping to limit damage. Plus, many businesses may be wary of shipping certain items to anywhere but the mailing address for the cardholder, also limiting damage that could be done. The hacker has to both know the address and intercept the shipment.

I suspect we are not far away from a USB Chip reader that you can use with your computer in conjunction with online purchasing.
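An added illustration, not part of any post in this thread: a simplified Python model of why copied mag-stripe data still works while a recorded chip response does not. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and every class name, function name and card number here is made up for the sketch.

```python
import hashlib
import hmac
import secrets

class ChipCard:
    """Toy chip: the key stays inside the card; only responses leave it."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def respond(self, challenge, amount_cents):
        self._counter += 1  # a fresh counter value for every transaction
        return self._counter, _mac(self._key, challenge, amount_cents, self._counter)

def _mac(key, challenge, amount_cents, counter):
    msg = challenge + amount_cents.to_bytes(8, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self):
        self._keys, self._last_counter, self._stripes = {}, {}, {}

    def issue(self, pan):
        key = secrets.token_bytes(16)
        self._keys[pan], self._last_counter[pan] = key, 0
        self._stripes[pan] = f"{pan}=CONSTRUCTED-STRIPE-DATA"  # static, same every swipe
        return ChipCard(pan, key), self._stripes[pan]

    def verify_stripe(self, pan, stripe):
        # Static data: the issuer cannot tell the original from a copy.
        return "accepted" if self._stripes.get(pan) == stripe else "declined"

    def verify_chip(self, pan, challenge, amount_cents, counter, tag):
        key = self._keys.get(pan)
        if key is None:
            return "unknown-card"
        if not hmac.compare_digest(_mac(key, challenge, amount_cents, counter), tag):
            return "bad-cryptogram"    # response was made for another challenge/amount
        if counter <= self._last_counter[pan]:
            return "replayed-counter"  # this exact response was already used
        self._last_counter[pan] = counter
        return "accepted"

def demo():
    issuer = Issuer()
    card, stripe = issuer.issue("4000000000000002")  # constructed test number
    c1, c2 = secrets.token_bytes(8), secrets.token_bytes(8)  # terminal challenges
    counter, tag = card.respond(c1, 1999)
    return {
        "stripe_copy": issuer.verify_stripe(card.pan, str(stripe)),
        "chip_genuine": issuer.verify_chip(card.pan, c1, 1999, counter, tag),
        "chip_replay_same_challenge": issuer.verify_chip(card.pan, c1, 1999, counter, tag),
        "chip_replay_new_challenge": issuer.verify_chip(card.pan, c2, 1999, counter, tag),
    }
```

The copied stripe is accepted because it is identical to the original, while the recorded chip response fails either the cryptogram check (new challenge) or the counter check (same challenge).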

I haven’t been to Europe since receiving the chipped platinum card. Maybe it does work, but the customer service rep made it seem that the chips weren’t set up at. As if there was no data or anything being put on those chips because they didn’t have the system in place yet.

If it does work, you will need that four figure PIN

Come to think of it, I never got the notice in the mail that the OP got. I got the card with no mention or recognition that it even had a chip. I bet I got my chipped card as the first started getting them in to be ready for the move to chip and signature in the US. I bet I got one before they had their system set up to start embedding data on the chips. I guess I will find out in October.

In time I can see chip and pin coming to a computer near you for online transactions. Instead of typing in the credit card details along with the card security code, we will all end up inserting the card into a slot in the computer / tablet / phablet, and type in the PIN to complete the transaction.

As to when, who knows.

Chip and pin? I prefer calling it Chip & Dip.

Think about it. :smiley:

Here’s the view from a small business. I currently have a swipe reader. I now have to purchase an entirely new system and train on it. I need one that can do both chip and swipe because I will need to take swipe cards until they are completely phased out. However, I still need to keep my old reader for check verification. Luckily, my billing service contracts with a credit card service so I don’t have much choice. I buy what they tell me to.

Heard on the radio that banks say US people don’t like PINs with credit cards. Which seems really dumb because we have PIN for our debit cards.

No you won’t. EMV terminals can recognize Chip & Signature cards and skip the PIN. You guys in the rest of the world are getting Chip & PIN cards which require a PIN. In the US, almost all cards are Chip & Signature and have no PINs.

There are some terminals that won’t accept Chip & Signature. People always point to the infamous unattended railroad station ticket machines as an example. But the US cards will work almost everywhere without a PIN.

Watch the people ahead of you in line at the grocery store. How many of them enter a PIN? Most people just press “credit” and make their purchase without a PIN.

And how many people own 5 or 10 debit cards? Owning that many credit cards in the US is not uncommon. People have a Target card because it gives them 5% off purchases, a Kohl’s card because it gives them all sorts of complicated goofy promotions, a JC Penney card because it gives them an extra 5%, a Macy’s card because it gives them Star Rewards, a Visa that gives 5% at gas stations, a Mastercard that gives them 10% off their AT&T bill, a Discover card that has some gimmick or other, and so on and so forth.

When Americans tell Europeans how many credit cards they have, they look at us like we are daft.

I’ve always been able to set whatever PIN I wanted. While it is very unwise from a security point of view (1 card compromised = all cards compromised) people carrying massive numbers of cards could always make all the PINs the same so that their poor little brains could manage to remember what to type.