Tales of a new credit card: chip-and-PIN arrives in the Toronto area.

Canadians have been using PINs for years, though, with our magstripe debit cards. That part won’t be new.

That’s probably the main overt reason for the change.

My guess is that MC/V have plans for the whole US to go chip & pin before 2015, rendering that problem moot. It also wouldn’t surprise me at all if Canada starts to experience a surge of card fraud on foreign magstripe cards as all the card skimming/cloning gangs in Canada are forced to switch their attention away from domestic cards - probably not nearly enough to make everyone decline magstripe cards, but possibly enough to put off some merchants, or force them into asking for supplementary ID.

This is to some extent a self-correcting problem. As more and more places enable their C&P readers (which have been included by default in most new terminals sold over the last few years) the remaining holdouts will experience higher and higher fraud rates, leading to punitive merchant fees - which will then prompt them to get on the C&P bandwagon whether they like it or not.

Like thirty million deaf, dumb and blind people trying to form a conga line on a really big bouncy castle. A months-long information campaign culminated in Chip & PIN day (Valentine’s day, as I recall), with ever-increasing amounts of confusion and misapprehension reaching a joyous climax of locked-out cards, crashing POS systems, lengthy queues, weeping pensioners and hysterical shop assistants. Basically, everything you’d expect from trying to implement a relatively trivial change affecting an entire country. Made me glad I didn’t have to live through decimalisation.

To manufacture their own blank cards, fraudsters will have to source blank chips, pirate the operating system that goes on them, pirate the financial applications that run on that operating system, figure out how to laminate the chips into the cards and add the contact pads, and then do all the other things they already do with magstripes and embossers. It’d be an order of magnitude more difficult. Not saying it wouldn’t happen, but I bet stealing cards and/or chips will be much more popular than starting their own semiconductor fab.

More difficult, yes, but not impossible. Furthermore, I’m not sure what’s in those chips, but I doubt it’s anything so complex as an operating system. In all probability it’s just data that is more complex than can fit on a mag strip and probably includes heavy duty 256-bit AES encryption or something of the sort. It may include a unique pass key used to identify the cardholder and the information used to cross-verify the data on the mag strip.

The duplication of the chips would be the hardest part. Manufacturing, by comparison, would be pretty simple (though more complex than standard mag strip cards). A small IC on a flexboard covered in a blob of black epoxy, with traces leading out from the pins, coming out of it and over the top and widening into the open contacts that will be used to read the card. The card itself would be assembled in 3 layers: Bottom plastic layer with mag strip, circuit board layer, and top layer. Looking at my own card I can see the seam through the middle, and you can feel the rounded shape of the chip section, which would be the blob of epoxy under which the chip sits.

Difficult – far more so than normal mag strip cards – but not impossible for a sophisticated enough operation. It’ll take time, but thieves won’t much care. The real challenge will be breaking the encryption.

It’s an operating system. With applications. And that’s just one example OS. I strongly suspect that neither OS nor applications can be read off of a card; ISO 7816 defines the communications protocols, and I suspect that they simply didn’t include a protocol for reading out the contents of the chip.

Whoa.

These cardses is smart. I’d no idea they had that kind of tech on them. I’ll bet they can be hacked though. There must be output as well as input pins or the applications within wouldn’t be able to send results/data back to the PIN pad, and where there are pipes leading into and out of a system, there are ways to get into it and hack it. The difficulty level is irrelevant; if it can be done, it will be.

I don’t think we’ll have anything to worry about for a while yet though.

I want to mention that I’ve had some unpleasant experiences with chipcards.

I’m a Canadian who lived in Europe for a little over a year; I just came back a couple of months ago. I had a Dutch bank account with a chip-and-PIN system on the card. It’s not a credit card; it’s more like Interac. Like Interac, it has two roles: as a debit card for direct-debit purchases (swipe the magstripe and enter the PIN), and for withdrawals from bank machines from any bank, by inserting the card and entering the PIN. It is also used, unlike Interac, for internet banking with an electronic security token (the one pictured here, in fact), which compares a user-entered PIN with the one stored on the chip in coded form. Finally, this card can also be used as a pre-loaded debit card; you transfer a balance from your account onto the chip, and debit from this account at vendors, without using any PIN or security code. This is the “Chipknip” system, in the Netherlands.

I also had a chip-and-PIN credit card from this bank, which was no doubt similar to what Canadian banks are rolling out now.

My card was on one occasion stolen while I was traveling in Finland. Within a short time, the thieves managed to extract over 1,000 euros from my bank account. Since you supposedly need the PIN to do that, the bank’s response was to issue me a new card and tell me to accept the loss and take it as a lesson that I should be more careful with my PIN in the future.

Now, this is a card which I didn’t use during my entire stay in Finland (so no one obtained the PIN by observing me typing my PIN in someplace). In fact, the first two transactions were denied, based on incorrect PIN, prior to the two successful withdrawals. The retailer name printed on the bank statement was that of a company which no longer existed. Both its successor company and the former parent conglomerate confirmed afterward that they had made no sale with the listed details (location, amount, date). And the transactions occurred on the ground in Finland while I was over the Baltic sea on an airline flight. Even more, they were listed as occurring in a city to which I had not personally traveled.

So on the one hand it clearly wasn’t me who made the withdrawals, and they clearly weren’t made at a legitimate vendor, and there was no chance of the PIN having been leaked (unless you imagine I told it to random strangers in a foreign country in whose language I cannot count to ten).

On the other hand, the chip on the card contains the PIN, in some kind of coded form. And the Süddeutsche Zeitung ran a major story a few weeks later about rampant fraud involving stealing these very cards.

And what did the bank say in response to all of this? “We can conclude no differently than that you must have been irresponsible with your PIN.” And so I lost out on over a thousand euros.

So I have very little faith in the impenetrable security of the chip+PIN system, and I fully expect, as other posters have suggested, that this will be a way for the banks to transfer the costs of fraud and theft to the consumer.

(As an added bonus, the bank took forever to get the replacement card set up – the way it works is they give you the new card in person at the branch, and mail you the PIN to your home. Get this: they sent my new PIN to the wrong address. This took so long that I nearly ran out of money for groceries, and had to miss a rent payment. In the end, I have only the schadenfreude that this hateful bank had to be bought up by the Dutch government this fall due to its near-collapse in the Great Financial Crisis.)

PS, everything else about Finland was great, and those thieves in Turku remain the only blemish. I hope they got stampeded by reindeer.

One thing that annoys me as a retailer is people giving their chip-n-pin cards to others to use. People’s children come in with their parents’ cards etc. I find that it is rather foolish of the cardholder to divulge the PIN to anyone, even members of the family.

wolfstu:

I know it won’t be any comfort to you, but here in the UK, the card owner’s maximum liability is £50. So it must depend on the particular country’s regulations.

I don’t think there’s much manufacturing going on in the criminal world (although there have been instances of criminal gangs obtaining access to card production facilities in places like Thailand and using them to mass-clone card details obtained from western countries). Usually it’s more a case of repurposing card stock obtained from normal sources, whether bought or stolen.
A standard mag strip card is just a rectangle of plastic with a bit of glorified videotape glued to the back. Since they are manufactured in vast numbers for use as everything from gym membership cards to building security passes, it’s trivial to get hold of a small quantity (5,000 or so, at maybe 16.5 cents each), faff about with whatever you like on the front to make them look moderately legit, and then write stuff onto the magstripe. Tracing the cards back to whoever made them, and thence the buyer, is not easy.

Check out Bundle #6 here. World’s smallest portable magstripe reader, a stripe writer, 100 blank cards and software. Yours for $720, then all you need is a low-wage job in a restaurant/bar/shop where you will come into contact with lots of cards. You might not even need to bother with PC, since the card reader can download directly to the writer, although if you want to make full use of the 3000-card memory of the reader a PC might save you some hassle, and also let you make use of the $79 keylogger dongle they also sell. “These products are intended only for legal use” :dubious:

Chip cards are much, much more expensive to buy and most likely easier to trace, since you can serialize the chips. They are also a bit more difficult to faff with and the equipment is commensurately less available and expensive. So mass cloning is a more complex operation, although doing small numbers is probably well within the abilities of a skilled bedroom hacker.
As they become more common, and the technology becomes more obsolescent and more widely understood, the security will be more commonly penetrated and fraud will rise - all that’s happening is that the industry is jumping from a high and rising curve to another (much lower) rising curve; it’s not like any sane person would expect to beat the crims forever. Wolfstu’s experience is still relatively uncommon, but will become more widespread, and eventually banks will either end up having no customers or they will need to abandon the “it can’t be fraud, it must be your fault” line they like to parrot at the moment.

You’re right – it’s happening and will become more common. But already, according to the Süddeutsche Zeitung, thousands of these frauds are happening a year. From the article I linked to above:

Which is roughly: “From January to the end of November, 10,400 EC-Cards (aka Maestro-Cards) were falsified in Germany, according to data from the company in charge of the system, Euro Kartensysteme GmbH of Frankfurt. This is nearly double the amount in the same period in the previous year.”

So already, nearly a thousand cases of fraud occur on this system per month in Germany alone. That’s as of a year ago, and if the trend holds, it’s doubling again every year.

(The print version of this article was accompanied by a photo of a chip-card copying machine which had been seized by police – the photo is not included on the website).

We’re already getting chip-and-pin cards cloned here. Didn’t take long. Shell gas stations had a big scandal about employees doing it, and they reverted to swiping them for a while.
Bank ATMs get false fronts put on them so they can harvest the PIN and swallow the card.
Easiest is to learn what the PIN is and then steal the card, rather than get the card and then set about trying to guess the PIN.

Eh. It’s a question of proportions. I think Germany has been Chip & PIN for a while, so it may be that those 12000 incidents per year represent a significant proportion of total card fraud. If so, that’s a reasonably small amount - even if each incident netted €5,000 (unlikely) that’s €60 million. For the UK card counterfeiting losses were £88 million in the first half of this year alone. (See here). It’s hard to tell though, since Germany is a much less plastic-dependent culture than the UK, the size of the economy is different, and it’s not easy to get a breakdown of chip/magstripe fraud. In the grand scheme of things though, 1,000 incidents a month isn’t huge - a single well-organised gang could pull that off. Absolute fucking nightmare for the poor sods who are victimised of course, but it’s not like that’s top of mind for the industry.