why are chips better than stripes?

[Lare]

Understood, Mogle, I was providing the links in case you had any curiosity about them. Or wanted to apply for one!

[kombatminipig]

Rysto:

This is better than the stripe, but there are at least one vulnerability in this example. The reader gets to choose the challenge. A compromised reader could record the challenge and the response, and then an attacker could execute a replay attack:

*Fake Reader: Hey, Bank! I’ve got some dude here claiming to be kombatminipig. I said 4711 to him, and he replied 1337. Is that cool?
**Bank: **Yeah, cool.
Fake Reader: Okay, he told me to transfer his life savings into this account.
*Bank: ** Ok, the money is all yours

Well…no. The bank’s reply would be more in the style of the following:

***Bank: *Dude, your certificate doesn’t match up. I don’t know who the hell you are, but you’re not one of my certified readers. Anyway, 1337 might have been the correct reply some time yesterday, but seeing as how time or some non-repeating series of numbers might have been a factor in producing the reply 1337 from 4711, you’re obviously trying to screw with me. So screw you, dude.

Conversation would of course never have happened at all due to the broken certificate on the reader’s side, but I let it remain for illustrative purposes.

[kombatminipig]

Lare:

Pardon me for not getting it, but couldn’t this be duplicated as well? Pretend that instead of a stripe-reader-skimmer they have a chip-reader-skimmer. Then they have the physical card for the same amount of time as the authentic-chip-reader so why couldn’t they store the ask and response for later collection and misuse?

By requiring external factors that require more than a reader and the card. As I replied earlier, including such factors as one-of numbers (non-repeating series), the time and PIN codes, the sum involved, etc as part of the reply to the challenge makes sure that the reply is only valid there and then and for that transaction.