FlyerTalk Forums - View Single Post - Should USA card issuers adopt EMV (Chip & PIN)? [Opinion discussion]
Oct 10, 2011 | 11:08 am
  #89  
garyschmitt
Originally Posted by travisc
You are correct, the magstrip can still be skimmed. However, at least here in the UK (& at least my bank), your card will be flagged for fraud if you use it outside the country without notifying the bank first.
That's independent of the technology. Competent US banks do the same. In fact, they sometimes go further, and analyze whether someone residing in Chicago and recently vacationing in Europe would be buying a 1k EUR refrigerator in Czech. Transactions get suspended if they look suspicious. But this aspect is irrelevant - it's not a strength or a weakness of magstripe or CNP.

Originally Posted by travisc
Please don't put words in my mouth. Unless I typed 'infallible' while day-dreaming, I said no such thing nor implied any such thing.
You certainly did imply it when you said "Hybrid cards are no less secure than magstrip cards." That's an exact quote. In order for that to be true, you would have to believe that adding the EMV chip does not introduce one single vulnerability.

Originally Posted by travisc
Correct. Only once the US and other big holdouts provide EMV-capable terminals will we be able to make the switch.
That's not good enough. The US is not the only place Europeans travel to that uses magstripe. There are certainly tens, and probably hundreds of small countries that are still using magstripe.

Originally Posted by travisc
This would be a significantly easier task if people in the US did not perpetuate the stigma about EMV, and rather spent time complaining to their banks (who are quite happy with the status quo as it is cheaper than moving to something securer).
The cost of moving to something more secure shadows the cost of the less secure hybrid cards. And EMV-only cards won't cut it alone because Americans also want to be able to use their plastic in small third worlds. The only way to get a card that is more secure than the traditional magstripe, which will work in the boonies, is to go with a card that dynamically populates the magstripe after the card authenticates the card holder. At the moment, that cost is on the order of $10 per card, but does not require replacing PoS terminals or ATMs.

Complaining to the banks would be foolish. At the moment, the banks are offering a product that comes with sufficient legal protections. First voters need to complain to their reps about updating the law to include sufficient protection from PIN forgery and PIN circumvention. Only after that would it make sense to complain to the banks to move to something more secure.

But even that approach is not ideal, because EMV is 20 years old, and requires account holders to carry a physical chip around, at an age when everyone has a mobile phone, and many are moving to smart phones. Why blow money on intermediate technologies? IMO, if money will be spent upgrading security, it makes more sense to make the full leap and skip the EMV. Go straight to something that doesn't eat wallet space. Have the bank authenticate users via their phone using 2 or 3 factors, and then have the bank securely authorize the transaction with the supplier.

Originally Posted by travisc
This is incorrect. There are numerous situations where flaws in EMV can be and are used to commit fraud, the banks know this, and if your bank thinks otherwise you need to call them out on this, or more likely ask to escalate to a higher level within their fraud department that knows a clue.
You're still talking UK law. The UK revised their laws in 2009 to add the needed protection from PIN forgery and PIN circumvention. US banks do not fall under UK law, and the US is legally behind the curve on this. In the US we're still limited to Regulation E. No US laws have been introduced to counter the ease of showing that a forged PIN resembles the cardholder-entered PIN. US law still has the same hole that the UK had before 2009.

Last edited by garyschmitt; Oct 10, 2011 at 11:29 am