Should USA card issuers adopt EMV (Chip & PIN)? [Opinion discussion]
#31
Join Date: Aug 2010
Posts: 109
The level of security of any card-based system is directly proportional to the level of data storage in that system. "Data", remember, is also programming and encryption, which can allow the actual "data" (information) to be scrambled and hidden so completely that no one who isn't YOU can use your card. Given the vast increase in data storage provided by the chip, there is really no issue here besides "when will US banks start issuing chip-enhanced cards to their customers?"
The second issue is PIN-vs.-signature.
Using PINs to confirm transactions does put more of the onus on the customer to prove that a transaction was fraudulent, so always guard your PIN carefully, and cover the keypad even if no one is nearby (because there may be a micro-camera watching you).
Using PINs to confirm transactions does put more of the onus on the customer to prove that a transaction was fraudulent, so always guard your PIN carefully, and cover the keypad even if no one is nearby (because there may be a micro-camera watching you).
Yes, some engineering students did demonstrate a flaw in the card programming by using a device that intercepted the data passed from card to ATM, and gave a false "all clear" signal that the proper PIN had been received. Our thanks to these students for finding and demonstrating that security flaw, which I believe has now been fixed with additional programming that requires each card to send a unique PIN confirmation signal.
Exactly. The reason legal protection trumps all.
Last edited by EUnomad; Feb 26, 2011 at 3:26 pm
#32
Join Date: Feb 2011
Posts: 22
Nice try. Unfortunately, the consumer does not get the benefit of this theoretical hypothetical separation. The PIN is required to get usable unencrypted data from the chip. It's not incidental that "chip and pin" are used together. It's actually inherent in the design. Chip and sign would require leaving the contents of the chip unencrypted.
Fortunately, the very-large storage capacity of the chip HAS lots of room for improvement.
sdrawkcabtidaer,ecnetnessihtfoesnesekamot
that's data. And if I further write:
reverse the letters
that's also data. The first data is the encrypted content, and the second data is the decryption algorithm. Now, this algorithm is pretty simple, so it doesn't take up much space, but it's also fairly easy to break. Not good. More complicated algorithms are harder to break, but they take up more space.
So yes, more space to store "data" -- i.e., both content (for access to multiple accounts) and algorithms (for encryption, handshaking, multiple methods of confirmation, etc.) -- is a good thing for security.
Well, no, it doesn't. And the point would be moot even if the above were true, because using vastly superior technology doesn't automatically imply losing legal protections against fraud. Using vastly superior technology only implies that the occasions when we need recourse to those protections will be much, much rarer, because fraud will be much, much rarer.
What you and I are experiencing here is a breakdown in communication due to widely differing viewpoints and knowledge. You're a banker; I'm an engineer. Therefore you and I see (and seek to solve) entirely different facets of the same problem: changing technology and various reasons to embrace or resist it.
You see the legal and financial implications of changing technology in the banking world; I see the technological potential and its implications; but neither of us is considering fully the power of human needs and desires as a force for change.
The thing is, no matter how many posts you write trying to convince people that 1940's magnetic-stripe credit card technology is better than modern chip technology, the other 95% of the world has already switched or is in the process of switching to the new technology, and the US has long been left in the dust.
As long as it was only those who traveled to Europe and Asia who knew about the spread of new technology, US bankers could continue to sit on their hands and keep issuing us antique-technology credit cards. But now, with both Canada and Mexico switching over, the word is effectively out. You can't keep it secret any longer, and US citizens are too used to being the first to tolerate being the LAST.
Chip cards are coming, and they're coming soon.
So, rather than wasting your time trying to convince people why it's so much "better" to keep using ancient technology (that's literally rusty -- iron-oxide mag stripes), you could use your time and money more efficiently by considering the technology a "done deal", and determining how US banks could best adapt to it, to protect both user security and the banks' income streams. (Because we all need strong banks, and a profitable bank is a strong bank.)
For instance, if current algorithms require the user's PIN to decrypt their data, it would seem to me that US bankers should be hiring engineers ASAP to develop algorithms that require a "handshake" for decryption instead, allowing the user to sign for their purchases instead of using their PIN. (I've read enough posts on FT to know that most users here prefer signature confirmation even on their debit cards because it gives them free miles!)
See? If you plan for change instead of resisting it, you can make bundles more money than you already have!
;-D
-- Claudia
Last edited by francophiliac; Feb 28, 2011 at 12:45 pm
#33
Join Date: Aug 2010
Posts: 109
Certainly not. An algorithm is a *process*. The process makes use of the data, but the process itself is not data. The protocol is a set of rules, not data either.
The computers don't know what to do with the data until you tell them what to do with it; and the words "do this with the data" are also data. So if I write:
sdrawkcabtidaer,ecnetnessihtfoesnesekamot
that's data. And if I further write:
reverse the letters
that's also data.
sdrawkcabtidaer,ecnetnessihtfoesnesekamot
that's data. And if I further write:
reverse the letters
that's also data.
The first data is the encrypted content, and the second data is the decryption algorithm. Now, this algorithm is pretty simple, so it doesn't take up much space, but it's also fairly easy to break. Not good. More complicated algorithms are harder to break, but they take up more space.
Well, no, it doesn't. And the point would be moot even if the above were true, because using vastly superior technology doesn't automatically imply losing legal protections against fraud. Using vastly superior technology only implies that the occasions when we need recourse to those protections will be much, much rarer, because fraud will be much, much rarer.
Nonsense.
EE apparently isn't close enough to realize the relationship between complexity and software defects (although I would have thought otherwise). And it's not close enough to law either.
Therefore you and I see (and seek to solve) entirely different facets of the same problem: changing technology and various reasons to embrace or resist it. You see the legal and financial implications of changing technology in the banking world; I see the technological potential and its implications; but neither of us is considering fully the power of human needs and desires as a force for change.
The thing is, no matter how many posts you write trying to convince people that 1940's magnetic-stripe credit card technology is better than modern chip technology, the other 95% of the world has already switched or is in the process of switching to the new technology, and the US has long been left in the dust.
If you insist on technology for the sake of not feeling left in the dust, why not favor a dynamic magstripe? One that's blank, until the holder authenticates to the card. That's even newer than EMV -- you could then tell EMV card holders they're old, and simultaneously preserve your protection of the bank having to prove sig matching.
For instance, if current algorithms require the user's PIN to decrypt their data, it would seem to me that US bankers should be hiring engineers ASAP to develop algorithms that require a "handshake" for decryption instead, allowing the user to sign for their purchases instead of using their PIN. (I've read enough posts on FT to know that most users here prefer signature confirmation even on their debit cards because it gives them free miles!)
#34
Original Poster
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
The baseline question is: How should the US approach EMV when the rest of the world is starting to phase out the mag-stripe?
The rest of the world is not going to continue using mag-stripes because the US steadfastly refuses to make the switch, they have their own issues of skimming card fraud at hand that they’d like to get rid of by banning the mag-stripe altogether. Merchants overseas don’t want to keep paying annual PCI-DSS fees and they’re going to take advantage of VISA’s new promo of being exempt from said fees if more than 75% of their payments are done by EMV.
It may not be now, but within a few years, US credit cards will end up to be just useless plastic as everyone else has moved on to Chip & PIN. I’m sure that’s not going to earn lots of happy American travelers when they say, take a drive through Canada and find out their Chase VISA card is only good to scrape off the bugs off the frontshield.
While it may not have been invented as such, but credit cards today are defacto payment methods of travelers worldwide. If it says “accepted worldwide in millions of places where VISA/MC/AMEX logos are carried,” that’s what it should be and that's what cardholders expect them to be. Not a gotcha situation where the reality is “oops, forgot to mention that's with the exception of US issued cards which still relies on ancient magnetic stripe technology that no one else except the US uses anymore.” Frankly, that’s a pretty big question in itself right there that’s open to a huge class-action lawsuit for false advertisement.
Just like GSM has become the defacto global standard of cell phone, EMV is now practically a global standard of processing payment. The US can’t turn the tide of this; it’s alone among a 200+ other nations that already made the switch/in the process of doing so, and the number of cardholders/population combined in these nations outnumber Americans. The economies of scales are at work here; if the majority of cardholders in the world combined have EMV enabled cards, what do you think banks, merchants and suppliers of credit card processing machines are going to do?
So fine with the mumbo-jumbo of how mag-stripes still has its life left and such. But then, give me a practical approach to how the US should counter itself to an ever isolated world where it’s the lone standout in an EMV world?
Can the US re-introduce the mag-stripe to satisfy the hundreds and thousands of merchants overseas that it’s still good? Well clearly I’m not seeing that happening.
The rest of the world is not going to continue using mag-stripes because the US steadfastly refuses to make the switch, they have their own issues of skimming card fraud at hand that they’d like to get rid of by banning the mag-stripe altogether. Merchants overseas don’t want to keep paying annual PCI-DSS fees and they’re going to take advantage of VISA’s new promo of being exempt from said fees if more than 75% of their payments are done by EMV.
It may not be now, but within a few years, US credit cards will end up to be just useless plastic as everyone else has moved on to Chip & PIN. I’m sure that’s not going to earn lots of happy American travelers when they say, take a drive through Canada and find out their Chase VISA card is only good to scrape off the bugs off the frontshield.
While it may not have been invented as such, but credit cards today are defacto payment methods of travelers worldwide. If it says “accepted worldwide in millions of places where VISA/MC/AMEX logos are carried,” that’s what it should be and that's what cardholders expect them to be. Not a gotcha situation where the reality is “oops, forgot to mention that's with the exception of US issued cards which still relies on ancient magnetic stripe technology that no one else except the US uses anymore.” Frankly, that’s a pretty big question in itself right there that’s open to a huge class-action lawsuit for false advertisement.
Just like GSM has become the defacto global standard of cell phone, EMV is now practically a global standard of processing payment. The US can’t turn the tide of this; it’s alone among a 200+ other nations that already made the switch/in the process of doing so, and the number of cardholders/population combined in these nations outnumber Americans. The economies of scales are at work here; if the majority of cardholders in the world combined have EMV enabled cards, what do you think banks, merchants and suppliers of credit card processing machines are going to do?
So fine with the mumbo-jumbo of how mag-stripes still has its life left and such. But then, give me a practical approach to how the US should counter itself to an ever isolated world where it’s the lone standout in an EMV world?
Can the US re-introduce the mag-stripe to satisfy the hundreds and thousands of merchants overseas that it’s still good? Well clearly I’m not seeing that happening.
#35
Join Date: Feb 2011
Posts: 22
Computers in your wallet!
My local CU was hit last Fall to the tune of $400K on a total of nearly 300 skimmed cards. The thieves placed unobtrusive skimmers on the card readers, with tiny microcameras focused on the key pads.
If it says “accepted worldwide in millions of places where VISA/MC/AMEX logos are carried,” that’s what it should be and that's what cardholders expect them to be. Not a gotcha situation where the reality is “oops, forgot to mention that's with the exception of US issued cards which still relies on ancient magnetic stripe technology that no one else except the US uses anymore.” Frankly, that’s a pretty big question in itself right there that’s open to a huge class-action lawsuit for false advertisement.
... Not to mention, possible racketeering charges, since the big banks appear to be in collusion to prevent any one of them from independently introducing EMV cards as an incentive for people to switch banks?
So fine with the mumbo-jumbo of how mag-stripes still has its life left and such. But then, give me a practical approach to how the US should counter itself to an ever isolated world where it’s the lone standout in an EMV world?
Can the US re-introduce the mag-stripe to satisfy the hundreds and thousands of merchants overseas that it’s still good? Well clearly I’m not seeing that happening.
Not to mention the many, many cool advantages to having chips on board your credit card...
For instance, chips allow your credit card to hold not only data, but also data processors... and signal processors, too, if you're so inclined. In fact, your credit card can now hold a computer that's more powerful than the early personal computers were... a whole computer, not just a data strip! Imagine!
[Moderator edit] For myself, I can't wait to see the cool new stuff our credit cards will be able to do in the very near future!
-- C
Last edited by mia; Mar 1, 2011 at 5:22 am Reason: Remove personal characterization
#37
Join Date: Aug 2010
Posts: 109
While it may not have been invented as such, but credit cards today are defacto payment methods of travelers worldwide. If it says accepted worldwide in millions of places where VISA/MC/AMEX logos are carried, thats what it should be and that's what cardholders expect them to be. Not a gotcha situation where the reality is oops, forgot to mention that's with the exception of US issued cards which still relies on ancient magnetic stripe technology that no one else except the US uses anymore. Frankly, thats a pretty big question in itself right there thats open to a huge class-action lawsuit for false advertisement.
Just like GSM has become the defacto global standard of cell phone, EMV is now practically a global standard of processing payment. The US cant turn the tide of this; its alone among a 200+ other nations that already made the switch/in the process of doing so, and the number of cardholders/population combined in these nations outnumber Americans. The economies of scales are at work here; if the majority of cardholders in the world combined have EMV enabled cards, what do you think banks, merchants and suppliers of credit card processing machines are going to do?
You also must realize that there are a heck of a lot more swipe/sign-capable cards than EMV cards in the world. Every CAP card issued in europe also has a magstripe, but not every magstripe card has an EMV. EMV is the minority here, and business trumps. If you business owner in the tourism industry, you would be a fool to give up the magstripe reader.
There's no need to "re-introduce" it. Supply and demand has worked well. There are only some obscure corner cases of magstripes not working. Magstripe card holders automatically blame the magstripe for all card rejections, not realizing that some machines are just being extra selective about the place of issue, or the network. Try a non-Spanish CAP card in a Madrid metro station. It's hit or miss whether it gets accepted. Yet every magstripe cardholder believes their card was denied because of the magstripe.
Last edited by EUnomad; Mar 1, 2011 at 10:51 am
#38
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,799
Asia-Pacific perspective
I'm speaking as a card user in HK, mainland China (they are very different still) and Australia.
1. EMV /= PIN! In HK and Aus we can still have our cake and eat it. All Visas issued in the last three years in either market are EMV cards but retail transactions still have to be signed for.
We have PINs, but they are for cash withdrawal only. The general advice I've been getting from my banks is that if I ever go to Europe or Canada and be asked for a PIN, I should key in six zeroes. If it's an unmanned station then I'm stuffed.
If we dispute a transaction, we can easily ask for the card slip or (if CNP) the CNP data that's meant to be provided. No signature or dissimilar signature means chargeback can occur - slips are treated like bills of exchanges. In HK a police report has to be filed before we can ask for the slip/CNP data - this stops abuse.
2. US is not the only market moving from magstripe. China (China Unionpay) is too. China has more than 1.5B (1.5B is a 2008 figure) Unionpay cards in issue and only 9M have chips ("PBOC2.0").
Currently, chip acceptance is low. Magstripe is still the main means of authorising transactions. Tho PBOC2.0's only been out for a year and probably acceptance will improve over time.
Unionpay can run on debit and credit mode as well as ATM. [ need to write more about this later ]
3. I support EMV over magstripe. It even lasts longer
But I don't see a lot of benefits for the user for changing to UK/EU-style Chip and PIN. The only persons it'll benefit are merchants and banks. Whlist on the whole it may be better for the whole economy to move to Chip and PIN, but there's little benefit to me.
1. EMV /= PIN! In HK and Aus we can still have our cake and eat it. All Visas issued in the last three years in either market are EMV cards but retail transactions still have to be signed for.
We have PINs, but they are for cash withdrawal only. The general advice I've been getting from my banks is that if I ever go to Europe or Canada and be asked for a PIN, I should key in six zeroes. If it's an unmanned station then I'm stuffed.
If we dispute a transaction, we can easily ask for the card slip or (if CNP) the CNP data that's meant to be provided. No signature or dissimilar signature means chargeback can occur - slips are treated like bills of exchanges. In HK a police report has to be filed before we can ask for the slip/CNP data - this stops abuse.
2. US is not the only market moving from magstripe. China (China Unionpay) is too. China has more than 1.5B (1.5B is a 2008 figure) Unionpay cards in issue and only 9M have chips ("PBOC2.0").
Currently, chip acceptance is low. Magstripe is still the main means of authorising transactions. Tho PBOC2.0's only been out for a year and probably acceptance will improve over time.
Unionpay can run on debit and credit mode as well as ATM. [ need to write more about this later ]
3. I support EMV over magstripe. It even lasts longer
But I don't see a lot of benefits for the user for changing to UK/EU-style Chip and PIN. The only persons it'll benefit are merchants and banks. Whlist on the whole it may be better for the whole economy to move to Chip and PIN, but there's little benefit to me.
#39
Join Date: Aug 2010
Posts: 109
I've tried to get an EMV card swiped before (in Europe), but the machine was able to detect from the magstripe data that the card also had an EMV, so it rejected the transaction. So as an EMV/magstripe card holder, I was actually denied the protection of signing. Then I used a magstripe-only card on the same machine, and was able to sign.
Last edited by EUnomad; Mar 1, 2011 at 11:40 am
#40
Join Date: Feb 2011
Posts: 22
Computers in your wallet, cont'd...
Seriously, I have to remind myself that this is a public forum, and as such it isn't an appropriate arena for the discussion of specific patentable ideas. Once a specific idea is published, you see, it's no longer patentable. Like virginity, a good idea that has been given away becomes essentially worthless.
However, I can tell you that about 8 or 9 years ago Motorola introduced a chip, the MSC8101, that had all those components combined: it had a microprocessor, a dedicated signal processor, and on-chip memory all-in-one, and it measured about 1/2" square. With current micro-miniaturization trends, I would guess that nowadays an equivalent chip is, or would be, small enough to put into a credit card.
A signal receiver (an antenna) can be as simple as a fine wire inserted into the card material.
With a passive design that has no moving parts and no need for signal amplification, the smallest and thinnest of solar cells could provide ample power for the chip to respond to any signal received.
What I've described is NOT an "RFID" card -- it isn't designed to transmit its data or identity to other devices without actual contact. It does, however, have the ability to receive and respond to commands transmitted to it.
Speaking very generally, those commands could be received from other devices in the owner's possession, and they could be used to enhance the card's security and/or encryption protocols. The card's chip could be programmed to discriminate between signals, so that it only responds to signals sent to it by a specific device, appropriately encoded to avoid accidental responses to other devices with similar (or the same) frequencies. It could also be programmed to operate only when it is in the near vicinity of that device, and erases itself instantly if a particular "loss or theft" code is transmitted to it from that device.
... Are you beginning to imagine how useful such a card might be?
If your bank card could "listen" to you, what would you want to tell it to do? And if your bank card could also "talk", what would you want it to say?
-- C
#41
Join Date: Aug 2010
Posts: 109
I should add that halfbakery.com is a good way to publicize ideas that you don't want some company to come along and dominate.
Last edited by EUnomad; Mar 1, 2011 at 1:09 pm
#42
Join Date: Feb 2011
Posts: 22
Developing inventions costs money...
-- Claudia
#43
Original Poster
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
Well despite the saying that the mag-stripe still has its juice left, clearly it seems at least some of the US financial institutions are moving in the EMV direction.
From today's American Banker report: http://www.americanbanker.com/bulletins/-1033718-1.html
The quote:
Pretty much says it all. No one wants to get stuck with a bill for debit/credit card fraud, might as well just start implementing what has worked elsewhere and let the other guys that dilly-dally foot the bill.
I dunno about others, but I think it's an excellent way to attract more customers as well. If major bank A doesn't offer EMV but CU B does, heck I'd move my checking and savings accounts to CU B for sure. And if the day comes where a CU where I can join issues EMV, I will walk into my local BofA and tell them to cancel all of my accounts. When they ask for a reason, I can say "they have EMV on their debit cards."
From today's American Banker report: http://www.americanbanker.com/bulletins/-1033718-1.html
The quote:
“The U.S. is flanked by Canada and Mexico, which are adopting EMV technology. And since fraud always goes first to the weakest link, a number of issuers are concerned about the potential rise in card fraud, and they want to get out there ahead of others in preventing it,” Smith says.
I dunno about others, but I think it's an excellent way to attract more customers as well. If major bank A doesn't offer EMV but CU B does, heck I'd move my checking and savings accounts to CU B for sure. And if the day comes where a CU where I can join issues EMV, I will walk into my local BofA and tell them to cancel all of my accounts. When they ask for a reason, I can say "they have EMV on their debit cards."
Last edited by kebosabi; Mar 1, 2011 at 2:22 pm
#44
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,799
Interesting! Have you tried it? I'm wondering if the machine automatically responds properly, or if that just denies the transaction so the can be re-entered differently. In your case, what is used as a decryption key? I suspect it's unencrypted in your case. If there were some sophisticated key management going on, then the EU machines would have to have access to keys in HK.
2. My EMV slips have approval codes (issued by card issuer) and ARQCs (http://en.wikipedia.org/wiki/EMV#Fir...ction_analysis (Note)).
Here's a typical flow in a HK restaurant.
1. I present my card to merchant.
2. Merchant sticks it into his POS chip reader, keys in amount and waits for approval.
3. The POS tries to connect to acquirer - if our fixed line network is busy, sometimes multiple attempts is required.
4. The POS connects. If it's a large amount, my card issuer sends me a text message advising the amount (<-- from these texts I know my issuer is involved - only my card issuer has my mobile number on file).
5. POS acquires an approval code and ARQC and spews out a thermal or carbon slip for my signature.
Note: they are labelled as "TC" but given I also got an approval code and HK merchants always use EMV on EMV cards, this can't be offline approval.
I think the process of obtaining a ARQC can still be protected by key encryption (I assume static will do, no need for public key/private key even though it's possible):
1. Merchant POS generates transaction data based on card number and amount
2. Details are sent to my card and encrypted with encryption key
3. Merchant sends encrypted message to my card issuer via its acquirer
4. Issuer opens my message with the encryption key I have on file with them and sends my card number and amount back to merchant's acquirer via Visanet
5. If matched with card number and amount sent by the merchant then the acquirer informs the merchant POS the transaction has been approved.
A PIN can be included in (2) but not strictly necessary because the card number is already included. A PIN at this stage will only let the issuer and merchant know I am an authorised user of the card. A signature is better for that (from my perspective as cardholder)
I've tried to get an EMV card swiped before (in Europe), but the machine was able to detect from the magstripe data that the card also had an EMV, so it rejected the transaction. So as an EMV/magstripe card holder, I was actually denied the protection of signing. Then I used a magstripe-only card on the same machine, and was able to sign.
http://www.chipandspin.co.uk/problems.html#emv
http://www.chipandspin.co.uk/spin.pdf#page=8
Last edited by percysmith; Mar 1, 2011 at 6:04 pm
#45
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,799
Sure it is. Encryption requires a key. Without it, you're talking about something different. The key can be anything static, but if it's not a PIN, it won't work with the standard. If it doesn't work with the standard, it's a different system, with different vulnerabilities, and different exploits -- wholly irrelevant to a discussion on the wisdom of chip and PIN without statutory updates.
Of course not. As mentioned, in Asia Pacific a PIN is not required to run EMV transactions. The key you're thinking about is hard coded into the chip - we never see it. Bank server has the other copy.