cbn42

So you're basically saying that you heard this from some "unreliable source" that you can't even name, and yet you accepted it as fact because it made sense to you. Sorry, but that's not convincing. I just did a brief search of Federal Reserve regulations, and I couldn't find anything to support it either.

To me, the opposite is more reasonable. Since a PIN is harder to forge than a signature, there will be less fraud if more people use PINs. Therefore, banks would have an incentive to encourage the use of PINs, by providing better fraud protection. It makes no sense for banks to provide better protection for using the less secure method, because then they are providing an incentive that will result in more fraud (and more cost for them).

stifle

Not getting into the legal argument, but I would postulate that a PIN is far easier to forge than a signature, on the grounds that someone looking over your shoulder when you enter your PIN is rather likely to be able to enter it himself straight away.

headhunterke

I disagree with you on this one man. In Europe we also have chip & pin, and fraud with CC's is pretty rare. You make the pin as easy (or hard of course) as you want yourself. Because even when you have then pin, you still need the card to do any transaction. Where as in the US it's enough to just swipe a card and fake the signature, which is never inspected by the way in my experience.

garyschmitt

This is a true dichotomy. If the bank is not expected to prove the sigs match, then the only other option is to burden the account holder to prove that the sigs do not match. You are the first person to claim that in a dispute the account holder has the burden of proving that their signature does not match the transaction signature (which they don't have a record of). You are also an unreliable source. This claim is so profoundly absurd, it will need to come with substantial convincing evidence to sway anyone with a reasonable idea of how the US legal system operates.

So now I'm looking at claims from two unreliable sources, but your claim is the one that is highly inconsistent with US legal culture. The legal system in the US does not, as a rule, burden the defense to supply proof. Although there are some instances where the defense must submit proof, your claim is just too far fetched because the scenario does not have the characteristics of other cases where the defense must prove a negative. Unless you can miraculously come up with some very ironic solid evidence, you're not convincing anyone with this.

Difficulty of forgery is irrelevant because the premise assumes that a forgery happened. If you don't have a forgery, there is no case to speak of. There is no standard of evidence to compare. You're off in the woods, while the discussion you're replying to is comparing the legal protection behind victims of PIN forging to victims of sig forging. If one of the perps had to work harder to pull this off, it doesn't change the courts standard of evidence.

You're using circular logic. Your premise is broken because it assumes the cost of fraud by way of pin forgery is higher for the bank -- which would actually only be true if the bank failed to demonstrate that the pin entered matches the account holders pin. Yet it's actually trivially easy for the bank to prove that the pins match, which means costs you're assuming the banks absorb are incorrectly assigned.

garyschmitt

What european bank issues cards without a magstrip? Every European card I've seen has a magstrip (as will the emerging EMV cards in the US). These hybrid cards have all the same vulnerabilities of the magstrip card in addition to the vulnerabilities of the EMV cards.

Chip and pin/magstrip hybrid cards offer convenience, not security. Until the magstrip is removed, the hybrid cards are obviously less secure.

kebosabi

Verification by signature is a vestigial remnant of the bygone era when penmanship and graphology was the norm.

In this day and age, no one really bothers to check your signature. When was the last time a clerk actually bothered to check the back of your card against the crappy signature that you signed on the POS display?

Signature is by all means, dead. A crook can just as easily make a copy of a mag-stripe card, strike a line through it on the signature field, and 99% of the time, minimum wage cashiers wouldn't even bother to check the signature because they have to meet the quota of serving the next customer.

Compared to that, PIN is much more secure than relying on what was based on an outdated fifties-era pseudo-science.


It maybe in the contracts, but what action VISA/MC will take is up to them.

On one side would be a European mega-store similar to Walmart in the US. VISA/MC reaps in millions in transaction fees from them. Would VISA/MC really yank VISA/MC usage from this mega-store just because one American couldn't use his/her mag-stripe? Doubt it. Is it a breach of contract? Yes. But from VISA/MC POV, they're not going to be crazy enough to forgo millions in transaction fees.

Then there's your side. You're angry why an European mega-store would get away with such policies. From your POV, it's a breach of contract which VISA/MC should punish that store for not accepting mag-stripe. But it's a losing game. To them, you're just one person, an anomaly. Their response is "tough luck, use cash."

What do you do now? Class action.

travisc

Hybrid cards are no less secure than magstrip cards. In countries that mandate chip support (EU/UK), they provide greater security as the chip aspect significantly decreases the chance the transaction was conducted using the actual card (not a clone). Accepting a signature for a chip-and-pin card in these locations is a good indicator for fraud.

Once all cards are hybrids, and all terminals accept EMV/Chips, we can remove magstrips and everything becomes a lot more secure. No more cloning cards. This is a very long process, but it will pay off in the end.

It is still possible to physically copy all the important details and use for internet transactions, assuming we haven't smartened up by then and require additional checks for 'card-not-present' transactions (e.g. properly matching billing address, or some form of 2 factor authentication better than the 'verified by visa' passwords and 'mastercard mastercode' that we have now).

travisc

EMV/Chip cards require the physical card to authorise the transaction (assuming terminal is chip/EMV enabled, and the payment network will only accept transactions from terminals that use the chip/EMV). You would need to steal the card (not just clone it) to make the transaction. This is harder and more obvious than forging a signature.

garyschmitt

Nonsense. The hybrid cards inherit all the same vulnerabilities, plus they bring new vulnerabilities. The sum of two sets of vulnerabilities is obviously greater than each of the parts.

Nonsense. The hybrid cards still have a magstripe, and they are still skimmed (even in chip-only terminals!). In fact, skimming still happens in europe because there are still terminals that mechanically slide the whole card just to get the chip to the reader (which means the magstripe can still move over a maliciously installed magnetic read head).

From there, the illicitly obtained data can be used anywhere in the world, not just Europe. I know a European who was recently questioned at a police station because her chip and pin card was "used in Nigeria". Despite Nigeria being a typical hot spot for fraud, she was forced to prove that she did not make the transaction (because like you, many erroneously believe the addition of a chip makes the card infallible). She actually had to supply proof of where she was at the time to get off the hook.

Sure, but now you're talking a different card. After 20 years of EMV chips, Europeans are still today using hybrid cards. Europeans still want to be able to travel the third worlds and remote tropical islands without cash, so the magstripe still has utility for world travelers.

You're not only more vulnerable technologically with a hybrid card, you're also less safe legally (because you give up the otherwise legal advantage of the banks difficulty in proving that a fraudulent sig matches the card holders in cases of PIN forgery).

garyschmitt

No, you don't need to steal the card. The EMV card is vulnerable to MitM. You can put your card in a compromised terminal at McDonalds, enter your pin, and the whole transaction can be happening realtime somewhere else, buying a different product, for a different price. You would think you're buying a burger in london, but instead you're getting a free burger while buying diamonds for someone in Switzerland, for example.

EMV cards can also be cloned. It's much more difficult that cloning the magstripe of the card, but it's possible.

Additionally, there are cases where PINs are not entered at all, because thieves have been able to send a false signal that claims a PIN was correctly entered even if it was not. This attack works on wireless POS terminals.

travisc

Until we have a decent 2-factor authentication mechanism for card present transactions, all cards are vulnerable to MitM. It is not unique to EMV.

Source?

This is a flaw with the terminals, not with the EMV cards. Further, it has no impact on your liability. In fact, the existence of this problem (& one where the terminal accepted any PIN) has forced the UK banks to change their position away from customers having to prove they didn't make the transaction.

travisc

You are correct, the magstrip can still be skimmed. However, at least here in the UK (& at least my bank), your card will be flagged for fraud if you use it outside the country without notifying the bank first.

Please don't put words in my mouth. Unless I typed 'infallible' while day-dreaming, I said no such thing nor implied no such thing.

Correct. Only once the US and other big holdouts provide EMV-capable terminals will we be able to make the switch.

This would be a significantly easier task if people in the US did not perpetuate the stigma about EMV, and rather spent time complaining to their banks (who are quite happy with the status quo as it is cheaper than moving to something securer).

This is incorrect. There are numerous situations where flaws in EMV can and are used to commit fraud, the banks know this, and if your bank thinks otherwise you need to call them out on this, or more likely ask to escalate to a higher level within their fraud department that knows a clue. There is no silver bullet when it comes to credit card fraud, but if we could wave a hand and instantly replace all magstrips with EMV we would have significantly improved security (albeit still some flaws).

garyschmitt

First of all, claiming that MitM is universally applicable does not obviate my point. Go re-read what I was responding to. I was correcting your erroneous claim that fraud against EMV cards requires possession of the original card.

Moreover, your claim that magstripes are MitM vulnerable is laughable, because most swipe-sign transactions today still involve old-fashioned pen and paper, where the paper being signed physically shows the purchase price shop name. You cannot simply hack a PoS terminal for it to work. The logistics of pulling that off exceed the effort of the traditional magstripe attacks. At best, you could limit your options to stores with an electronic scratchpad. After that degree of effort, you still need to prove that the lowres garbage that these things produce represents an unmistakable match for the cardholders original signature. Why does the criminal care about this once the money has moved? It's feasible at best, but it's not actually a security threat to the card holder because the thief doesn't care who takes the hit. The threat profile doesn't support the idea that a thief would needlessly forge a signature to make sure that the card holder becomes the victim.

Before I answer that, I must first say that your approach to security analysis is backwards. You don't presume that a technology in inherently secure, and then only reverse that dangerous judgment after some damaging attack is implemented, exercised, and published. This mentality keeps consumers buying unproven security and then paying the price later when the real tests are actually performed by a malicious adversary. The competent approach is to presume, by default, that a technology is weak, and require proof to the contrary (that is, proof that a significant attack effort was in fact carried out, and that the results of that documented convincing effort demonstrate that the product actually meets the security standard that it claims). Now to answer your question, CNP cards have been cloned.

Why do you think this matters? The same vulnerable terminals that cause damage to chip-and-pin users will print paper when non-CNP cards are used, so swipe and sign card holders are protected. Whether the flaw is in the chip itself is immaterial.

The vulnerabilities I'm disclosing here are by no means a comprehensive list of all attacks. If for some strange reason you must see an attack that does not require the PIN or a particularly vulnerable terminal, read about Steven Murdoch's work at Cambridge University. He proved that it's possible to hack an EMV chip and submit a PIN of 0000, and have the transaction accepted.

Of course it does. When the banks simply tell the court that their equipment is designed to not accept mismatching PINs, the court knows full well that the bank can never prove with 100% certainty that there are no flaws (it's been proven that no complex software can be 100% bug free) -- and courts accept this. Card holders are then expected to prove that they did not enter the PIN.

You're talking UK law. UK law does not apply in the US, or even the rest of Europe. The UK is actually ahead of both continental Europe and the US on this (as of 2009). Note that the thread is about chip-and-pin in the US.

garyschmitt

That's independent of the technology. Competent US banks do the same. In fact, they sometimes go further, and analyze whether someone residing in Chicago and recently vacationing in Europe would be buying a 1k EUR refrigerator in Czech. Transactions get suspended if they look suspicious. But this aspect is irrelevant - it's not a strength or a weakness of magstripe or CNP.

You certainly did imply it when you said "Hybrid cards are no less secure than magstrip cards." That's an exact quote. In order for that to be true, you would have to believe that adding the EMV chip does not introduce one single vulnerability.

That's not good enough. The US is not the only place Europeans travel to that uses magstripe. There are certainly tens, and probably hundreds of small countries that are still using magstripe.

The cost of moving to something more secure shadows the cost of the less secure hybrid cards. And EMV-only cards won't cut it alone because Americans also want to be able to use their plastic in small third worlds. The only way to get a card that is more secure than the traditional magstripe, which will work in the boonies, is to go with a card that dynamically populates the magstripe after the card authenticates the card holder. At the moment, that cost is on the order of $10 per card, but does not require replacing PoS terminals or ATMs.

Complaining to the banks would be foolish. At the moment, the banks are offering a product that comes with sufficient legal protections. First voters need to complain to their reps about updating the law to include sufficient protection from PIN forgery and PIN circumvention. Only after that would it make sense to complain to the banks to move to something more secure.

But even that approach is not ideal, because EMV is 20 years old, and requires account holders to carry a physical chip around, at an age when everyone has a mobile phone, and many are moving to smart phones. Why blow money on intermediate technologies? IMO, if money will be spent upgrading security, it makes more sense to make the full leap and skip the EMV. Go straight to something that doesn't eat wallet space. Have the bank authenticate users via their phone using 2 or 3 factors, and then have the bank securely authorize the transaction with the supplier.

You're still talking UK law. The UK revised their laws in 2009 to add the needed protection from PIN forgery and PIN circumvention. US banks do not fall under UK law, and the US is legally behind the curve on this. In the US we're still limited to regulation E. No US laws have been introduced to counter the ease of showing that a forged PIN resembles the cardholder-entered PIN. US law still has the same hole that the UK had before 2009.

kebosabi

Just because there's already the "next big thing" on the horizon doesn't negate the defacto global standard issue.

The rest of the world is already using EMV except for Americans.

A French, German, British, Japanese and Canadian VISA/MC/AMEX cardholder will have no problems using his/her hybrid card anywhere in the world. If a French cardholder visits Montreal, he/she can use the chip at Tim Hortons. If a Japanese cardholder visits New York, that cardholder can use the mag-stripe portion of his/her hybrid card when paying for his/her subway ticket.

In contrast, an American cardholder using his/her mag-stripe only card would face problems once he steps outside of the US. Obviously the American cardholder would have no problem using his/her mag-strip only card at BestBuy or Walmart in the US. But once the same cardholder steps outside of the US, problem arises. Can an American with his/her mag-stripe only card buy a TGV train ticket from the automated machine in France? Nope, he needs to stand in line at the counter. Can an American fill up the tank at a petrol station in Italy? Nope, he'll need to pay cash. And good luck finding a petrol station in Italy that's actually staffed these days. What are you gonna do, yell at the machine?

So just because NFC "wave techonology via cell phones" is just around the corner, does that mean the US should just skip EMV, keep screwing American cardholders for a decade once he/she steps outside of the US, and wait another decade for the rest of the world to ditch EMV and start using NFC instead? Changing the number of terminals across the world across 180+ different countries to accept "cell phone waving technology" is not going to happen overnight ya' know.

As such it's understandable that VISA would mandate US issuers to start issuing EMV cards in the US. It's 180+ countries across the world vs. 1 America. It's cheaper for VISA to convince US banks to start issuing hybrid cards in one year than convincing the other 180+ countries to say "umm, we're really happy that you guys went to EMV as we supported, but now can you guys go onto NFC in one year, on your own dime?" Yeah, like that's gonna happen.

Even if VISA somehow managed to convince the rest of the world to ditch EMV and move to NFC because arrogant American banks don't want to issue costly EMV cards when "the next big thing" that's much more cheaper is around the corner, millions of merchants and retailers in 180+ countries around the world are never going to do it on their own dime. VISA would have to pony up the cost, and in that light, it'll just be passed onto us.


Pretty much it is a chicken-or-the-egg issue. Sure, NFC sounds great, it's cheaper and it's already the next biggest thing. But then there's the reality that 180+ countries around the world are not going to be installing NFC card readers or issuing NFC capable cards overnight either.

If NFC is just around the corner, the smarter way to go is to follow what US Bank did and issue multi-interface chip cards that has all three features built into one card. The US Bank Flex Perks has the mag-stripe, the chip AND the contactless built into one single card (technically four if one includes the embossed number for those carbon copy imprinters if anyone still uses them these days).