Chip and PIN, that's the future!
Not chip n pin. This is to do with contactless payments. If you have not got a contactless card, you have nothing to worry about to do with this issue.
The 'pin' part should basically protect against this.
In India, we're basically phasing out the magnetic strip, and to date, all POS devices require you to insert the card fully and then key in your pin. This attack would only work if you had both a contactless card and the target's pin. Also, I get an SMS with each transaction, no matter how small, and I can call up and dispute it if necessary…
Pretty misleading article!
I have tried the contactless payment option on my bank cards and I cannot for the life of me figure out how it is more secure.
With Chip and PIN, if someone had my card they would still need my PIN. Now, if someone swipes my wallet, they get a Tappy Tappy spending spree on my dime. It was so easy I was dumbstruck. I thought for sure there would be more to it.
I still am excited by Apple Pay, as I like the way they require a password, biometrics, and they anonymize the transaction with a random string.
I really want to deactivate it in my physical bank cards, though.
Did someone tell you that contactless payments are more secure? Than mag-stripe maybe. Than normal chip-and-pin? No way.
Anyway, when looking at this and considering the relative security of chip-and-pin vs. mag stripe, remember:
- This is an implementation flaw, rather than a fundamental design flaw. This can be fixed while there is no way to keep magstripe data secure.
- This is a flaw in a feature that deliberately bypasses the PIN part of chip-and-pin. We should be careful about bypassing security checks for convenience.
- You still can't skim the card info and reuse it later. This flaw requires the card be present at the time of the transaction. This makes fraud easier to detect and easier to catch.
- When we make simple devices like credit cards 'smart' they can and will have software bugs. Chip-and-pin reduces the risk of buggy POS and payment processing software, but adds complexity to the card itself.
Flashlight and a nail/punch to disable/remove the chip, if you don't mind a small hole in your card. There's youtube vids on how to find it. Shouldn't affect the magnetic strip or the contact chip.
There's so much confusion on this issue.
Chip and PIN, as pointed out by others, is not 'paywave' or 'contactless' payment. Chip and PIN refers to that little gold chip on the card and the PIN you use to authenticate yourself. Contactless, in Australia anyway, cannot be used for transactions over $100 so this whole post is moot. I'd be blown away if it's not a similar situation in the UK because it's the simplest workaround solution ever. Cards with chip & PIN usually have contactless functions which is the basis of most of the confusion. Chip & PIN - Contactless - they're two different things put in the same card.
Also I believe you are able to ask your bank for cards without contactless payment features.
Chip and PIN is much better than the mag strip it's replacing because it's far far harder, if not next to impossible, to forge cards with a chip. It's not the triviality that writing others' CC details to a blank mag strip is.
From the article quote it sounds like the primary issue is that they found that in the UK, the security implementation fails to recognize non-UK foreign currencies, allowing the $100 (or whatever the setting is there) limit to be bypassed.
This was exactly my understanding of the issue.
New Zealand (where I am) is mostly run by Aussie banks, and we have the $100 no-pin limit (also, cash-out with the transaction triggers a PIN request). It's a system that works quite well, allowing the benefits of tap-and-go (which is a godsend when you have to deal with the elderly trying to pay for groceries but are frail and bewildered by the pin pad), while limiting it to a 'won't bankrupt someone' fraud risk.
This does seem like a hilarious oversight though. The cards can't be reprogrammed once they're issued, I hope, meaning the only option if the issuing banks are serious about addressing this is to cancel each card and reissue them. And the volume of cards they'd probably have to cancel would cause so much bad will/press I just can't see that happening.
That is what the article is about. Transactions are supposed to be capped at GBP 20, but the check for that is done in the chip, and has a bug where it doesn't check transactions denominated in foreign currencies correctly. So yes, it is the simplest work around ever, and they already screwed it up once.
Er, no, it's not misleading.
In the UK, contactless chip-and-pin cards do not require you to enter a pin when used contactlessly, as long as the transaction amount is small enough (under £20).
But, according to the researchers quoted in the article, this limit is ignored if the transaction is in a currency other than sterling.
I'm guessing this is because of the difficulty of maintaining exchange rates, even approximate ones, for an arbitrary number of currencies. Of course, in that case, the sensible thing would have been to require a PIN for all foreign-currency transactions, regardless of amount.
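The comment above describes the failure mode (the no-PIN limit is only enforced for sterling) and the fix it suggests (require a PIN for any foreign-currency contactless transaction). The following is an added illustration, not code from the thread, the researchers, or any card scheme: a simplified model of the contactless cardholder-verification decision with the flawed policy beside a fail-closed one, plus an issuer-side check that flags transactions where no verification was performed but the policy says one was due. The `Transaction` type, the `NO_PIN_LIMITS` table, the function names and all amounts are constructed for the example; the ISO 4217 numeric codes and the 999,999.99 cap quoted later in the thread are the only values taken from outside it.

```python
"""Model of the contactless CVM (cardholder verification) decision.

Added example; not the thread's or any card vendor's code. Currency codes are
ISO 4217 numeric values; limits, amounts and function names are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal

GBP, EUR, USD = 826, 978, 840  # ISO 4217 numeric codes

# Per-currency no-PIN limit as the UK rules are described: only sterling is configured.
NO_PIN_LIMITS = {GBP: Decimal("20.00")}

# Largest amount the chip is said (in this thread) to accept, in any currency.
MAX_AMOUNT = Decimal("999999.99")


@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    currency: int     # ISO 4217 numeric code
    contactless: bool


def make_tx(amount: str, currency: int, contactless: bool = True) -> Transaction:
    """Build a sample transaction from a decimal string (avoids float rounding)."""
    return Transaction(Decimal(amount), currency, contactless)


def flawed_cvm(tx: Transaction) -> str:
    """Policy with the bug the article describes.

    The limit check is tied to the sterling rule, so any other currency falls
    through to 'NO_CVM' regardless of amount. Returns 'PIN' or 'NO_CVM'.
    """
    if not tx.contactless:
        return "PIN"
    if tx.currency == GBP and tx.amount > NO_PIN_LIMITS[GBP]:
        return "PIN"
    return "NO_CVM"          # foreign currency silently lands here


def hardened_cvm(tx: Transaction) -> str:
    """Fail-closed policy: unknown currency -> PIN, over limit -> PIN,
    out-of-range amount -> DECLINE. Returns 'PIN', 'NO_CVM' or 'DECLINE'."""
    if tx.amount <= 0 or tx.amount > MAX_AMOUNT:
        return "DECLINE"
    if not tx.contactless:
        return "PIN"
    limit = NO_PIN_LIMITS.get(tx.currency)   # None for every non-sterling currency
    if limit is None or tx.amount > limit:
        return "PIN"
    return "NO_CVM"


def flag_for_review(tx: Transaction, cvm_performed: str) -> bool:
    """Issuer-side detection: a contactless transaction arrived with no CVM even
    though the fail-closed policy would have demanded one. Such authorisations
    are exactly what the described bug produces."""
    return cvm_performed == "NO_CVM" and hardened_cvm(tx) != "NO_CVM"


def compare(txs):
    """Return (amount, currency, flawed decision, hardened decision) per transaction."""
    return [(str(tx.amount), tx.currency, flawed_cvm(tx), hardened_cvm(tx)) for tx in txs]


if __name__ == "__main__":
    samples = [  # constructed sample transactions
        make_tx("15.00", GBP),
        make_tx("25.00", GBP),
        make_tx("25.00", EUR),
        make_tx("999999.99", EUR),
        make_tx("1000000.00", USD),
    ]
    for row in compare(samples):
        print(row)
```

The difference between the two policies is a single lookup: `flawed_cvm` asks "is this sterling and over the limit?", while `hardened_cvm` asks "do I have a limit for this currency at all?" and defaults to requiring a PIN when it does not. `flag_for_review` applies the same fail-closed rule on the issuer side, which is the only place a bug baked into already-issued chips can still be caught.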
a lot of people not reading the article today!
[quote]But EMV cards don't have to make contact with a reader to be used. They can also be used for contactless transactions for speed. The EMV system in the UK limits the maximum value for a contactless transaction to £20, requiring a PIN for anything more than this.
But the researchers found that the system doesn't recognize foreign currency transactions and therefore doesn't require a PIN for these.[/quote]
These cards and the chip are universal, which is why you can pay when you travel, and most aspects are the same everywhere. They do have per country rules and per bank rules programmed onto the chip by the bank though and apparently so far as we know this flaw only affects the UK rules programmed onto the chip.
- This flaw only affects cards programmed for the UK that we know of so far.
- Chip-and-Pin (EMV) cards have contactless payments built into the card (tap and go), whether or not your bank has enabled it and in the UK it has a £20 limit…BUT
- This flaw bypasses the pin by using contactless payments.
- This flaw bypasses the £20 limit by charging in other currencies.
So basically it gets around the typical security measures…and can charge up to $1million to your card, the max the chip allows for regardless of localized programming. (Note: this doesn't mean that banks aren't going to be able to track where the money is going or that this is a smart idea, just that the security of the card is bollocks.)
It's okay I've not read the article before commenting before as well…
You are correct, the tap-and-go or contactless feature never requires a pin in any country, and is a part of the EMV standard, and EMV chips.
I suppose, instead of re-issuing cards so early, they could issue those little faraday cage wallets to every active user. They could even spin it up - 'Here's your little aluminium card condom, because we care'.
EDIT: What am I talking little. I mean sturdy of course.
a lot of people not reading the article today!
I'd welcome you, Mr Grin-face, to point out where anything I said contradicted the article or demonstrated a lack of knowledge about the issue at hand, please.
You are correct, the tap-and-go or contactless feature never requires a pin in any country, and is a part of the EMV standard, and EMV chips.
You got that you directly contradicted yourself there right? You replied to someone saying 'a pin is required if the transaction is >20' with 'a pin is never required'. Which is it? (a rhetorical question - several of us already provided examples of when a PIN is required). Maybe you just didn't realise that the security measure the University researchers were talking about circumventing was the necessity to input a PIN? Because that's exactly what the issue here is - use a foreign currency on some UK issued VISA cards, contactlessly, and it won't require any authorisation from a terminal. That authorisation is provided by… a PIN.
For clarity, this is the direct quote from the Wired article: 'But the researchers found that the system doesn't recognize foreign currency transactions and therefore doesn't require a PIN for these.'
My security measure to keep my EMV'd cards safe is… carry two of them next to each other, so any machine I've tried so far to just hold my wallet over reports 'Too many cards detected' and makes me remove one.
Exactly the same thing happened with Snapper cards (the New Zealand version of Oyster cards, developed by the same guy-with-a-seafood-naming-fetish) when my university started putting RFID on their Student IDs. Suddenly everyone had to fish out their bus cards, whereas previously we'd been able to hold up our wallets etc. to the bus terminal. Security through Technological Limitation I suppose.
The UK has all those EXACT same things with lower no-pin limits…and it doesn't work very well due to the flaw because the flaw circumvents those exact things. So I read your comment to mean that either a) you didn't read the article, b) you didn't understand that the flaw circumvents those exact things, or c) you just wanted to share that this works the same where you live as just about everywhere else.
I apologize for incorrectly assuming option A, my mistake. The Mr. Smiley was simply so that you'd know it was meant to be a light hearted ribbing and you didn't have to be Mr. Super Defensive…geeze…apparently you bypassed the smiley security measures and withdrew maximum offense. <= see that means a joke/humor
Except that is a feature the machine implements…and was added to machines precisely because having more than one card together can make both get charged or the wrong one get charged by a machine. Any nefarious reader would charge both cards. Keeping more than one card together doesn't offer any protection at all it just triggers a failsafe recently added to the legitimate machines. It adds zero actual security or protection.
Even if you did read it, that's wrong. It's not $1 million; it's 999,999.99 units of any foreign currency. 999,999.99 Euros is 1.25 million dollars. 999,999 Bahraini dinars is 2.65 million dollars.
Just hope they steal 999,999 Iranian Rial from you instead. It's worth about 23 quid (37 USD, 43 AUD).
The wired article that is the one linked to was titled:
[quote]Flaw in New 'Secure' Credit Cards Would Let Hackers Steal $1M Per Card | WIRED
Flaw in New 'Secure' Credit Cards Would Let Hackers Steal $1M Per Card[/quote]
the BB post states:
I was just going off of what I read in the linked to material.
the article you link to states:
Up to that amount in a foreign currency doesn't necessarily mean that number of units OF each currency, it could be read either way really. It seems just as likely that Wired's and BB's interpretation is the correct one, that this Visa system has a $1M USD hard limit, as USD is the base international currency for Visa coding, but you could be correct that it is that many units in whichever currency.
@Beanolini Do you have any additional information on this, that actually clarifies one way or another??? I'm curious which it is now…
@doctorow Cory, do you know if this limit is $1M USD, £1M, or 999,999.99 units of any currency? Thanks!!!