I just don't understand why my card even has a magnetic stripe anymore. It's been years since I've seen any terminals that could actually accept it, it's all chip and pin over here. If I could get a card without the strip I'd gladly do so.
The United States is still predominantly magstripe. We’ve had chip-and-no-pin for a few years but many large retailers haven’t enabled it, possibly because transactions are so much slower (usually 30-60 seconds) and less reliable.
> possibly because transactions are so much slower (usually 30-60 seconds)
I don't know the details of the technological differences in transaction communication between the two, but in the UK chip and pin is noticeably and consistently faster to perform transactions in my experience, often to the the point that it's perceptibly instant... although it has been quite some years since i've used magnetic ones so that's from memory.
I suppose one way to protect yourself if you are never going to use your card in the US, is by destroying the magnetic strip (magnetically).
The slow reads are entirely a technical failure by some of the large vendors. Some systems are as fast as you describe and most of the ones which I see being that slow are much faster for NFC, so I’m pretty sure it’s just that they were rushed into profuction to meet the deadline imposed by the card vendors.
* many places moved from offline magstripe authorisation to online chip-and-pin authorisation (while still often using card terminals that use dialup connections, and connect per transaction)
* many US banks have really slow authorisation servers (for whatever reasons!); I remember some sales staff being really surprised at my card going through in about a second (and that verification probably involved a network roundtrip to the UK!)
Maybe it's just a difference in how relatively new the technology is to US retailers then, UK shops have had plenty of time to work out the kinks and learn what hardware to avoid.
The first generation of Chip&Pin in the UK were garbage too. Slow and often failed to read the chip, resulting in awkwardly cleaning the chip contacts.
Most of the machines were replaced inside of the first year and things have improved substantially since then.
Ahh yes I do remember a few instances of that now... I wonder what the introduction of the magnetic strip was like, looks like that technology arrived in 1969, anyone here experience that transition?
"UK chip and pin is noticeably and consistently faster to perform transactions" is not because chip&pin process is faster, but because the risk of counterfeit cards is lower and the system can be configured to not verify small transactions against the bank, saving a network roundtrip - the terminal just "talks" to the chip, and does the full verification with the bank later in offline mode, without requiring the customer to wait for the outcome. Doing the same with magstripe would be much more risky.
Hmm, are you talking about the £30 limit? because other than having to manually enter a pin it doesn't seem significantly longer... no i haven't timed it, and I'm not saying that you're wrong, just that it still seems to be bellow a perceptibly significant amount of time. Or perhaps I just don't do enough shopping to have a broad enough range of samples.
I get a Monzo notification on my phone whenever I make a payment. I often feel my phone buzz before the machine has even finished and allowed me to take my card back.
I don't think the percieved speed is simply due to offline mode.
When arriving from Europe to the US it feels like going back in time. To take an example, in Poland most card transactions are contactless and I don't think there are any terminals left that do not accept contactless payments. When Apple Pay was enabled, it was instantly available everywhere (and I do mean everywhere) and nobody even calls it "apple pay", it's just known as paying with your phone, which was possible with android phones for a long time already.
Also, I don't think there are any places left where you swipe the magnetic stripe. If for some reason you don't use contactless, it's a chip transaction. I believe it's pretty much the same all across Europe?
In my experience (I'm in the US) the chip cards were noticably slower when they were first introduced, but in the last year or so that seems to have been mostly resolved. Gas pumps are the one big holdout that still does mag-stripe reads. I don't think I've seen a chip read gas pump anywhere yet.
Everywhere I go supports magstripe. An increasing percentage support chips but I still see terminals which don’t, or more commonly, where they have a sign telling you not to use it because it’s not enabled or broken. I’m assume there have been a lot of slacker IT departments caught out by these upgrades since it’s usually big chains which have problems.
Try swiping sometime. In my experience if you have a chip card and try to swipe it, the reader will reject the swipe and tell you to insert the card instead.
This varies hugely by retailer, though. I'm convinced there's a level of optimization that some just aren't incentivized to do.
When I'm at O'Reilly Auto Parts, the pinpad is beeping at me to remove my card almost the moment I've inserted it. It's shockingly fast. (Then their neolithic-age printer takes 8 more seconds to generate a receipt, but... baby steps!)
I wish whoever set up their system could go show some others how it's done. Because yes, on average, most retailers have abominably slow processing for chip cards.
Yes, in Portland Oregon we have a grocery store called New Seasons that implemented a chip reader system where as soon as you walk up to the checkout you can insert your card, it tells you to remove it immediately and then the clerk continues to ring up your groceries. This might just be the way it works in other parts of the world, but in the US this particular implementation was surprisingly smooth compared to the multi step dance that other retailers require. Don’t insert card until all purchases have been rung up, ok now insert card, do not remove card, move to new screen, but still do not remove card, ok, now remove card, now sign, etc.
In the rest of the world, the customer isn’t standing around waiting for someone else to bag their groceries, so there isn’t a parallelisation possible - you stick your card in once you’ve finished bagging everything.
I live in the U.S. and I have exactly one store that I go to which doesn't support the chip. Small store running on a shoestring, so I'm not terribly shocked. Everywhere else I go it's chip only, if you swipe the machine will bark at you and tell you to insert the card into the chip reader instead.
It's all chip and pin where I live too, and has been for ages.
Often enough, the chip or the reader is dirty and fails to read, the terminal will prompt you to swipe the card through the mag-reader instead. Usually, it will prompt you to try the card reader again, then back to the mag-reader for a final swipe before continuing.
In the Netherlands, when we switched to a new chip system, most terminals blocked the mag-swipe with some cardboard sign instructing the user to use the chip instead.
I'm pretty sure the swipe-style is aggresively deprecated by the banks. I talked to a vendor who had an older terminal that would not accept NFC, and he mentioned that within 2 years, he'd have to get a terminal that would process NFC payments.
The deprecation works by shifting fraud risk to the merchant. I know for a fact this was done in the US and UK, and I would assume the rough playbook was used everywhere, it's named "liability shift".
The idea is, if there's fraud and the real account holder gets their money back (a chargeback in payment industry terms) somebody has to eat that loss. The liability shift rules say if you didn't do EMV, that's you. For a bank that decided they wouldn't issue EMV cards, they pay when there's fraud on their non-EMV cards - so the merchant still gets their money. But for a merchant if the customer has an EMV card but they swipe it, if that comes back as fraud they're not getting their money.
If the terminals suck, and your business has very low fraud rates or your markup is so enormous you can eat plenty of fraud and not care, it could make sense to ignore liability shift. Especially at first when customers know they could go elsewhere. But as terminals improve, and everybody else is forcing them to use the chip anyway, offering swipe is pretty much a sign "Commit fraud here, ask us how".
For NFC I don't know, it's hard to imagine them trying liability shift. "Use this less secure option or, we'll stick you with fraud costs for the uh, more secure option?" maybe they're just doing the usual thing where they raise fees for everybody who doesn't want to go along with their latest craze :/
in parts of Europe you can use Revolut, where you can choose whether to enable or disable contactless payments, chip and pin, ATM withdrawals and online payments, depending on what you want to use the card for. You can even keep all of them off and only activate a specific feature for a few minutes when needed.
You can stratch it off, or use a very powerful magnet to erase the strip. When scratching be careful not to damage the NFC antenna which loops around in the card.
It doesn't need a 'very powerful magnet'. In fact I'm surprised how easy it is to make the magnetic strip unreadable. The way I (unintentionally) do it is simply to keep the cards together in the wallet. Their individual magnetic stripes destroy each other. All the cards are unreadable now, except for the newest card. And no, there aren't any other magnetic or electro-whatever device nearby.
Actually, the prudent thing is to actively damage the NFC antenna.
There is not much point in damaging the magnetic stripe but leaving wireless functionality... they are exactly the same thing only wireless works from a greater distance.
That's absolutely not true. Magnetic stripe is just a dumb carrier of information - you can buy a $5 reader off eBay and read every card in the world, it's not protected in any way. Modern NFC cards do not surrender their information to some random reader - they need to receive a valid cryptographic key first to reply with the data - and such key can only be produced by an authorized terminal. A normal NFC reader will not read any data off a contactless card, it's just not possible(yes I am aware that there have been attacks demonstrated, but they were all timing based, with extremely limited use in real world).
Depends on the card. All NFC cards in Sweden are just as dumb as a magnetic stripe cards. I actually believe all cards in Europe are but I could be wrong.
It's there, in plain text, any normal NFC-reader will get you everything (there even are android-apps that does it in the play-store).
In Britain, where people have arguably embraced contactless cards to a greater extent than individuals in other countries, researchers have routinely been able to copy the financial details of some cards, including the 16-digit card number and expiration date, by merely passing their own N.F.C. reader close to a person’s wallet.
There have been numerous other demonstrations of this as well.
> researchers have routinely been able to copy the financial details of some cards
I think this is the key. The implementation of each card may differ leading to inconsistent results.
As a general rule I suggest covering up the CVV or scratching it off if you're sure you have it somewhere safe. An option is to also erase the magnetic strip. It might lead to a less useful card (in cases where only magstrip would work) but definitely a more secure one. And for any NFC card an RFID shield sleeve does wonders.
Yes? And that is a common technique to do it. Hide a small camera behind the counter, make sure quickly hold a customers card in view of it and you are done.
NFC though has the advantage to be read from a distance, easily through a pocket and wallet (if the wallet doesn't have an rfid shield). Surely open up that attack vector isn't helping?
If you are paying attention you can detect someone trying to photograph your card (they shouldn't even be handling it in the first place). But through your pocket? Practically impossible to detect.
edit: The fact that we still print everything needed to make a purchase on the card itself isn't particularly flattering for our species.
>And that is a common technique to do it. Hide a small camera behind the counter, make sure quickly hold a customers card in view of it and you are done.
Nobody actually does this. Name+card#+cvv+expiry just isn’t worth the hassle, easier to get 1000s at a time via phishing or hacking web shops.
Stripe dumps are an entirely different market, with ATM pins increasing the value of a single dump up to 100x.
>If you mean the CVV it isn't required to make a transaction.
that's incorrect. there's a cvv1 on the magstripe that's needed for magstripe transactions, and there's cvv2 that's on the back of the card that's mostly required (depends on merchant policy) for card not present transactions. for EMV transactions, you need a payment terminal because the card will refuse to communicate unless the other side has a valid certificate. even then, the card only returns a signed response, which you can't use elsewhere.
>No? You just said so yourself? "depends on merchant policy" Why would an attacker choose a merchant whose policy denies their use case?
it's not as easy as you think. nearly all merchants require some sort of additional information (cvv, billing address, cardholder name) in addition to card number + expiration date. reason being, for card not present transactions (eg. online), the merchant is liable for fraud (the purchase amount + ~$25 chargeback fee), so they have a strong financial incentive to collect/verify as many pieces of information to reduce their losses. it would be insane to not collect any of those (only requiring card number + expiry date), because the chargebacks will bankrupt you. the reason i said "depends on merchant policy" is because some merchants (iirc amazon) don't collect cvv2 (but they do collect billing address + cardholder name), which I presume is for convenience/conversion rate reasons. I don't actually know of any merchants that only collects card number + expiry date.
But name is the only additional information you need to make a legitimate purchase, and that information isn't a secret (if you, under any circumstance, ask for someones CVV they will tell you to fuck off. Ask for their name is another thing (maybe even present on a name tag or in many cases trivial in a certain context)). It will make it slightly harder to just randomly scan peoples pockets on the subway but still an absolute security nightmare.
>But name is the only additional information you need to make a legitimate purchase
where did you get the impression that there are merchants (worth stealing from) that only accepts card number + expiry + name? the example I gave was with amazon, and they take name AND address. even if you're able to find a merchant with lax security and is worth stealing from, how long can you keep the scam up for? maybe a week or two before the fraud reports start pouring in? then they'll patch up their systems and you're back to square one. you're better off installing skimmers and using the card numbers at any merchant that accepts credit (at least in the US).
>will make it slightly harder to just randomly scan peoples pockets on the subway but still an absolute security nightmare.
considering that you have to be pretty close for NFC to work, whoever is doing it is going to look pretty suspicious as he's bumping into everyone walking endlessly through the train.
>Just disable NFC altogether, no reason not to.
I can think of one: convenience. wave your card in front of the reader vs insert card, wait, type in, wait some more, then taking out your card.
Do amazon really even validate the address to the card owner? I've sent stuff to different locations in different names using the same card.
I've heard poker and gaming sites are popular to extract funds (and simultaneously launder them), don't expect them to have much security no.
> considering that you have to be pretty close for NFC to work, whoever is doing it is going to look pretty suspicious as he's bumping into everyone walking endlessly through the train.
Seriously? Just go during rush hour and you can basically stand still, the victims will practically bump into you for you. I don't expect anyone to attempt sprinting a carriage at a time...
Doubt it, maybe for US residents? When I did my first purchase my address didn't match because I was officially living at my parents but sent the package to my own address.
You make it sound like this is difficult or rare, yet banks have a very lax attitude about this and consequently funds thieves with billions upon billions every year. Somehow it is worth it, relying on the victims to scan their transaction history for errors (talk about convenient!).
NFC payment cards are cryptographic protected. It's not just read it and you have a 1:1 copy. Attacks are possible but only online attacks (this is no offline payment system) and with the right critical timing.
Apparently there do exist some cards that are protected, but all I've seen and all I've got access too are completely passive. They serve the exact same function as the magnetic stripe only from a greater distance.
Having just travelled in the almost-cashless country of Norway, I found a surprising example: the Oslo airport fast train gates operate by magswiping a payment card. I suppose it's because contactless doesn't reliably work internationally.
It's interesting to contrast that to Japan's standard "IC" card NFC system, with multiple vendors (Pasmo, Suica, etc.). Everything in that system is so blazing fast. Commute-hour Tokyo subways full of people moving as fast as they can without resorting to a full run, TAPTAPTAPTAPTAPTAPTAP... through the turnstiles, very low failure rates (I've never witnessed one), not really a noticeable delay, and it'll show you your balance if you can swivel your head fast enough as you're whipping through the gate.
It makes a much more recently deployed system in my area of the US look like a total embarrassment: seconds per processed tap, a much higher tap failure rate (regularly see tap failures for myself and others), etc.
Yes, that's as close to perfect as it can get. Just rush through the turnstiles (and btw the default position is open - nothing stops you as long as the card has cash, so there's no pausing at all), figure out where the train (or subway) is after that, not to mention not having to figure out tickets from the machine. The only decent way to travel, just go go go, no delay. And you can use the same card to buy a coffee from the vending machines in the station.
But then again trains and a lot more really work in Japan. Supermarket? No waiting for payment (card or otherwise) - they're using double-buffering.
One trick (which I believe has been fixed) is not so much a replay attack but a multiple transaction attack. A modified terminal makes multiple transactions on the card while the card is still in the terminal, coupled with another attack that modified what was presented on the screen of the terminal could turn a single $5 transaction to 3 $500 transactions.
There are plenty of flaws in the underlying technology, and most especially in real world implementations, but I don't know that any of them result in the chip being cloned. Anybody?
An example I know about with one of those flaws was the "Yes card" which MITMs a real (presumably stolen) card and arranges that the conversation goes like this:
* Legitimate terminal "Hi, I'm a Legitimate terminal, who are you?"
* Real card: "Hi, I'm Sizzle's Real Payment Card from Real Bank"
* Legitimate terminal "OK, let's do an offline transaction. I want Sizzle to authorise payment of 24.50. They entered PIN 1234, is that OK?"
MITM Yes card blocks this and tells the card instead:
"OK, let's do an offline transaction. I want Sizzle to authorize payment of 24.50, but I can't be bothered with a PIN so let's skip that"
* Real card: "OK, yes, payment of 24.50 sounds fine" (cryptographically signed message)
So this way you don't need the correct PIN, since the card never realises you entered a PIN, and so the transaction OK simply never mentions the PIN at all. You don't clone the card though, you need a real card, you're just using something like a Confused Deputy attack where the card and terminal misunderstand the situation.
A _smart_ backend at the bank could identify this fraud when the offline transactions are processed, hours or days later, but many did not, and even if they did spot it the fraudsters got away with their transaction meanwhile. The permanent "fix" for this was to roll out new cards and terminals, given this costs money it was probably not done widely or quickly.
