Credit Card Security Chip

[Greg Bockelman]

I just received my first debit card with the EMV chip. EMV stands for Euro-pay Mastercard Visa, FWIW.

I am getting conflicting information about just how secure these things really are. The banks say they are the greatest thing in secure cards, but then there are other companies that are making security sleeves or security wallets that prevent the cards from being read from some distance.

So whats the real deal? Are they more secure or not? Are the folks selling the sleeves just preying on our fears? Are they necessary? If so, kind of goes against what the credit card companies are saying.

So what does the PoA brain trust have to say about it?

 

[FWTxPilot]

The EMV cards do not transmit anything. The wallets are for RFID type cards that broadcast information to a contactless card reader.

 

[Gucci Pilot]

I have an EMV card and I noticed that most places don't even have the function available on the card reader(even though it is clearly a new reader with the EMV slot) to use it so I end up swiping it anyways. Going to Europe they use it almost everywhere.

 

[PeeGee]

my wife is intimately familiar with how it works, I am not. But from what I gather it's not as secure as chip and pin like they use in europe.
If the merchant doesn't have a chip card reader they're taking the liability for fraud into their own hands (pockets...)
I'm sure I can ask her if you genuinely want to know how it works on the backend, but as far as I understand the chip provides an authentication process vs the mag strip that just holds the credit card number and expiration.

As I understand the electronic wallet like apple and android pay are even better, the token it generates is like a one time use credit card number that is used, and then thrown away. Kind of like a code hopping garage door remote I guess.

that's the end of my knowledge on the subject.

 

[Greg Bockelman]

The EMV cards do not transmit anything. The wallets are for RFID type cards that broadcast information to a contactless card reader.

Ok, so the EMV cards are secure, well as secure as they can be.

But what exactly is an RFID type card? What is it used for and who uses them?

And how would I know if a card is so equipped?

 

[Henning]

As long as it's not an RFID chip (call and ask if it has this capacity as well, some do) it cannot be read from a distance to the best of my understanding. Wells Fargo finally gave me a chip card, yay, it's a real PITA in Europe to not have one. If you need a pack of smokes after store hours, you have to drag someone out of a bar to stick their card in a machine for you for the age ID. Usually increase the price by a beer unless a friend is in the bar.

 

[Sac Arrow]

The EMV cards do not transmit anything. The wallets are for RFID type cards that broadcast information to a contactless card reader.

Correct me if I'm wrong, but both RFID and EVM are passive RF devices that use near field communication, the difference being the transaction code created with an EVM transaction negates the use of the card information in duplicate.

 

[PeeGee]

Ok, so the EMV cards are secure, well as secure as they can be.

But what exactly is an RFID type card? What is it used for and who uses them?

And how would I know if a card is so equipped?

the only ones I'm familiar with are like the paywave that seems to be phasing out in favor of electronic wallets like apple and android pay, I don't know how the rfid works on those. even if read from a distance the transaction has to be authorized on the phone so it's useless data.

 

[Bill]

As I understand the electronic wallet like apple and android pay are even better, the token it generates is like a one time use credit card number that is used, and then thrown away. Kind of like a code hopping garage door remote I guess.

Yes, Applepay generates a once time transaction code that does not contain any personal info like CC number. And yes, it is a one time use code, if someone somehow steals the code and tries to re-use it, it won't work. I use it when I can.

 

[Henning]

Correct me if I'm wrong, but both RFID and EVM are passive RF devices that use near field communication, the difference being the transaction code created with an EVM transaction negates the use of the card information in duplicate.

I think you're right on that, it wasn't that it couldn't be read, it's that the data couldn't be used, but that's a known false premise; there is no "can't", someone always figures out a 'how' for every 'can't'.

Where's Jessie on this? He knows all this crap inside and out.

 

[PeeGee]

Yes, Applepay generates a once time transaction code that does not contain any personal info like CC number. And yes, it is a one time use code, if someone somehow steals the code and tries to re-use it, it won't work. I use it when I can.

it's kind of neat to see how those transactions work on the backend, she can see the route they take and has described it, I just forgot the finer details
well that and I don't know how much I can say without risking getting her in trouble. She was involved in the implementation of both chip and apple/google pay.

 

[Bill]

it's kind of neat to see how those transactions work on the backend, she can see the route they take and has described it, I just forgot the finer details

The other cool thing about ApplePay is once your cards are in the app, you get near instant notification anytime your card is run. No matter it be from ApplePay, traditional swipe, or an auto charge like memberships.

It's great, I'll be able to see an unauthorized charge almost instantly.

Good stuff.

 

[PeeGee]

The other cool thing about ApplePay is once your cards are in the app, you get near instant notification anytime your card is run. No matter it be from ApplePay, traditional swipe, or an auto charge like memberships.

It's great, I'll be able to see an unauthorized charge almost instantly.

Good stuff.

****. I wish I'd paid more attention. especially to how the phone hardware works. I think the android phone emulate the chip where the apple phones have a physical chip. oh well, conversations you never figure you'll have.

my bank doesn't support android pay yet, her's does. sprouts and walgreens is about the only place we use it because the acceptance is so small for the time being.

 

[Matthew]

Slowly, my local vendors are enabling the chip reader on their CC terminals. I still have to swipe at most of them, though. I noticed that the chip reader is slower - you have to plug in the card, sign, and wait for it to tell you "OK to remove card". With the mag stripe, you just swipe it. I have been assuming the delay is the transaction being completed at both ends, something that happens when you swipe but at least then it doesn't prevent you from putting the card away while you wait.

 

[jesse]

I think you're right on that, it wasn't that it couldn't be read, it's that the data couldn't be used, but that's a known false premise; there is no "can't", someone always figures out a 'how' for every 'can't'.

Where's Jessie on this? He knows all this crap inside and out.

In NYC busting my ass building software/hardware combinations for EMV transactions

EMV and Contactless are two entirely different things, often grouped together.

A typical standard EMV card has a chip mounted on it that requires contact to interact with. The reader sends them 3-5 volts depending on some factors. Typically it will also have the same magnetic stripe on the chip for backwards compatibility (though it is possible to have an EMV card with no MSR strip).

A contactless card contains a RFID chip. A transaction occurring over contactless may utilize EMV or it may not, depending on more factors.

So it's perfectly possible to have a contactless chip that actually just transmits your credit card number and runs the transaction with nothing EMV involved.

It's also possible to have a contactless card that utilizes EMV to better secure things and doesn't support MSR over the contactless method at all.

So to sum this up: EMV != Contactless

An EMV card does not have to support contactless. A card without contactless even if it is EMV cannot be read without contact to the chip.

A contactless card may or may not be an EMV card. It may or may not use EMV for the transaction. A contactless card can be read without contact.

If your card supports contactless you'll typically have a logo like this on there:

As a consumer its pretty easy to figure out if your card is EMV or contactless or both by looking at it. If it has a chip it supports EMV. If it has the above logo it supports contactless as well. Whether or not the contactless will run the transaction with the EMV security features or whether it'll run it like a traditional magnetic swipe transaction is pretty much impossible for you to determine as a typical consumer (and somewhat depends on the terminal) and quite frankly doesn't matter much to you since you're not liable for the fraud anyhow.

There are lots of details about the EMV implementation and how it's rolling out that makes it kind of a joke. That's about all I'd like to say publicly

I personally don't carry a debit card and never will. I sure the hell wouldn't be carrying a debit card that was contactless.

Back to coding...

 

[Henning]

Slowly, my local vendors are enabling the chip reader on their CC terminals. I still have to swipe at most of them, though. I noticed that the chip reader is slower - you have to plug in the card, sign, and wait for it to tell you "OK to remove card". With the mag stripe, you just swipe it. I have been assuming the delay is the transaction being completed at both ends, something that happens when you swipe but at least then it doesn't prevent you from putting the card away while you wait.

Basically the "swipe" is like an old tape deck head reading a 1/4" of tape. Once it reads it, it has the info. To the best of my understanding, the chip actually is part of the hardware of the transaction process as well.

 

[jesse]

Basically the "swipe" is like an old tape deck head reading a 1/4" of tape. Once it reads it, it has the info. To the best of my understanding, the chip actually is part of the hardware of the transaction process as well.

Correct. There is a lot that happens between the chip, the terminal, the processor, and the brand networks. It's somewhat secure.

The problem is that it's super easy currently to take any EMV chip card, swipe the magnetic data, and print your own card with that magnetic data with no EMV chip that will be accepted anywhere. I suspect they'll lock that down, but it'll probably take yeeeeaarrrsss.

The wheels don't turn quickly in this industry. The certification requirements are a ***** and take LOTS of time and man hours.

 

[Mtns2Skies]

Correct me if I'm wrong...

One of the biggest benefits to the chip is that card skimmers are no longer feasible:

http://www.thedenverchannel.com/new...rs-were-found-at-3-safeway-stores-in-colorado

 

[SkyDog58]

I have an EMV card and I noticed that most places don't even have the function available on the card reader(even though it is clearly a new reader with the EMV slot) to use it so I end up swiping it anyways. Going to Europe they use it almost everywhere.

Same with Canada. I think every time we used a card up there on our trip this year, we had to use that. They even bring a handheld card reader to your table at restaurants.

 

[Matthew]

Basically the "swipe" is like an old tape deck head reading a 1/4" of tape. Once it reads it, it has the info. To the best of my understanding, the chip actually is part of the hardware of the transaction process as well.

Yeah. If it were simply a case of plugging it and then removing it (similar to a quick swipe, or the way the mag stripe readers work at my gas station and ATM), I wouldn't notice any difference. I don't know all the transaction back-and-forth details, but that chip seems to be more integrated into it than the data that's on the mag stripe.

 

[Henning]

In NYC busting my ass building software/hardware combinations for EMV transactions

EMV and Contactless are two entirely different things, often grouped together.

A typical standard EMV card has a chip mounted on it that requires contact to interact with. The reader sends them 3-5 volts depending on some factors. Typically it will also have the same magnetic stripe on the chip for backwards compatibility (though it is possible to have an EMV card with no MSR strip).

A contactless card contains a RFID chip. A transaction occurring over contactless may utilize EMV or it may not, depending on more factors.

So it's perfectly possible to have a contactless chip that actually just transmits your credit card number and runs the transaction with nothing EMV involved.

It's also possible to have a contactless card that utilizes EMV to better secure things and doesn't support MSR over the contactless method at all.

So to sum this up: EMV != Contactless

An EMV card does not have to support contactless. A card without contactless even if it is EMV cannot be read without contact to the chip.

A contactless card may or may not be an EMV card. It may or may not use EMV for the transaction. A contactless card can be read without contact.

If your card supports contactless you'll typically have a logo like this on there:

As a consumer its pretty easy to figure out if your card is EMV or contactless or both by looking at it. If it has a chip it supports EMV. If it has the above logo it supports contactless as well. Whether or not the contactless will run the transaction with the EMV security features or whether it'll run it like a traditional magnetic swipe transaction is pretty much impossible for you to determine as a typical consumer (and somewhat depends on the terminal) and quite frankly doesn't matter much to you since you're not liable for the fraud anyhow.

There are lots of details about the EMV implementation and how it's rolling out that makes it kind of a joke. That's about all I'd like to say publicly

I personally don't carry a debit card and never will. I sure the hell wouldn't be carrying a debit card that was contactless.

Back to coding...

Say you wanted to strip the swipe of its data to leave you with stripe less card (would there be a security benefit?), what would be the best way to go about it?

 

[jesse]

Correct me if I'm wrong...

One of the biggest benefits to the chip is that card skimmers are no longer feasible:

http://www.thedenverchannel.com/new...rs-were-found-at-3-safeway-stores-in-colorado

Actually, today, they're just as feasible as they were before.

Both track 1 and track 2 of the magnetic swipe data on a card contain a field called the Service Code. The service code tells the terminal whether or not the card is EMV equipped. If the card is EMV equipped, and the consumer swiped it, the terminal will demand the consumer dip the card to run it as an EMV transaction.

However, if you take an EMV card, skim it with a reader, change that service code to say that the card is not EMV and then print your new card with the modified service code you're all set. You can then run the card as a swipe card anywhere, the terminal won't know it's suppposed to be EMV, and the networks will accept the transaction because they want to maintain MSR compatibility.

So $100 in gear and still today you can skim cards and print up your own replacements regardless of whether or not the card you skimmed was EMV equipped.

This hole will probably close up..but it'll probably be yeaaaarrss.

Even without this hole - there are still ways.

 

[Bill]

A typical standard EMV card has a chip mounted on it that requires contact to interact with. The reader sends them 3-5 volts depending on some factors.

So looking at the "chips" on my EMV cards, I see the probe marks, and I also notice the patterns of the chips are wildly different. Are these "chips" just passive resistance networks with different resistances meaning different things? Or are they really active devices that are powered up by the transaction terminal?

 

[Henning]

Also, if I don't see the contactless symbol on the card, is that an assurance that it is not, or just 'usually' (is it required)?

 

[Henning]

So looking at the "chips" on my EMV cards, I see the probe marks, and I also notice the patterns of the chips are wildly different. Are these "chips" just passive resistance networks with different resistances meaning different things? Or are they really active devices that are powered up by the transaction terminal?

I looked at one under a loupe and it looked more complex than simple resistance.

 

[Matthew]

It's more than measuring resistance - there is quite a sequence of events that occurs:

https://en.wikipedia.org/wiki/EMV#Transaction_flow

 

[Warlock]

All my cards have been EMV for awhile...Walmart, Home Depot, and Lowes all have the readers and use them. In Europe its really universal only difference is the American cards don't require a pin number and the machines default to English when you use them or at least that's my experience as of last week in Belgium and France...but that has evolved over the last couple of years. This time was the first time I had my American EMV cards work seamlessly.

 

[Matthew]

Here's the place with the inner workings:

http://www.emvco.com/best_practices.aspx?id=217

Download the "Guide to EMV Chip Technology" PDF.

 

[jesse]

So looking at the "chips" on my EMV cards, I see the probe marks, and I also notice the patterns of the chips are wildly different. Are these "chips" just passive resistance networks with different resistances meaning different things? Or are they really active devices that are powered up by the transaction terminal?

They are active devices that get powered by the terminal that the terminal then interacts with.

https://www.emvco.com/specifications.aspx?id=223

Download the Book_1_ICC_to_Terminal_interface and look at page 39

 

[Bill]

Here's the place with the inner workings:

http://www.emvco.com/best_practices.aspx?id=217

Download the "Guide to EMV Chip Technology" PDF.

Ah, so it is an active device in there.

 

[Bill]

They are active devices that get powered by the terminal that the terminal then interacts with.

https://www.emvco.com/specifications.aspx?id=223

Download the Book_1_ICC_to_Terminal_interface and look at page 39

Very interesting, thanks!

 

[SixPapaCharlie]

FWIW I had my credit card information stolen and used on 3 occasions last years.
All the security is out the window when you hand your card to a server at a restaurant.

 

[Henning]

FWIW I had my credit card information stolen and used on 3 occasions last years.
All the security is out the window when you hand your card to a server at a restaurant.

When you see their phone open to Amazon, pay cash. I'm mostly a cash user anyway. I tend to buy local and spend cash.

 

[Bill]

FWIW I had my credit card information stolen and used on 3 occasions last years.
All the security is out the window when you hand your card to a server at a restaurant.

Always have a "clean" card as a backup, one that never leaves your person, that you do not use for online transactions, etc. No guarantees, but it's nice to have a card to use when the other is compromised.

 

[flyingron]

Correct me if I'm wrong, but both RFID and EVM are passive RF devices that use near field communication, the difference being the transaction code created with an EVM transaction negates the use of the card information in duplicate.

You're partially wrong and partially right. The EVM has comes in both contact (that's the visual "chip" thing you see, it's not really the chip but the contacts to talk to it) and near field RF versions.

 

[Sac Arrow]

You're partially wrong and partially right. The EVM has comes in both contact (that's the visual "chip" thing you see, it's not really the chip but the contacts to talk to it) and near field RF versions.

I think I understand. So the contact version is powered and read by physical contacts, and the RF version is inductively powered like an RFID?

 

[jesse]

I think I understand. So the contact version is powered and read by physical contacts, and the RF version is inductively powered like an RFID?

yes but the rfid on cards may or may not utilize EMV.

 

[Sam D]

Here's an interesting story I read recently on EMV fraud in France.

Chip-card fraud in France
Chip cards also have vulnerabilities, though they require more effort by crooks to exploit. In May 2011, French banking group GIE Cartes Bancaires discovered an ingenious form of fraud involving about 40 chip-and-PIN cards stolen in France and used to make purchases in Belgium.
The “man-in-the-middle” attack allowed a stolen chip card to initiate a transaction then an extra chip soldered on top of the original chip told the remote server that an entered PIN, even if random, was authentic. The original chip on the stolen card completed the fraudulent purchase.
Computer scientists Houda Ferradi, Rémi Géraud, David Naccache and Assia Tria, based in Paris, helped police with microscopic, protocol and X-ray forensic analysis of “what the authors believe to be the most sophisticated smart-card fraud encountered to date,” the researchers wrote. Their work helped prosecute the fraud artists.
“The chip module is slightly thicker than normal, with the chip bulging somewhat through the card, making insertion into a point-of-sale somewhat uneasy, but perfectly feasible,” the researchers said in their report.

Read more at http://www.northbaybusinessjournal....ity-fraud?gallery=4844200#ryb0VtCg2YIrlOog.99

 

[Henning]

Like I said... There is no 'can't'.

 

[ggroves]

FWIW I had my credit card information stolen and used on 3 occasions last years.
All the security is out the window when you hand your card to a server at a restaurant.

When I was in Germany this year, the servers at restaurants brought a portable CC terminal to the table for me to enter my PIN code to complete my CC transaction.

This is how it should be here.