OT - credit card upgrade question

Page 3 of 7  


I stumbled across that as well when I started investigating why my EMV card suddenly started asking for signature verification when it had been perfectly happy with PIN verification up until late last fall. I was still using the slot and not swiping.
Among other things, I discovered that my card issuer had change the verification priority on my EMV card to signature because of a banking industry concensus that US card users would be too confused by a PIN request for a credit transation.
While looking into that change, I read about Walmart enabling swiping for EMV cards as a temporary measure.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

More or less correct. Depending on how the RFID chip is programmed, it could be a single serial number or several smaller numbers/characters.

There's basic physics involved. Since a passive RFID chip has no battery, it get's it's power from the radio waves of the signal it receives. That means it's never going to be able to send out a stronger signal.

EMV stands for for Europay, Mastercard, Visa, the consortium that developed the technology. The chip is nothing more than a small cpu, secure memory and I/O all in one.

Communication between the reader and the card is initially clear text, but transitions very quickly into an encrypted exchange. The details of how and why that exchange is secure is too complicated for a Usenet post. Neither the card nor the terminal will proceed with a transaction unless they are convinced the other is legit.

You seem to be assuming that the EMV card works just like an RFID card, except that there is a physical connection for the EMV card and the RFID card works by radio. There is nothing in common between the two. RFID cards return a small number of bits, with no encryption. EMV cards are micro computers with memory.

There's more involved than just sending a unique ID number. And as I posted previously, the mag stripe on EMV cards contains a code that indicates it is an EMV card. After October, most EMV readers will reject swipes from cards coded as EMV capable. Cloning an EMV chip is also not possible for anyone other than the manufacturers of the EMV cards. There's a reason EMV cards cost 10X what a mag stripe card costs and a reason why banks are willing to incur that cost.

No. See above.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 4/11/2015 9:54 AM, Arthur Conan Doyle wrote:

And in conclusion. . .
Thank you for a good explanation. The one thing to take away from this discussion is the RFID chip may not be so good, but the EMV ship is OK and far less prone to fraud.
Reading how it works and that eventually the swipe will be a thing of the past, it is foolish to destroy the chip in any manner. While I understand some initial fear, the fact is, it is a dumb thing to do to make the card less secure. A little research bears it out.
I also not tht in the future, liability for loss will be to the card issueer or the merchant, depending on who has the least security. It would be good for them to put the liability on those dumb enough to reduce the security of their cards intentionally.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 4/11/2015 10:43 AM, Ed Pawlowski wrote:

I'd agree about EMV chips with the USB like connecton. RFID chips, well, major problems in my opinion.
- . Christopher A. Young learn more about Jesus . www.lds.org . .
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 4/11/2015 8:36 AM, Mayayana wrote:

They are different and the EMV card is more secure. It required contact, not just a "nearby" situation.
http://www.startribune.com/business/246054421.html The other type of chip-based card doesn’t require physical contact between the card and the card reader; it uses RFID radio technology to send data short distances through the air. These cards are available today, and have names such as Visa PayWave, MasterCard PayPass, American Express ExpressPay and Discover Zip.
The problem with RFID cards is that, unless the card is inside a protective covering, they can be read from a few inches away by someone who has a portable RFID reader. Metal foil is said to be the best protective coating to prevent data theft. Some wallets are now sold with protective pockets for RFID credit cards, although the degree of protection provided is not uniform.
http://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php http://www.snopes.com/fraud/identity/pickpocket.asp
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Thank you. That helps to clarify things. It also seems to indicate that EMV is coming to the US no time soon. My brand new Mastercard is PayPass, with RFID. My 3 other cards have no chip at all. Before this discussion started I had just assumed EMV was a marketing term for RFID in credit cards.
I'm still confused on one point, though. From your first link:
"RFID proponents say that if the cards use security codes that automatically change after every use, information stolen from a card could only be used for one fraudulent transaction."
I don't see how an RFID chip holding a unique number could use changing "security codes". That kind of language is where it all gets murky. Is the author mixing up RFID with EMV? If there are changing security codes, what does that *really* mean? It's not convincing for them to say it's secure if they don't detail how, exactly, it's secured.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On Sat, 11 Apr 2015 12:49:36 -0400, "Mayayana"

This is off the top of my head so my memory could be faulty but... EMV was developed years ago by a consortium of card companies (EuroCard, Master Card, and Visa thus EMV). It was widely accepted in Europe but US banks decided it wasn't worth the extra cost. What the people on this thread are calling RFID is really a variety of wireless systems. Some just provide a fixed number to ID an item. That is usually what it meant by RFID. Others involve a microprocessor and memory but are also wireless. The reader has a coil to supply power to the chip wirelessly. The chip wakes up and can communicate (two-way) with the reader. I don't know if EMV now has a wireless version, but the older implementation had contacts on the card.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Here in Canada we have the "EMV" style chip cards, but they also work as a "pay pass" card. The range on the "pay pass" appears to be well under half an inch from my experience. If tyou don't "tap" perfectly square to the serface of the reader, most often it will not authenticate. The RFID key fob for the keyless entry system at the office is less demanding, but still requires being a lot closer than half an inch from the reader.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On Sat, 11 Apr 2015 12:49:36 -0400, "Mayayana"

If they told everyone exactly how it was secured, it wouldn't be secure any more. "If I told you how it works I'd have to kill you"
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| If they told everyone exactly how it was secured, it wouldn't be | secure any more. "If I told you how it works I'd have to kill you"
:) I should hope not. Finding out can't be so difficult. Knowing there's encryption, for instance, doesn't help to bypass it. But before I'd trust it I'd want to understand the details of how it works so that I could assess whether there are risks.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 4/11/2015 6:48 PM, Mayayana wrote:

What risk? The cardholder has no risk. All risk is borne by the issuer or in some cases, the merchant of they do not have proper security.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

A combination of challenge response with encription is pretty darn safe. Combine something to know with something to show.(Chip-PIN).
I'm sure not worried about thesecurity of the chip card. It is at least an order of magnatude safer than a mag-stripe card with signature"verification". Easy to "fudge" a signature - particularly when the signature on the card virtually never stays readable, and virtually no merchant checks the signature - particularly with "self serve" checkouts.
With Chip-PIN either you know the PIN or you don't.. No "fudging" Cover the pin pad with your other hand and rest your fingers on the keys you are not pressing to defeat anyone using an IR camera to determine which keys have been pressed if you are paranoid.
Just don't be "blonde" and write the PIN on the card!!!!!!!!!!!!!!!
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On Sat, 11 Apr 2015 23:59:57 -0400, snipped-for-privacy@snyder.on.ca wrote:

Since it's a pain to sign on those little electric boxes they have at the checkout counters these days, I just sign a squiggly line. Nobody's complained (yet), Then I started doing it on paper receipts. Still no complaints (yet).
Try it, it's sure a lot faster and easier.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On Fri, 10 Apr 2015 22:08:19 -0600, Arthur Conan Doyle

Some "active" rfids don't need a battery either - they have an inductive power loop, so are powered by the sensor. Key-fobs are one such application.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 4/10/2015 8:24 AM, Mayayana wrote:

The letter I got said some thing about the chip making a single use identifiable code for each transaction. Doesn't sound like the text you quoted.
- . Christopher A. Young learn more about Jesus . www.lds.org . .
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Mayayana wrote:

The range is small, like an inch or less.
You could build a RFID detector, detector. The chip itself is powered by an induced electrical field.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 04/11/2015 07:24 PM, G. Morgan wrote:

There you go again -- introducing technology into the conversation. Everybody know a passive rfid chip can be scanned from 50' away through a concrete block wall.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
rbowman wrote:

Is that bad?

It depends on the power of the transmitter. The FCC regulates reader's output power. The biggest ones I know of are the ones mounted above EZ-Tag lanes, good to about 25' with LOS. Those require a licence to deploy.
Perhaps the government has access to higher power ones, but then you and me will be complaining about high-frequency energy being shot through our bodies.
Do you have a reference to normal consumer grade RFID chips being read at 50' though concrete?
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 4/9/2015 8:49 PM, Mayayana wrote:

The problem with magnetic stripes is that they encode the user information, and anyone who gets their hands on the card can used a small card reader to copy it. Which has and does happen. Clerks and servers can carry small scanners, take the customers cards and drop them, bend down, discreetly swipe the card, then hand it back to the unaware customer.
Magnetic cards are less secure than chipped cards, which is why the majority of credit card data theft occurs in the US, the last major bastion of magnetic stripe credit cards.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

While ATM skimmers and clerks scanning cards under the counter are occasionally a problem, they aren't the source of a huge amount of card fraud.

The source of most of the card compromises are card terminals and company servers that support those networks, not the mag stripe on the back of a card.
The reasons card issuers have been reluctant to go from issung cards that cost .20 to make to cards that cost $1.20 to make is that there are multiple security issues with the end to end payment system and each problem needs to be addressed. Many will argue that unauthorized card use (which happens with cloned cards) can easily be addressed by smart processing. I know that I already get calls and txts like this from my bank:
Bank: "Did you just attempt purchase flowers in New York?" Me: "No." Bank: "OK, cut your card up. You'll get a new one tomorrow."
EMV cards are not a silver bullet. They solve some specific issues: card cloning, offline transaction authentication, and if programmed properly - support tokenized transactions. The latter being where the card number is not exposed to the merchant. All the merchant sees is a one time transaction code that can't be reused.
You might jump up and say that last feature is why everyone should get EMV cards and the merchants should all install EMV readers. The thing is that same functionality could (and will) be implemented in a smartphone app and simple scanner. Then all those hundreds of millions of dollars invested in EMV cards and readers are thrown away.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Site Timeline

Related Threads

    HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.