Horsecrap! They were known as "ATM" cards and were offered by every bank as far back as the early 80s. Visa and MC were nowhere in the picture. I used one for 20 yrs and never once succumbed to the debit card rip-off, even long after they became the norm to clueless plastic users in CA.
nb
snipped-for-privacy@aol.com wrote in news: snipped-for-privacy@4ax.com:
I believe that some things like balance remaining/available get written to the chip, so less info has to be transmitted over the data lines. The whole chip thing was said (somewhere) to be much more secure and theft proof.
Some credit card issuers offer virtual account numbers on their web sites. Features may vary, but it's a different number than the one on your plastic card. It's good for only one merchant, and in some cases you can specify a time and dollar limit. You can also cancel it early. This came in handy for me when I used a virtual number to subscribe to an online publication. Deep down in the terms and conditions was an evergreen clause -- automatic renewal unless I cancelled. I chose not to renew and forgot about it. When I was notified that "there is a problem with your credit card" I simply ignored it.
Nothing, other than all CC terminals would need PIN entry capability. This could be a problem with restaurants, for example.
The chip allows off-line use, important for the early European market (20 years ago). As noted above, not so much in the US. The two systems started apart, for good reason, and the cost to change either exceeds any benefit.
It's been a while since I looked at the spec, but I think it has to do with where the PIN is validated. On a traditional debit card, the PIN is sent to a server at the card processor and ultimately to the issuing bank for approval. With Chip & PIN, the authentication can be done in the card itself. The terminal captures the approvals over a period of time and sends them to the bank in batches.
IFF you trust the cryptography. It makes little sense with cheap communications, though.
You're missing the complete picture - and I'm assuming we're discussing the US here, not another country.
You are correct - at first there were just ATM cards. Those cards were only valid at the issuing bank's ATM machine. Then came regional networks - ie Cirrus, Plus and a bunch of others. ATM cards branded with those network names could be used at your own bank plus grocery stores and the like in your area.
The problem was when you wanted to use your card on the other side of the country or even downstate. That's when Visa and MC stepped in with their national networks. Each had two types of cards: offline/online, or online only.
The offline/online cards were branded just like the credit cards and banks liked it when you used them as a credit card because they collected 3% or more in transaction fees. Stores liked it when you used them in online (PIN) mode, because the transaction fees were much less.
I haven't looked at the contracts from Visa and MC, but I suspect there are restrictions on banks that want to offer national branded cards from competing with themselves by offering ATM only or online only cards. That and it avoids a lot of consumer confusion.
Minor correction - Cirrus and Plus were the online networks that Visa and MC ran. The regional nets were things like CASH, MPACT and a bunch of others.
I've said, in more than one post, this applied only in CA as far as I know. I now live in CO and I may as well live on Mars. All my ATM experiences in CA are totally nonexistent, here. I'll not repeat it again.
nb
That really sounds like a hacker's paradise. I assume they believe their encryption is unbreakable but that is just a dream. If this is batch verified, the scammer has time before he is discovered.
Um, no.
At the point of sale, you insert the card into the reader. The user has to enter the pin into the reader's keypad, which presumably sends the pin to the chip on the card. The chip sends back something to the reader to indicate that the pin was correct. So the verification happens in real time - not "batch verified".
I would also guess that for any retailer that is making at least a few CC transactions per minute, that they have their CC machines connected to the store's internet connection - perhaps they have a dedicated phone line and internet service just for their CC machines so that their CC readers are not on the same IP network as the rest of their store's computers.
If someone steals the card and inserts it into a hacked reader, and has the reader modified to generate all possible 4-digit pin numbers to run against the card, the chip on the card is designed to invalidate itself if more than a few incorrect attempts are made to guess the pin.
Replicating the card, with the chip and it's embedded user-selected pin, is pretty close to impossible.
Replicating a convential mag-swipe CC card is trivial if you have physical possession of the card. The chip'd cards also have a mag-swipe track, which I guess can also be duplicated.
Here's something that you might want to do with your credit card:
Take some white-out (white correction paint) and paint over the 3-digit "security" code on the back of the card.
When ever you hand out the card to someone (like a waiter at a restaurant) for processing, and if they bring the card back to you and you notice that the white paint has been scraped off so as to show the code, you know that something fishy is going on.
But if you have a hacked card chip, you know the right PIN and you make sure there is lots of money on it.
The banks fraud detection unit will not see any of these transactions until the batch is sent.
All you have to do is put a chip on a card that transmits the right stuff to the reader. It doesn't have to be a real card or a real chip.
Yes it is very easy to clone a credit card, that is why they do fraud detection in real time. If a card shows unusual activity they call you and if they don't get a response pretty quickly, they invalidate the card.
the chip and pin has already been cracked
I expected that might be true. If it is made by humans, another human can defeat it.
When I was in the computer biz I showed the bank that their ATM was vulnerable to attack. I found the leased line, in one of those phone company splice gravestones you find along the side of the road and hacked into the ATM. Granted I did have the encryption key (a trivial one BTW) but I was able to send the ATM the command string that had it pumping out money, thinking it was talking to the bank. On the bank end they were just seeing the proper response to it's "Hey mon, you dead?" poll. I had a fairly sophisticated piece of test gear but I bet I could have done it with a laptop and a Bi sync modem.,
I assume they got smarter in later generations of ATM.
I just bought some shocks, went online @ Advanced Auto Parts. If you put the code #P20 in, you get 20% off. So, figure I'd just run down to Advance & get them over the counter for same price. NOT! Told me go home, order online for the discount, mark it for pickup @ whatever store and head down to the store in about an hour. Anyways, that's the only way to get 20% off, so I did it. Glad there are 3 of their stores within 7 miles of my place.
HomeOwnersHub website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.