I stumbled across that as well when I started investigating why my EMV card
suddenly started asking for signature verification when it had been perfectly
happy with PIN verification up until late last fall. I was still using the slot
and not swiping.
Among other things, I discovered that my card issuer had change the verification
priority on my EMV card to signature because of a banking industry concensus
that US card users would be too confused by a PIN request for a credit
While looking into that change, I read about Walmart enabling swiping for EMV
cards as a temporary measure.
More or less correct. Depending on how the RFID chip is programmed, it could be
a single serial number or several smaller numbers/characters.
There's basic physics involved. Since a passive RFID chip has no battery, it
get's it's power from the radio waves of the signal it receives. That means it's
never going to be able to send out a stronger signal.
EMV stands for for Europay, Mastercard, Visa, the consortium that developed the
technology. The chip is nothing more than a small cpu, secure memory and I/O all
Communication between the reader and the card is initially clear text, but
transitions very quickly into an encrypted exchange. The details of how and why
that exchange is secure is too complicated for a Usenet post. Neither the card
nor the terminal will proceed with a transaction unless they are convinced the
other is legit.
You seem to be assuming that the EMV card works just like an RFID card, except
that there is a physical connection for the EMV card and the RFID card works by
radio. There is nothing in common between the two. RFID cards return a small
number of bits, with no encryption. EMV cards are micro computers with memory.
There's more involved than just sending a unique ID number. And as I posted
previously, the mag stripe on EMV cards contains a code that indicates it is an
EMV card. After October, most EMV readers will reject swipes from cards coded as
EMV capable. Cloning an EMV chip is also not possible for anyone other than the
manufacturers of the EMV cards. There's a reason EMV cards cost 10X what a mag
stripe card costs and a reason why banks are willing to incur that cost.
And in conclusion. . .
Thank you for a good explanation. The one thing to take away from this
discussion is the RFID chip may not be so good, but the EMV ship is OK
and far less prone to fraud.
Reading how it works and that eventually the swipe will be a thing of
the past, it is foolish to destroy the chip in any manner. While I
understand some initial fear, the fact is, it is a dumb thing to do to
make the card less secure. A little research bears it out.
I also not tht in the future, liability for loss will be to the card
issueer or the merchant, depending on who has the least security. It
would be good for them to put the liability on those dumb enough to
reduce the security of their cards intentionally.
They are different and the EMV card is more secure. It required contact,
not just a "nearby" situation.
The other type of chip-based card doesn’t require physical contact
between the card and the card reader; it uses RFID radio technology to
send data short distances through the air. These cards are available
today, and have names such as Visa PayWave, MasterCard PayPass, American
Express ExpressPay and Discover Zip.
The problem with RFID cards is that, unless the card is inside a
protective covering, they can be read from a few inches away by someone
who has a portable RFID reader. Metal foil is said to be the best
protective coating to prevent data theft. Some wallets are now sold with
protective pockets for RFID credit cards, although the degree of
protection provided is not uniform.
Thank you. That helps to clarify things. It also
seems to indicate that EMV is coming to the US
no time soon. My brand new Mastercard is PayPass,
with RFID. My 3 other cards have no chip at all.
Before this discussion started I had just assumed
EMV was a marketing term for RFID in credit cards.
I'm still confused on one point, though. From
your first link:
"RFID proponents say that if the cards use security codes that automatically
change after every use, information stolen from a card could only be used
for one fraudulent transaction."
I don't see how an RFID chip holding a unique
number could use changing "security codes". That
kind of language is where it all gets murky. Is
the author mixing up RFID with EMV? If there
are changing security codes, what does that
*really* mean? It's not convincing for them to
say it's secure if they don't detail how, exactly,
This is off the top of my head so my memory could be faulty but...
EMV was developed years ago by a consortium of card companies
(EuroCard, Master Card, and Visa thus EMV). It was widely accepted in
Europe but US banks decided it wasn't worth the extra cost. What the
people on this thread are calling RFID is really a variety of wireless
systems. Some just provide a fixed number to ID an item. That is
usually what it meant by RFID. Others involve a microprocessor and
memory but are also wireless. The reader has a coil to supply power
to the chip wirelessly. The chip wakes up and can communicate
(two-way) with the reader. I don't know if EMV now has a wireless
version, but the older implementation had contacts on the card.
Here in Canada we have the "EMV" style chip cards, but they also work
as a "pay pass" card. The range on the "pay pass" appears to be well
under half an inch from my experience. If tyou don't "tap" perfectly
square to the serface of the reader, most often it will not
authenticate. The RFID key fob for the keyless entry system at the
office is less demanding, but still requires being a lot closer than
half an inch from the reader.
| If they told everyone exactly how it was secured, it wouldn't be
| secure any more. "If I told you how it works I'd have to kill you"
:) I should hope not. Finding out can't be so difficult.
Knowing there's encryption, for instance, doesn't
help to bypass it. But before I'd trust it I'd want to
understand the details of how it works so that I
could assess whether there are risks.
A combination of challenge response with encription is pretty darn
safe. Combine something to know with something to show.(Chip-PIN).
I'm sure not worried about thesecurity of the chip card. It is at
least an order of magnatude safer than a mag-stripe card with
signature"verification". Easy to "fudge" a signature - particularly
when the signature on the card virtually never stays readable, and
virtually no merchant checks the signature - particularly with "self
With Chip-PIN either you know the PIN or you don't.. No "fudging"
Cover the pin pad with your other hand and rest your fingers on the
keys you are not pressing to defeat anyone using an IR camera to
determine which keys have been pressed if you are paranoid.
Just don't be "blonde" and write the PIN on the card!!!!!!!!!!!!!!!
On Sat, 11 Apr 2015 23:59:57 -0400, email@example.com wrote:
Since it's a pain to sign on those little electric boxes they have at
the checkout counters these days, I just sign a squiggly line.
Nobody's complained (yet), Then I started doing it on paper receipts.
Still no complaints (yet).
Try it, it's sure a lot faster and easier.
The letter I got said some thing about the chip
making a single use identifiable code for each
transaction. Doesn't sound like the text you
Christopher A. Young
learn more about Jesus
It depends on the power of the transmitter. The FCC regulates reader's
output power. The biggest ones I know of are the ones mounted above
EZ-Tag lanes, good to about 25' with LOS. Those require a licence to
Perhaps the government has access to higher power ones, but then you and
me will be complaining about high-frequency energy being shot through
Do you have a reference to normal consumer grade RFID chips being read
at 50' though concrete?
The problem with magnetic stripes is that they encode the user
information, and anyone who gets their hands on the card can used a
small card reader to copy it. Which has and does happen. Clerks and
servers can carry small scanners, take the customers cards and drop
them, bend down, discreetly swipe the card, then hand it back to the
Magnetic cards are less secure than chipped cards, which is why the
majority of credit card data theft occurs in the US, the last major
bastion of magnetic stripe credit cards.
While ATM skimmers and clerks scanning cards under the counter are occasionally
a problem, they aren't the source of a huge amount of card fraud.
The source of most of the card compromises are card terminals and company
servers that support those networks, not the mag stripe on the back of a card.
The reasons card issuers have been reluctant to go from issung cards that cost
.20 to make to cards that cost $1.20 to make is that there are multiple security
issues with the end to end payment system and each problem needs to be
addressed. Many will argue that unauthorized card use (which happens with cloned
cards) can easily be addressed by smart processing. I know that I already get
calls and txts like this from my bank:
Bank: "Did you just attempt purchase flowers in New York?"
Bank: "OK, cut your card up. You'll get a new one tomorrow."
EMV cards are not a silver bullet. They solve some specific issues: card
cloning, offline transaction authentication, and if programmed properly -
support tokenized transactions. The latter being where the card number is not
exposed to the merchant. All the merchant sees is a one time transaction code
that can't be reused.
You might jump up and say that last feature is why everyone should get EMV cards
and the merchants should all install EMV readers. The thing is that same
functionality could (and will) be implemented in a smartphone app and simple
scanner. Then all those hundreds of millions of dollars invested in EMV cards
and readers are thrown away.
HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.