It's been a while since I looked at the spec, but I think it has to do with
where the PIN is validated. On a traditional debit card, the PIN is sent to a
server at the card processor and ultimately to the issuing bank for approval.
With Chip & PIN, the authentication can be done in the card itself. The terminal
captures the approvals over a period of time and sends them to the bank in
At the point of sale, you insert the card into the reader. The user has
to enter the PIN into the reader's keypad, which presumably sends the
PIN to the chip on the card. The chip sends back something to the
reader to indicate that the PIN was correct. So the verification
happens in real time - not "batch verified".
I would also guess that for any retailer that is making at least a few
CC transactions per minute, that they have their CC machines connected
to the store's internet connection - perhaps they have a dedicated phone
line and internet service just for their CC machines so that their CC
readers are not on the same IP network as the rest of their store's
If someone steals the card and inserts it into a hacked reader, and has
the reader modified to generate all possible 4-digit PIN numbers to run
against the card, the chip on the card is designed to invalidate itself
if more than a few incorrect attempts are made to guess the PIN.
Replicating the card, with the chip and its embedded user-selected PIN,
is pretty close to impossible.
Replicating a conventional mag-swipe CC card is trivial if you have
physical possession of the card. The chip'd cards also have a mag-swipe
track, which I guess can also be duplicated.
Here's something that you might want to do with your credit card:
Take some white-out (white correction paint) and paint over the 3-digit
"security" code on the back of the card.
Whenever you hand out the card to someone (like a waiter at a
restaurant) for processing, and if they bring the card back to you and
you notice that the white paint has been scraped off so as to show the
code, you know that something fishy is going on.
But if you have a hacked card chip, you know the right PIN and you
make sure there is lots of money on it.
The bank's fraud detection unit will not see any of these transactions
until the batch is sent.
All you have to do is put a chip on a card that transmits the right
stuff to the reader. It doesn't have to be a real card or a real chip.
Yes it is very easy to clone a credit card, that is why they do fraud
detection in real time.
If a card shows unusual activity they call you and if they don't get a
response pretty quickly, they invalidate the card.
On 11/9/2011 10:31 PM, firstname.lastname@example.org wrote:
the chip and pin has already been cracked
I expected that might be true. If it is made by humans, another human
can defeat it.
When I was in the computer biz I showed the bank that their ATM was
vulnerable to attack. I found the leased line, in one of those phone
company splice gravestones you find along the side of the road and
hacked into the ATM. Granted I did have the encryption key (a trivial
one BTW) but I was able to send the ATM the command string that had it
pumping out money, thinking it was talking to the bank. On the bank
end they were just seeing the proper response to its "Hey mon, you
dead?" poll. I had a fairly sophisticated piece of test gear but I bet
I could have done it with a laptop and a Bi sync modem.
I assume they got smarter in later generations of ATM.
The CC companies couldn't care less about fraud or making it safer for
the customer. The reason for "high fees and interest rates" seems
pretty self evident.
The whole industry is a rip-off and different states regulate it
--or not!-- in different ways. CA initially issued universally
usable ATM cards. You could go into most any retail store and either
buy merchandise or request cash, money pulled directly from your
checking acct, with no involvement by the CC companies, whatsoever.
Unlike debit cards, where CC companies get a piece of the action.
I moved from CA to CO. The banks, here, claim no such practice has
ever existed anywhere. This I found hilarious, as the bank I was
trying to open an account at here in CO also has branches in CA
that do exactly that. Whether or not CA still has usable-everywhere
ATM cards, I do not know, having moved 3 yrs ago.
Which is why I refused to use one. A CC card transaction can be
disputed. Not so a debit card.
I originally stated "almost" any/everywhere. In the 20 yrs I used
one, that was pretty much the case. I was almost never refused a
transaction by ATM card. That included restaurants, mini-marts, gas
stations, box stores, dept stores, etc. Most stores in a mall always
accepted ATM cards as payment, including Penny's, Sears, Macy's, etc.
Granted, cash-back was pretty much limited to large sprmkt chains, but
I could always get $100+. Also, any ATM machine, including other
banks, would honor any ATM card, for a flat fee.
Here in CO, an ATM card is good only at the issuing bank's branch ATM
machine, PERIOD, end of story. In short, they're useless for general
transactions. Commercial machines here in CO dispense cash only for
They are/were known as Visa Electron and Mastercard Maestro cards. Unfortunately
my bank stopped offering them a few years ago. Also known as online only or PIN
based debit cards as they could not be used in offline signature mode.
Horsecrap! They were known as "ATM" cards and were offered by every
bank as far back as the early 80s. Visa and MC were nowhere in the
picture. I used one for 20 yrs and never once succumbed to the debit
card rip-off, even long after they became the norm to clueless plastic
users in CA.
You're missing the complete picture - and I'm assuming we're discussing the US
here, not another country.
You are correct - at first there were just ATM cards. Those cards were only
valid at the issuing bank's ATM machine. Then came regional networks - ie
Cirrus, Plus and a bunch of others. ATM cards branded with those network names
could be used at your own bank plus grocery stores and the like in your area.
The problem was when you wanted to use your card on the other side of the
country or even downstate. That's when Visa and MC stepped in with their
national networks. Each had two types of cards: offline/online, or online only.
The offline/online cards were branded just like the credit cards and banks liked
it when you used them as a credit card because they collected 3% or more in
transaction fees. Stores liked it when you used them in online (PIN) mode,
because the transaction fees were much less.
I haven't looked at the contracts from Visa and MC, but I suspect there are
restrictions on banks that want to offer national branded cards from competing
with themselves by offering ATM only or online only cards. That and it avoids a
lot of consumer confusion.
I've said, in more than one post, this applied only in CA as far as I
know. I now live in CO and I may as well live on Mars. All my ATM
experiences in CA are totally nonexistent, here. I'll not repeat it
Some credit card issuers offer virtual account numbers on their web
sites. Features may vary, but it's a different number than the one on
your plastic card. It's good for only one merchant, and in some cases
you can specify a time and dollar limit. You can also cancel it early.
This came in handy for me when I used a virtual number to subscribe to
an online publication. Deep down in the terms and conditions was an
evergreen clause -- automatic renewal unless I cancelled. I chose not
to renew and forgot about it. When I was notified that "there is a
problem with your credit card" I simply ignored it.
Maybe something unique to where you travel? I haven't seen any small
merchants imprint cards for a really long time. Low end CC terminals
such as the popular Verifone vx-510 are inexpensive:
And even mobile business folks and businesses that set up say at shows
use terminals with embedded aircards like this:
Or swipe adapters for smartphones running a virtual terminal.
My wife and I have a couple of retail businesses established over the years after
we retired. They are not franchise chain stores but we do well. We often
get orders from outside our city as far away as south of the border.
We eat the difference in card processing service charge. That is called
customer service. We only do this for known repeat customers who we
personally saw at least a couple of times. Not for a total stranger first-timer.
If they have to order it from the dealer, why are you dealing with them?
Or not ordering it online yourself, if you know the part numbers? No
disrespect to Advance and the other FLAPS, but that is not where to buy
serious parts, it is where to buy wiper blades and cheaper generics for
non-critical systems where the part isn't model-specific.
But to answer your question, yeah- they wanna make sure you at least
have the card, and aren't just scamming for resellable parts using
somebody else's CC number. They also don't trust their own employees
that much- with a card in hand, they have a virtual paper trail. I don't
recall using a CC over the phone in years, other than to confirm a hotel