
Thread: So Much For Chip & PIN Security

  1. #1
    Join Date
    Sep 2007
    Location
    Longview WA
    Posts
    27,427
    Blog Entries
    1

    So Much For Chip & PIN Security

    Looks like there is already a hack for these.

    http://boingboing.net/2015/11/26/tin...et-simula.html

    jtk
    "A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty."
    - Sir Winston Churchill (1874-1965)

  2. #2
    Join Date
    Apr 2014
    Location
    Davis, CA
    Posts
    249
    Seems to be specifically due to poor security practices by American Express.


    Quote Originally Posted by Jim Koepke View Post
    Looks like there is already a hack for these.

    http://boingboing.net/2015/11/26/tin...et-simula.html

    jtk

  3. #3
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,452
    This has NOTHING to do with chip and pin. This uses the magnetic stripe. This is NOT about bypassing chip security.

  4. #4
    Quote Originally Posted by Phil Stone View Post
    Seems to be specifically due to poor security practices by American Express.
    Yep. And in the US, the chip cards don't use a PIN - you have to sign for the sale. I think there's a couple of reasons for this.

    1. The card companies are afraid you will not remember the PIN and therefore will not use their card.

    2. The processing people charge more to process a transaction with a signature than with a PIN.

    However, people seem to be able to remember a PIN - for example the PIN to get into their smart phone or their bank debit card. So if the user can set the PIN on their card(s), they can certainly remember it.

    Mike
    Go into the world and do well. But more importantly, go into the world and do good.

  5. #5
    Join Date
    Jun 2006
    Location
    The Hartland of Michigan
    Posts
    7,628
    I wonder if Amex has a response to this.
    90% of the merchants we go to don't use the chip anyway. At least not yet.
    Never, under any circumstances, consume a laxative and sleeping pill, on the same night

  6. #6
    Join Date
    Feb 2008
    Location
    E TN, near Knoxville
    Posts
    12,298
    In every place we visit in Europe, EVERYONE uses the chip cards and PIN. From boat tickets in Venice to pizza in Switzerland.

    JKJ

  7. #7
    Quote Originally Posted by John K Jordan View Post
    In every place we visit in Europe, EVERYONE uses the chip cards and PIN. From boat tickets in Venice to pizza in Switzerland.

    JKJ
    Canada as well.

    The only places I've been to that use the chip are Wal Mart and Sam's Club.
    Gerry

    JointCAM

  8. #8
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,452
    Target and Home Depot now accept chip cards. Many places have readers for chip cards, but they can't actually take chip cards yet.

  9. #9
    You're right. I forgot that I used the chip card to pay for my Christmas tree at HD on Saturday.
    Gerry

    JointCAM

  10. #10
    Join Date
    Nov 2007
    Location
    Glenelg, MD
    Posts
    12,256
    Blog Entries
    1
    Quote Originally Posted by Brian Elfert View Post
    This has NOTHING to do with chip and pin. This uses the magnetic stripe. This is NOT about bypassing chip security.
    Yes and no. While it's a bit flip in the magnetic stripe, it's still a valid workaround to the Chip and Pin (by removing it from the equation altogether). The card is made to appear to the machine as if it's a standard non-chip card.

    However, it should be noted this attack will only work for a short period of time (about a year from now). Once the requirement for ALL machines to accept chip-and-pin cards goes into effect, this trick will fail. Essentially, the machine will assume it's an old card that needs to be replaced by the issuer.
    Hi-Tec Designs, LLC -- Owner (and self-proclaimed LED guru)

    Trotec 80W Speedy 300 laser w/everything
    CAMaster Stinger CNC (25" x 36" x 5")
    USCutter 24" LaserPoint Vinyl Cutter
    Jet JWBS-18QT-3 18", 3HP bandsaw
    Robust Beauty 25"x52" wood lathe w/everything
    Jet BD-920W 9"x20" metal lathe
    Delta 18-900L 18" drill press

    Flame Polisher (ooooh, FIRE!)
    Freeware: InkScape, Paint.NET, DoubleCAD XT
    Paidware: Wacom Intuos4 (Large), CorelDRAW X5

  11. #11
    Join Date
    Feb 2008
    Location
    E TN, near Knoxville
    Posts
    12,298
    I don't understand what good the chip card is without the PIN. I thought the real reason for the chip cards was to tie a secret PIN to an encrypted chip that couldn't be copied easily like a magnetic strip.

    A stolen card cannot be used if the PIN is required. Anyone can use anyone's card if the PIN is not required.

    It seems to me that the only value of using the chip without a PIN is it eliminates the physical motion of sliding the card through the slot at the right speed. And just when I got good at that...

    JKJ

  12. #12
    Join Date
    Oct 2010
    Location
    Australia
    Posts
    2,534
    Quote Originally Posted by John K Jordan View Post
    I don't understand what good the chip card is without the PIN. I thought the real reason for the chip cards was to tie a secret PIN to an encrypted chip that couldn't be copied easily like a magnetic strip.

    A stolen card cannot be used if the PIN is required. Anyone can use anyone's card if the PIN is not required.

    It seems to me that the only value of using the chip without a PIN is it eliminates the physical motion of sliding the card through the slot at the right speed. And just when I got good at that...

    JKJ
    http://www.visa.com.au/personal/secu...hipcards.shtml

  13. #13
    Join Date
    Mar 2003
    Location
    Monroe, MI
    Posts
    11,896
    Because the chip is a lot harder to replicate than the magnetic strip. It's very easy to read the data off a magnetic strip of a real card and store it, then later write it onto the strip of another card. Stolen physical cards aren't the big issue.


  14. #14
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,452
    The chip generates a different number sequence for every transaction. If somebody hacks the system and gets that number it will do them no good. No, it doesn't help if someone actually steals your card, but the majority of the fraud has been criminals hacking into computer systems to get credit card numbers in large numbers.

  15. #15
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,452
    Quote Originally Posted by Dan Hintz View Post
    Yes and no. While it's a bit flip in the magnetic stripe, it's still a valid workaround to the Chip and Pin (by removing it from the equation altogether). The card is made to appear to the machine as if it's a standard non-chip card.
    Sure, but the OP's post made it sound like someone had managed to hack the actual chip itself which they have not.

    Considering that I don't think even 25% of merchants have chip card readers yet I don't think this is a big deal. There are many large chains that still don't have chip card readers up and running. A local chain installed new credit card terminals along with a new POS system last summer. They still don't have the chip readers working. (Didn't have credit card terminals at all before.) I find it hard to believe that anyone would install a new POS system in 2015 and not be able to immediately accept chip cards.
