> However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.
Who are these businesses? Seriously, stop issuing cards without chips and send new card readers to these businesses. End of story.
Is it because US businesses use deeply embedded card readers in custom POS machines that aren't modular?
Everywhere I go in South America and Europe, businesses have portable readers. The card companies just sent them new readers and they were accepting chips overnight. Same when NFC was introduced.
The US payment and banking systems are truly maddening.
When Canada moved to Chip and Pin there was no fanfare.
Merchants started getting chip terminals as part of the regular replacement cycle, consumers started getting chip cards as part of that regular replacement cycle, and eventually the terminals started telling users to insert their card.
Interac was the first mover because most people were already familiar with swipe and pin, so the move to chip and pin was a virtual non-event. When the credit card companies moved the issuing banks had to issue PINs, but everyone already knew the mechanics of using it.
The most interesting part is that the US already has the infrastructure to support this. I went to a Walmart in the US and paying with my Canadian credit card worked EXACTLY like it does in Canada - insert card, confirm amount, enter PIN, done. The cashier was a little confused that I didn't need to sign for it, but ultimately they just went with it.
The problem is that there's no equivalent party in the "infrastructure" position in the US that Interac occupies in Canada. There's just 500 different state-level banks, who all license different companies to make their ATM cards. (This is the same reason it took so long for the US to get past two-day ACH settlement.)
For the purposes of accepting these cards as payment (which seems to be a much more common skimmer threat, for example at gas pumps) don't MasterCard and Visa fill this role?
The vast majority of terminals in the US use chip, but I doubt the US will ever require pin numbers for credit card purchases. It's just too inconvenient. Banks are willing to eat the tiny reversed transactions in exchange for making the payment flow more efficient.
What about it is inconvenient? We've had Chip+PIN in the UK since 2006 and contactless payments since 2007 and it isn't inconvenient at all. Supporting card machines are everywhere and in addition portable card machines are extremely commonplace. Even in restaurants they just bring the card reader to the table and you either tap-to-pay or you put your card in and enter your PIN.
You have to remember not one, not two, not three, but several digits. Not only that. You have to look at a keypad. Oh, and you have to push buttons. Not once, not twice, but several times! Pity the poor fool who accidentally pushes the wrong button. More looking at a keypad and button pushing!
Yeah, I don't get it either. My only guess is the customer support calls for forgotten pins are more expensive to deal with than dealing with the incidents of fraud the pin would prevent.
Don't they have to deal with those forgotten PIN calls anyway? Don't you need a PIN to get cash out of an ATM?
My debit card and its PIN are used for a few different things - in-store payments, using the ATM, and authenticating when in-person at a bank. The last one is interesting - each desk at the bank, both the tellers and the offices where you talk to someone, has a terminal and every interaction starts with putting in your debit card and entering your PIN.
Extending this to credit card is no big deal - my main bank syncs the PIN between the debit and credit cards. I only have a credit card with the other bank that I use and I haven't set foot in one of their branches in 20 years, so I have no idea whether they sync the PINs or use their cards for in-person authentication.
Imagine that in this other alien culture, most people were using credit cards for most transactions and rarely ever use their ATM/debit card. They don't have a day to day use for cash so do not frequent ATMs nor do they have much reason to frequent bank branches.
They've been presenting a credit card and making a squiggle with a pen for years and never remembered a PIN at all. Their credit card bill is paid electronically online somehow, either automatically because of a direct debit configuration set up years before or via an interactive banking website. These were authenticated with a web password and perhaps archaic knowledge of a routing number and checking account number. No PIN in sight there either...
Do you say this because you believe that Americans are exceptional compared to the rest of the world? Because the rest of the modern world has made the change without trouble.
It’s because American corporations put profit above all else, and someone probably crunched the numbers and determined that faster transactions make them more money despite higher occurrences of fraud.
When still requested, the signature is often just scrawling something into a signature box on a touch screen of the same device with the chip reader or contactless receiver. There might be some stylus dangling on a tether and often a spastic finger tip is sufficient to satisfy the UI.
Generally (at least in my part of the US) people stopped being asked to sign for small purchases several years ago; usually now convenience stores and big box stores under a certain dollar amount just ask you to tap a button instead of sign.
Signing is very rare these days, non-existent for small purchases... and still seemingly rare for larger ones. I've spent hundreds of dollars in single transactions without signature or pin.
In Ireland I’ve had to enter a PIN for as little as 15 Euros. It’s very variable. Never run into this in Europe before and it’s been something of a pain because I don’t have a PIN on any of my personal cards. Fortunately I found I do have one on my corporate card.
The threshold varies between banks but there is often a limit as to how much you can spend or many times you can use "unverified" contactless payments (i.e. not Apple Pay which forces biometric verification) in a row before it will stop and demand a Chip+PIN transaction instead, to prevent someone who finds/steals a card from spending large amounts without ever needing to know the PIN.
For example, if the contactless limit is £100 and it only allows four contactless transactions in a row, the worst damage that can be done is £400, so banks and card issuers only need to manage the liability for fraudulent contactless transactions up to that amount (Visa and Mastercard call it "Zero Liability" protection).
I am not sure how it works elsewhere, but with NFC I can set a limit for when a PIN is required. And with NFC on a phone this gets preapproved by using biometrics.
The time is moot in almost all situations as long as it doesn’t take you longer to enter the PIN than it does for a cashier to finish tallying items. The concern I’ve heard businesses raise is that people won’t remember it but that’s also a chicken and egg problem since people will remember what they use regularly.
Of course, since it’s the 2020s and not the 1990s we don’t need either since NFC is widely supported and an Apple/Google device transaction secured by biometrics on the client is far better and already widely supported.
I've heard this argument but I honestly don't understand it. This is the reality for making credit card purchases in Canada, having to remember PINs for credit cards is something I've never heard anybody complain about.
Maybe it's because the prevalence of Interac already trained us to deal with PINs.
I want to call out this country wide edict. I've seen this done in both the United States and Canada. I do not know your personal situation, but I'm fairly sure it wasn't across the entire country of Canada.
Except not everyone in Canada requires chip and pin, and the parent comment made it sound like there are no other options with credit cards across the entire country.
Based on my experience both the United States and Canada are usually moving financial tech through different regions and social groups in phases and at different paces.
I'm trying to think of specific examples occurring nationwide and credit card technology just doesn't register. Maybe the removal of the Canadian penny, or paper dollar?
The paper dollar was converted to a coin in the '90s and the two-dollar bill followed suit.
Yes, every card in Canada is chip and PIN except possibly some prepaid gift cards. The same is the case across Europe and Australia and has been for the better part of two decades now.
Exactly. Removal of some of the coinage and paper was nationwide. They are no longer legal tender.
While all cards in Canada may have chip and PIN, no such event occurred where across the nation everyone started using it for every purchase, like there was no transition, nor different options to use with the same card. Consider contactless-enabled card payments as an example (like the original post did).
The assertion that the United States is somehow behind Canada in payment technology because all credit card issuers do not issue cards with chip and PIN seems invalid to me. Additionally the surprise at not requiring signatures. Merchants have been accepting contact-less enabled card payments in the United States, requiring no signature, for quite a while.
The $1 and the $2 notes stopped being issued in 1989 and 1996 respectively. They are not demonetized and you can still exchange such money at any bank in Canada, or the Bank of Canada, for its face value.
>While all cards in Canada may have chip and PIN, no such event occurred where across the nation everyone started using it for every purchase, like there was no transition
What the hell is this supposed to mean? EMV-enabled cards were rolled out as each bank got onboard, replacing cards at expiry with EMV-enabled ones. Eventually no further non-chip cards were issued.
After a while, the same thing happened for contactless as well.
>nor different options to use with the same card.
EMV supports multiple applets per card, so you can absolutely have a debit and a credit card in the same physical card, choosing which you want to use after you insert it into the reader. These are unusual, perhaps because most people seem to prefer separate cards.
>The assertion that the United States is somehow behind Canada in payment technology because all credit card issuers do not issue cards with chip and PIN seems invalid to me.
The United States isn't just behind Canada, it's behind Europe, Australia, and most of Asia, as well.
I can send money from one European country to another in a regulated maximum of 15 seconds 24/7/365 (look up "SCT INST"), but the Americans can't get it from one bank to another in the same country quicker than a day or two (or sometimes three, apparently). Never mind consumers trying to punch in someone's ABA routing and account numbers to pay them... lol nope, hence the mess of insecure third-party services like Zelle, CashApp, etc.
Skimmers aren't really a thing in Europe because everything is EMV, and I don't mean the abortion which is chip-and-signature (although that still proves possession of the original card).
>Additionally the surprise at not requiring signatures. Merchants have been accepting contact-less enabled card payments in the United States, requiring no signature, for quite a while.
Again you speak from whence you know not. Google Pay and Apple Pay use a different CVM, referred to as CDCVM, for which there is no PIN as user authentication is handled by the device (hence the need for a fingerprint or face scan before they can be used). For small transactions plastic cards are permitted to perform contactless transactions without a PIN in most countries for convenience as the risk of fraud is low given the maximum cumulative cap of perhaps €50/$50, configurable by the issuer, before a PIN becomes required, which caps the bank's liability in case of theft (since the cardholder is not on the hook for it).
>The $1 and the $2 notes stopped being issued in 1989 and 1996 respectively. They are not demonetized and you can still exchange such money at any bank in Canada, or the Bank of Canada, for its face value.
Since January 1, 2021, the Canadian $1, $2, $25, $500 and $1,000 bank notes are no longer considered legal tender. Essentially, this means that you may not be able to use them in cash transactions.
===
>> While all cards in Canada may have chip and PIN, no such event occurred where across the nation everyone started using it for every purchase, like there was no transition
> What the hell is this supposed to mean? EMV-enabled cards were rolled out as each bank got onboard, replacing cards at expiry with EMV-enabled ones. Eventually no further non-chip cards were issued.
> After a while, the same thing happened for contactless as well.
Again, I am explicitly making the claim that it is misleading to suggest Canada was ahead of the United States by mandating all credit cards have chip and PIN, because by then you could do the same thing with contactless (signatureless transactions, with the benefit of not using a PIN) just like in the United States.
>> nor different options to use with the same card.
> EMV supports multiple applets per card, so you can absolutely have a debit and a credit card in the same physical card, choosing which you want to use after you insert it into the reader. These are unusual, perhaps because most people seem to prefer separate cards.
I'm aware. I've had one.
>> The assertion that the United States is somehow behind Canada in payment technology because all credit card issuers do not issue cards with chip and PIN seems invalid to me.
> The United States isn't just behind Canada, it's behind Europe, Australia, and most of Asia, as well.
I kindly reject your assertion, because you are basing it on Canada requiring all cards have chip and PIN, but not enforcing its usage at all terminals.
> I can send money from one European country to another in a regulated maximum of 15 seconds 24/7/365 (look up "SCT INST"), but the Americans can't get it from one bank to another in the same country quicker than a day or two (or sometimes three, apparently). Never mind consumers trying to punch in someone's ABA routing and account numbers to pay them... lol nope, hence the mess of insecure third-party services like Zelle, CashApp, etc.
> Skimmers aren't really a thing in Europe because everything is EMV, and I don't mean the abortion which is chip-and-signature (although that still proves possession of the original card).
>> Additionally the surprise at not requiring signatures. Merchants have been accepting contact-less enabled card payments in the United States, requiring no signature, for quite a while.
> Again you speak from whence you know not. Google Pay and Apple Pay use a different CVM, referred to as CDCVM, for which there is no PIN as user authentication is handled by the device (hence the need for a fingerprint or face scan before they can be used). For small transactions plastic cards are permitted to perform contactless transactions without a PIN in most countries for convenience as the risk of fraud is low given the maximum cumulative cap of perhaps €50/$50, configurable by the issuer, before a PIN becomes required, which caps the bank's liability in case of theft (since the cardholder is not on the hook for it).
I think we're done talking now, given you keep telling me I don't know what I'm saying, and you are obviously just ignoring the fact that I've been completing contactless, signatureless transactions with my credit card for a significant amount of my purchases made in the United States and Canada since 2008.
I'm curious what actually determines when a pin number or signature is required. I seem to get asked for them pretty randomly, sometimes not at all. It's been this way everywhere I go (currently living in Germany). What does the store actually do with all the signed receipts at the end of the day, anyway?
When I first moved from Canada to the US, before I got an American credit card, I used my Canadian card to tap as I was so used to doing. More than once, the clerk looked at me as though I were a wizard.
That's funny, I had similar experiences moving from the United States to Canada. When most people were paying with their debit cards at the terminal, I would tap my credit card (at the time issued from the United States) and have no signature. Like in your case, some clerks seemed surprised.
I'm unable to measure how "common" it was across two giant land masses with very different populations sizes. My personal story was paying by credit card via tap and requiring no signature, with a card issued in the United States while in Canada, and having people be very surprised at its use.
> Who are these businesses? Seriously, stop issuing cards without chips and send new card readers to these businesses. End of story.
Alternatively - do what Monzo does in the UK and issue cards with a magnetic stripe that is disabled in the backend by default.
If you try to use the magnetic stripe, it sends you an alert that says "Someone (possibly you) tried to pay using the magnetic stripe. Do you want to allow the magnetic stripe for the next hour?"
Then if you travel to a country that relies on magnetic stripe, similarly it sends you a message saying "You have travelled to X - sometimes you may need to enable the magnetic stripe in order to use an ATM. Do you want to temporarily enable the magnetic stripe?"
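The two issuer-side controls described in this thread, the "unverified contactless" cap (a per-tap limit plus a maximum run of taps before Chip+PIN is demanded, as in the £100 / four-in-a-row example above) and the Monzo-style magnetic stripe that stays disabled unless the cardholder opens a temporary window, can be modelled as one authorization policy. This is an added illustration, not code from Monzo or any card scheme; the limit values, the one-hour window, and the treatment of device-verified (CDCVM) taps as not counting toward the run are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed policy values (the 100 / 4 figures mirror the thread's example).
CONTACTLESS_LIMIT = 100          # max amount for a tap with no cardholder verification
MAX_CONSECUTIVE_NO_CVM = 4       # taps allowed in a row before a PIN is demanded
STRIPE_ENABLE_WINDOW = timedelta(hours=1)


@dataclass
class CardState:
    consecutive_no_cvm: int = 0                      # taps since the last PIN-verified transaction
    stripe_enabled_until: Optional[datetime] = None  # None: magstripe disabled in the backend
    alerts: List[str] = field(default_factory=list)  # messages pushed to the cardholder's app


@dataclass
class Txn:
    amount: int
    entry: str          # "chip", "contactless", "cdcvm" (phone/watch, device-verified), "magstripe"
    at: datetime
    pin_ok: bool = False  # True when the terminal verified the PIN for a chip transaction


def worst_case_no_cvm_exposure() -> int:
    """Most a thief can spend on a found card before a PIN is forced (thread's arithmetic)."""
    return CONTACTLESS_LIMIT * MAX_CONSECUTIVE_NO_CVM


def enable_stripe(card: CardState, now: datetime) -> None:
    """Cardholder answered the alert: allow stripe transactions for the next hour."""
    card.stripe_enabled_until = now + STRIPE_ENABLE_WINDOW


def authorize(card: CardState, txn: Txn) -> str:
    """Issuer decision for one transaction; mutates the card's risk counters."""
    if txn.entry == "magstripe":
        if card.stripe_enabled_until and txn.at <= card.stripe_enabled_until:
            return "approved"
        card.alerts.append("Someone (possibly you) tried to pay using the magnetic stripe. "
                           "Do you want to allow the magnetic stripe for the next hour?")
        return "declined:stripe_disabled"

    if txn.entry == "chip":
        if not txn.pin_ok:
            return "declined:pin_required"
        card.consecutive_no_cvm = 0          # a verified PIN resets the unverified run
        return "approved"

    if txn.entry == "cdcvm":
        # Assumption: the device already verified the user, so the tap neither
        # consumes the unverified allowance nor resets it.
        return "approved"

    if txn.entry == "contactless":
        if txn.amount > CONTACTLESS_LIMIT:
            return "declined:pin_required"   # over the per-tap cap: insert card and enter PIN
        if card.consecutive_no_cvm >= MAX_CONSECUTIVE_NO_CVM:
            return "declined:pin_required"   # too many unverified taps in a row
        card.consecutive_no_cvm += 1
        return "approved"

    return "declined:unknown_entry_mode"


def run_demo() -> List[str]:
    """Constructed sequence: four taps, a fifth tap, a PIN transaction, then stripe attempts."""
    card = CardState()
    t0 = datetime(2024, 1, 1, 12, 0)
    results = []
    for i in range(5):
        results.append(authorize(card, Txn(100, "contactless", t0 + timedelta(minutes=i))))
    results.append(authorize(card, Txn(40, "chip", t0 + timedelta(minutes=6), pin_ok=True)))
    results.append(authorize(card, Txn(40, "contactless", t0 + timedelta(minutes=7))))
    results.append(authorize(card, Txn(10, "magstripe", t0 + timedelta(minutes=8))))
    enable_stripe(card, t0 + timedelta(minutes=9))
    results.append(authorize(card, Txn(10, "magstripe", t0 + timedelta(minutes=30))))
    results.append(authorize(card, Txn(10, "magstripe", t0 + timedelta(minutes=90))))
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```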
Gas stations, parking meters, and ticket dispensers at most train/bus stations. They should replace them but I figure the problem is that they are built into giant kiosks.
With gas stations, there is so much more to it than just replacing a card reader in the kiosk, or even just replacing the kiosk itself. You may have to even tear out all of the old networking equipment. https://news.ycombinator.com/item?id=28207062
Thanks, but the post you linked is making me irrationally angry. Why does a gas pump card reader need full internet connectivity?! It's outrageous! Just use the two wires to talk to a head unit in the building! Then it brings up the gas pump advertising screens which are already a sore point for me (two conveniently located stations have these, so I can't go there anymore because I find the accompanying audio intolerable).
The whole situation smells like it involves a lot of vendor lock-in, too (which I always hate to see).
Replacing is not as simple as sending a new terminal. Then you’d have to integrate it with the legacy software workflow and modify the existing furniture at the airport to support a pin pad.
Also, we have your ID and you are going to be clearing security, so we’re pretty certain you are who you say you are, regardless of the physical security of the credit card.
Why is the US a special case though? Every other country replaced these old card machines more than a decade ago. Every other country has airline ticket counters too.
My fruit stand at the farmers market figured out how to accommodate a credit card reader. They did not have to replace any furniture. They literally have no counter space, and managed to make it work. A portable card reader with a pin pad is a solution that can work in all the hard cases.
> Replacing is not as simple as sending a new terminal. Then you’d have to integrate it with the legacy software workflow and modify the existing furniture at the airport to support a pin pad.
The rest of the world figured this out long ago; this is already a solved problem.
I just do not goddamn care any more. The writing has been on the wall for years, and if your business is based around accepting credit cards and you continue to dig your head in the sand, that's on you.
I encountered this in the US a few days ago. It made me angry because it locks out those who don't have a smartphone or aren't willing to install Yet Another App.
It’s relatively common in the US as well, but having a backup is important for visitors, when apps need a forgotten password re-entered, etc. Way too many ticketing and other systems are way too unfriendly for the occasional user as it is without requiring that an app be used.
NFC means I can pay with my watch. I think in China they rely upon phone cameras and QR codes. Great if you've got your phone with you, but I can go out for a run with just my watch and pay using NFC.
Yeah this is what I do, taking my watch out for a run and being able to track my run, etc. Then being able to stop at a shop on the way back for a cold drink or to pick up some groceries and just pay with the watch is so convenient.
Sucks that everything else about smart watches sucks tho. Thanks to Apple making the "pretty" Apple watch, other brands have forgone things like eink/mip displays that get better battery life. :/
I’m in Australia and an American friend who is visiting was shocked at how nearly everywhere from small cafes to supermarkets all support payments with Apple/Google pay and tap and go.
This spring I left a job working with payments in a SaaS for the self storage industry. I don't remember exact numbers but the overwhelming majority of the card present payments we processed were either keyed by hand or swiped with a magtek reader. A great many self storage companies are mom and pop operations that only have one or two locations, often run by retirees to supplement their retirement income. Needless to say they (and the industry as a whole) are highly resistant to change.
> This spring I left a job working with payments in a SaaS for the self storage industry. I don't remember exact numbers but the overwhelming majority of the card present payments we processed were either keyed by hand or swiped with a magtek reader. A great many self storage companies are mom and pop operations that only have one or two locations, often run by retirees to supplement their retirement income. Needless to say they (and the industry as a whole) are highly resistant to change.
In Europe you can buy card terminals for €30 with no monthly fee, and you don't even have to be a registered business entity.
Now that I check, that same company exists in the US too:
We're talking about people often in their 60s or 70s who quite literally hate technology and don't want to spend any money on it unless someone puts a gun to their head. Seriously, the company I worked for had dropped support for windows XP before I ever started there, but they still had some customers running it when I left (this year).
From the POV of these small business owners that SumUp terminal doesn't do anything to help them and if anything makes their life harder. It won't integrate with their business management software (our product) and most likely will have higher transaction fees than their current payment processor. The company I was with offered EMV terminals that were fully integrated with the management software (I helped write the integration), but there wasn't a lot of interest in them outside of larger companies. The small guys in general don't have a lot of incentive to care about information security. One of the other projects I worked on was migrating the management software from using encrypted CC numbers stored in its database to using tokens. When we took away the ability for users to unmask and view the full CC number some of them started saving card numbers in the plain text customer info fields (address, etc.).
Sure, but if the US government was on top of passing legislation to force businesses to stay up to date in order to protect consumers we wouldn't be having this conversation.
> great many self storage companies are mom and pop operations that only have one or two locations
Exactly the type of company that should be getting one of those portable card readers that can be easily replaced.
It can't be harder to enter an amount in the device and ask the customer to insert card and type pin than typing numbers or swiping many times, getting signatures, etc.
What is scary though is how easily the rfid can be read off of a person. It's a great thing to have but card issuers should include some kind of protective sleeve with every card rather than relying on the consumer to be both aware of and able to use an rfid blocking wallet.
Old payment card RFID contactless was really insecure; it basically spat out the data on the magnetic stripe. New contactless is directly tied to the EMV chips and requires the whole cryptographic round trip and such. You can put a protective sleeve around your cards if you want, but it doesn't really add much in real security anymore.
If payment can be authorized through the chip by mere proximity, without any explicit authorization by the owner, then it's still insecure. Of course the thief would need to have an official payment terminal, but those are everywhere.
Technically yes you are correct, but the threat model here is similar to someone grabbing a card from you and dipping it into a terminal chip reader without your permission. This is what the PIN part of chip-and-PIN protects against; the chip part (also applicable to EMV contactless) protects against card duplication and transaction replay.
There is a huge difference between this kind of attack and what an attacker can do with the old scheme of magnetic swipe data over RFID. With the former, the only thing an attacker can do is perform a real transaction in that moment; this transaction leaves behind an audit trail tied to a real merchant (the operator of the terminal) and their bank account. An attacker cannot, however, initiate additional payments without accessing the payment card again, and without access to the cryptographic secrets held by the payment service provider, they cannot extract the card number to use for online transactions.
With the latter, it's equivalent to skimming the magnetic stripe: an attacker can clone the card and reuse it for transactions as often as they'd like for whatever amounts they can authorize. In addition, they will have access to the plaintext card number, which would allow them to use it for online transactions. And absolutely none of this leaves behind an audit trail of how the attacker got your card.
I disabled mine on the card, and exclusively use NFC payment from my banking app. That still requires my explicit authorization and is therefore a lot more secure. I started doing this during Covid when we weren't allowed to touch anything anymore, and I'm not going back.
Maddening maybe, but it's because of the simple equation that the fraud losses from continuing to use swipe and issuing cards without chips are high, but the margins on credit cards, due to the high rates, are high enough to cover it. Carrying a balance on a credit card in Europe and South America is not very common (your bank will grant a decently priced overdraft facility, not the crazy US fees there), and rebates/points/miles are lower, so it just pays for the industry to be complacent here.
Here in Alberta, it's the law that you need to pay before you pump[0]. If you're at a modern pump you insert your card, it does a preauth for some amount (you can select common amounts, like $20 of fuel, or "fill up" which is like $125 or $250 depending on the station), then when you're done it does a purchase for the exact amount.
If you're not at a modern pump, or you're paying cash, you have to go into the store, prepay for something that you think will fill your tank, fill your car, then go back into the store and get your change.
The US is the same, except the pre-auth is set by the gas station owner, so you may need to go inside to pay with a debit card with less than that amount, and large trucks need two transactions to fill up.
I added some gas in Frenchglen, Oregon. Population 11. You went into the store, told the clerk (owner in this case, I'm sure) that you wanted gas, she turned on the pump, then you took a photo with your phone and took it back to her so she could charge you. $6.75/gallon, which was about $2 more than in Burns (population 2766).
She didn't have any problem taking a chipped card but I imagine there are self-serve places that can't. It was only in 2018 that Oregon allowed self-serve in counties with less than 40,000 people. 17 of the 36 counties qualify.
The advice I've seen with credit cards seems to be "always tap if you can" since that's not subject to skimming or stealing a PIN.
There are not many anymore without a CHIP reader, because VISA and Mastercard FINALLY stopped the delay of shifting liability for all fraud to the individual gas station in summer 2021.
Delivers... new gas pumps? Because often with self-serve pumps, the pump and the card reader are one-and-the-same. Probably modular in some internal sense, but not with an expectation of owner serviceability; more "call the manufacturer" serviceability.
It's crazy how I never carry cash anymore. I can't even think of the last time I used an ATM. I often just leave the house with my phone and buy stuff with apple pay.
Also how is magnetic strip still a thing? I thought this was replaced with chip and tap years ago...
Sometimes I don't when my local ATM is down (which seems to happen so often...), but when I can it feels much better to me. No digital records, no potential for this type of skimmer or other scam, don't have to give up my ATM pin, no worrying about my phone running out of charge, able to give it away freely to anyone in need without setting up a digital transfer, the old taco truck still only takes cash, etc.
I will be sad when cash starts to be less accepted. Already there are a (small) number of modern restaurants that don't accept cash in my area.
In my country (Eastern Europe), you can get a code from the bank's smartphone app, to get cash from the ATM, without using a card or pin. Helps with potential skimmer attacks.
In Australia, day to day you can get up to $100 cash out at the grocery store. I think this is safer than the ATM since the readers are generally in use all the time so there is less chance that they have been tampered with. At least, I've never heard of someone getting their card details stolen at the supermarket. And I have heard plenty of ATMs around me being compromised.
It must be in my area, and it seems to be legal at the federal level in the USA.
"There is no federal statute mandating that a private business, a person, or an organization must accept currency or coins as payment for goods or services. Private businesses are free to develop their own policies on whether to accept cash unless there is a state law that says otherwise."
It may be illegal to refuse cash as payment for an existing debt but businesses are free to choose how (and with whom) they conduct business, including which forms of payment they accept.
I'd love to see what happens if I eat a meal, then say, "Sorry, I only have cash."
They can be mad about it, but I don't think I'm breaking any laws by not having their preferred payment method to pay that debt, right? They can even ban me from the restaurant but—for that meal—I can't get charged with theft of services (or whatever the innkeeper laws are that relate to this situation)
Might depend on if there was clear notification before ordering your meal that they don't accept cash. In that case, you've incurred a debt that you knew you would be unable to pay. That might be some sort of fraud but it probably varies by jurisdiction.
They must either take the cash or forgive the debt, no matter what the sign says. If they don't want cash they shouldn't have served you food until they got their preferred payment method, in which case you could just walk out without having eaten and owe them nothing. Since they decided to serve you, then you now owe them money, which you must be allowed to pay back in cash with US currency. This rule is written on the face of the currency itself.
For sure, and I think even a cashless restaurant would take cash rather than let you leave for free. Presumably the ones truly refusing cash are the type that take payment before you incur any food debt.
It isn't in NYC[1]. We have some local businesses that ignore the law, and are (supposedly) being fined daily for continuing to violate it[2]. I'm not sure if the city has managed to collect yet.
Some do. Some you can go in person to pay for the good to be delivered online. Then, some (mullvad) you can mail cash. Don't, in America, they steal it. But you can.
Is it really no digital records, or just fewer/obfuscated digital records? I would think that the ATM keeps track of the serial numbers of the notes it gave you?
As the article says, some smaller outfits still use card stripe data.
The impetus to get retailers to start using the chip was "Liability shift". The payment networks gradually changed the rules (I think in the US pay-at-pump gasoline purchases were last to get this, while big retail stores were earlier) so that the liability if a transaction is latterly discovered to be fraudulent is with the retailer who accepted the dodgy transaction, not the payment network if the retailer didn't use the chip.
But I imagine if you're a little store in the country, maybe you do six card transactions per day, almost all of them with customers you know personally who just find the card more convenient, liability shift isn't a huge worry for you, while the cost of a new payment terminal is a significant issue.
The actual payment infrastructure doesn't care about any of this. Those old impression machines? Mag stripe? Put the card in manually? Tap your iPhone? In all cases the actual transaction which moves money, "Settlement", just needs the account number to take money from and the amount to transfer. These different methods have different "Authorization" behaviour, but Authorization is about mitigating risk for the retailer and the bank, and is only very tangentially intended to have any benefit for you, the customer; it doesn't move money, and it isn't mandatory.
In my experience, the mom and pop outfits usually have a reasonably modern system from verifone/square/etc that accepts tap to pay; it's the giant behemoths (e.g. USPS or Lowe's) where I'm more likely to encounter antiquated payment tech.
Good point. Not only do I still have cards with mag stripes, I still have some with embossed numbers. And probably half of the people with credit cards are younger than the date when that was obsoleted.
A hotel I stayed at actually made an impression from my card in... I'm going to say maybe 2015 (I'm pretty sure this is before Trump, but it's after Marvel started re-publishing Miracleman). Hotel somewhere in the middle of Nottingham. Room nice enough, but no actual card machine.
There’s a pizza joint down the street from me that was still using one when the pandemic started. I would call them to order and they’d show up with the impression machine. I couldn’t use my Apple Card to pay with them.
If your phone breaks or you lost it, if there is no connectivity, if apple decides to cancel your digital existence, then what?
And it means everything you buy is associated with you and recorded forever to be sold to endless advertisers (and worse) and the transaction may be blocked by third parties.
If you pay cash it works without depending on anything external (no internet, no electricity), it is not traced, it can't be blocked by third parties.
Cash is the optimal payment mechanism for nearly everything. It only is inconvenient for very large payments, but for anything day-to-day, opt for cash.
Cash is only optimal for privacy, not convenience or availability or speed or security.
If my credit card is stolen, I get my money back (so long as I reported it in time, and didn’t surrender to them my pin). Not so with cash.
Cards take a second or two to process payments on average. Not so with cash.
My bank account / credit card limits always have enough to cover my purchases, whereas my physical wallet might be low/empty and require a trip to the ATM / bank for a withdrawal.
Re internet/electricity outages, this is rare enough not to be a concern. POS can also do offline transactions just fine if you have power but no internet. And a lot of retail and critical infrastructure places have both wired and cellular Internet links for high availability.
There is definitely still a place for cash, but it’s not a big thing for a lot of people anymore.
The last time I used cash it was because my kid threw up in a taxi and I needed to quickly make it up to the driver. Yes I could have paid card as well, but seeing the physical cash was likely more meaningful to de-escalating the situation.
> Cash is only optimal for privacy, not convenience or availability or speed or security.
Security == privacy. And cash certainly wins availability by a long shot, it can't be blocked by any kind of outage. Convenience is arguable I suppose. I'd rather hand over cash than deal with anything electronic that can fail.
> If my credit card is stolen, I get my money back (so long as I reported it in time, and didn’t surrender to them my pin)
Credit cards don't have a PIN, that's a debit card. But yes, you get the money back from fraud with a credit card, that's true.
> Re internet/electricity outages, this is so rare enough to not be a concern.
Depends where you live I suppose. In many areas electricity outages are a daily occurrence.
> In many areas electricity outages are a daily occurrence.
I’ve lived in 4 continents, never had daily, weekly, or even monthly outages.
> Security == privacy. And cash certainly wins availability by a long shot, it can't be blocked by any kind of outage.
If you don’t have enough cash in your wallet then you don’t have any availability. If you have an internet outage your debit/credit cards still work offline.
Also security does not equal privacy. If you are living in a state where this is true, you have bigger issues with the entire system than ATM skimmers.
> Credit cards don't have a PIN, that's a debit card.
Everywhere I have lived bar the US has PINs on all card types. It’s only a matter of time before it becomes ubiquitous in the US too.
Generally in Europe, when a card is inserted into a terminal for a chip transaction, PIN entry is required. There is no particular delineation between whether it's credit or debit like this. Contactless transactions have a small percentage chance to request PIN, but contact transactions always do it, as all European cards (AFAICT) have put the PIN CVM ahead of the signature CVM, or just dropped the signature CVM entirely, for around 20 years now.
I wasn't aware that Chip+Signature cards even exist in Europe.
Whereas the US is all over the place with different methods for different cards, and mag stripes still in use, sometimes requiring you to enter a PIN alongside that, all largely driven by retailer reticence to update their hardware.
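The CVM ordering discussed above is literally a list the card hands the terminal: the EMV CVM List (tag 8E) is two 4-byte amounts followed by 2-byte rules, each a CVM code plus a condition, tried in order. The decoder below is an added example, not code from the thread; the two sample lists are constructed to mirror a European PIN-first card and a US chip-and-signature card, not read from any real card.

```python
"""Decode an EMV CVM List (tag 8E) and report whether PIN is tried before signature.

Encoding per EMV Book 3: 4 bytes Amount X, 4 bytes Amount Y, then 2-byte
Cardholder Verification Rules. Rule byte 1: bit 7 (0x40) = "apply the next
rule if this one fails", bits 6..1 = CVM code. Rule byte 2 = condition code.
"""

CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}

CONDITIONS = {
    0x00: "always",
    0x01: "if unattended cash",
    0x02: "if not unattended cash, manual cash or cashback",
    0x03: "if terminal supports the CVM",
    0x04: "if manual cash",
    0x05: "if purchase with cashback",
    0x06: "if under X value (application currency)",
    0x07: "if over X value (application currency)",
    0x08: "if under Y value",
    0x09: "if over Y value",
}

# Any CVM that involves a PIN (offline plaintext, offline enciphered, online).
PIN_CODES = {0x01, 0x02, 0x03, 0x04, 0x05}
SIGNATURE_ONLY = {0x1E}

# Constructed sample data (not from a real card):
# European style: offline PIN, then online PIN, then signature, then no CVM.
EURO_CHIP_AND_PIN = bytes.fromhex("00000000" "00000000" "4103" "4203" "1E03" "1F00")
# US style: signature first (with fallthrough), then online PIN, then no CVM.
US_CHIP_AND_SIGNATURE = bytes.fromhex("00000000" "00000000" "5E03" "4203" "1F00")


def decode_cvm_list(data: bytes) -> dict:
    """Parse tag 8E into amounts and an ordered list of rule dicts."""
    if len(data) < 8 or (len(data) - 8) % 2 != 0:
        raise ValueError("malformed CVM List: need 8 amount bytes plus 2-byte rules")
    amount_x = int.from_bytes(data[0:4], "big")
    amount_y = int.from_bytes(data[4:8], "big")
    rules = []
    for i in range(8, len(data), 2):
        b1, cond = data[i], data[i + 1]
        code = b1 & 0x3F
        rules.append({
            "code": code,
            "method": CVM_CODES.get(code, f"RFU/issuer-specific (0x{code:02X})"),
            "fallthrough": bool(b1 & 0x40),
            "condition": CONDITIONS.get(cond, f"issuer-specific (0x{cond:02X})"),
        })
    return {"amount_x": amount_x, "amount_y": amount_y, "rules": rules}


def first_index(rules: list, codes: set):
    """Position of the first rule whose CVM code is in `codes`, or None."""
    for i, rule in enumerate(rules):
        if rule["code"] in codes:
            return i
    return None


def pin_precedes_signature(data: bytes) -> bool:
    """True when the card asks for a PIN before (or instead of) a paper signature."""
    rules = decode_cvm_list(data)["rules"]
    pin, sig = first_index(rules, PIN_CODES), first_index(rules, SIGNATURE_ONLY)
    if pin is None:
        return False          # card never asks for a PIN at all
    if sig is None:
        return True           # signature CVM dropped entirely
    return pin < sig


if __name__ == "__main__":
    for name, blob in (("EU", EURO_CHIP_AND_PIN), ("US", US_CHIP_AND_SIGNATURE)):
        decoded = decode_cvm_list(blob)
        print(name, "PIN first:", pin_precedes_signature(blob))
        for rule in decoded["rules"]:
            nxt = "-> next" if rule["fallthrough"] else "-> fail"
            print(f"  {rule['method']:<38} {rule['condition']:<42} {nxt}")
```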
No connectivity for the retailer's device, not for the customer device.
There are also quite a few payment terminals that still do dial-on-demand to get authorisation from the merchant service provider (Chip&PIN/NFC Contactless).
I still see those in the UK especially at independent fuel stations. The additional delay waiting for the terminal to dial and connect sometimes makes me think it has failed - had a few occasions where the line was busy and the terminal redialled several times before it finally made it!
Offline transactions are available in many systems up to certain limits defined by both the card and the terminal. They get reconciled later.
Merchants not having connectivity is a rather small problem in this day and age really, with ubiquitous mobile data connections. (Yes, I am aware someone will be along shortly to tell me they have yet-another-edge case where it doesn't work for them. I don't really care, for the vast majority it is a massively convenient way to conduct business.)
Carrying cash is more common in NYC due to many small businesses there being cash-only. For instance, halal food carts are cash-only. As a result, there is higher ATM usage in NYC where these ATM skimmers were found.
Even the halal food trucks are starting to accept credit cards. I know of at least two in Brooklyn that have a reader, however they do require a minimum payment (usually $8 or so).
I'm the exact opposite, I always use cash. The only time I use a card is when I'm purchasing online. I find it far more convenient and I can pay for and buy things without worrying about people's card systems being up or skimmers or anything like that.
The Dairy Queen I stopped by today used a mag stripe reader but it is becoming increasingly uncommon. The local grocery store had to revert to using it twice last year when there was something wrong with the chip approval process. This was on all registers so I don't think it was the readers themselves that were the issue unless perhaps they had received a bad update that was later corrected.
But it does seem like the more secure these systems are getting, the less robust they are. Perhaps that's just one of the tradeoffs we have to accept. The college football season started with a game between Nebraska and Illinois in Dublin, Ireland. The beer at the game was free because there was a technical issue with the payment provider. Being a "cashless stadium", they simply had no way of accepting payment.
My recent cards (and not only mine, I saw that happen with other people's cards too) just tell the terminal they can't be used by a mag stripe at all. I assume that a terminal without a smartcard/payless reader should allow a mag stripe read, but I haven't seen them for like... 10 years? But I'm not in the US of A, for that matter.
Same, to be honest I feel like I haven't seen actual money in years. I'm always surprised how much it changes every time I get close enough or actually handle a bill.
To be fair though, after seeing physical Canadian money (got some bills and coins for my son), US money isn't nearly as cool.
The chips on my card have a habit of not working, and my bank doesn't give NFC "tap" cards. Mag-stripe has saved my bacon a couple times after the chip wouldn't read.
And the fancy Amex tap card barely works -- Apple Pay is more reliable.
I'm left handed and had a lot of trouble using tap until I realized my thumb was covering/shorting out the chip. If I hold cards in my right hand tap works great.
I often just leave the house with my phone and buy stuff with apple pay.
I admire your uncomplicated, predictable life.
Sometimes I want to buy something from a guy with the ice cream cart at the park. Sometimes I need to tip a valet, a doorman, a hotel maid, or another service worker. Sometimes I want to buy Girl Scout cookies from the girl with the table on the corner. Sometimes I want to buy something from one of the 35 million Americans without a bank account. Sometimes tow truck drivers take cash only. Many of the late-night restaurants and food carts in my city are cash only.
Some day I'll go cash-free. But my life is not yet that simple.
I think it's clear the person you're replying to isn't from the US since they seem unaware of how prevalent even magnetic swiping is in the US (or was when I left before the pandemic, when I visited a few months ago it seems interest in contactless has finally started to catch on).
Also from the US. The last business I encountered that insisted on swiping cards was this past Spring, a toy vendor in a local mall. Contactless is normal, and my issue is I will sometimes want to pay someone a tip that only takes Venmo which I just don’t have nor want to have.
Cash-only is far more prevalent than card swiping, and even that is incredibly rare.
I pay other people with venmo but refuse to accept payment (I'd literally rather just forgive the debt) for exactly that reason. I don't trust paypal, so they do not get access to my account.
I am from the US! Probably living in the Bay Area has influenced my ability to use tap to pay almost everywhere now. Covid definitely accelerated this though.
As for parent claiming my life is “uncomplicated” and “predictable” I won’t say they’re wrong. I have a pretty boring yet comfortable life.
The only thing that has changed in the past couple years is that a few more of the larger gas stations chains have renovated with new chip readers. Most small businesses are switched over.
You can still count on old gas pumps and pay parking kiosks using mag stripes.
US person here, I can do this too, but in a limited fashion. In fact the donut shop in my circuit used to be cash-only but eventually relented because of the pandemic.
> Sometimes I want to buy something from a guy with the ice cream cart at the park.
The ice cream van that comes past our house is contactless card-only.
> Sometimes I need to tip ...
Ugh, tip culture!
> Sometimes I want to buy Girl Scout cookies from the girl with the table on the corner
She's probably got Square.
> Many of the late-night restaurants and food carts in my city are cash only.
Where they exist, they're more often card-only here.
This is not to say one is superior to the other, but it is very geographically and culturally dependent. If I had to choose to leave the house with either my Apple/Android-pay enabled phone or a pile of cash, the phone would get me a lot further in this country.
Someone tried to tip the valet in my garage with Venmo once. It turned into a near 20-minute ordeal with half a dozen people backed up behind her waiting to get their cars.
As a double advantage, it ensures the workers' tips are 1099-K'd when their venmo hits $600 aggregate and they can't weasel out of the social contract of paying up for muh roads.
This is, as far as I know, only true if you use the business "mode" in venmo. I certainly take in a lot more than $600 in aggregate per year via venmo (passthrough rent), and don't get a 1099-k.
Slight correction: it is true if the sender marked that payment as for "goods and services" on the confirmation screen[0]. When you are about to make a venmo transaction, there is a toggle for it. Afaik, it is fully up to the sender.
1) That makes sense because the $600 threshold has never existed before. The first time this will ever be reported at this threshold is this year. According to Secretary Yellen the threshold was lowered to $600 because people earning that much are high-income billionaires that need to be held accountable.
2) In non-business "mode" it's still not your choice if the sender tags it as 'goods or service.'
3) Customers and Workers may be wary to potentially violate ToS by defrauding Venmo and/or the IRS by falsely tagging a transaction that there is an easily electronically auditable record of. Venmo ToS explains your account may be terminated and funds 'held' if you do this, and tons of random people sending you money on a regular schedule is easily identifiable as not 'friends and family.' This is far easier to trace than someone putting $200 in singles in a drawer at the end of the night and spending $20 x 10 at the grocery store.
4) Your 'pass-through' rent situation is far less falsely identifiable as goods and services income. 2000x people sending $5 over a year is far more identifiable to a computer than the exact same few people sending you $1k a month or whatever. A very large number (high hundreds to thousands) of nodes sending small amounts over the course of the year easily 'sniffs out' someone providing goods/services and can be bet on to be found out by Venmo compliance sooner or later.
I've caught and reported two pumps at fuel stations near where I live. One of them I watched when the police showed up and with the fuel station employee removed the BLE module storing the data.
I think though for gas pump skimmers, there are devices that plug into the pins of the OEM card reader and just copy the data straight from the OEM card reader. (The thieves just get a universal gas pump key to open up the cover and install their device inside the pump, which is why you see those tamper stickers.)
Yeah, I've seen a few different implementations of this. The pump one I was able to watch them remove had a clone skimmer attached where your card goes which sent its data to a bluetooth module hidden inside the service door.
That's a really cool store. I'm surprised they went all in on SAM MCUs for lots of their stuff, as I don't think the Atmel SAM product line has much of a future since being purchased by Microchip (although that was 6 years ago).
Is anyone else annoyed that:
- We could have had chip & PIN, but for some reason (I'm guessing it's to do with how merchants take the hit for card fraud and VISA + MC think having to punch in a few numbers each sale will lead to fewer sales)
- Those tap targets on CC readers sometimes aren't where the antenna is, and you have to rub your card all over the reader to get it to work?
- Chip transactions take way longer than tap transactions, like 10 seconds? Why?
Contactless transactions using your phone are fast, secure and easy. Over time they will replace almost all current usage of chip & pin or magnetic stripe.
Charged for what? I have payment options on my phone so I don't have to bring my wallet everywhere. Works great, even for public transit and it's the same price as the card.
Charged as in has a full and operational battery. A card with a chip in this does not require that. I can also intentionally give someone else my card to effect a purchase and neither myself nor my phone actually has to be there.
Fraud clearly hasn't had a deleterious effect on the entire system, and the penalties for fraud align incentives to fight fraud properly. It's not such a large problem that I'm willing to take steps backwards in terms of functionality and privacy to digitize my purchasing.
Wouldn’t it be cool if payment terminals were also Qi enabled so even if the phone was dead it could provide enough power wirelessly to enable payments to be made?
That's actually already how NFC works. The chip being read doesn't need its own source of power – the EM field in the terminal induces a current in the target NFC chip and then uses that same EM field to read the contents. That's why your contactless debit card doesn't need a battery.
Powered devices like a phone have read/write NFC chips that the device will write data to on demand, usually waiting for some form of user auth to make it secure, e.g. an iPhone keeps the NFC chip empty until you specifically request to pay for something, at which point it authenticates you (e.g. with FaceID) and then writes the data to the chip which can then be read by the terminal to authorize payment. Once payment has been made it wipes the NFC chip again.
But a device can have some payment info written to the NFC chip at all times, which is what iPhones do when you have the "Express Transit Card" option enabled – with certain authorized vendors, that payment data stays on your phone's NFC chip indefinitely, so you don't need to auth with FaceID and even when the phone is out of battery it can still be read by those authorized terminals.
If your threat model is a modern phone running out of battery, I suggest an external battery pack. Portable, powerful, and allows you not to carry a slow chip and pin.
Maybe I've picked the wrong phones, but I've also found them to occasionally completely die without any advance warning even if treated carefully, so I remain a bit wary about using them for anything ultra-critical.
And mobile phone providers over here don't guarantee even two nines of reliability, never mind that even 3½ days of no service per year is already too much for some critical things, like being able to get at your money.
And the local public transport association for example tries to disclaim any responsibility for any sort of problems if you're using their mobile ticketing app – if it doesn't work, tough luck, your problem, buy a new ticket or pay a fine. Even if you've bought a monthly season ticket there are no special provisions, and the rules don't even differentiate between technical issues caused by myself [1], those caused by third parties (like the mobile service provider) or those caused by the public transport provider or its app developers themselves.
[1] Although while I can take care to keep it sufficiently charged, not letting it fall to the ground or whatever, I still can't prevent it from just randomly dying anyway, or the manufacturer issuing some borked update or whatever
Personally I hate the idea of always needing a phone with me -- I leave mine at home most of the time, just using my wallet and NFC transit card to get around.
Difficult to overstate how much you're in an extreme, extreme minority position if you own a smartphone and don't carry it around pretty much everywhere.
That's one of the primary things for me too. Even as a guy with usually large pockets I find it annoying to walk around with them in my pocket, especially in the summer.
Plus on the bus or train I usually use a book or my Kindle, so it's easy to forget the phone.
You may think that, but get an Apple Watch or other smart watch that can do it. 10x better than the phone was. Don’t need to get anything out of your pocket or even carry the phone in the first place.
You can also tap with the card but you'll have to enter the PIN if you're paying more than some amount (different for different currencies and/or banks).
I have OP’s problem too. When there’s an icon it’s easy, but some terminals (older ones?) don’t have the icon anywhere but support the functionality so you just have to sort of try to figure out where it is.
It can also be a problem on small terminals. The bigger ones have plenty of room, but sometimes the small ones put it awkwardly on the back where you would never look for it.
The really annoying part is that some terminals beep when the card read is done, while others beep at the start of the read, meaning if you are primed for the first type, you will prematurely take your card away and cause an error, requiring a second attempt.
This gets me every time
I actually find the "Square" based nfc readers to be the best. There's no real feedback because it's just a tiny, watch sized brick that you pass your card anywhere in the vicinity of and it reads it so fast you basically can't screw it up.
Maybe you only go to stores that happen to use a specific brand of reader? About a third of the machines I tap on place the sensor somewhere different from the icon, and the staff just continually tell people to tap some other hidden location like a specific corner or the bottom middle of the screen. (Colorado and California)
How am I supposed to remember good PINs for the ten-ish payment cards in my wallet without writing them down (probably on the card itself), setting them all to the same thing, or setting them to poor choices?
Setting them all to the same is probably not unreasonable.
You could also do something like set the PIN for a given card to the security code backwards or to the last two digits of the account number concatenated with the first two digits of the security code.
Either of those should be fine under the threat models applicable to most HN readers.
When I take the NYC subway, which now accepts contactless payment at the turnstile[1], I simply hover my card or device over the terminal and it completes the transaction in less than a second. Is there some trickery happening here? Why are tap transactions taking 10 seconds in other cases?
This makes me wonder who manufactures these. Are they made as custom devices by a criminal group to commit the crime? Are they manufactured in another country -yes, that one- and you can buy them on the darknet? Did the group buy one of these ATMs to build the skimmer or possibly get inside information from someone at the company?
You don't even need the darknet; there are plenty of clearnet carding forums. Just search "carding forums" — they're right there, hanging about in the open, all Google-visible and everything. (There are dark-web ones, too, but they're not really any different than the clearnet ones.)
From a few cursory searches, it seems like 1. people generally build their own skimming tools by following guides; and 2. this isn't organized crime, but usually just some really obsessive individuals thinking they can get rich quick.
(If you think about it, the incentives for selling the skimming tools themselves are all wrong: if someone with sloppy OpSec buys your tool and uses it, and it gets into the bank's hands to be studied, they've now ruined it for all your other customers.)
This is why I really like the added security of the new Apple magnetic wallet I got. The wallet holds your cards and attaches to the back of the phone using magnets. While the inside of the wallet is magnetically shielded, I’ve found it’s nearly impossible when actually handling the magnetic wallet not to accidentally pass the card past the outside of the magnetic wallet. I have found that my card no longer works in pure magstripe readers such as parking meters and other older devices. Having ruined my magnetic stripe, Apple has protected me from mag stripe attacks. An idea so bold, no one but Apple could have thought of the magnetic card wallet.
Can't have a mag stripe vulnerability if there is no more mag stripe; such a simple and elegant solution is tradition for Apple (can't have a broken home button when you don't have one!)
Do you mean that credit cards in other countries don't have magnetic stripes, or just that nobody uses them?
Living in Canada, there's basically no instance where we'd swipe our credit cards, but they've still got mag stripes; and when I visit the US, I sometimes have to swipe my card, and it does work to do so.
> Do you mean that credit cards in other countries don't have magnetic stripes, or just that nobody uses them?
I don't know about other countries, but a few days ago I got a new Visa card in France. It still has the magnetic stripe. I'm not sure if I've ever seen it used here, but a few years ago I think they were still in use in German gas stations (at least).
Some banks have a nice feature where they allow you to disable the magnetic strip of the card. I presume the information is still physically on the card, but they can somehow know that the payment was done that way and decline it.
I’m in the UK, my cards still have the stripes but in my entire life (I’m 27) I’ve never used it. I don’t even think the card payment terminals we have here have the reader for the stripe anymore.
In Europe, most still have the stripe, but often you can't do magstripe payments unless you enable it beforehand through your bank's app or similar (which is often temporary and disables itself again after 24 hours). I've only ever had to do that when travelling outside of Europe. Most terminals here can't even read the magstripe (and there are even some NFC-only ones).
The card brands are just now beginning the process of phasing out actually putting magstripes on the card. The USA will be a bit later, but over the next few years they’re going to start disappearing from cards.
You're right. Poor choice of words. I seem to recall it's around 2025ish where most cards won't have mag stripes. Mag stripes only exist today because of the US. Everyone else uses the chip for either chip and pin or tap.
So you mention lower in the thread that in fact you didn't get the new Apple magnetic wallet, but actually a 3rd party wallet and just assume Apple's will have the same problem.
That seems like a distinction worth mentioning, especially with the first comment on the article.
While it seems reasonable that Apple's wallet might have the same problem, you don't actually know.
Yes, I didn’t realize how seriously people would view this until after I could no longer edit the comment. I mostly thought my story was funny. Though it is true that my Popwallet demagnetized my cards due to the ease with which one can accidentally contact the non-shielded exterior of the magnetic wallet with the magnetic card. As I said down thread, Apple intentionally designed a wallet that has to have relatively powerful magnets on the exterior. A lot of people in thread are claiming their Apple wallet hasn’t demagnetized their cards, but they have not confirmed if they’ve accidentally contacted the magnetic exterior of the Apple wallet with their card. Obviously the inside of the wallet is shielded and I don’t believe my card was demagnetized due to poor shielding, but by accidental contact with the magnetic face of the wallet during handling. Apple is clear in their marketing materials that the inside of their wallet is shielded, but they say nothing about risks associated with accidental card contact on the magnetic exterior of their wallet. And this is the situation of concern for me. Perhaps they use much weaker magnets than Popwallet, and you’re right that I can’t say for sure, but I suspect they still use reasonably powerful magnets and accidental contact with a magstripe on the magnetic side of their wallet could pose a problem for cards.
Your original comment was funny, and the ones making fun of you for the sort of important, uh, tweaked detail are also funny, so you are 2 for 2 if the intent was to lighten hearts.
The problem is with the system Apple designed. They have a small removable wallet with magnets on the back. While I’m using a Popwallet brand wallet with my iPhone, the way it is designed I don’t think the official wallet would be any different. It has to have one side with exposed magnets per Apple’s design, and when handling the removable wallet I’ve found myself accidentally touching the magnetic side with my card. I genuinely don’t think it would be different with the official wallet.
Well my thought on "pop sockets" is when one of your flagship products needs another product for people to hold it... some one f'd up and is not there anymore to call out the bs.
You don't actually need them to hold the phone though, just some people want to hold on to less of their phone to keep it on their hand. I personally just hold on to my phone with my own hand.
Perhaps the large phone is not for you, but rather for people with large hands.
People never complain that tiny devices are too small for their big hands — they correctly conclude that they're made for children or for adults with small hands. But for some reason people expect to be able to use huge phones and phablets with regular-sized hands, rather than accepting that they're intended to be comfortably held by people with huge hands, who find regular-sized phones too small.
Yeah, OP clarified he was using another brand's wallet lol. Weird to dunk on Apple implying they underengineer their products. Engineering and (probably) precision manufacturing some magnetic shield is exactly the kind of thing Apple would do.
From [0]:
According to Apple's site, "the leather wallet is shielded so it’s safe for credit cards." That shield protects both Low Coercivity (LoCo) and High Coercivity (HiCo) cards — which is a fancy way of saying how resistant something is from being demagnetized. So, LoCo cards are considered things like hotel keys and gift cards while credit cards fall under HiCo.
Sorry if I wasn’t clear, but I’m saying that it’s easy when handling the small removable wallet to accidentally touch the non-shielded side of the wallet. Both my Popwallet and the Apple wallet have essentially the same design. A shielded pouch for credit cards, and a magnetic backing that attaches to the phone. The magnetic back cannot be shielded on the side that attaches to the phone, or it wouldn’t attach to the phone. The problem is not insufficient shielding on the inside of the wallet, the problem is the way apple designed the system. Apple designed a small removable wallet with magnets on one exterior face of the thing. When handling the magnetic wallet I’ve found myself accidentally touching my card to the unshielded side of the wallet. I think the way apple designed it, their solution is “don’t do that”, but it’s very easy to do.
Brand new Visa Debit card from Chase Bank. I’d have thought it was one of the good ones. I should say I’m actually not using the official Apple magnetic case but the Popwallet brand which includes a little finger holder thing. Perhaps they’re using more powerful magnets than apple.
One, it is a light-hearted comment. I’m mostly just having some fun. Two, I suspect that the official wallet would have the same problem. The point is that Apple designed a system where the wallet has to have magnets in it. The official Apple product documentation states that there are in fact magnets in their wallet. And yes, just like my Popwallet brand, the inside of Apple’s wallet is magnetically shielded. The issue comes when you are handling the small removable wallet and your cards together. If you place your card next to the side of the wallet with magnets, you’re exposing it to the magnet without any shielding to protect your card.
I don’t have an official Apple wallet to test, but Apple repeatedly makes the same claim as the Popwallet - that the inside of the wallet is shielded. I think the problem is that Apple designed a system where cards and magnets are close together, and during handling it is easy to expose the card to the unshielded side. This is why I think it is appropriate to jab at Apple.
Which problem? People are misunderstanding me and thinking I am saying that the problem is poor magnetic shielding, aka that the cards when properly stored in the wallet are being demagnetized. But what I am saying is that when handling the wallet it is easy to accidentally touch the card to the outside of the wallet where the magnet is. Are you saying you can rub your cards on the outside of the magnetic wallet, on the magnet, and not demagnetize your cards? I’m still trying to determine whether people are talking about touching the card to the magnetic side of the wallet or they think I’m referring to putting the card in the wallet and having a failure due to poor shielding. I’m not talking about the latter.
I’m mostly having fun, but Apple’s official wallet also has magnets on the back. The point is Apple designed a system where a small removable wallet needs to be handled with your cards. That’s Apple’s system design. And I suspect that you would encounter the same issue with Apple’s official wallet. Just like my Popwallet, Apple says the inside of the wallet is shielded. But the outside cannot be shielded as it has to magnetically attach to the phone. So unless the Apple wallet has much weaker magnets, in which case it would fall off the phone easily, then it’s going to have the same issue. The problem is with the system Apple designed.
Is it? Numerous people up and down this thread who do use the official one have told you they've not experienced it, so I'm not sure your assumption holds.
They’ve not experienced the issue when touching a magnetic card to the magnetic side of the wallet, or they’ve not experienced the issue when placing the card in the shielded section? Because what I’m saying is the former is unfortunately very easy to do, and that would be easy no matter which brand holder is used.
The small number of places with older swipe only terminals. Or when the chip isn't working (Lowes has a stripe reader on the register if the main terminal isn't working; mainly used for gift cards though). And finally, an alert employee might not accept a damaged card.
I've seen a few people in the US mention "when the chip isn't working". I don't think I've encountered this... ever? Of course, when the merchant's only alternative is handling cash, maybe there's more incentive to keep the card machine in order.
At best I've found chip reading to work about 60% of the time across a range of local merchants here. And now the debit card I have, which is less than a year old, has a chip which has completely quit working. Making it totally useless for the (thankfully small) number of merchants whose POS systems won't let you fall back to mag-stripe when the chip fails.
As far as I'm concerned, chip cards can get stuffed. They're utter shit in my experience.
That sounds like you are somehow mistreating them, or your local merchants use "special" terminals (or maybe your bank is just using crappy materials). I can’t even remember how long ago it was that swiping worked, but chips have never broken until I cut them for the replacement card, this is over 3 different banks.
> That sounds like you are somehow mistreating them,
I don't think I am. All I do is take it out of my wallet, put in the reader, take it out, put it back in my wallet, lather, rinse, repeat.
> or your local merchants use "special" terminals
That would make sense if we were talking about one merchant, or even just two. But I can go to Barnes & Noble, Lowes, Food Lion, the local corner gas station, Ace Hardware, it doesn't matter, I routinely find the chip readers less reliable than the magstripe reader. I can't explain it, but chips are tainted in my worldview at this point.
> "At best I've found chip reading to work about 60% of the time ... Making it totally useless for the (thankfully small) number of merchants whose POS systems won't let you fall back to mag-stripe"
Here in the UK, many (most?) new payment terminals don't have mag-stripe readers at all. And I expect banks will start issuing new cards without a magnetic strip in the near future, if they haven't done so already.
I agree that chip & pin isn't ideal, not just because of reliability issues but also because of the security risk of PIN disclosure. But thankfully contactless (incl. Apple Pay/Android Pay) has already replaced it for 99% of daily transactions.
But if your card's chip is broken, can't you just get your bank to send out a new one?
> But if your card's chip is broken, can't you just get your bank to send out a new one?
Of course I can. But that means I have to stop and take time out of my day to call my bank and dick around with them. And then if the new card comes with a new number (I don't know if it will or not), and/or expiration date (that almost certainly will change), then I have to login to EVERY SINGLE ONE of the places online where I use that card for some kind of automatic payment and change the payment details. I'm extremely loathe to do that, because it's incredibly tedious and painful, and I always miss one anyway and wind up getting scary emails about how my account is about to be closed.
Sure, my hand will probably be forced on this sooner or later. But as it stands, I just haven't cared enough to deal with all of that.
It might depend on your bank, but if you request it, it should be possible for them to issue a new card on the same account without cancelling the old card.
Your new card will have a new number and expiry date, but the old one will remain valid.
In any case, these days my web browser remembers card numbers and fills them in automatically, so it’s really not such a big deal to update card numbers online.
> It might depend on your bank, but if you request it, it should be possible for them to issue a new card on the same account without cancelling the old card.
That's a good point. I guess I should call them and see if that's an option. If so, that sounds like the best of both worlds.
I could also buy a phone that has NFC / tap to pay support, and link my card to Google Wallet and use that. An awful lot of the place I shop support that these days...
I had a similar experience, but a clerk at a gas station wiped the chip edge of the card down and it worked on reinsertion. No idea how not-really-visible dirt (maybe from my very old wallet) was contributing to chip read failures, but I have a much higher success rate after copying this fix.
I find it odd that they're so unreliable in the US given they're neither new nor complicated technology and had a decade of use in Europe before they even started gaining adoption in the US, but I'll take your word for it. I wonder what US card or terminal manufacturers are doing wrong for such a reliability difference.
Chip payments occasionally had problems in Europe too. The chips on the cards, or the contacts on the terminals would get dirty or wear out or whatever. Contactless is much more reliable.
Remember that the US is huge, diverse, and opinionated, and really struggles to realize "My experience isn't everyone's experience"
I've had the chip struggle like once in my life. That was on a card very near its expiration date. Most people I see in the store have no problems with their payment method, and when I was a cashier in 2012, people seemed to have significantly more problems getting their magstripes to scan.
All of this is SUPER dependent on which flavor/brand of POS is popular around you, the effort your bank put into making a good implementation, and whether your local merchants actually put effort into running their business and keeping equipment maintained. Pretty much nothing in this discussion is generalizable to all of the US other than "We were late to the party of chip cards".
I’ve had the readers at Home Depot occasionally fail to read my chip card. The last time it happened an employee told me that the readers were designed for slightly thicker cards than some banks are using and so don’t always make contact but if you lightly press down on the exposed end after you insert it that lifts the chip end up enough to be read.
I’ve had no problems with their readers since I started doing that.
If you go anywhere where they hold a tab open, such as a bar, you can't do that with tap/chip. Not that that's a blocker, since worst case you do a bunch of single transactions, but it's an annoyance.
And in Canada. 99.9% of the time if the machine asks you to use the magstripe, period, there's something wrong and the payment isn't going to process regardless.
Originally I was thinking they could handle an open tab like a gas station — place a hold on the card for $X for an open tab. But then, the more I thought about it, I’m not sure I want to be the bartender that has to explain why there was a hold of $100 on a college kid’s debit card.
Sorry you can’t buy lunch, but the hold will get released in a few days, so it’s ok!
You could just prepay $X. Then extend it every so often. Any remainder gets refunded at the end. Honestly, in Australia I have not swiped my CC in over a decade.
In some ways we are pretty spoiled here in Australia, with regards to fintech adoption. The local farmers markets either take cash or contactless (or both depending on the stall). It's the literal only remaining place that I visit that takes cash-only at some stalls. Everywhere else is all contactless, all the time.
I suppose so. But it still blows me away that doing basic everyday payments in the largest economy in the world is still so poor and their physical money is terrible.
> Sorry you can’t buy lunch, but the hold will get released in a few days, so it’s ok!
I've bought gas in France with a Monzo card and the pump was able to hold and release money immediately - ~150EUR hold initially, as soon as I put the pump down it adjusted to the real amount.
Seems like the tech to make this happen does exist, it's just a matter of not using a shitty bank.
The whole "giving your card away" thing is so foreign to me (German). Fuck no, I’m not giving you my card. In restaurants and bars they either come by with their handheld terminal, or you go to the machine at the register and simply pay like in any other place.
America having invented the dining (later credit) card, we have some customs remaining from when they worked analog.
I understand why Germany, a poorer country which was late to electronic payments, wouldn't do this; I don't understand the hostility to it. But then, I'm American, we've been doing this longer than you've been alive.
> I understand why Germany, a poorer country which was late to electronic payments, wouldn't do this; I don't understand the hostility to it. But then, I'm American, we've been doing this longer than you've been alive.
You mean payments between banks that take two to three days within the country instead of a regulated maximum of 15 seconds across borders?
It's a shame you're so salty that the rest of the world has far overtaken the US. You may have been doing it "longer", but you've absolutely failed to iterate and are still stuck with obsolete technology that's rife with fraud, for which a more appropriate feeling than saltiness is shame.
The chargeback is always there, in the background, keeping people honest, broadly speaking. I generally wave my watch at something and carry on with my day, due to the innovative work of Americans. I mean probably a few Germans at Apple, but they're Americans now, and that's what matters.
But having a clunky thing at home you stick your debit card in is okay too! I guess.
There are a large number of “smart” tab systems in use in US bars where the system retains your magnetic stripe data for the duration of your visit. You pass off your card, it is swiped and immediately returned. If you don’t settle your tab, it’s automatically settled with a pre-set tip using the stored track data. It’s convenient for bar owners and patrons as the bar doesn’t have leftover cards to deal with and the patron doesn’t have to retrace their steps to recover their forgotten card the next day.
Interesting, I haven't encountered such a system at UK bars/pubs. Either it's entirely pay-as-you-go (easy when everyone has contactless), or, at fancier places, they'll trust you to run a tab without taking a card up front.
More or less a security nightmare than a drawer or tray full of physical credit cards behind a busy bar at night, which is the alternative at US bars? I'd argue that time-shifting card data is actually safer, even if it is often against the merchant agreement.
I really haven't heard of much trouble caused by these systems - of course, they require magnetic stripes in general, which are a massive attack vector, but the bar use case specifically doesn't seem to cause additional issues that I'm aware of. There are so many lower-tech and easy ways to steal magnetic track data, like skimmers, that I don't think compromising bar-back point of sale systems is a particularly high priority for most criminals.
Anyway, this is probably just a small snapshot in time regardless, since once swiped-card transactions finally go away US bars will have to switch to the mobile terminal pay-as-you-go method anyway.
Speak for yourself, I can't tell you how many times I've left my card at the bar because of an open tab. Nowadays I'll favor places that give me my card back when I open a tab.
Fred Meyer (a grocery store) where I live doesn’t have NFC POSes in their self checkout kiosks, so I have to whip out my card to chip there. But otherwise I don’t usually use it (though I bring it just in case).
Lots of smaller stores have readers where either the tap or the chip is broken. I just went to one today and took out my card to insert the chip instead of using Google Pay.
One of the shops near me can only do tap reading on their reader as the chip isn't working. My debit card only has chip, no tap. But I can pay with Google Pay via my phone. At the CVS near me, the tap readers in the pharmacy don't work. But the chip readers do.
I can see how this is annoying, but I think I use the magstripe 1 time per year on average. Although, I could see it being used more often by bartenders and other merchants who take my card.
Even EMV contactless is designed to work offline. There's no need for the mag stripe at all anymore unless you encounter a truly ancient card terminal. The last time I remember encountering one was at a toll booth in Italy around 2011 or so. And the transaction was immediately declined by my UK bank!
Transport for London works similarly for contactless payment card acceptance on the tube, buses, etc. Cards are authorised in offline mode, with transactions processed overnight at the end of each day.
But they also maintain an internal blacklist of declined cards, so the most you'll get away with is one day's travel around London. Per card.
It's absurd anyone thought those stupid translucent green plastic things would solve any of this, if anything more surfaces and greebles on the ATM just make it easier to hide a skimmer. If the surface was a razor thin slot on a completely flat surface you'd struggle to hide anything on it. Instead we have this stupid giant hunk of plastic that doesn't even look like part of the machine anyway.
I think the magnetic strip needs to go. We hardly use them in Australia to the point where one of our major banks actually has a touch reader on their machine.
Some sort of one-time verification would be great. An SMS or a push notification would go a long way to making this type of scraping harder.
> The magnetic stripe will start to disappear in 2024 from Mastercard payment cards in regions, such as Europe, where chip cards are already widely used. Banks in the U.S. will no longer be required to issue chip cards with a magnetic stripe, starting in 2027.
Absolutely. Here in the Netherlands, magstripe payments are disabled by default. Only if you’re travelling outside Europe do you need to enable them manually (through your bank’s app or website).
Magstripe is long dead throughout Asia as well. The US (as always) has been behind the curve on this, but contactless became pretty ubiquitous during COVID.
Monzo (UK) doesn't allow magnetic stripes in ATMs unless you enable them in the app.
Chip and pin and NFC terminals have been a standard in the UK for over a decade now. I wouldn't be surprised if magnetic stripe readers still exist only for US tourists.
As a person who was quite amused by a [quite gentry, i.e. recently entered the workforce again] Domino's staff member who didn't even know how to handle a magstripe in 2016, I find this quite baffling.
I find it's the chip readers that are very flaky. Certain stores I go to simply have unreliable chip readers and I often have to fall back to the stripe. This has even happened at a couple places right after they replaced their readers. It seems to be related to alignment of the card in the slot, which has led me to a procedure that on the second try, I'll put the card in while sliding it pressed against the left edge of the slot, and on the third try I'll slide it in on the right edge of the slot. This small bit of offset often makes the difference.
I suppose after the stripe goes away, they'll have to improve these machines in a hurry. I just don't understand how they're so shitty and yet the rest of the world seems to be using them without issue.
As a person who used the chip for almost a decade I can assure you that either you had extremely shitty readers all your life or somehow your bank provided you with an extremely shitty card. I struggle to even remember when I needed to reinsert the card.
> Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
> Shockingly, few people bother to take this simple, effective step.
I haven't taken cash out of an ATM (or carried cash altogether) for years now, but I never really used to do this as I always assumed it was protecting against the threat of someone looking over your shoulder and then subsequently mugging you.
If I ever end up using a cash machine again, I will be sure to cover the digits. Thanks Krebs!
I've always wondered about how modern contactless methods are more resistant to skimming. Couldn't someone compromise two machines and essentially MITM the NFC communications, intercepting the card's response from the first machine, and replaying it against another remote machine, along with the PIN recorded from a camera? Though I suppose the ATM company could combat this by encoding the machine's ID or a nonce with the message that the card's smart chip responds to, so it only works when replayed on that first machine - is this what happens in practice?
> Though I suppose the ATM company could combat this by encoding the machine's ID or a nonce with the message that the card's smart chip responds to, so it only works when replayed on that first machine - is this what happens in practice?
Yes, more or less. The chip and contactless flows defined by EMV both require the card to generate a nonce for the transaction. The terminal also generates its own nonce[1].
Unfortunately "random" is a headache for a certain type of bureaucrat. They can't really do "random" or "unpredictable" and it needs somebody who actually understands what is going on to sit down and walk through how they can check whether to tick this box. For the Web PKI we had this problem extensively. No, if you set the top bit of this 128-bit integer, that's not 128 random bits. That's 127 random bits, the top one isn't random any more, see?
Anyway, the EMV test spec tells them to ensure the numbers are different not that they're random even though the cryptography requires randomness to work. So if you make terminals, the way to ensure you pass is not to use random numbers, as there's a tiny chance a random number fails the test. To pass, just ensure you emit a sequence of different numbers. For example 1, 2, 3, 4, 5. That's not random at all, but it's different and so it passes the test.
As you would expect this is an exploitable bug. Light Blue Touchpaper covered this years back.
> as there's a tiny chance a random number fails the test
There’s ~4e23 _grains of sand_ on Earth. There are more possible values in 128 bits than grains of sand on Earth.
Take it further. There are 10^11 stars in our galaxy. If every star in the Milky Way had a planet identical to Earth orbiting it, there would be ~4e35 grains of sand on all the Earths orbiting all the stars of the Milky Way.[1]
If you assigned each of those grains to its own value, we’d only need 0.11% of the possible values of 2^128.[2]
I think it’s safe to say those bureaucrats are wrong :)
Sure. As an engineer who knows what they're doing I of course agree with you. I'd argue with management that random is both obviously the correct choice and unlikely to cause compliance problems. But...
Here are some of the "Unpredictable numbers" from a series of EMV transactions reported in a paper in 2014:
F1246E04, F1241354, F1244328, F1247348
That's a 32-bit value, so not enough to count living humans, never mind grains of sand. And it's not very "Unpredictable", indeed the researchers have more data from the logs which allows them to predict with confidence future values from that same terminal, basically the low 15 bits are a clock which repeats every 32768 cycles, with cycles having a fixed duration of several milliseconds. The high bits, if they change, don't change for a prolonged period.
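To make the gap described above concrete, here is an added example (not code from the thread, from the EMV test specifications or from any terminal vendor): the distinctness-only acceptance check as the comment describes it, next to a simple structural check that counts bit positions that never change across a run of Unpredictable Numbers. The four hex values are the ones quoted in the comment; the 1..5 run and the "good" sample in the usage are constructed, and the 3-sigma threshold is an assumption chosen for illustration.

```python
"""Distinctness-only vs. structural sanity check for EMV Unpredictable Numbers.

Added example.  The weak test is modelled on the thread's description of the
EMV test spec ("ensure the numbers are different"); the stricter check is a
plain statistical heuristic, not anything EMVCo publishes.
"""
import math

UN_BITS = 32  # the EMV Unpredictable Number is a 4-byte field

# Values quoted in the thread from one terminal's transaction log.
QUOTED_TERMINAL_VALUES = [0xF1246E04, 0xF1241354, 0xF1244328, 0xF1247348]
# Constructed: the "1, 2, 3, 4, 5" run the thread says a distinctness-only test accepts.
COUNTER_SEQUENCE = [1, 2, 3, 4, 5]


def distinct_only(samples):
    """The weak acceptance test as the thread describes it: values need only differ."""
    return len(set(samples)) == len(samples)


def constant_bit_positions(samples, width=UN_BITS):
    """Bit positions that hold the same value in every sample."""
    first = samples[0]
    return [b for b in range(width)
            if all(((s >> b) & 1) == ((first >> b) & 1) for s in samples)]


def expected_constant_bits(n_samples, width=UN_BITS):
    """Mean and standard deviation of the constant-bit count for a uniform source.

    A given bit is constant across n independent uniform samples with
    probability 2 * 2**-n (all zeros or all ones), so the count is Binomial(width, p).
    """
    p = 2.0 ** (1 - n_samples)
    return width * p, math.sqrt(width * p * (1 - p))


def looks_predictable(samples, width=UN_BITS, sigmas=3.0):
    """Flag a run with far more constant bits than a random source would show.

    sigmas is an assumed illustrative threshold; with 4 samples the random
    expectation is 4 constant bits, so anything above ~9.6 is flagged.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples for this check to mean anything")
    mean, sd = expected_constant_bits(len(samples), width)
    return len(constant_bit_positions(samples, width)) > mean + sigmas * sd


def assess(samples, width=UN_BITS):
    """Run both checks and report what each one sees."""
    mean, _ = expected_constant_bits(len(samples), width)
    return {
        "passes_distinctness_test": distinct_only(samples),
        "constant_bits": len(constant_bit_positions(samples, width)),
        "expected_constant_bits": mean,
        "flagged_as_predictable": looks_predictable(samples, width),
    }


if __name__ == "__main__":
    for name, run in [("quoted terminal log", QUOTED_TERMINAL_VALUES),
                      ("1..5 counter", COUNTER_SEQUENCE),
                      # Constructed sample with no bit fixed across samples.
                      ("constructed good sample", [0x00000000, 0xFFFFFFFF, 0xAAAAAAAA, 0x55555555])]:
        print(f"{name:24s} {assess(run)}")
```

On the quoted log the distinctness test passes while 21 of 32 bit positions never move (the high 16 bits plus five of the low 16), against an expectation of about 4 for four random draws; the 1..5 run passes distinctness with 29 fixed bits. Four samples is a small base, so the check is a smoke test for a gross failure like a counter, not a substitute for a proper entropy assessment of the terminal's generator.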
I'm a bit curious now how compliance with the spec is tested.
It certainly can't be done with "pure" unit tests, and it would be difficult to ensure sufficient entropy even with "impure" tests that examine multiple nonces generated in sequence.
Do you happen to have a link to the paper you mentioned?
... mentions these values and links a paper they wrote, I suspect it isn't the 2014 paper I was thinking about but it's on the same topic.
The good news is that in the years after this work, I believe the rules were tightened up, there's a good chance if you buy a brand new EMV terminal the people testing it wouldn't have accepted 1, 2, 3, 4, 5 as a series of "Unpredictable numbers", so crooks today are less likely to be able to exploit this, and more likely to get caught.
The bad news is that courts remain very easily persuaded that banks know what they're doing, and expert witnesses who can make it clear that the bank have no idea what they're doing and shouldn't be trusted more than a typical citizen are expensive. If it ends up being your word against a bank, the court is probably going to believe the bank.
From my understanding you can't really skim these cards as the cards sign some piece of data using a private key stored only on the card that never gets exposed in the transaction. I might be _totally_ wrong though.
That's pretty close: the private key alone can't prevent replays, since any material generated from just the private key could be recorded and replayed. Instead, the card mixes its private key with a nonce to produce a session key.
The magnetic stripe is just data. NFC is a handshake: the chip is a tiny MCU. There is still a root of trust required to prevent MITM, but the device would need to be compromised. This is why keys and certificate chains are stored in secure memory that is resistant to side channel, and even physical attack (it breaks easily and the die can't be shaved down).
“A tiny MCU” in this case means Microcontroller Unit, not Marvel Cinematic Universe. Don’t expect to find Antman running around on your chip preventing fraud.
Surely that’ll get you a one use token but not data good for repeat use? In addition you would have to send that to the network as a retailer yourself. So it would not be anonymous.
It’s completely useless. Because the terminal you’re using is involved in what gets signed, even if you replayed the data to a different but identical contactless terminal (say the next gas pump over) the signatures would fall apart and it wouldn’t work. The serial numbers and such are different.
Also there are transaction counters involved. So even if you could overcome that the processor would see that your card had two transactions with counter 268753 and reject the second. The terminal also has its own transactions counter mixed in too.
And even if you could overcome those I’m almost positive that timestamps are involved too. So even if you could replay the transaction to the same exact terminal and get around the transaction counter issue the time would be different and I think that would cause it to fail.
It really is a well designed system. It follows that software law that people can know absolutely everything about the process and it’s still secure as long as the private keys aren’t given away.
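The mechanism the last few comments describe (the terminal's nonce and identity going into what the card signs, a session key derived from the card's secret plus a counter, and the issuer refusing a counter it has already seen, which also answers the two-machine MITM question raised earlier) is easier to see in a toy model. The following is an added example, not EMV code and not from this thread: HMAC-SHA256 stands in for the EMV cryptogram and session-key derivation algorithms, the message layout is invented, and the terminal IDs, PAN and amounts are constructed. Only the structure is the point: why a recorded card response fails when replayed at the same terminal, relayed to the next pump over, or resubmitted with a guessed counter.

```python
"""Toy model of EMV-style replay resistance: counter + terminal nonce + per-transaction key.

Added example.  HMAC-SHA256 replaces the real EMV cryptogram algorithms, and
the field layout is made up; the checks an issuer performs are the subject.
"""
import hashlib
import hmac
import secrets

AMOUNT_LEN, ATC_LEN, UN_LEN = 6, 2, 4  # assumed field widths for this model


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card's master key and its transaction counter (ATC)."""
    return hmac.new(master_key, b"SK" + atc.to_bytes(ATC_LEN, "big"), hashlib.sha256).digest()


def cryptogram_input(amount: int, terminal_id: bytes, un: bytes, atc: int) -> bytes:
    """Everything the cryptogram covers: amount, terminal identity, terminal nonce, card counter."""
    return amount.to_bytes(AMOUNT_LEN, "big") + terminal_id + un + atc.to_bytes(ATC_LEN, "big")


def compute_cryptogram(master_key: bytes, amount: int, terminal_id: bytes, un: bytes, atc: int) -> bytes:
    sk = derive_session_key(master_key, atc)
    return hmac.new(sk, cryptogram_input(amount, terminal_id, un, atc), hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, pan: str, master_key: bytes):
        self.pan, self.master_key, self.atc = pan, master_key, 0

    def generate_ac(self, amount: int, terminal_id: bytes, un: bytes) -> dict:
        """What the chip hands back to the terminal for one transaction; the counter never reuses a value."""
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "cryptogram": compute_cryptogram(self.master_key, amount, terminal_id, un, self.atc)}


class Terminal:
    def __init__(self, terminal_id: bytes):
        self.terminal_id = terminal_id

    def build_auth_request(self, amount: int, card_response: dict, un: bytes) -> dict:
        """Online authorisation message: the terminal's own fields plus the card's response."""
        return {"amount": amount, "terminal_id": self.terminal_id, "un": un, **card_response}


class Issuer:
    def __init__(self):
        self.cards = {}  # pan -> [master_key, highest ATC accepted so far]

    def enroll(self, card: Card):
        self.cards[card.pan] = [card.master_key, 0]

    def authorize(self, req: dict):
        """Return (approved, reasons); every failing check is reported, not just the first."""
        rec = self.cards.get(req["pan"])
        if rec is None:
            return False, ["unknown card"]
        master_key, last_atc = rec
        reasons = []
        expected = compute_cryptogram(master_key, req["amount"], req["terminal_id"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            reasons.append("cryptogram mismatch")   # wrong terminal, wrong nonce, wrong amount or wrong key
        if req["atc"] <= last_atc:
            reasons.append("ATC not increasing")    # counter already consumed: a replay
        if reasons:
            return False, reasons
        rec[1] = req["atc"]
        return True, []


def run_scenarios():
    """One genuine purchase, three reuse attempts on the recorded response, then a second genuine purchase."""
    card = Card("TESTPAN0001", secrets.token_bytes(16))        # constructed PAN, random per-card key
    issuer = Issuer()
    issuer.enroll(card)
    pump_a, pump_b = Terminal(b"PUMP0001"), Terminal(b"PUMP0002")  # constructed terminal IDs

    un_a = secrets.token_bytes(UN_LEN)                          # terminal's unpredictable number
    resp = card.generate_ac(2500, pump_a.terminal_id, un_a)     # attacker records this exchange
    genuine = pump_a.build_auth_request(2500, resp, un_a)
    results = {"genuine": issuer.authorize(genuine)}

    results["verbatim_replay"] = issuer.authorize(dict(genuine))                 # same terminal, same message
    un_b = secrets.token_bytes(UN_LEN)                                           # next pump picks its own nonce
    results["relay_to_other_terminal"] = issuer.authorize(pump_b.build_auth_request(2500, resp, un_b))
    results["forged_counter"] = issuer.authorize({**genuine, "atc": resp["atc"] + 1})  # guessed ATC, old MAC

    un_b2 = secrets.token_bytes(UN_LEN)                         # the real card still works: its counter moved on
    resp2 = card.generate_ac(1800, pump_b.terminal_id, un_b2)
    results["genuine_second"] = issuer.authorize(pump_b.build_auth_request(1800, resp2, un_b2))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} approved={verdict[0]} reasons={verdict[1]}")
```

The relay case fails on two independent grounds: the second pump's identity and nonce change the MAC input, and the counter has already been consumed. The forged-counter case shows why advancing the ATC by hand does not help: the session key for the new counter is derived from a secret the attacker never saw. Real EMV adds timestamps, amount and currency fields, and the card's own random challenge on top of this, which the model omits.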
It may be worth running a magnet over your cards at this point. I can't think of a time I've used the mag-stripe.
The skimmers here have a passthrough hole for the chip which means the mag-stripe only exists to feed the skimmers. So even this use case that gets skimmed isn't even using the mag-stripe itself!
I've used the mag stripe tons of times over the last couple of years. Most of the time it's when I get "CHIP MALFUNCTION" errors at a card reader, or sometimes they just tell me to swipe for no good reason. I wouldn't kill the stripe unless you've got a backup with you, at least for a while.
That's opt-in but I think every credit card company in the US offers to alert you by SMS or app notification when a transaction has been made. I have that setup for my cards but it is annoying each month when the internet bill hits my card because they do their processing at 3am.
Most of the banks I've dealt with in Europe deliver them as push notifications, and I just tell my phone to summarise them and deliver them silently. So whenever I check my phone anyway, I see that there's been some transaction, but they'll never interrupt me.
Definitely not every bank offers this (looking at my small credit union) but most do and it's great! I just wish it would let me know when restaurants add the tip on.
No - I only get asked for approval on particularly suspicious transactions, normally based on amount, merchant reputation, and geography.
I believe this difference is because in the US merchants are on the hook for fraudulent transactions and in the rest of the world the customer is on the hook.
So if someone steals my card and makes a bad transaction, I just go into the app, flag it as fraud/not me and no money comes out of my bank account. The merchant ends up eating the cost because it's better for them to eat a small fraud percentage than to add more friction to the checkout process.
I like how this old-fashioned security measure still applies:
> Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
Another low-tech thing I have done to protect myself is I have physically cut the numbers off my cards with scissors. My name and expiration date are still there. This way when I pay at a restaurant in the US and the card is out of my sight I don't worry about someone writing down the card details. So far not a single business has refused me when I hand them my modified card with the numbers cut off.
Although you will be out of luck in the very rare situations where the merchant has to fall all the way back to a completely offline transaction on paper. Usually they use a little plastic roller device that impresses the number onto carbon paper to reduce errors, which is why they were embossed rather than printed in the first place.
> Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.
> So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.
> Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
I see this as part of the 'war on cash'. Cash itself cannot be skimmed etc - but when you use your card, it can be. The problem appears to be the use of ATMs to get cash out - the message is that its risky. Of course, if there were banks, and you were able to get cash out in ye olde fashioned way, this wouldn't be a problem.
The point I'm trying to make is that technology introduces risks that cannot really be quantified - you won't even know that someone has stolen from you for a while by cloning your card (a few hours/days) - with cash if it is stolen it is obvious immediately. This lack of access and ability to get an accurate picture of your finances is not going to get better with crypto.
Key security measure, and it is trivial - just start it as a new habit, and remind all your family & friends who didn't read the article.
>> most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
>>Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.
> However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.
That's why you usually need an external push to advance security. Manufacturers/businesses didn't drop CFC, lead, asbestos,... voluntarily, usually there's fierce resistance. Wireless tap payment terminals run for less than 50 bucks in retail stores, it's a negligible expense for any business (that's why you even see them among street vendors, restaurants where each waiter has their own terminal...).
I'm still a little surprised I can't easily get chip-only credit cards that have no magnetic strip on the rear, but rather have a backup card that has a strip, and use chip/tap for everything else.
Could always cut out the chip and place it on another recipient card. Nobody looks at the card for chip+pin transactions, but you’ll lose “tap” payment ability.
I suppose you could get an “associate card” and destructively disable the chip and magstripe to accomplish your goal.
Since cards have relatively recently gone to not having embossed numbers, the card slots are now probably just a little bit wider than most new cards, allowing a device like this to fit.
Correct. I'm not familiar with the implementation details, but there's a handshake involved in the NFC tap that prevents it from being cloned using a "dumb" skimmer like this.
Not a payment security expert, but based on my limited knowledge, the transaction is verified with the chip embedded in the card/device itself so I don't think that skimming devices like these can bypass NFC protections.
I feel about it the same way I feel about people saying "i am on wireless" (when telling people whether they are using ethernet or wifi). Totally fine in the context.
Since we are talking about payment card skimmers, "contactless" feels appropriate here too.
I can't help but smile when I see these skimmers. It's amazing how advanced they are!
I would love it if my bank would let me use my virtual debit card with a contactless flow to withdraw cash. I'd imagine that's much harder to replay or otherwise manipulate. I've seen some ATMs (mostly Chase?) with the contactless symbol on them, but I've never been able to get them to work.
I always use the Chase Debit cards stored in my Apple Wallet to access Chase ATMs. Works great. You can use the Apple Wallet cards to unlock the ATM vestibule doors after hours too.
Good to know that it works with their own cards! I don't actually have a Chase debit card; I was hoping that my virtual debit card would work with their machines :-)
(The bank I use does actually use JPMC as their customer bank, so I was hoping that Chase ATMs would see my card as a "whitelabeled" Chase card. But no such luck.)
Contactless checkout has a different security scope for card issuers. Magstripe + Pin is reusable, contactless auth has protections that bind the key exchange to that specific merchant and multiple pay auth attempts from a merchant get throttled.
I haven't looked into it, but I would guess that there's a key exchange with the reader that binds the contactless payment to that reader in such a way that the card produces a signed unique identity that proves it is the card without leaking the actual card numbers to the reader. Just a guess, but that's how I would want to build something like this. You don't have that much room on a chip but way more than a magstripe. (Security pattern: something you have that is time/merchant delimited)
I believe that in magstripe they just have a strip magnetized to produce some digits + your pin (Security pattern: something you know + something you have).
Contactless uses a cryptographic operation to secure the transaction, both reader and chip are active participants. Compare with magstripes which are passively read and thus trivially subject to replay attacks.
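The difference the last few comments describe (and the earlier replies about NFC not being cloneable by a "dumb" skimmer) in runnable form. This is an added example, not code from this thread or from any card scheme, and it is a deliberately simplified model: real EMV derives per-card 3DES/AES session keys and produces an issuer-specific ARQC/TC; the HMAC-SHA256 cryptogram, the field layout inside it, and the class names are assumptions for illustration. The Track 2 string uses the standard test PAN and the card key is constructed. What it shows is that magstripe data is static and replays cleanly, while a cryptogram bound to a terminal challenge and a monotonic counter is rejected when replayed, moved to another terminal, or re-used with a changed amount.

```python
import hashlib
import hmac
import secrets

# Constructed Track 2 string (ISO/IEC 7813 layout: PAN '=' YYMM, 3-digit
# service code, discretionary data). 4111... is the usual test PAN, not an account.
SKIMMED_TRACK2 = ";4111111111111111=29122011234567890?"


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into fields. Everything here is static data:
    whoever reads it once can write it to a blank card and swipe again."""
    body = track.strip(";?")
    pan, rest = body.split("=", 1)
    code = rest[4:7]
    return {
        "pan": pan,
        "expiry_yymm": rest[:4],
        "service_code": code,
        # ISO 7813: first service-code digit 2 or 6 means an IC (chip) is
        # present, which is how an EMV terminal knows a plain swipe should
        # only be accepted as a deliberate fallback.
        "chip_present": code[0] in "26",
        "discretionary": rest[7:],
    }


class MagstripeIssuer:
    """Issuer-side check for a swipe: nothing but static data to verify."""
    def __init__(self, pan: str, expiry: str):
        self.pan, self.expiry = pan, expiry

    def authorize(self, track: str) -> bool:
        t = parse_track2(track)
        return t["pan"] == self.pan and t["expiry_yymm"] == self.expiry


class ChipCard:
    """Card side of the challenge/response. The key never leaves the card;
    the terminal and any skimmer only ever see the cryptogram."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_ac(self, amount_cents: int, unpredictable_number: str):
        self.atc += 1  # Application Transaction Counter: monotonic per card
        msg = f"{self.pan}|{amount_cents}|{unpredictable_number}|{self.atc}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]


class ChipIssuer:
    """Issuer recomputes the cryptogram with its copy of the card key and
    rejects anything whose counter does not move forward."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.last_atc = pan, key, 0

    def authorize(self, amount_cents: int, unpredictable_number: str,
                  atc: int, cryptogram: str) -> bool:
        if atc <= self.last_atc:
            return False  # counter did not advance: replayed cryptogram
        msg = f"{self.pan}|{amount_cents}|{unpredictable_number}|{atc}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, or amount/challenge changed in transit
        self.last_atc = atc
        return True


def tap(card: ChipCard, issuer: ChipIssuer, amount_cents: int):
    """One honest contactless transaction as a terminal drives it."""
    un = secrets.token_hex(4)  # terminal's fresh challenge (unpredictable number)
    atc, ac = card.generate_ac(amount_cents, un)
    ok = issuer.authorize(amount_cents, un, atc, ac)
    return ok, {"amount": amount_cents, "un": un, "atc": atc, "ac": ac}


def magstripe_replay_succeeds() -> bool:
    """A byte-for-byte copy of the stripe authorizes exactly like the original."""
    issuer = MagstripeIssuer("4111111111111111", "2912")
    cloned_card = SKIMMED_TRACK2
    return issuer.authorize(SKIMMED_TRACK2) and issuer.authorize(cloned_card)


def contactless_replay_fails() -> bool:
    """A recorded tap is useless: same-challenge replay, a different
    terminal's challenge, and an altered amount are all refused."""
    pan, key = "4111111111111111", secrets.token_bytes(16)  # constructed key
    card, issuer = ChipCard(pan, key), ChipIssuer(pan, key)
    ok, cap = tap(card, issuer, 2500)  # a passive skimmer records this exchange
    same = issuer.authorize(cap["amount"], cap["un"], cap["atc"], cap["ac"])
    other_terminal = issuer.authorize(cap["amount"], secrets.token_hex(4), cap["atc"] + 1, cap["ac"])
    bumped_amount = issuer.authorize(999999, cap["un"], cap["atc"] + 1, cap["ac"])
    return ok and not same and not other_terminal and not bumped_amount


if __name__ == "__main__":
    print("track2:", parse_track2(SKIMMED_TRACK2))
    print("magstripe clone accepted:", magstripe_replay_succeeds())
    print("contactless replay rejected:", contactless_replay_fails())
```

The counter check is what makes the "other terminal" case fail for the right reason: the attacker can advance the ATC they present, but cannot produce a cryptogram over a challenge they did not know when the recording was made, because that needs the key held only by the card and the issuer.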
I don't use any card where you cannot deactivate the magnetic stripe entirely by software. This way the magnetic stripe becomes useless because transactions through it are blocked. I live in Europe and nearly never need the magnetic stripe (one big exception was one ATM which would not work without it).
To highlight the action item from the end of the article: for this attack to work they need a video of your PIN from a nearby hidden camera, so cover the PIN pad with your other hand as you enter your PIN! (I always thought this was paranoia, but apparently not)
For all the people saying why not use chip and pin cards for all your payments, using cash is EXTREMELY common for day to day small purchases in NYC and doesn't seem to be going away any time soon.
Ha. Honestly I’m having a blast at all the reactions from Europeans (and others) in this thread.
The large local bank in my city doesn’t support it. Their ATMs only started using EMV a few years ago. I’ve seen contactless on national chain bank ATMs once or twice but I don’t think it worked for me for some reason.
We dropped magstripes over a decade ago for chip and pin (though cards still ship with them for use overseas), and pretty much every payment terminal in stores has supported contactless for two years, but I haven't seen a contactless ATM here in Ireland - I assumed there was some liability reason they wanted chip and pin.
Here in Russia you still have to enter the PIN after you tap the card. You used to be able to tap with your phone too, back when Google Pay and Apple Pay worked.
Where do you live that banks allow you to even use the strip? Once we got chips like 10+ years ago banks disabled the strip. I mean, why have a chip if your card is going to get fraud? Defeats the purpose of it.
Seems like you ought to be able to buy bismuth foil tape to put over the mag stripe, and block any sort of reader. It's not like most of us ever need to use it.
a) You can still run transactions as magstripe-only transactions (without any PIN or even signature required) or
b) copy the security code (which on most American cards is also encoded on the magstripe) and use it online (CNP transactions). If you're familiar with 3D Secure, most American banks and merchants don't require 3D Secure to buy.
Who is still using these old cards? Don't they expire? I mean, it's been more than 10 years since we all switched to chipped cards. I don't even know any place that has a strip reader or any bank that has them enabled. I mean, what's the point of adding a chip for security if you still allow strip readers...
Absolutely everywhere in the US has them. They exist for two purposes: first they’re used for fall back if there’s a problem with the EMV chip. Second I’m not aware of any gift cards (except perhaps prepaid debit cards) that have EMV chips. So if you buy a $20 gift card to Home Depot for someone that’s going to be magstripe.
Honestly I didn’t start seeing EMV/contactless available on gas pumps until about 18 months ago.
The cards are very insecure and primitive and have been replaced by smart phones in most areas.
One core way they are insecure is based on the main concept of the money which fails to utilize cryptography. Any money that uses cryptography to prevent the need for sharing secrets to execute transactions is a cryptocurrency. Any currency that does not use cryptography is obsolete.
Using physical pieces of paper is also ridiculous at this point. The only real utility is to avoid any kind of taxation, and the only reason that is needed by people is because governmental structures are also horrible and obsolescent.
Curious what you use if you don't use an ATM, ATM card, a bank, or fiat currency?
People like to use this type of rhetoric around crypto and crypto-maximalism, but you absolutely cannot function day to day using purely crypto at this point in time.
Glad to know I'm not the only one that has abandoned money and transitioned entirely to the barter system. This past year, I only paid two hogs to the IRS. The future is here.