42 comments

[ 3.4 ms ] story [ 84.2 ms ] thread
If we used chip and PIN in the US would this still have been possible?
Can you buy things online with chip and PIN?
Not sure if this is serious or snark, but...no, you use the card number, of course. Similarly, the magnetic stripe is not typically used in online transactions either.

The question is whether the chip-and-PIN technology would have revealed less information (i.e. insufficiently much to allow online purchases, etc.).

Target's card readers, last time I checked, suck in the whole card like some ATM machines. So they can easily OCR the card number and CVV2, and store that.

What always weirded me out about Target is that they used the credit card number (or name, or something on the card) as the key into their "loyalty program". If you bought some generic drug last time, this time their machine will print out a coupon for the name-brand version. This always weirded me out a little bit, though there is nothing preventing them from just storing a hash. Of course, the average developer never stores just a hash, and here we are.

> Target's card readers, last time I checked, suck in the whole card like some ATM machines. So they can easily OCR the card number and CVV2, and store that.

At least in the Minneapolis store I shopped at during the breach, it was a simple swipe terminal.

Why would you think that Target OCRs CVV2? They already have CVV1 (used for card in hand) read off the magstrap, so what would they want with CVV2? It would also be an insane violation of PCI rules.
As far as I know, big companies can negotiate with the individual networks to do whatever they want with your credit card information, including storing the data in a non-PCI-compliant manner.
From TFA:

The shop was selling data stolen from the magnetic stripe of each card, which thieves can re-encode onto new, counterfeit cards and use to go shopping in bricks-and-mortar stores for items than can easily be fenced or resold.

Is that possible to do with a chip and PIN card? Most of the focus from these articles seems to have to do with replicating the cards and using the replicas in stores, not online.

That's supposed to not be possible at all.

I remember maybe a decade ago there was a kind of scare (well, at least the TV news talked about it) about YesCards, some kind of fraudulent EMV cards, but according to Wikipedia[0] it doesn't look like they would still work today.

[0] https://fr.wikipedia.org/wiki/Yescard (for some reason, the English article is deleted).

It appears that chip-and-pin probably uses a challenge-response type of authentication, which would make the card nigh-impossible to duplicate.

Chip-and-pin won't help you with online sales, but for any card-present sale (brick-and-mortar) it should ensure counterfeits cannot be used, and the PIN of course is the second factor to ensure only you can use the card.

Yes, you can - http://en.wikipedia.org/wiki/3-D_Secure

When I buy something online using my CC, and if the payment processor supports that (mostly local/european shops), I get redirected to a page on my bank for verification. Some banks require the PIN to be entered, some others to enter your login credentials, some coordinates from your code card or even verify with a SMS code.

Not exactly using the chip, but it involves the PIN surely.

MasterCard has the same thing in the US. I think it's called SecureCode.
If the payment gateway decides to not implement this kind of protection, the payment goes through anyway (I'm guessing it'll be more expensive for the merchant, but still).
My bank issues chip and PIN readers for login and signing purposes. They are also used for 3-D Secure transactions.
Why not keep it simple: text message w/ reply...?
The chip still provides a "track 2 equivalent" to the terminal - http://www.emvlab.org/emvtags/show/t57/

If an attacker intercepts that, they can get the account number from it and potentially use it for online purchases. But they wouldn't have the postal code or security code, which most but not all ecommerce merchants require.

It's a rather flawed system - there are strict protections around certain cardholder data like PINs, but none of that really prevents fraud since just the account number is enough to make certain purchases.

I don't see what the big deal is. If you use a credit card (not debit card), you aren't the one be defrauded. In the U.S., consumer protection laws limit the liability due to credit card fraud. If the fraudulent change is more than $50, the customer can dispute the charge within 60 days. During the investigation period the credit card company cannot collect on the disputed amount nor can they report this to the credit collection agencies. In other words it's the bank that out the money. This is why I prefer credit cards over debit cards. With a debit card the money is yanked out of your account. The onus is then on you to recover the funds.
(comment deleted)
I've always liked this too. Let the bank figure out how not to have their money stolen.

(Yes, this adds cost to the transaction. But as long as people want to take each other's money without permission, there is always going to be a cost to using money, whether it's an interchange fee, higher taxes, or just getting $500 bucks stolen on the subway from time to time.)

At the end of the day, it's not their money, its your money. You're paying the transaction and fraud costs built into purchases, which flows to merchants, which flows back to the banks and processors.

Just because its not a line item somewhere on your bank statement doesn't mean you're not paying for it.

Sure, but at the end of the day its service that is so convenient and useful at a price that is so low I'm happy to pay for it.
If you are taking unique and extraordinary steps to protect yourself, you're actually paying twice - with the effort to protect yourself and the money for your bank to protect you. This sort of action isn't meaningful unless it's collective. Even then, do you think businesses would lower prices or simply take home more money?
Damn it i want two way verification on any purchase over X amount! Meaning anytime a charge over X amount (an amount i set) tries to go thru I get a text message asking for me to approve or deny it.

This is getting ridiculous! 1st Adobe who I will never do business with again (had to cancel my accounts & open new ones) and now Target!

Although it's not two-factor, some banks will send you push messages or texts for every transaction taking place on the card. I use Simple, they do the former. One nice feature about Simple is you can disable the debit card directly from within the app, and then re-enable it if you need to (for example, if you lose your wallet temporarily).

Simple also sent me a new debit card automatically without prompting, their systems having noticed I'd shopped at Target last week.

The problem with the two factor system as you describe is that while it works for 'cardholder not present' transactions (and there already exist standard two-factor methods for such payments, not that many banks use them), it would make retail POS payments incredibly slow. You'd have to wait for a text/push, you might not have any reception, then you've got to reply, etc. This is one reason why EMV is, for all its failings, more attractive than mag-stripe: it is considerably harder and more expensive to clone EMV cards.

+1 for Simple. I LOVE the transaction push notification feature, as well as the enable/disabled card functionality in-app.
So it's closing time at the bar, everyone who's left at 2 AM is probably drunk, they're all closing out at the same time, and you want them to have to fish out their phones and correctly respond to a challenge/response SMS before they're ushered out the door? Sorry, this sounds like a nightmare to implement.
It doesn't have to be on by default. Just make it an option, so that those of us who don't get shitfaced on a regular basis can safeguard our credit cards.
I find that response insufficient, not to mention insufferably smug. You can't control when other people leave it turned on, merchants can't control when their customers have it turned on, and there are cases where people spend large enough amounts of money to worry about, get bottlenecked at checkout, and for whatever reason might not do a great job at smoothly handling SMS challenge/response. If having an expensive night out at the bar is too déclassé for you, how about the Christmas shopping rush at a high end department store that has shitty wireless reception?

Just because a solution solves your use case doesn't mean it's a good idea. The fact is, this would be a total nightmare to bars and B&M retail establishments, to name two examples, and any significant change to the credit card system requires merchants to be on board.

The best solution for customers is still chargebacks. Unfortunately, merchants still have to eat the cost when a chargeback happens, which is why security provisions like chip and PIN typically come with the revocation of chargeback privileges. But if merchants are the ones driving these security features, they have absolutely no reason to go along with something that creates a worse experience for them.

hey it would no doubt stop billions of dollars being stolen.

Also, if you have this enabled, your purchase doesn't go through until you approve the charge. As for wireless reception... 4G & 3G solves that as it justs a text message going through.

Further banks who offer this could set a high default amount like $500 and the end user could change it to something higher.

Further, further as noted by another here, the user has the ability to enable this or not. If you know you are a irresponsible drinker then this would not be a solution for you. Also, if your passed out drunk how are you going to pay your bill anyway?

This is something I want after being hacked and a solution that would suit my needs and many others who choose it.

Anyone have any other solutions?

Did you even read the comment you're responding to?

> Also, if you have this enabled, your purchase doesn't go through until you approve the charge

That's the problem. You already drank the drinks. How's the bar going to get paid? Even in a retail situation, the amount of time it takes for the SMS exchange to go through, or for you to argue with the person at the register about it not working, makes bottlenecks even worse and makes more hassle and more loss for merchants. Since merchants are the ones driving adoption of security features, they'll never sign onto something that doesn't help them.

> As for wireless reception... 4G & 3G solves that as it justs a text message going through.

How does that solve the problem? Lots of places have poor mobile reception.

> Further, further as noted by another here, the user has the ability to enable this or not. If you know you are a irresponsible drinker then this would not be a solution for you.

That's not the problem. The problem is that merchants can't control which cardholders have this feature turned on, nor can other customers. So as a bartender (not that I am one, but for sake of argument), let's say you forgot to charge your phone and it died and as a result I can't close your tab at the end of the night. What am I supposed to do? There are 20 people trying to close their tab at the same time. That's why merchants will never allow this kind of thing to be implemented.

> Also, if your passed out drunk how are you going to pay your bill anyway?

I'm not talking about "passed out drunk", I'm talking about "leaving the bar at closing time but still capable of closing the tab" drunk. Although if you are pass out drunk, the bar will kick you out and hold onto your credit card to make sure they still get paid. Otherwise, drunk people are perfectly good at signing receipts or remembering their PIN for their chip and PIN, or else bars wouldn't accept credit cards already.

> This is something I want after being hacked and a solution that would suit my needs and many others who choose it.

As I said, just because a solution solves your use case doesn't mean it's a good idea.

> Anyone have any other solutions?

Yeah: file a damn chargeback. Problem solved.

Failing that, chip and PIN for in-person purchases and 2FA for online purchases only.

Well, Europe is pretty much transitioned to chip and PIN by now, and I have anecdotal evidence that drunk people can very much manage to type their PINs, so it's not out of the realm of possibilities.

That said, I'd still love to get proper two factor auth on online purchases.

Chip and PIN is more feasible than SMS challenge/response because the second factor is "what you know" (and type in multiple times a day) vs. "what you have" (and have to fish out of your pocket assuming you didn't lose it).
Yeah just what I want, to wait behind some slow old person to figure out how to authorize their purchase.
> Damn it i want two way verification on any purchase over X amount! Meaning anytime a charge over X amount (an amount i set) tries to go thru I get a text message asking for me to approve or deny it

I generally agree, but it would suck if I'm travelling and my phone isn't roaming.

Interesting that it's cheaper for the banks to buy back their own cards than reissue them during giftmas.
> Interesting that it's cheaper for the banks to buy back their own cards than reissue them during giftmas.

They are not "buying back" anything. The cards can be resold at will.

(comment deleted)
>They are not "buying back" anything. The cards can be resold at will

I see you have never carded. The banks are searching by BiN to find their own cards, and according to Krebs, buying them back. They said they did this to avoid having to reissue cards during Giftmas which is their biggest shopping holiday thus saving money.

They aren't buying them back for use, they are buying them back to find correlations and figure out where the breach happened. The site basically allows you to buy cards from 'bases'. Each of these 'bases' are just a source of cards so if all of the cards they buy were used at the same place (which only banks will have this information on where the cards have been used), then you know that the breach is there. Along with this, I bet they also buy cards that the owners don't know are even stolen yet which means they can cancel and reissue those owners new cards without anything ever being stolen. So it is a combination of finding the breach and to also stop their customers from having all the hassle of having stolen credit cards.
Cool, you can buy CC's there using bitcoin (also Western Union, MoneyGram, and Lesspay). Explains why you can't do the reverse (buy bitcoin with a CC).
Bitcoin has always been a popular choice with black marketplaces far before Bitcoin was popular (think SR and the like), and only became more popular as LibertyReserve fell over.

However it isn't really used as a currency, and more as a transport mechanism for cash (seeing how Bitcoin isn't anonymous at all, I'd imagine the strongest reason for these guys to use bitcoin is you can't chargeback with bitcoin)