Why are chips safer than magnetic stripes?
After the recent Target hack there has been talk about moving from credit cards with magnetic stripes to cards with a chip.
In what ways are chips safer than stripes?
Chip & Pin has been hacked too, however:
- http://www.theregister.co.uk/2012/09/13/chip_and_pin_security_flaw_research/
- http://www.nbcnews.com/id/49020916/ns/technology_and_science-security/t/criminals-crack-european-chip-and-pin-cash-card-security/#.UuFNyk4o6Xk
- http://www.zdnet.com/chip-and-pin-crack-code-released-as-open-source-3040090637/
- http://www.zdnet.com/chip-and-pin-is-broken-say-researchers_p2-3040022674/
I was listening to NPR talk about this topic this morning. Apparently most of the world aside from the US has moved away from magnetic stripes.
@agweber That may well be true. I'm in the Netherlands (tiny country between Germany and France) and we do still have mag stripes on our cards, while they shouldn't be used anymore, to give shops the time to buy alternative payment machines.
Well, everything's hackable if you want to get meta. It's more like: how difficult is it to hack, and is the reward worth my time to hack it at all?
As an aside, how is a chip used in online transactions? Is it just as safe as an in-person transaction? What I see is that a backup magnetic stripe can be used, but that seems counterproductive to the whole reason to have a chip in the first place. https://www.citi.com/credit-cards/template.do?ID=chip-technology-questions
Bear in mind that debit cards (e.g. `Maestro`) are more secure than normal credit cards (MasterCard) because they require ONLINE verification of the PIN.
The difficulty of pulling that off compared to skimming a magnetic strip is like the difference between running 5 KM start to run and the iron man.
@Jim - online transactions are card-not-present. They don't work off of either, they just work off the card number and typically the vendor must pay a higher fee because of the higher degree of risk associated with card-not-present transactions.
It's more like the difference between a 1 km leisurely walk and winning an iron-man challenge.
But isn't that always the way - magstripe cloning probably started off reasonably hard, but the cost of kit comes down, people automate the process... chip&pin should be inherently harder than magstripe, but not prohibitively so in the long run. And of course there's always the obligatory wrench-attack: https://xkcd.com/538/
@Jim in Belgium the bank issues a challenge and you need the chip and a special device+PIN to get the response for it
@agweber Might be true indeed. I haven't moved around all the world, but here in Norway we have been using the chips as the de facto standard for some years now.
@11684 In all countries I know, bank cards still have a magnetic strip that can be used by ATM. But it's more difficult to skim in a shop since the card typically stays mostly out of the machine when using the chip.
It really is hard to believe that the USA is still using non-chip cards. I think I vaguely remember my parents having those when I was a young kid.
Back in the 90s, I used to work at a club that issued membership cards. For some reason the card writer we had at the time was capable of writing the same data as used on bank cards (can't remember the details but I seem to recall it was multi-track?). I read my bank card and wrote the same data back to a membership card which I could use to draw out cash from my account. It was a great party trick.
You can't clone the chip.
A magnetic strip holds a secret number, and if someone knows that number they can claim to be the owner of the card. But if a bad guy swipes the card, they then know the number, and can make their own card, i.e. "cloning". This has turned out to be a major practical problem with magstripe cards.
A chip also holds a secret number. However, it is securely embedded in the chip. When you use the card, the chip performs a public key operation that proves it knows this secret number. However, it never reveals that secret number. If you put a chipped card in a bad guy's machine, they can impersonate you for that one transaction, but they cannot impersonate you in the future.
All of the above assumes that the implementation of the chip is good. Some chips have been known to have implementation flaws that leak the secret code. However, chip and pin is now pretty mature, so I expect most of these issues have been ironed out.
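The contrast this answer draws between static stripe data and a chip that proves knowledge of a secret, as an added sketch that is not part of the original answer. Textbook RSA over two small constructed primes stands in for the chip's public key operation; it is not the EMV protocol, the key size is illustrative only, and all class and function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy key built from two Mersenne primes. Far too small for real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                              # public modulus, known to terminals
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, stays inside the chip

def _digest(message: bytes) -> int:
    """Hash a challenge and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

class MagstripeCard:
    """Static data: whatever the reader sees is everything the card has."""
    def __init__(self, track_data: bytes):
        self.track_data = track_data
    def swipe(self) -> bytes:
        return self.track_data

class ChipCard:
    """Holds the private exponent and only ever outputs signatures."""
    def __init__(self, private_exponent: int):
        self._d = private_exponent
    def sign(self, challenge: bytes) -> int:
        return pow(_digest(challenge), self._d, N)

def verify(challenge: bytes, signature: int) -> bool:
    """Terminal-side check that needs only the public key (N, E)."""
    return pow(signature, E, N) == _digest(challenge)

def skim_and_replay() -> dict:
    stripe = MagstripeCard(b"CONSTRUCTED-TRACK-DATA-0000")  # constructed sample
    chip = ChipCard(D)
    # A rogue reader records one interaction with each card.
    skimmed_track = stripe.swipe()
    seen_challenge = secrets.token_bytes(16)
    seen_signature = chip.sign(seen_challenge)
    # Later, an honest terminal issues a fresh random challenge.
    fresh_challenge = secrets.token_bytes(16)
    return {
        "stripe_clone_accepted": skimmed_track == stripe.swipe(),
        "recorded_signature_valid_once": verify(seen_challenge, seen_signature),
        "replayed_signature_accepted": verify(fresh_challenge, seen_signature),
        "genuine_chip_accepted": verify(fresh_challenge, chip.sign(fresh_challenge)),
    }

if __name__ == "__main__":
    print(skim_and_replay())
```

The recorded stripe data is indistinguishable from the original on every later use, while the recorded signature only verifies against the one challenge it was produced for.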
While it is hard to reverse-engineer one of the chips which are usually used in chip-cards, it isn't impossible. It's just that you need lab equipment worth several thousand dollars and experts who know how to use it, while a magnetic stripe can be cloned by anyone with $100 hardware and step-by-step instructions.
There was an interesting talk about reverse-engineering of chip-cards at the Chaos Communication Congress last year, unfortunately in German: http://www.youtube.com/watch?v=xlpudEdVv7A
IIRC the chip also supports a legacy mode which uses a CVV1 like the magnetic stripe (no crypto going on).
@Philipp For most crimes it is not enough to be able to clone the card, you also have to do it without the owner noticing and blocking it. If you have already stolen the card in order to bring it to your chip-scanning lab to copy it, why would you need a copy?
@eBusiness I could not just copy it. I could also read and even manipulate confidential data stored on it.
The current chip-enabled credit cards, at least here in the US, don't use crypto. My smartphone can use NFC to steal all the info that is on the chip in my Visa card (which includes everything that is on the magnetic strip).
You can clone a chip, as noted in this question http://security.stackexchange.com/questions/46319/why-emv-cards-cannot-be-cloned/, and it's more trivial than using equipment beyond the reach of most. It takes much more effort and equipment than a magstripe copy, but it can still be done for under $1000.
Also, there are non-technical security benefits to the chip & pin system. For example, if you are paying for your meal at a restaurant, if you use a magstripe card, you typically hand your card to the waiter after he brings the check. He then usually processes your transaction at the cash register, which means your card leaves your sight for a minute or so, ample time to clone your card if anyone in the restaurant staff is a crook. With a chip card, a portable POS device is needed, or the customer goes to the cash register, the card being in his or her sight the whole time.
@Bob this is true. But this has to be enabled by the issuer of the card. Still, the chip cannot be cloned. Yet, if enabled, one might create a magstripe with that information or just use it online. This is a high risk for contact-less payment cards as the owner might not notice that his card gets copied.
In the UK, chip-and-pin has been standard for ages. You'll have trouble paying with an American chip-less card in many places. Online transactions are done with a challenge-response to the card's chip, requiring a (free) card reader, the card to be present and you to know the PIN. Also, Credit Cards are safer than Debit Cards, as the bank has insurance for fraud and refunds on Credit, but if there are dodgy transactions of your Debit card then you are liable.
@OrangeDog I agree with most of your answer, but a couple of points: card readers are not free; merchants typically rent these (at about £30 per month) although PayPal Here is an interesting alternative. Consumers are not liable for debit card fraud (provided they've not been negligent) but you are correct that credit cards are safer, because during the dispute on a debit card you are out of pocket, while on a credit card the card issuer is out of pocket.
@Philipp At least the chips used here in Germany are very safe. The only hack I know of with current generation cards is to grind (is that the correct word here) the card, take pictures of all the layers of the chip with a microscope, semi-automatically stick them together on a PC and use software to semi-automatically recreate the data from these images. Pro: You can even pay without knowing the PIN then. Con: Card is destroyed, owner will notice! Also very very expensive and time consuming. Thieves here just copy the legacy magnetic stripe and use the clone in some 3rd world country or USA!
@paj28 card readers for online banking authentication are free (at least all mine were). I wasn't referring to merchant terminals.
@paj28 online banking helper machines are usually free from the bank, although if you lose / break it, I guess the bank could ask for money for a new one. Details of the system here: https://en.wikipedia.org/wiki/Chip_Authentication_Program