4

I understand why credit cards with embedded chips are more secure (since they generate one time codes), but does this affect the added security benefits provided by the chip? Can cards still be cloned as long as they have magnetic strips, even if a chip is present, because of this?

Obviously some locations don't have chip-enabled terminals yet, so embedded chips can't be used for transactions everywhere. However, because of this, the card is still able to be read via magnetic strip (and thus able to be copied, since all the magnetic strip does is provide the card information unencrypted, no?).

For example, couldn't a thief install a credit card reader of his own at the point-of-sale, accumulate card data from people that way, and then duplicate people's cards to use? How can the chip prevent scenarios like this if it's not required (and magnetic strip can be used instead)?

Edit: The article suggested as answering this post doesn't. It touches on the subject but doesn't provide a full answer. It says:

"..the magnetic stripe and the chip are used in two different ways, and having both does not mean that the security is lowered to the security of the weaker of the two. ...chips are better, because they are more efficient (no need to handle a network call) and harder to clone (statistics show a fraud rate divided by about 10)."

It explains why most transitional cards have both, but doesn't provide many details about security advantages or disadvantages of pin/chip (separately or together). Why doesn't the magnetic strip compromise the security provided by the chip, especially if the chip is compromised somehow? It seems to, so my question still remains. The article suggested as answering this post just simply doesn't.

Also, korockinout13's answer (https://security.stackexchange.com/a/136416/52840) seemed to tell me what I wanted to know, but it seems to have been downvoted a lot, which seems odd considering it seemed to answer my question.

Netside
  • 41
  • 4
  • 1
    If you don't hand over the card to the merchant and use PIN, then it's not going to be cloned (presumably). So it's not nullifying. – Aria Sep 10 '16 at 00:31
  • 1
    The chip provides security benefits for card issuers and merchants. It is not designed to protect cardholders. Instead, it pushes a good chunk of fraud liability back to cardholders. – KristoferA Sep 10 '16 at 03:08
  • Also, I don't believe this question is a duplicate because the other related post only discusses why cards have both a magnetic strip and chip. I specifically want to know if the magnetic strip negates the security added by the chip. I can see where the confusion comes from since my OP wasn't so clearly written. Question should be more straightforward now, sorry for any confusion. Not sure if I should ask a new question (to receive new answers), but will check back soon. – Netside Jan 09 '17 at 04:34

3 Answers

4

Most terminals that are pin and chip enabled will force the user to use the chip when it is present on the card. The transition will be long in the USA, so the magnetic stripe is there for backward compatibility.

user123952
  • 41
  • 1
  • 2
    Yes, that's a good summary. But note that you can still exploit it: a fraudster with a stolen card will tinker with the chip to render it unusable; a terminal will notice a "broken" chip and ask the merchant for a fallback transaction with the magnetic stripe. – grochmal Sep 10 '16 at 01:13
  • Also, some things cannot read chips, such as smartphone credit card readers (Square/Stripe, etc.), and it seems a chip isn't required in those cases even for cards that have both strip/chip. This is what originally prompted my question. – Netside Jan 09 '17 at 04:55
  • I think grochmal's comment answers my question with a solid "Yes", but correct me if I am wrong (and I know this is an outdated, marked as duplicate post - although it isn't a duplicate IMHO, since a search may miss the posts suggested answer this one because of the title, etc.). The magnetic strip is obviously a security hazard, and not as secure as the chip (like if the card only had the chip but no traditional magnetic strip, it would be more secure). – Netside Jul 01 '17 at 01:11
1

Not all POS machines are PIN and Chip ready. Magnetic strip is available for the transition period.

user114258
  • 11
  • 1
  • Yes, thanks for saying this, because this makes me reask my question: Doesn't this make cards with both pin and chip less secure than if you had a card with only a chip, and no traditional magnetic strip at all? – Netside Jul 01 '17 at 01:08
-3

From what I've heard, the card's magstripe contains a binary flag that states whether or not the card has a chip. If the card reader supports chips, this flag being true causes the reader to force the use of the chip. Say someone clones your magnetic strip; all they have to do is modify that flag and set it to false and write it onto a blank card. Now, the card can be swiped without requiring the chip.

With that logic, it is possible to circumvent the forced chip reading, making chips less effective until they completely replace magnetic strips.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
  • 1
    This is almost true, except that the "flag" can't be modified without causing the entire card to be rejected by the bank, since the bank knows what it's supposed to be set to. There's other ways to work around it, as grochmal's comment on user123952's answer shows, but modifying the magstripe data is not one of them. – Bobson Sep 11 '16 at 00:52
  • Good answer and comment from both of you, thanks. This is more along the lines of what I was asking, although my original post wasn't written so clearly. I edited the question to be clearer. – Netside Jan 09 '17 at 04:52
  • Why was this answer downvoted so much? This made perfect sense to me. I updated/edited the OP to better communicate why this question doesn't seem to have been answered (since this answer was downvoted, it seems the point of my question wasn't interpreted well). Maybe more will be revealed about why this was downvoted so much. I'd really like to know, honestly. – Netside Jul 01 '17 at 01:29
  • To me, this answer confirms the answer to my question I suspected: "Yes, the strip makes the card less secure until everywhere is forced to use chip authentication", but why was it downvoted so much? I'd love to leave it at that and not dig deeper, but I feel there is something I'm missing. – Netside Jul 01 '17 at 01:35
  • It's downvoted because he veered off course after the second sentence, and everything from the third sentence onward related to simply changing the flag is false. Changing any data on the card will invalidate the card, and validation occurs on every transaction. – alzee Jul 01 '17 at 10:20
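
The "flag" discussed in this answer and its comments corresponds to the service code in ISO/IEC 7813 track data. The following is an added example, not code from any poster on this page: a simplified Python model of the terminal and issuer checks described above. The track strings, the PAN (a common test number), the decision labels and the issuer record store are constructed for illustration, and the record comparison is a simplified stand-in for the issuer's own validation.

```python
import re

# ISO/IEC 7813 track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")

def parse_track2(track):
    m = TRACK2.match(track)
    if not m:
        raise ValueError("not a track 2 record")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code}

def card_has_chip(service_code):
    # First service-code digit 2 or 6 means "use the chip where feasible".
    return service_code[0] in "26"

def terminal_action(track, terminal_reads_chip):
    """What a terminal does with a swipe before anything reaches the bank."""
    card = parse_track2(track)
    if terminal_reads_chip and card_has_chip(card["service_code"]):
        return "INSERT_CHIP"           # swipe refused, chip read forced
    return "SEND_SWIPE_FOR_AUTH"

def issuer_decision(track, terminal_reads_chip, issuer_records):
    """Issuer-side checks on a swiped transaction (hypothetical decision labels)."""
    card = parse_track2(track)
    record = issuer_records.get(card["pan"])
    if record is None:
        return "DECLINE_UNKNOWN_CARD"
    # The bank knows what the stripe is supposed to say, so an edited
    # service code or expiry no longer matches and the swipe is declined.
    if (card["service_code"], card["expiry"]) != (record["service_code"], record["expiry"]):
        return "DECLINE_TRACK_MISMATCH"
    # A chip card swiped at a chip-capable terminal is a fallback
    # transaction (chip reported unreadable): route it to fraud review.
    if card_has_chip(record["service_code"]) and terminal_reads_chip:
        return "REFER_FALLBACK"
    # Unaltered stripe at a magstripe-only terminal: static data matches.
    return "APPROVE"

# Constructed sample data: issuer record plus a genuine and an altered stripe.
ISSUER_RECORDS = {"4111111111111111": {"expiry": "3012", "service_code": "201"}}
GENUINE = ";4111111111111111=30122010000000000?"
ALTERED = ";4111111111111111=30121010000000000?"   # service code changed 201 -> 101

if __name__ == "__main__":
    print(terminal_action(ALTERED, True), issuer_decision(ALTERED, True, ISSUER_RECORDS))
    print(issuer_decision(GENUINE, True, ISSUER_RECORDS))
```
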