184

After the recent Target hack there has been talk about moving from credit cards with magnetic stripes to cards with a chip.

In what ways are chips safer than stripes?

Gilles 'SO- stop being evil'
Thomas
  • 6
    ever put a strong magnet to a stripe? – ratchet freak Jan 23 '14 at 14:33
  • @ratchetfreak What would happen? – thefourtheye Jan 23 '14 at 16:31
  • @thefourtheye erase the mag stripe – ratchet freak Jan 23 '14 at 16:55
  • 13
    @ratchetfreak Wouldn't that make the chip more secure (albeit, unusable)? – BanksySan Jan 23 '14 at 18:22
  • 16
    I was listening to NPR talk about this topic this morning. Apparently most of the world aside from the US have moved away from magnetic stripes. – agweber Jan 23 '14 at 18:59
  • 5
    @BanksySan Security is Privacy, Integrity, *Availability*. – David Jan 23 '14 at 20:08
  • @agweber That may well be true. I'm in the Netherlands (tiny country between Germany and France) and we do still have mag stripes on our cards, while they shouldn't be used anymore, to give shops the time to buy alternative payment machines. – 11684 Jan 23 '14 at 20:15
  • As an aside, how is a chip used in online transactions? Is it just as safe as an in-person transaction? What I see is that a backup magnetic stripe can be used, but that seems counterproductive to the whole reason to have a chip in the first place. https://www.citi.com/credit-cards/template.do?ID=chip-technology-questions – Jim Jan 23 '14 at 20:35
  • Bear in mind that debit cards (e.g. `Maestro`) are more secure than normal credit cards (MasterCard) because they require ONLINE verification of the PIN. – Richard Le Mesurier Jan 23 '14 at 20:56
  • 2
    @Jim - online transactions are card-not-present. They don't work off of either, they just work off the card number and typically the vendor must pay a higher fee because of the higher degree of risk associated with card-not-present transactions. – AJ Henderson Jan 23 '14 at 21:34
  • These cards *are* coming to the US! –  Jan 24 '14 at 04:29
  • 4
    @Jim in Belgium the bank issues a challenge and you need the chip and a special device+PIN to get the response for it – ratchet freak Jan 24 '14 at 09:14
  • @agweber Might be true indeed. I haven't moved around all the world, but here in Norway we have been using the chips as the de facto standard for some years now. – Arve Systad Jan 24 '14 at 09:58
  • @11684 In all countries I know, bank cards still have a magnetic strip that can be used by ATM. But it's more difficult to skim in a shop since the card typically stays mostly out of the machine when using the chip. – Relaxed Jan 24 '14 at 11:42
  • 1
    It really is hard to believe that the USA is still using non-chip cards. I think I vaguely remember my parents having those when I was a young kid. – TRiG Jan 24 '14 at 13:16
  • 1
    Chip & Pin has been hacked too, however: - http://www.theregister.co.uk/2012/09/13/chip_and_pin_security_flaw_research/ - http://www.nbcnews.com/id/49020916/ns/technology_and_science-security/t/criminals-crack-european-chip-and-pin-cash-card-security/#.UuFNyk4o6Xk - http://www.zdnet.com/chip-and-pin-crack-code-released-as-open-source-3040090637/ - http://www.zdnet.com/chip-and-pin-is-broken-say-researchers_p2-3040022674/ – Brian Minton Jan 23 '14 at 17:18
  • 1
    Well everything's hackable if you want to get meta. It's more like how difficult is it to hack is the reward worth my time to hack it at all. – Michael J. Calkins Jan 23 '14 at 20:28
  • The difficulty of pulling that off compared to skimming a magnetic strip is like the difference between running 5 KM start to run and the iron man. – Lucas Kauffman Jan 23 '14 at 21:31
  • It's more like the difference between a 1 kM leisurely walk and winning an iron-man challenge. – Lawrence Dol Jan 24 '14 at 00:39
  • 1
    but isn't that always the way - magstripe cloning probably started off reasonably hard, but the cost of kit comes down, people automate the process... chip&pin should be inherently harder than magstripe, but not prohibitively so in the long run. And of course there's always the obligatory wrench-attack: https://xkcd.com/538/ – Chris H Jan 24 '14 at 08:50
  • Back in the 90s, I used to work at a club that issued membership cards. For some reason the card writer we had at the time was capable of writing the same data as used on bank cards (can't remember the details but I seem to recall it was multi-track?). I read my bank card and wrote the same data back to a membership card which I could use to draw out cash from my account. It was a great party trick. – Basic Apr 13 '15 at 11:28

5 Answers

231

You can't clone the chip.

A magnetic strip holds a secret number, and if someone knows that number they can claim to be the owner of the card. But if a bad guy swipes the card, they then know the number, and can make their own card, i.e. "cloning". This has turned out to be a major practical problem with magstripe cards.

A chip also holds a secret number. However, it is securely embedded in the chip. When you use the card, the chip performs a public key operation that proves it knows this secret number. However, it never reveals that secret number. If you put a chipped card in a bad guy's machine, they can impersonate you for that one transaction, but they cannot impersonate you in the future.

All of the above assumes that the implementation of the chip is good. Some chips have been known to have implementation flaws that leak the secret code. However, chip and pin is now pretty mature, so I expect most of these issues have been ironed out.

paj28
  • 60
    While it is hard to reverse-engineer one of the chips which are usually used in chip-cards, it isn't impossible. It's just that you need lab equipment worth several thousand dollars and experts who know how to use it, while a magnet stripe can be cloned by anyone with $100 hardware and step-by-step instructions. – Philipp Jan 23 '14 at 14:59
  • There was an interesting talk about reverse-engineering of chip-cards at the Chaos Communication Congress last year, unfortunately in German: http://www.youtube.com/watch?v=xlpudEdVv7A – Philipp Jan 23 '14 at 15:16
  • 2
    IIRC the chip also supports a legacy mode which uses a CVV1 like the magnetic stripe (no crypto going on). – Bob Jan 23 '14 at 16:32
  • 33
    @Philipp For most crimes it is not enough to be able to clone the card, you also have to do it without the owner noticing and blocking it. If you have already stolen the card in order to bring it to your chip-scanning lab to copy it, why would you need a copy? – aaaaaaaaaaaa Jan 23 '14 at 16:38
  • @eBusiness I could not just copy it. I could also read and even manipulate confidential data stored on it. – Philipp Jan 23 '14 at 16:49
  • 6
    The current chip-enabled credit cards, at least here in the US, don't use crypto. My smartphone can use NFC to steal all the info that is on the chip in my Visa card (which includes everything that is on the magnetic strip). – wingedsubmariner Jan 23 '14 at 17:44
  • 5
    You can clone a chip, as noted in this question http://security.stackexchange.com/questions/46319/why-emv-cards-cannot-be-cloned/, and it's more trivial than using equipment beyond the reach of most. It takes much more effort and equipment than a magstripe copy, but it can still be done for under $1000. – Owen Jan 23 '14 at 18:00
  • 11
    Also, there are non-technical security benefits to the chip & pin system. For example, if you are paying for your meal at a restaurant, if you use a magstrip card, you typically hand your card to the waiter after he brings the check. He then usually processes your transaction at the cash register, which means your card leaves your sight for a minute or so, ample time to clone your card if anyone in the restaurant staff is a crook. With a chip card, a portable POS device is needed, or the customer goes to the cash register, the card being in his or her sight the whole time. – Boluc Papuccuoglu Jan 24 '14 at 00:07
  • @Bob this is true. But this has to be enabled by the issuer of the card. Still, the chip cannot be cloned. Yet, if enabled, one might create a magstripe with that information or just use it online. This is a high risk for contact-less payment cards as the owner might not notice that his card gets copied. – cimnine Jan 24 '14 at 09:19
  • 4
    In the UK, chip-and-pin has been standard for ages. You'll have trouble paying with an American chip-less card in many places. Online transactions are done with a challenge-response to the card's chip, requiring a (free) card reader, the card to be present and you to know the PIN. Also, Credit Cards are safer than Debit Cards, as the bank has insurance for fraud and refunds on Credit, but if there are dodgy transactions of your Debit card then you are liable. – OrangeDog Jan 24 '14 at 10:22
  • 1
    @OrangeDog I agree with most of your answer, but a couple of points: card readers are not free; merchants typically rent these (at about £30 per month) although PayPal Here is an interesting alternative. Consumers are not liable for debit card fraud (provided they've not been negligent) but you are correct that credit cards are safer, because during the dispute on a debit card you are out of pocket, while on a credit card the card issuer is out of pocket. – paj28 Jan 24 '14 at 10:26
  • @Philipp At least the Chips used here in Germany are very safe. The only hack I know of with current generation cards is to grind (is that the correct word here) the card, take pictures of all the layers of the chip with a microscope, semi-automatically stick them together on a PC and use a software to semi-automatically recreate the data from this images. Pro: You can even pay without knowing the PIN then Con: Card is destroyed, owner will notice! Also very very expensive and time consuming. Thieves here just copy the legacy magnetic stripe and use the clone in some 3rd world country or USA! – Josef Jan 24 '14 at 10:27
  • 2
    @paj28 card readers for online banking authentication are free (at least all mine were). I wasn't referring to merchant terminals. – OrangeDog Jan 24 '14 at 11:19
  • @paj28 online banking helper machines are usually free from the bank, although if you lose / break it, I guess the bank could ask for money for a new one. Details of the system here: https://en.wikipedia.org/wiki/Chip_Authentication_Program – rjmunro Jan 24 '14 at 14:05
  • You can't clone the chip, but the card number is still imprinted on the card. So you could still copy the card credentials and use it for an online purchase. Only way to stop this is to stop printing the name and other details on the card. – Engineer2021 Jan 27 '14 at 15:39
70

The chip carries out a cryptographic operation on data passed to it that requires knowledge of the key that is strongly protected within the chip - so an attacker cannot easily copy the card.

That said, there have been some successful research papers on timing or power attacks, but these are from lab conditions, and probably not a real worry in the wild.

In the UK pretty much all bank cards are chip and pin - which does lead to one of our most common types of fraud: The magstripe is skimmed, and the details used in a country with no chip and pin infrastructure.

Rory Alsop
  • 2
    +1 for magstripe fraud abroad. It was also the case for a while that some cash machines only checked magstripe. I think this is now fixed – paj28 Jan 23 '14 at 14:16
  • IIRC the chip also supports a legacy mode which uses a CVV1 like the magnetic stripe (no crypto going on). – Bob Jan 23 '14 at 16:32
  • 2
    Also the man-in-middle attack was proven some time back. Going to become much easier with such powerful mobile devices we all carry. – Richard Le Mesurier Jan 23 '14 at 21:00
  • 4
    Is it possible to get a chip and pin card *without* a magnetic stripe? – gerrit Jan 24 '14 at 11:26
  • @gerrit a strong magnet corrupts the magnetic stripe, so just diy it :) – ratchet freak Jan 24 '14 at 13:43
  • The problem is that it's pretty easy to make a fake chip and pin machine to record the PIN, and read the stripe and the printed information on the card. You can then make a clone card to use in US machines & you have the PIN. – rjmunro Jan 24 '14 at 14:07
  • ISTR a researcher in the UK deliberately frying the chips then trying the cards in holes-in-the-wall - which fell back on using the mag stripe data without any complaint.....but this was some time ago. – symcbean Jan 24 '14 at 20:36
  • Also works non-abroad, you can damage the chip, and after 3 attempts with the broken chip, it will ask you to use the mag stripe (in about 80% of the machines I have used in NA). So at this moment it adds almost no additional security, but eventually/hopefully they will phase out the mag stripe completely – Spooks Jan 29 '14 at 19:41
  • @Spooks, your bank is told that the mag stripe was used, so can use it as part of a data mining system to detect stolen cards. – Ian Ringrose Feb 01 '14 at 16:04
  • @Spooks some merchants in the UK are *very* reluctant to take magstripe transactions for just this reason (which can be a pain for foreigners with non-chip cards). – Peter Green Dec 13 '15 at 01:21
34

The magnetic strip contains the exact information used to identify the card. The chip holds a piece of information that it doesn't share, but that it can use to prove it has that information.

Thus, a magnetic stripe is dumb and can be copied, but since the chip doesn't give out its secret, a vendor can't simply copy it when you use it.

A magnetic stripe says "I'm credit card ABC." when the point of sale asks the number. With a chip the point of sale says "what is your response to this random value?" and the chip gives a response that the point of sale can validate, but since the next point of sale will use a different random value, the response is useless to a thief.

AJ Henderson
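
The difference between static stripe data and a challenge-response chip, as an added example that is not part of the original answers. It is a simplified model, not EMV: a shared-key HMAC stands in for the card's real cryptographic operation, and `ChipCard`, `Verifier` and the track bytes are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets


class ChipCard:
    """Holds a key that is used inside the chip and never handed to the reader."""
    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Stand-in for whoever validates the card (terminal or issuer)."""
    def __init__(self):
        self._stripes = set()   # enrolled static track data
        self._chip_keys = {}    # card_id -> key used to check responses
        self._pending = {}      # card_id -> outstanding one-time challenge

    def enroll_stripe(self, track):
        self._stripes.add(track)

    def enroll_chip(self, card_id, key):
        self._chip_keys[card_id] = key

    def accept_swipe(self, track):
        # A stripe is only data: a copy of the bytes is as good as the card.
        return track in self._stripes

    def new_challenge(self, card_id):
        self._pending[card_id] = secrets.token_bytes(16)
        return self._pending[card_id]

    def accept_response(self, card_id, response):
        challenge = self._pending.pop(card_id, None)  # each challenge is single-use
        key = self._chip_keys.get(card_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    verifier = Verifier()
    track = b"CONSTRUCTED-TRACK-DATA-0000"  # constructed sample, not a real card
    verifier.enroll_stripe(track)
    key = secrets.token_bytes(32)
    chip = ChipCard("card-1", key)
    verifier.enroll_chip(chip.card_id, key)
    results = {"stripe_replay": verifier.accept_swipe(track)}  # copy of swiped bytes
    recorded = chip.respond(verifier.new_challenge(chip.card_id))
    results["chip_genuine"] = verifier.accept_response(chip.card_id, recorded)
    verifier.new_challenge(chip.card_id)  # next transaction, fresh random value
    results["chip_replay"] = verifier.accept_response(chip.card_id, recorded)
    return results
```

The recorded chip response is rejected on the second transaction because it was computed over a different random value, while the recorded stripe bytes are accepted every time.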
16

Other answers already given are correct, but I would like to give the following as an answer with no technical background required on part of the person asking:

When you use a magnetic strip Credit Card, the device is saying to the card: "My user will input a PIN to verify, let me read your strip so I can check it".

( EDIT:

OK, the above paragraph is not what actually happens. But the POS (or other) device reads (or is capable of reading) all the information contained in the strip. That means you can manufacture a card which is for all intents and purposes a copy. )

When you use a chip Credit Card, the device is saying to the chip on the card: "My user has provided 4567 as the PIN, is it correct?"

Now, because the chip is smarter than a magnetic strip (which is in effect only a store for data), it can answer this question. This way, the PIN can stay hidden.

  • 7
    This is not correct. The PIN is not stored on the magstrip (although it is right that the chip can authenticate the PIN). The problem with magstrip is cloning of the card to be used without a PIN, not leaking the PIN. –  Jan 23 '14 at 18:36
  • Yes, that's true, my bad. But the gist of my answer is this: the device READS (or can read) THE WHOLE INFORMATION stored on the magnetic strip. Whereas with a chip you can withhold the information from any devices and ask the chip to authenticate information. – Boluc Papuccuoglu Jan 23 '14 at 20:49
  • The device afaik does not verify a magstripe PIN. The magstripe PINs get sent upstream online to the bank for validation. The magstripe does not contain enough info on the tracks to validate a PIN (at least not MasterCard nor Visa) – Richard Le Mesurier Jan 23 '14 at 21:03
  • 1
    +1 for the edit - the new explanation is good. – Richard Le Mesurier Jan 23 '14 at 21:09
  • 3
    If the device says to the card "the user entered PIN 1234" and the card says back, "that is correct", how, exactly, does the PIN remain hidden? – Lawrence Dol Jan 24 '14 at 00:36
  • 1
    @SoftwareMonkey the device is the input device for the pin you can't hide it from that, to prevent brute force the chip disables itself after 3 tries – ratchet freak Jan 24 '14 at 09:16
  • So someone can still steal the physical card and get the PIN from the POS system? There's no security to stop that scenario? For instance, if a cashier runs the card for you, and "forgets" to give it back, and has a way to read the memory of the POS? – iconoclast Jan 24 '14 at 16:16
  • 1
    @iconoclast: Indeed, but I think the assumption is that the POS device is at least as hard as the card to manipulate. I don't know how feasible it would be to build an "evil" POS terminal that logs all pin codes, but you still need to steal the card which the cardholder will probably notice (contrary to the magstrip case where you can quickly copy the card without the owner noticing). – Emil Styrke Jan 27 '14 at 12:00
  • @EmilStyrke, common (legitimate) POS terminals for chip & pin will have internal kill switches and protective membranes to disable them in the event of tampering. However, the spirit of the standards is often poorly implemented by the card industry, to the point that these protections are trivially bypassed. Authenticating a never-before-seen C&P terminal as being legitimate and unmodified alas remains unresolved (undeployed), yet user opinion drives this as most users will implicitly trust such terminals with no further thought of verifying tamper seals/protective marks (impractical anyway). – Cosmic Ossifrage Jun 17 '15 at 23:08
7

You might want to clarify your question - here's an answer as to why it's safer for the card issuer:

If a magstripe card is stolen it's quite easy for the thief to use it fraudulently - how often are signatures really checked (in fact in the US I've often had the card handed back to me before I've signed, even where extra ID isn't requested).

If a chip&pin card is stolen then used fraudulently, the card alone is not sufficient for use - a good thing of course - but that puts the onus on the owner to protect the pin (check the T&Cs). Say the card was stolen just after the owner used a cashpoint where the thief shoulder-surfed the PIN, then the thief is at least as likely to get away with using the card - and can now withdraw cash rather than just buying goods as a forged signature would allow.

Then of course there's the simple matter of intimidating (or worse) the victim of a theft into handing over the PIN.

Here's a BBC article - we're on chip&pin in the UK - a quote from near the end

[The victim's bank], Barclays, returned the £640 she had lost, but some banks can be reluctant to pay refunds if people have been careless with their Pin codes.

edit: generalised "bank" to "card issuer"

Chris H
  • 1
    If there's some particular way the asker should clarify their question, could you leave a comment on the question requesting that clarification? Comments are the place for clarification requests, rather than answers. Ironically it's unclear in what way you find the question unclear, so please be clear about that! – doppelgreener Jan 23 '14 at 23:28
  • @JonathanHobbs, fair enough, but I wasn't asking for clarification per se. I was answering the question from another point of view while acknowledging that the OP problem meant "safer for the user" – Chris H Jan 24 '14 at 08:37
  • You could check an ID, but the cashier has no knowledge that a signature is valid or that it belongs to the person. – Engineer2021 Jan 27 '14 at 15:40
  • Unfortunately, EMV (the Chip & PIN protocol) has numerous flaws which historically meant the card *is* sufficient. For instance, the "PIN okay" response from the card can be trivially subjected to a MITM attack, since the reply "all OK" 0x9000 signal from the chip to the PIN entry device is not authenticated (source: http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf). I have lost track of the current state of vulnerabilities in EMV such as these, but the banks have historically been reluctant to fix them. (Cheaper to pay-out in the handful of successfully challenged cases.) – Cosmic Ossifrage Jun 17 '15 at 23:17