Recently I received a new debit card which has both a magnetic stripe and a chip (as did my previous card).

I know the magnetic stripe can be easily copied whereas the chip system hasn't been compromised (yet?). I suppose the stripe is still there for legacy purposes, even though in the last years I've not seen nor heard of a terminal or ATM that didn't accept chip payment.

As far as I am concerned, that's like buying a new fancy lock for your front door while leaving the back door unlocked. Is that analogy right, i.e. is a card with a stripe AND chip no more secure than a card with just a stripe? And if so, why would my bank allow such a security risk? Why not get rid of the stripe altogether?

PS: If it matters, I live in the Netherlands.

EDIT: For clarity, I'm mostly concerned about the following scenario:

A thief skims an ATM (probably (?) chip payment), but can still get the stripe because the card goes into the ATM. Suppose he reads my PIN too. He then fabricates a new card and empties my bank account.

Kvothe

  • I had a debit card with an (unintentionally) damaged magnetic stripe for years. I never had a problem with it... until I went on vacation in Sweden where no ATM would accept it. As long as there is still a significant number of ATMs in the world incapable of using the chips, banks still need to hand out cards with stripes. – Philipp Apr 08 '14 at 19:53
  • @Philipp Swedish ATMs are chip capable, but it requires a valid magstripe to open the "shutter" over the card slot that prevents foreign objects from being inserted. Buying a SkimProt and putting it over your damaged magstripe will make it usable in all ATMs that are chip-capable, and still make you secure against theft, as the magstripe will then only contain 0000000000000000 as card number but still be valid in the sense that it opens the "shutter" door. – sebastian nielsen Sep 11 '16 at 23:51

4 Answers

Details depend on bank, card type and country, so they vary quite a lot, but the generic model is the following:

  • The magnetic stripe contains, mostly, a computer-readable copy of the information embossed on the card: account number, holder name, expiration date.
  • The chip contains a secret key which is used to "sign" (not necessarily a true signature; often a MAC) transactions.
  • The chip knows the PIN code and refuses to work until the PIN code has been presented; it also locks itself if too many wrong PIN codes are presented.

When a payment terminal uses the magnetic stripe, it must talk to the bank, establish a secure tunnel with the bank, send the PIN code entered by the user, and verify that the owner's account has enough money on it.

On the other hand, when a payment terminal uses the chip, the PIN code is sent to the chip only, and there is little need to talk to the bank at all. The whole transaction can be conducted offline. Of course, for big amounts, it is still a good idea to talk to the bank to know whether that much money exists on the buyer's account, but small transactions can be done efficiently with no network at all.

Thus, the magnetic stripe and the chip are used in two different ways, and having both does not mean that the security is lowered to the security of the weaker of the two. From the bank point of view, chips are better, because they are more efficient (no need to handle a network call) and harder to clone (statistics show a fraud rate divided by about 10). This is often translated into financial advantages granted to merchants who switch to chip-aware terminals.

There can be variants in all of the above. For instance, some cards include in the magnetic stripe an encrypted version of the PIN code -- but it won't be verified in the payment terminal. Instead, the terminal will have to talk to a regional bunkerized server that knows the decryption key and can do the verification. For some other card types, it is pretty clear that the magnetic stripe does not know anything about the PIN code, e.g. the chip-less American Express cards (from a few years ago) where you could change your PIN code by phoning your bank.

In any case, all the security features of a debit or credit card are not meant to protect you. They protect the bank. From the point of view of the bank, you are the enemy (regardless of what they claim in their ads).

Thomas Pornin

  • What if the ATM is skimmed? I don't know how it works in other countries, but here the bank always ends up with the bill. – Kvothe Apr 08 '14 at 19:26
  • Skimming copies the magnetic stripe and tries to get the PIN code as well (e.g. with a well-placed camera). This allows crafting a fake card with _only_ the magnetic stripe. That fake card will work on all systems which accept a chip-less card. This is one of the reasons why banks work at transitioning to mandatory chip usage, but they still ship cards with a stripe because the transition is not complete yet. In effect, the weakness is not the presence of the magnetic stripe, but the fact that there still are terminals that work on the stripe. – Thomas Pornin Apr 08 '14 at 19:38
  • In France nobody uses the stripe. In Canada, chip usage is very recent (about 5 years or so) and not all merchants have switched yet. Chip usage in North American cards has been stalled for 20 years (1986 to 2006) because of the 1986 French patent on smart cards (a patent that expired in 2006...). – Thomas Pornin Apr 08 '14 at 19:39
  • Oh okay, so effectively they are picking legacy support for outdated terminals over a bit of security? – Kvothe Apr 08 '14 at 19:47
  • Yes. And since it is _their_ money in the end, and banks tend to have a good grasp of money (in all senses of the word), I kinda trust them for making the decision which minimizes their losses. – Thomas Pornin Apr 08 '14 at 19:49
It is a question of liability:

  • If a merchant uses chip & PIN, and the transaction turns out to be fraudulent, the card issuer pays for the fraud (assuming the merchant has not been negligent).
  • If a merchant uses the magnetic stripe, and the transaction turns out to be fraudulent, the merchant pays for the fraud.

When chip & PIN was first introduced, in theory a merchant could have made a business decision not to pay for the new card terminals and just to accept the fraud liability. In practice, everyone decided to move to chip & PIN, which is exactly what the card schemes wanted.

paj28

They have the magnetic stripe for backwards compatibility. The raised surface of the numbers on some cards ensures that even legacy manual swipe systems will work should the power go off.

user8230

Depending on the bank and card type, there can be several reasons for a magnetic stripe to exist on a card:

  • Backward compatibility: there are old terminals that can't accept chips. Also, chip card processing is not as well standardized as magnetic stripe card processing (yet), and is more complicated too, so a terminal may be able to accept only certain type(s) of chip.

  • The magnetic stripe can be used as a back-up, in case the chip becomes faulty. Details vary from bank to bank; some may have a policy limiting the amount or frequency of using the card in such a way, or even disallow it altogether. Usually the procedure requires that the chip be tried first, and only if it can't be processed can the magnetic stripe be used. Bank policy may require the cardholder to report such a case, or accept liability.

As for your concern about reading the PIN from the magnetic stripe, normally a PIN of any form isn't contained in the stripe. The primary use of the PIN is to authenticate the cardholder, i.e. only the cardholder knows the PIN and can perform a transaction (the PIN is also stored securely by the bank, and should be irretrievable). If the PIN were included on the magnetic stripe, anyone with the proper equipment could read/skim the stripe and get it.

lenin