The reality, though, is that Apple Pay is an exceedingly secure mobile payment platform. In fact, it may very well be the safest way to make any type of credit card payment. To understand why, below is a general overview of how the system works behinds the scenes. Note that this article is meant to paint the Apple Pay process in broad strokes, as a good portion of the nitty-gritty technical details aren’t yet publicly known and, due to security considerations, may never be fully disclosed.
Keywords: credit card. Europe and much of the rest of the developed world has already left those insecure cards behind, using chip and PIN-based systems using debit cards instead. In other words, Apple Pay could be nice for the antiquated US payment market, where Apple still has a decent market share to pull this off.
Europe? I’m not so sure.
Here in the UK I can get through an entire day with just a single debit card. Tube from home to the centre of London using contactless payment (if I forget my Oyster card), lunch paid for using contactless payment, tube home using contactless payment, and any online purchases I make already have my card details. Even paying for a drink in a pub is now as straightforward as swiping across a reader. Aside from getting some cash from an ATM, I can’t even remember the last time I took my debit card out of my wallet to pay for something.
Apple’s new payment system might make some inroads in the US or other places where consumer payment facilities are particularly primitive, but it’s crazy to think that this will be popular in Europe or Asia.
I can’t even remember the last time I used an ATM, it’s probably been a year or two. I don’t own a credit card, either, I just pay for everything with debit card. I use PayPal as a man-in-the-middle when paying online for stuff, though, as then only PayPal has my card – details; don’t want to spread such things all over the Internet.
I could use Android and NFC to pay for things, but I just don’t really see the point; with a credit card I just put it in, type the PIN and that’s that. No fingering the screen or taking out an expensive piece of hardware somewhere where someone could easily bump into me and I could drop it, and so on. I agree with what you and Thom are saying: it’s unlikely Apple’s Pay-system will gain much traction.
So you exist without Cash then?
To be honest, I would not want to put my entire life on just one card which is what you are seemingly doing. I spread the methods of payment around using cards from different banks etc and use a lot of cash. I would not dream of buying a Coffee with a card. There again, I was brought up in an age before credit cards.
If the ‘spooks’ want to find out about you, you are making it ever so easy. Should you be doing that in this post Snowden age?
Yes. Cash is easy to steal, easy to lose and cumbersome.
As if using cash or not would change that. There are most likely already thousands of mistakes you’ve made here and there, using cash won’t magically make them disappear. Like, you know, do you have a job or other source of income? Well, there you go then. You seemingly use Internet, so there you go again. Do you have a phone? Well..
I’m not paranoid enough to think that some fairytale “spooks” would suddenly deem me so god damn important that they’d have to physically find me.
There’s always one!
Bring out the steel hats again to stop aliens reading out thoughts!
and completely anonymous.
So are kids. Should we stop to reproduce now?
Yep. Makes a huge difference. If you use a single system, your card provider knows almost everything about you by now (or can guess most of it with very high accuracy) and can do with this knowledge whatever he wants.
Wrong. Of course there are other sources of information like area ratings for addresses, the car you drive (if any), etc.. However, this is guesswork and therefore fairly limited (and sometimes completely wrong) because if is based on hypothesis about what is “normal”. E. g. somebody who lives in area X normally earns more than Y / year.
I worked for a marketing research company. We needed some tea drinkers for a test campaign. Without data of electronic payment systems, you could get such addresses only by guesswork or by organizing a competitions where you “sell you data” for the right to take part or other cumbersome and inaccurate methods. There was a huge amount of uncertainty in compiling an address list for such a campaign.
With electronic payment system data: No problem at all to buy a highly accurate list of tea drinkers (and its easy got get way more complex profiles)
You don’t have to be paranoid. Card data analysis is already common. The question is if you like to live with that and the consequences ..
Another point: Why do you think people tried to get as much cash as possible when the banking system in Cyprus or Grece started crashing.
Physical cash has some disadvantages. However, you are more or less in control what you do with it. Electronic cash gives full control to the provider of the system. At any time, in any place. Always.
Well, Germany here. Here I have to used ATMs all the time, and carry large amount of cash around, most places do not accept cards. Not sure why not, but shopping in Germany is a like stepping 20 years or more back in time.
Still if they resists card technology I can’t imagine why they would accept phone technology.
If you wonder why Germany loves cash so much – this might shed some light (crazy, I was just reading this article before juming on OSNews (-.): http://qz.com/262595/why-germans-pay-cash-for-almost-everything/
And I can do all that here in the US. I specifically live in Portland, OR but the same is true for most major cities here.
Now I will admit that it mostly isn’t contactless, but I personally don’t see that as a horrible burden. With a debit card, I do the swipe and enter my pin. If it is a credit card, more an more places allow for transactions without signature if they are below $50. Failing that, horror of horrors I have to wait a couple of seconds to sign something.
I don’t get where this “have to go to the ATM” stuff is coming from. Now personally I happen to like cash, but for the last three months I have done everything but very small transactions (like gum) with my debit card.
Even the food carts take credit cards thanks to Square, Authorize.net, etc.
One the key attractors of Apple pay for me is not having anybody I am paying seeing my card number or collecting my PIN number. The only real problems I have had on my debit card have been when I have used them a lot in places with low paid transient staff, such as petrol stations on a long road trip, where obviously at some point someone harvested my account data. Both times this happened the bank picked on the suspicious payments even before I did and said that data harvesting was the probable cause. So the idea of nobody in the entire payment process actually knowing my card numbers is an attractive idea. As to whether Apple Pay will gain any traction in Europe – who knows?
Tony Swash,
Some banks already offer this as a service by using one time card numbers.
http://www.bargaineering.com/articles/generate-time-credit-card-num…
It’s a pretty obvious thing to do, but unfortunately in the US we’ve been stuck with magstrip “dumb cards” for an eternity. And there’s no practical way to implement these security measures until all the places we visit support european EMV standards (restaurants, retailers, gas stations, grocery stores, museums, etc).
I appreciate that apple-pay (ie EMV + CVV3) is better than our dumb cards today, however it does concerned me that apple’s policy of banning competing implementations will discourage further innovation.
Edited 2014-10-05 02:37 UTC
Having just returned from a trip to the US it is actually impossible for a non resitent to pay for some things with a Credit/Debit card.
This is because certain establishments demand a ZIP code along with the Card vendor’s auth of the card. No US Zip code? No sale buddy. That means no sale to Canadians as well. Having been involved with the systems that handle Credit/Debit cards I find this insistence of a Zip code a bit strange. The Card Issuer will auth the transaction. Job done. If I stole a card then It would be easy to find the zip code of the owner so how can the insistens of a zip code make the transaction more secure especially when you have used a PIN already.
Then some states make paying for Gas with a card very difficult. For example in NJ, it is illegal to have self serve Gas Stations. The attendants prefer cash transactions.
I can’t speak for NJ, but for everything I discussed no zip codes are asked for or required. Including for gas. Perhaps things are different in the garden state, but I haven’t seen what you mentioned in any of the Cities I have lived in or visited for work or pleasure.
Zip codes are only supposed to be required for Card-Not-Present transactions online or over the phone. If you are in physical possession of the credit card, you just run it through the swipe and offer ID if requested.
We get a fair number of Canadians here in Portland, OR and not a single one has mentioned a problem using their credit cards, or complained about the US being some kind of hellish cashscape.
jockm,
From my experience setting up merchant accounts, it’s up to the individual merchants whether to verify the zip codes using “AVS”:
https://www.authorize.net/support/CNP/helpfiles/Account/Settings/Sec…
Here in new york some gas stations prompt for zip codes and others do not. I guess this is because “pay at the pump” stations can’t accept signatures, so they figure they’ll require the zip code instead. It’s uncommon but even some retailers need zip too. I would guess that places getting alot of tourists would not require the zip though.
Ultimately the US just needs to suck it up and upgrade it’s payment systems to meet international standards, we’ve been the lowest common denominator for far too long.
Edited 2014-10-06 16:57 UTC
Fair enough, and as I said I couldn’t speak for NJ (or NY for that matter). I can only speak for where I live, have lived, and visit.
Over the last several years more and more vendors have moved to a model where no signature, or any additional information is required for credit card purchases. Apparently the bigger (at least parts) of NY and NJ are behind the times in that regard. I sympathize with the poster who had that problem, but I still don’t think that represents the norm here in the US.
I think it’s coming from people who read about such things, but don’t actually experience them. I tend to keep a small amount of cash in my wallet, but that’s only for emergencies, and usually as cash back from a store transaction. Like you, I usually do everything via debit card (or electronic checks). I think I’ve been to an ATM once in the past 6 months.
Chip/Pin is coming to the USA, albeit slowly. Liability shifts are largely starting in October 2015. It’s a very large infrastructure that has to be changed, and someone’s got to pay for that.
Besides… given the number of exploits on the EMV vulnerability page I was just reading, it’s not that much more secure, it just gives banks more ability to claim it’s not their fault.
Debit cards and credit cards have nothing to worry about.
Apple is going after the swipe fees. Nothing revolutionary to see.
The article is about how secure Apple Pay is, and why it is so secure. Yes, more secure than Chip and Pin systems even.
It may be more secure, but most people don’t have any problems even with chip’n’pin debit cards and thus the question becomes: does Apple Pay really offer so much more convenient payment-experience over plain-old chip’n’n that it would be enough to sway people over?
I do not see it being such a radically superior experience that it’d be enough to push a system that people are already used to and which is already in use everywhere out of the way. Since it also only works for Apple-customers implementing it may just simply not be a cost-effective plan for most companies.
WereCatf,
I doubt the technology nor security will significantly drive adoption of apple pay, however apparently apple intends to ban alternative payment providers on the iphone.
http://www.cnet.com/news/apple-locks-down-iphone-6-nfc-to-apple-pay…
I am disappointed, though not surprised by this. It’s another instance where apple chooses to restrict users rather than allow them to choose between alternatives that are best for themselves. If things have merit, then they shouldn’t need to be forced on people (looking at you too google+ & metro).
Speaking of NFC innovation, bitcoin over NFC has real potential. It makes bitcoin much easier for average users!
http://www.coindesk.com/sigsafe-key-tag-brings-bitcoin-payments-nfc…
That is precisely why Apple is headed for irrelevance (again). People want choices.
People do not want choices of how to pay. They want to just pay. If ApplePay works everywhere people shop, then people won’t care that alternative payment systems are not available on their phone.
I don’t think they’ll lock down their NFC forever. It’s too useful, for instance to pair my camera to my phone. Apologists claim it’s to solidify the API before release, but personally I think it’s just to get a head start on the competition, ensuring they get the biggest possible customer base.
No. more secure than american credit card system, much less secure than chip and pin.
How? With Chip and PIN you have hand over your card data to the vendor and then punch your PIN out on a piece of kit whose security status is unknown, with Apple Pay the vendor never ever sees your card number.
Apple, your carrier and the bank see it, plus all the worms and virii roaming on your phone.
…and therefore any Government department which wants to see where you spend your money.
*Grammar Nazi Alert*
http://en.wikipedia.org/wiki/Plural_form_of_words_ending_in_-us#Vir…
Apple will, the carrier will not.
No, you do not. This is false, at least in The Netherlands. Shops do NOT see your PIN/account data whatsoever – only the payment provider does. This will still be the case for Apple Pay.
The payment provider still gets all your data with Apple Pay; this is no different than with chip and PIN. And, of course, an NFC terminal can be altered just as much as a regular PIN device.
Apple Pay might be more private/secure than credit cards – but not more secure and certainly not more private than chip and PIN.
EDIT: Just looked at Apple’s site, and this is where the confusion stems from:
“Every time you hand over your credit or debit card to pay”
Erm, I don’t know about how debit cards work in America, but you sure as hell do not hand over your debit card to anyone here in NL. Nobody sees or handles your card but you.
Edited 2014-10-04 20:57 UTC
Thom Holwerda,
That’s a curious difference, here not all places are setup for the customer to swipe their own card. For example, in most restaurants it’s the norm to physically hand over one’s card to a waitress where they take it away out of sight and then bring it back with a receipt for you to sign. At these kinds of establishments, it doesn’t matter if it’s a “debit card”, the merchant will still process it like a credit card as long as it has a visa/mastercard logo on it. My understanding is that in the US, a customer is only responsible for fraud when the pin is actually used.
I usually go to self-service gas stations, but in places like new jersey “full service” gas stations are mandated by law and customers are not supposed to touch the pumps, you are supposed to hand your card to the attendant. Another gas station near my job was self service, but you had to hand the card to the cashier who was sitting behind bullet proof glass.
All the movie theaters I’m aware of are the same, slide your card underneath a pane of glass, they’ll slide it back with your movie tickets.
We have street festivals with lots of venders. Many venders sell food/ice cream out of truck windows. Some accept credit cards, but you’ll typically have to pass your card to them to scan inside the truck.
I’m not saying everywhere’s like this, places like wallmart, home depot, burger king, grocery stores, will usually have payment systems that customers use themselves, but it’s just not universal.
Edited 2014-10-05 03:42 UTC
Alfman,
I can’t speak for the Netherlands, but in the UK ever since the Chip and PIN system was introduced, all transactions by credit or debit card require a PIN for authorisation (except for ‘contactless’ payments via NFC). This means the customer needs to be at the terminal when the card is being authorised.
If your card’s chip can’t be read for some reason, the magnetic stripe will be used – but because by default you need to key in your PIN, every place that accepts cards has to have some sort of customer-facing card terminal.
Is there are minimum transaction amount where if the transaction is over that amount you must use a PIN? Do you need to use a PIN to get cash back? There must be some scenarios where you need a PIN, or they wouldn’t have called it chip’n’pin
Its those scenarios where Apple Pay is at least theoretically more secure. Whatever scenarios use the PIN require sharing the PIN with the terminal (exposing it to capture). Apple Pay doesn’t use the PIN this way, the PIN is only used between you and your device.
I personally think the difference is splitting hairs – it isn’t that big of a deal imo. But it is different.
It is different as I outlined above. Its just debatable whether the difference is all that significant.
That’s the point though. Even if you completely own the data going in and out of an NFC terminal you will never see a PIN number in either system. The difference comes about when a PIN is required – in a chip’n’pin card scenario you have no choice but to enter your PIN on someone else’s keypad…
Of course Apple Pay isn’t the only solution to this – I’m not making an argument for Apple Pay in particular being better. But using a private device for PIN entry has advantages.
The PIN is ALWAYS used, no matter the size of the transaction.
But not during contactless NFC payments…
I’m not saying chip/pin isn’t superior to magstripe/swipe, because obviously, it is.
I wouldn’t assume it’s invulnerable, however:
http://threatpost.com/researchers-find-serious-problems-in-chip-and…
Definitely not the case in Poland… (I was just buying drugs in a pharmacy the other day where that happened, there was no physical way but to hand over the card over the counter)
And yet, I’m sure you’ll be able to generate a new token by speaking to a customer service representative armed with your date of birth, current address, and last four digits of your SSN.
Or something equally mindbogglingly simple that will completely undermine all the security provisions built into the service.
It can’t be both and this definitively isn’t an in-depth look. This article is also a good example of why people who don’t understand security shouldn’t write about security.
Uh…that’s not how math or encryption works. Of course it’s mathematically generated, that’s how secure tokens are created. You CAN’T create secure tokens without using math.
This reminds me of the guy who wrote to Bruce Schneier stating how his encryption algorithm was the most secure ever because it didn’t use any math. At all.
No, that’s not how it works.
Sooo….is it the number from the card or is it dynamically generated?
To summarize the article:
“Apple Pay is an implementation of the emerging EMV payment standard and a some people with a vested interest says it’s really secure so it must be”
I’m sure Apple Pay is secure enough and most likely an improvement over current schemes but this article is in no way an in-depth look at anything and it’s really much too early to say how good Apple Pay really is.
But it isn’t a secure token… I’m not saying math isn’t used to generate them, but I think the point the article was trying to get across was that these numbers are not hashes nor are they encrypted values – they are nothing more than surrogate keys.
1. You add a card to Apple Pay.
2. The request to do this is transferred to the Credit Card Company.
3. The Credit Card Company issues a unique “Apple Pay” Credit Card number to your device (the token).
Its just a surrogate key, it is not mathematically tied to anything. Without the Credit Card Company’s system linking the two together, there is no relationship between them whatsoever.
This is how I understand it works from what I have read so far…
The cryptogram (NOT the token) serves the same purpose as a CCV. In other words:
Token = Credit Card Number
Cryptogram = CCV
The main difference is the cryptogram changes for every purchase. It is generated on device and ties together the Surrogate card number, biometrics (or a pin), and the transaction info itself.
1. Credit Card Company knows the real credit card number, the surrogate credit card number (token), and the device Id (i.e. some form of public key derived from the Device itself plus biometrics/pin number acting as the private key).
2. Device knows the surrogate credit card number (the token), and generates a cryptogram using the private key (device Id, biometrics) plus transaction info.
3. The merchant gets nothing but the surrogate credit card number (token), the cryptogram, and the transaction info and sends them to the Credit Card Company for verification.
4. The previously problematic “real” credit card number still exists independently and can still be used in a pinch. But it is never exposed to anyone when using Apple pay – it isn’t even a part of the system – only the credit card company (the issuer) needs knowledge of it.
The cryptogram is essentially the transaction info digitally signed. If you have the Device ID (public key) and the surrogate credit card number (the token) you can prove it was generated by a device holding the same public key with knowledge of the surrogate key AND the private key (biometrics/pin number).
The beauty of the system, imo, is:
1. The credit card company doesn’t need to know your pin or biometric info – they just have a public key derived from it, whose only purpose is to validate the cryptograms.
2. The merchant never needs to know this info either, they just get a digital signature which is useless on its own.
3. The token (surrogate credit card number) won’t work without the cryptogram, and it isn’t mathematically tied to a real credit card number anyway. It is throw away information, completely worthless on its own.
ps. This may well be completely wrong, but it fits the descriptions I have read, assuming they are accurate. It also makes logical sense, so I’m inclined to think it is pretty close to reality. There also may be more layers involved, as I would not be surprised if the transaction info itself was encrypted somehow between the merchant and the credit card company to prove its validity independently, but that would not be part of Apple Pay itself.
galvanash,
Right or wrong, it’s a better description than what the article provided.
This is how I understand it as well. However keep in mind that a credit card number is itself a surrogate key. Having a new surrogate key for the old surrogate key adds indirection, but doesn’t fundamentally alter security by much unless it’s a one time key (which I’d expect that it is).
The problem with credit cards is that they’ve always conflated identification and authentication. When credit card numbers are used for identifying the account AND authorizing the transaction, that’s a major problem since anyone who has our account id can implicitly authorize additional transactions and commit fraud. Lots of places misuse SSN in the same manor. In principal, authorization should still be secure even if identity is public knowledge.
That’s where smart chips and NFC really shine, they makes electronic signatures via PKI practical. The digital signature is not merely ID, it is proof of authorization for a specific transaction. A merchant can copy your ID, but cannot forge your authorization.
I’m always iffy on using biometrics for security. Maybe they’re fine for convenient/casual logins, but it would be foolish to assume biometrics like fingerprints cannot be compromised. We leave them everywhere, and fingerprint hashes are computationally enumerable.
The article is pretty heavily implying that this is a one-way hash. I can’t see any other way how it could be a representation of the card number and also be in any way safe and secure to use. If it is not a cryptographic one-way hash then they really dropped the ball when creating this EMV standard. On the other hand, it’s the credit card industry so maybe they just went for obfuscated CRC32.
I do like how the author implies that the tokens are better because they’re not cryptographic and mathematically generated. Yeah, that’s not how it works buddy. Maybe writing articles on technical subjects isn’t for you.
Soulbender,
Really? Read this part again:
You seemed to assume that a one way hash is involved, but it isn’t required because a random surrogate key can be used to identify the account at the bank instead of the usual account number; no hashing. This surrogate key can be used in place of the normal account number within transactions.
On the one hand, one might think the surrogate key is safer because the underlying account number doesn’t need to be used in the transaction. However the corollary is now the account number doesn’t need to be present to make a transaction, and the surrogate key becomes just as vulnerable to theft as the legacy account number used to be.
So while the surrogate key hides the account number, it cannot provide transaction level security (unless it is changed between transactions), that’s where PKI signatures come in. The PKI signature is the cryptographic primitive that prevents forgery… I think you already get the crypto stuff.
Edited 2014-10-04 09:22 UTC
But then how is a random and unique 16bit number not mathematically generated?
Btw, doesn’t this mean it’s a just GUID/UUID?
Edited 2014-10-04 09:32 UTC
What’s guid enough for Apple is guid enough for me.
Not 16 bit, 16 digits… I.e. it is in fact just a regular credit card number, more than likely generated exactly the same way as all credit card numbers – using the ISO/IEC-7812 standard.
http://en.wikipedia.org/wiki/ISO/IEC_7812
I would guess each credit card company that supports Apple Pay is registering a particular IINS number to identify those as “Apple Pay” so they can receive special treatment in the authorization system – i.e. require cryptograms to authorize transactions instead of CCV code. Or maybe the authorization system is smarter than I think and abstracts the difference away entirely and just treats the cryptogram as a special form of CCV. Who knows…
All I was saying was they are not hashes or encrypted values – but they are generated mathematically (obviously) from a sequence. My understanding is that credit card numbers are not random at all, but they are not purely sequential either. Exactly how they come up with the 12 digit account identifier is anyone’s guess, but fundamentally it is just an opaque value – it has no purpose other than to serve as a unique key.
Its the cryptograms (digital signatures) that secure the system. The token (credit card number) really doesn’t matter. You could publish it on billboards and no one could do a thing with it.
Edited 2014-10-04 10:28 UTC
For the finance geeks or mathematically inclined – these are much more detailed explanations of Apple Pay written by someone who did alot more digging than I did:
http://pomcor.com/2014/09/14/apple-pay-emv-and-tokenization/
http://pomcor.com/2014/09/20/apple-pay-must-be-using-the-mag-stripe…
Long story short the consensus seems to be they basically just implemented the EMV contactless standard using “mag-stripe mode” – which is sort of a transitional standard meant to require minimal changes on the financial services side (which makes a whole lot of sense for the US market).
Fundamentally it more or less works like I described, but the links above give FAR more detail and specificity.
Upside, however, is for once it seems Apple avoided Not-Invented-Here syndrome – it is an implementation of a ratified standard. They may also in the future (conjecture) support EMV “standard” mode, in that case theoretically they would be inter-operable with European POS systems.
galvanash,
Good of you to follow up! That makes sense, although if true, apple’s press release was rather deceptive. It led us to believe that apple invented a new payment technology that would need to be deployed to merchants, when there’s no new technology at all and it’s using the legacy magstrip mode of EMV. I wish we could get a clear official answer rather than a vague press release.
Anyways using an existing standard will make apple-pay infinitely more useful.
I do have a question for anyone in the know: what is the max length of the cvv3 field specified to be in existing point of sale terminals (the dynamic, per transaction cvv value)? The static CVV2 pin written on the card is typically 3 chars long, which is nowhere near the number of bytes needed for a cryptographic signature. It makes all the difference between cryptographically secure transactions or merely playing a game of chance.
http://randomoracle.wordpress.com/2012/09/11/cvv3-demystifying-cred…
Edited 2014-10-04 16:40 UTC
I cant find the answer to that unfortunately…
So I misunderstood this too. Thing is mag stripe credit cards actually have 2 CVV codes. The CVV1 code is encoded on the mag strip and is not a 3 digit number (its a hash or something, but no one seems to want to disclose exactly what it is other than it is used to prove the card was physically present during a transaction). The CVV2 code is the one you are talking about (the 3 digit code on the back of the card). Its only real purpose is to act as a 2nd factor for card-not-present transactions (assumption being to know the CVV2 code you must have physical possession of the card – just having the mag stripe data won’t do it because it isn’t part of the mag stripe data).
The CVV3 code (dynamic CVV) replaces the CVV1 code, not the CVV2 code. It is meant to be a more secure mechanism for card-is-present transactions. The CVV1 code is static and cloning the card’s mag-stripe will get it, CVV3 is unqiue per transaction but it can’t be generated by pure mag stripe cards – it needs some kind of chip assistance.
This is essentially “mag-stripe mode” sub-standard of EMV where the card/device uses most of the protocols and techniques from the EMV standard, but the backend authorization network still works as if it is dealing with mag stripe cards.
So it definitely isn’t a 3 digit value, but what it is seems to be very hard to find out…
galvanash,
The capacity of the magstrip is *very* limited (note “characters” are 4/6 bits and not even 7/8 bit bytes):.
http://money.howstuffworks.com/personal-finance/debt-management/mag…
Since a dynamic CVV3 only came about with the smart chip, it needn’t be so limited as the legacy magstrip fields are, but who really knows for sure.
Yea, this shouldn’t be so difficult to find, I give up.
It’s too bad we cannot ditch the magstrip format entirely, including this EMV magstrip compatibility mode. By embracing it, I’m afraid we will solidify it’s role as an inferior US standard well into the future. It’s one of the problems of incremental evolution, it results in tons of legacy baggage being carried forward. Sometimes it’s just nice to start clean. But on the other hand, a convoluted system that has 100% share is more useful than an ideal system that has 0% share.
Actually, as usual I find out more after posting…
CVV1 and CVV2 ARE different values, but they are in fact both 3 characters – but on the mag stripe a character is 5 bits so it is essentially a 15 bit sequence (i.e. they are not necessarily numeric characters like the CVV2 code – but they may be – don’t know). Anyway, this outlines it pretty clearly:
http://www.magtek.com/documentation/public/99800004-1.08.pdf
So if the idea is to remain completely compatible with the existing standards for mag stripe authorization, the maximum size of a CVV3 code must be 15 bits – it can’t really be any larger.
BUT… People are saying that previous intrusion tests against the standard have found that some of the OTHER data encoded in TRACK 2 is not stable across CVV3 transactions (where with mag stripe cards it is). In other words if you capture the output from a CVV3 transaction before it goes to the CC company and encode it on a magstripe, it only works if you use the ENTIRETY of track 2, just changing the CVV code doesn’t cut it. What else it changing I don’t know.
Some of the control characters or possibly even some other fields are being used for different purposes in CVV3. Track 2 can hold up to 40 characters…
So… I don’t know
It makes a lot of sense though because most of the data on track 2 is redundant – Its all on track 1 as well… This was done to deal with imperfect readers and unstable magnatization – things that simply don’t matter at all if you are not storing the data on a mag stripe. There is probably some magic marker used on Track 2 to tell the authorization network “hey, this is a CVV3 transaction – act accordingly and read track 2 differently”.
Edited 2014-10-05 05:16 UTC
galvanash,
Wow, your link was much better than mine
I wouldn’t think CVV3 should ever be present on a magnetic strip…? As a dynamic field, it only makes sense with a chip, I would have thought it was added specifically for NFC.
It’d be nice to know, but ignorance is bliss
The reason I am saying that is numerous sources I read stated that when operating in magstrip mode, the EMV standard presents the data identically to a magstripe card (in form if not in function).
In fact, some references to “tests” indicate that a capture of the data produced as the final product between a card and a contactless reader can be written to a magstripe card, and if the transaction is canceled (the transaction counter isn’t incremented) than the “cloned” magstripe card with the dynamic CV code will in fact work exactly 1 time (won’t work again since the counter on the CC side would have now incremented). How accurate this is I don’t know, but I read it from multiple sources.
I guess what I’m getting at is the protocols between the card/device and the reader are EMV, but the final result of the data is in fact identical to what a magstrip transaction generates (making it 100% interchangeable as far as the protocols of the authorization network go). It may be handled completely differently once the data gets to the CC company for final authorization, but over the wire they are in fact the same thing.
galvanash,
I understand what you are saying about equivalence, we know the EMV magstrip submode is 100% equivalent to a real magstrip. However it is still a submode and CVV3 might exist entirely outside of the magstrip submode. That’s my educated guess.
Note that if this theory is correct, it would mean that CVV3 can only be transferred by back end systems that support the european EMV standard. If a european card is brought over here and scanned via a US non-EMV compliant magnetic reader, it lacks the dynamically generated CVV3 also, explaining why it is less secure here than at home.
The problem is, how tough will that 12 digit + cryptogram be to crack? If you can crack the encryption algorithm, then you can conceivably re-use the token on another phone. At that point, the 12 digit (16 digits, but the last 4 match the card account number) number effectively becomes the credit card number.
All you’re really doing is substituting one 16 digit number for another, and making it both more complicated, and more automated.
All you just did was describe the nature and challenges of encryption in general…
So what? If you got far enough to actually do what you are describing you have completely broken the system (the system specifically designed to stop you from doing exactly that).
You are not identifying a flaw, you are just saying
“but if you crack it it’s bad”. Of course it is…
I’m not saying the system doesn’t have flaws – I’m just saying we do not have enough information to determine that one way or another – which frankly sucks…
No, the “flaw” of encryption is assuming it can’t be broken.
In this case, though, Apple is touting a 12+4 digit number as the end-all of security and encryption. For comparison, take a standard NT hash of 15 characters (upper/lower/numeric/symbol), around 72^15 combinations, and that can be cracked with modern computers in a matter of minutes.
In that sense, I agree– we don’t have enough information to declare it “secure” or “silly”, which is worrying (well, not to me, I’m unlikely to ever use ApplePay).
Hopefully the hardware dependent part, “the cryptogram”, has significantly more bits in it.
I’m just skeptical of anyone who says the solution to solving the lack of security of a number is to replace it with another number.
Read this as it may help you understand a bit better:
http://pomcor.com/2014/10/05/which-flavor-of-tokenization-is-used-b…
The thing you are not getting is the “replacing it with another number” is not related to securing Apple Pay – it has nothing at all to do with the security of Apple Pay. The thing intended to be secured (more aptly put “hidden”) by this mechanism is the horribly insecure system that it is meant to replace. It’s the real credit card number that this indirection is meant to secure.
1. The “real” credit card number is not stored on the device at all.
2. The “real” credit card number is not used during transactions and is never sent over the wire at all.
3. The only place where a relationship exists between the “real” credit card number and the Apple Pay token is within the credit card companies internal systems.
This is all done to remove the “real” credit card number form the equation – because “real” credit cards support CVV1/CVV2 security which is woefully lacking…
Follow?
In Canada we have a firmly established payment system called Interac which has more or less already solved the payments problem without getting phones involved for more than 20 years. Having ‘mobile’ payments honestly doesn’t add anything to my consumer experience.
So, I don’t see many businesses here jumping on the apple pay band wagon. I might be surprised though.
That said I am interested in seeing the banking apps enabling mobile payments directly to the app stores instead of billing my credit card.
We’ve been complaining about how intrinsically insecure our credit cards are for decades, yet Visa/Mastercard never cared since they don’t hold any liability. If a criminal uses a stolen card at your business, which you cannot realistically do anything about, your merchant contract makes you financially responsible for the fraud even though it’s not your fault that security built into (US) credit cards is just about non-existent.
If we could have held visa/mastercard responsible, you can bet they would have changed their tune and mandated secure credit cards decades ago simply to protect themselves. Frankly, anyone even remotely fluent in cryptography should be able to come up with something better. How many billions of dollars of fraudulent transactions could have been avoided?! This is why the US gets so far behind, our corporations become complacent and they’re the ones running the country.
To say something is “more secure” than credit cards says more about the horrendous insecurity of credit cards than the security of anything else.
I welcome more competition to break up the toxic stranglehold in the US market, however it’s never a good sign when security depends on withholding technical information. I’m afraid none of the challengers (paypal, google walet, apple pay, etc) truly have our interests at heart. Ideally they would get behind a universal open payment standard rather these incompatible proprietary ones.
Edit:
Forbes article about how 2015 will be the year we may finally be getting more secure cards in the US.
http://www.forbes.com/sites/tomgroenfeldt/2014/06/23/more-secure-cr…
Not to nit-pick, but I found the wording used here confusing. In the US as least:
Credit Card: A system using plastic cards to make purchases against credit. At point of sale all you need is possession of the card.
Debit Card: A system using plastic cards to make purchases using funds directly from a bank account. At point of sale you need both the card and a pin number.
The US has both, and have had both in widespread use for at least 25 years… The difference between the US and Europe boils down to the technology used to physically secure the cards. We still have antiquated mag-strip base security while in Europe you have EMV. The only real difference is mag-strip cards are easy to counterfeit, EMV cards are not. But a clone debit card without a valid pin cannot be used to make a debit transaction (although some cards are effectively both and would still work as a credit card).
I don’t think you understand the US market that well. I’m not saying that Apply Pay won’t take off, I’m saying if it does it has little to do with security concerns and more about convenience (no need to carry actual cards).
Fact is, while we are certainly due to move on from mag-strip based security, there is no real big push to do so coming from consumers – because we have established federal laws concerning liability for fraudulent purchases. If you see fraudulent charges on your card, you call your credit card company and tell them and the charges are removed – no major fuss or bother. It is more of a minor annoyance than anything else (at least for consumers – merchants often get screwed).
Also, just saying EMV does you no good for online purchases – as the card is not present anyway… There is actually fairly well-reasoned resistance in the US to moving to EMV because many people think it will actually increase the amount of fraudulent transactions – because it will cause the bad guys to switch primarily to online scams where they can do a lot more damage in a lot less time.
As far as point of sale – even there EMV is not perfect. Something like Apple Pay is loads better than either system, because it would require possession of the device and a way to unlock said device (fingerprint/pin/whatever) – but importantly you do not have to share the unlock code with the merchant.
With EMV every time you key in a pin number in a merchant terminal, you are at risk of it being captured. If someone gets your card AND your pin it is game over – and in Europe good luck trying to get the charges removed…
This must be a US thing because in Europe (and many other places) you don’t need the pin number at the point of purchase with a debit card. It works just like a credit card with the only difference being that you need enough balance to make a purchase.
Yes, my understanding is that it is a US thing. It was/is a stop gap to make direct fund transfer transactions more secure (since we don’t have EMV). Been around for decades and extremely widely used. Its not fancy but it works fairly well.
Ok… Now I feel ignorant. How does that work? If someone physically gets your card they can just use it with no other security factor???
Edited 2014-10-04 06:11 UTC
Well, I guess it’s just like a credit card then
To be honest, I might remember this wrong but IIRC my debit/atm card was VISA and Mastercard “compatible” (for lack of a better word) and I could use it the same way as a credit card without providing a PIN when purchasing.
Just swipe and you’re done. This was like 15 years ago though so things have probably changed in some ways.
If it is anything like mine, there are two ways to use it.
Debit requiring pin, used with various payment terminals supplied by the bank and partners.
Debit using Visa, this do not require a pin and has Visa function as a escrow service.
Nope, it works the same way in Canada.
Not in Canada
For the past 2 or 3 years, you need the PIN number to make a retail purchase using a credit card here.
I believe they typically call those “cheque cards” in the US.
For smallish amounts, yeah – at my place contactless NFC payments up to 50zÅ‚ (about 12€) obviously don’t require you to enter the pin.
In Australia at least, you still need the PIN for all debit transactions.
You also need a PIN for credit over $30 and contact-less payments over $100.
Payment without a pin only works with low values. It is either 5€ or 30€, I’ve only used it with less than 5.
Edited 2014-10-04 10:55 UTC
As far as my own cards go (both Irish and UK, so European), I need a pin number to use either my credit card or my debit card. If I don’t have that, I can’t use it at all – can’t even use my signature or ID to complete the sale. The machine simply doesn’t allow it for my cards.
The only exception is certain types of purchase where a pin number isn’t allowed up to a certain amount (€25 IIRC), and I can use contactless payments for them. The vendors need to have special approval to use these systems though, most need a pin number no matter how small the payment.
You can use a debit card in the US as a credit card without a pin if you run it as a credit card.
Hm, works that way in Poland (which, last I checked, was part of EU even…) only for contactless transactions up to some smallish amount (50zÅ‚, about 12€); otherwise you need the pin.
Uhm, what’s the problem exactly in getting them removed? We just call the bank in the exact same way as you say you do in the US.
The only thing EMV really protects against is the most basic forms of credit/debit card scams by copying the card. After we got Internet transactions the entire thing is somewhat meaningless and my guess is the US never adopted it because of just that.
What puzzles me about the US is how every store seems to prefer a signature over entering a pin. It just takes too long in comparison!
That was an error on my part. I did not realize you guys had passed consumer liability protection laws back in 2009. My information was old, I apologize.
WTF!?? Europe have always had stronger consumer protection laws that US, what makes you think otherwise?
Because in this case that just isn’t true…
Before 2009 if you had a fraudulent charge and the bank didn’t see clear evidence of fraud they simply didn’t not remove the charges – leaving you on the hook. All they had to do legally is say “our system did not fail”, and unless you as the consumer could prove fraud you were screwed.
The law passed in 2009 moved the onerous of proof to the bank. The bank has to prove you were at fault, otherwise they are required by law to remove the charges (which is how the US law works too).
http://en.wikipedia.org/wiki/Chip_and_PIN#Banks.27_liability
Where did you hear that lot of nonsense? Outside of the people who write the stores policies, nobody cares how you complete your transaction. And about the only place you sign with a pen is at a restaurant or a coffee stand. Nearly everywhere you sign, you do it on the same screen you enter your pin on. I’m not sure why you think that’s somehow `too long in comparison`.
Mastercard and Visa both use chip and pin for credit transactions in Australia too; the only differences between credit and debit here are:
You need money in your account to make a debit transaction
Credit is easier to use online
Credit allows PIN-less payments for transactions under $30 and contact-less transactions under $100.
Credit is actually *more* secure here, because the major banks insure all credit transactions against fraud; if someone rips you off on a debit transaction, you’re on your own.
That’s why I actually use the credit system to make debit purchases. It can take longer to be reflected in your account balance, but it works identically to debit otherwise – you still need money in your account, because it’s a debit account, even though you’re using the credit system.
That sounds close to the US, we just don’t have EMV (at least not widely).
Debit requires pin and physical card everywhere. Credit cards generally don’t use PINs at all except when used in ATMs for cash advances. At point of sale credit cards never use PINs, we just sign the ticket. But generally if under $20 no signature is required.
We also tend to use credit cards more, even though the system is far less secure, specifically because of liability protection.
Edited 2014-10-04 06:40 UTC
Sounds exactly like everyone else before they adopted chip+pin.
The US dropping the ball on this and being behind most other 1st world nations is really perplexing.
One thing you can look forward to:
I could get cash out of ATMs using my phone because of NFC if I wanted to, which is related to the swap-over to the new system.
Like the others at the top of the comments, cash is pretty much obsolete for me now; it’s simple to send people funds electronically using just their phone number, and all stores/services accept cards.
Edited 2014-10-04 06:45 UTC
How can you say that when we still measure distances in miles and milk in gallons… Never underestimate the power of the US to resist change
You guys make us sound like we are still in the stone ages… We barely use cash either. Everyone takes cards here too. I send money electronically to people all the time. We just go about it a bit differently. I have nothing at all against EMV/chip’n’pin – but to us we don’t see much to gain from it to be honest. It is a slightly more secure way of doing what we already do…
It’s not all that perplexing. I work in security developing software and hardware for two large banking companies that you know. The reason why banks are resistant in the US to upgrade the card systems is because, believe it or not, credit card fraud in the US on average is lower than in other countries. Also, the cost of upgrading all of the systems, hardware and cards for all cardholders is much more expensive than the actual fraud. A lot of the fraud that happened recently in the U.S. did not happen with collection at the card level, it happened in the back office by monitoring transactions and cracking databases. The banks are also not that progressive with the problem. As a matter of fact, even the hardware of the ATM machines is not even locked with a different key in the US. A key to one manufacturer’s ATM machine will open all of the models of these manufacturers from all banks. The banks rely on hardware and software encryption on Windows XP machines embedded in the ATM to protect customer data!
Edited 2014-10-06 03:58 UTC
The other thing that people miss is…so what you have a pin and chip…if you buy something online you are just typing the number and the CCV in anyway…so what does the symbology matter? The magstripe data is not even encrypted in the slightest either.
It’s not very perplexing. This usually happens when you are the first to implement a system that works. There are usually no compelling reasons to change the systems when it work, up until the point you do, and then you leap frog everyone else again.
When you have something that works, the cost of change might not be justifiable.
People will want to use Apple Pay for the prestige. Apple will tell them using credit card is “has been”. they will want to enter the “modern world” and use Apple pay, because it’s … new! Hipsters all over Europe and Asia will proudly ask their shop if they accept their Apple pay and look down on them with disdain when they shamely admit thay they don’t still, those neandertals.
I did pay the toll bridge in Denmark with a debit card without the pin-number. Dutch supermarkets do not accept credit cards which is a bit annoying for the tourists. In Sweden they accept them the same as debit cards with pin number.
To pay small amount of money (vending machines, parking meters, canteens) the Dutch can use chipknip (insert debit card and press OK) a bit faster then using the whole pinnumber / transaction thing. But that will discontinue in 2015. Not that you could pay the public transport with that no they ‘invented’ a billions of euro costing system not compatible with anything. Which doesn’t work and annoys everyone.
Apple pay is born dead because it’s tied to iOS, an OS with less than 10% market share (in Europe) and dropping. And even worse, only the iPhone 6 will support it. What’s the point for merchants to support it?
Edited 2014-10-04 09:48 UTC
On many websites things are often discussed as if Apple’s market share in the rest of the world is the same as in USA (well, I guess that goes for most topics over there). iMessage for instance. Completely understandable that it is discussed as a major player in USA, but it’s pretty worthless elsewhere. So when discussions go on and on about some minor improvement in iMessage group chat, it pushes away non US readers.
My country is maybe the European country where iPhone has the highest market share, but there’s still always a good friend or family member who doesn’t have it and it makes Apple only services unusable or a hassle.
Because its supported by many front end payment processors and is or will be supported by many point of sale software.
And all they really need hardware side is an NFC reader which many merchants already have.
That’s the beauty of Apple Pay, the format preserving token ensures that there’s little to nothing that merchants need to do to at least get a basic level of support.
I prefer cash, it is harder to steal my physical money, whilst still not impossible.
Edited 2014-10-04 18:51 UTC
Not me. My bank doesn’t insure cash against being lost or stolen.
In Australia we have a chip on our cards. Signatures were recently phased out completely so transactions are PIN only. The exception is PayPass, a touch and go system (no identity check) , for small transactions.
Visa/Mastercard transactions don’t need a pin when they’re less than $30 either.
It’s not everywhere, but it’s enough places. My sister used to work at McDonald’s, had her card stolen and used repeatedly in $30 blocks to drain the savings account attached to the card.
The banks insure credit transactions, so it was really only a minor inconvenience, but still…
Edited 2014-10-06 08:41 UTC
Chip and pin has nothing to do with debit. It can equally be use with credit cards, as it is in Canada. Apple Pay will be the first system that is actually convenient to replace using the credit cards themselves (outside of perhaps Japan, but it is more secure than what they are using).
So yes, finally making nfc payments practical is a big deal.
We’re using NFC all the time in Europe… I do it all the time with my free debit card
China has been using this type of payment system for years already, Apple is quite late to the party, I have never had any problems in the 5 years I have worked in China
First, it does seem that several people are confused about credit card vs. debit card.
Credit cards are cards linked to credit-only accounts. All purchases are subtracted from the available credit. The total spending limit of the credit account is set by the credit issuer and a minimum monthly payment is required. Credit accounts are not money in the bank, they’re a `loan` given to you in the form of credit, which much be paid back + the cost of interest.
Debit cards are cards linked to checking accounts. Charges are subtracted from the actual balance in your account. Credit plays no part here. However much money you’ve deposited into your account is how much you have to spend.
Debit cards with visa/mastercard logos are simply debit cards as described above but with a virtual visa/mastercard account linked to them so they can be used at places that only accept credit cards, and/or you want to get the added protection of a credit card without actually having a credit card. These cards are _not_ credit cards. There is no extension of credit. Again, the balance in your checking account is your spending limit.
I live in the US. I’m not sure if the following is true for all states or just mine. All debit transactions require a pin. Credit transactions never require a pin but do require a signature if the sale is over the certain amount. This varies from store to store, typically between $25-$50. Credit and debit purchases are insured against fraud. Having fraudulent charges reversed is usually as easy as a couple minutes on the phone with your card issuer.
I’ve had to deal with fraud 4-5 times total between my credit card and my checking/savings bank accounts. One of those turned out to be a fast food worker who was getting paid to use a card reader when she was ringing up peoples orders. All of the remaining cases involved hackers obtaining information from servers, and the actual plastic cards weren’t involved in any way. At most its been a very very minor inconvenience, and even that might be putting it too harshly. My credit card company issued a new account number and overnighted the new card to me so I had it next day. My bank issued new account numbers and I was able to drive down to my local branch and pick up new cards same day, although they also offered to overnight them.
Its never cost me anything, never held up my money, had no impact on my credit scores, nothing. Most of the time the banks had it all sorted out and fixed before I even knew anything happened. The inconvenience I’ve experienced is so insignificant it’s normally not even worth mentioning but since there seems to be misconceptions over what happens in the US to customers and their accounts, I figured I’d share.
Is there anything saying it cannot be used with debit cards?
The transaction is the same regardless if yu have an debit or credit card, either you have credits enough, or you have money enough (debit card), so, i see no reason why it should not work with a debit card?
Replying to myself, i mean debit cards from example Visa/Mastercard?
What’s this “keyword credit card” ignorance?!?
We HAVE debit cards in the US, YES we can use them how you use them. We ALSO have credit cards — and EVERYPLACE that lets you use a credit card lets you use your debit card AS IT’S THE SAME BLOODY SYSTEM!!!
Quite literally, all of our debit cards have the credit card company logo’s on them because they are interchangeable; anyplace you can spend one you can spend the other.
Which is to say, pretty much EVERY BRICK AND MORTAR STORE IN THE NATION.
Herpafreakingderp.
Not quite.. Places that accept credit cards or cash only, certain restaurants for example, only accept debit cards with a Visa/Mastercard logo because only those debit cards can be ran as credit.
Wrong again.. Not all debit cards come with a Visa/Mastercard logo. Student checking accounts don’t typically have the logo. The same is true for accounts used by under-aged kids/teens. There are good reasons _not_ to have a debit card with a credit card logo on it and every bank or credit union I’ve used gives you the choice.
Credit cards and debit cards are not one and the same. Neither are credit cards and debit cards carrying a Visa/Mastercard logo.
Where exactly are you, ’cause I sure as shine-ola ain’t never seen that ****… and being I’m in back-woods New Hampshire which is typically BEHIND the curve on tech, that seems really strange and almost alien a concept.
Certainly seems like no bank or credit union available to me here offers that. (I just checked their sites…)
Sounds like a really ***tarded option to me.
Edited 2014-10-07 01:13 UTC
It is less common now, but debit only cards do still exist (for the reasons he listed). When debit cards were first introduced (late 80s?) they ONLY worked for PIN transactions – and for the most part only worked with the ATM at your bank.
Gradually ATM networks became common and you could use the card at any ATM in your banks ATM “network” (NYCE, Star, etc.).
Cards supporting credit transactions came a few years later if I recall correctly, and rapidly became the norm. But like he said there are still banks that issue debit only cards for various reasons.
In other words over three decades ago… and those who don’t want it are little more than tinfoil hat lunatic fringe. Gotcha.
Wow, attitude problems.
Debit only cards (without visa/Mastercard logo) are quite usual in Europe.
In sweden where i live these are the most used cards bu students under 18 years old.
Also, people that have economical problems usually cannot get an Visa/Mastercard d
ebit card and have to settle with an debit only card.
BUT, most of these people also know the limitations with having these kind of cards and therefor it is not an problem.
I live in WA, previously in CA. My main banking is with Boeing Credit Union.
It may seem pointless to most of us but there are good reasons to have a debit-only card instead of a debit-credit card. Beyond students and kids, those cards are recommended for people recovering from bad credit or who have poor money management.
I am confuse. Every “debit-credit” card I have seen just debits from your account no matter which way you run the card. That is the point. And it is how everyone I know recovering from bad credit, or who prefer not to deal with credit work.
Having a debit card without a credit credit card option just limits were you can buy, not how you can buy. Here in Oregon we mostly see this with the EBT/Oregon Trail cards used to disbuse food stamps, WIC, etc
My debit card comes with maestro logo and is issued by the bank. The creditcard I got mostly for holidays and amazon is a mastercard also issued via the bank and every month the bill comes usually after payday and before the rent and is paid automatically. I don’t use the credit facility (pay in installments) because that’s expensive due the added interest.
Shops in NL prefer debit cards the transaction fee is lower.
Edited 2014-10-07 09:47 UTC
“Dozens of European ATMs rooted, allowing criminals to easily cash out”
– http://arstechnica.com/security/2014/10/dozens-of-european-atms-roo…
“EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin†or EMV (an initialism for Europay, Mastercard and VISA) standard.”
– http://krebsonsecurity.com/2010/05/fun-with-atm-skimmers-part-iii/
Sure is a good thing Europe spent all that money to replace existing cards & card readers to support chip & PIN. The minor inconvenience caused to thieves was certainly worth it…
BallmerKnowsBest,
Unfortunately a big part of the problem is backwards compatibility. chip&pin is more secure, but so long as the magstrip is still there, it will remain the weakest link. A criminal doesn’t have to defeat chip&pin if he can skim the magstrip and produce counterfeit cards that work in places that have no chip&pin.
To be fair though, in most of these cases I suspect the fraudulent transactions were committed using the magstrip data rather than breaking chip & pin. Once lagging countries finally ditch legacy processing systems (looking at you USA), magstrip skimming will become a thing of the past.
My bank implements a fairly simple solution: magstrip-only payments need to be expressly turned on in account settings.
zima,
Not an option for everybody, but yea the only way to protect from legacy magstrip vulnerabilities is to block it. Technically it can still be skimmed if it’s still there, but at least copies will be denied just like the original.
That leaves online transactions to be concerned about, I assume the card number and CVV2 are written on the card, right? I’ve always thought a good solution to this would be out of band channels, since we’re already using a computer. We’d go to the bank website (or use a special app) to generate one-time-use credentials that become worthless even if they’re copied.
For online transactions they came up with something called “3D-Secure” – authorisation of the transaction on the bank website, and using SMS code. But it’s a bit of a security theatre, since apparently it depends on support of the shop website – when I tried once to up my PayPal (which apparently doesn’t support 3D-Secure) account, the transaction went through anyway. Now on PayU (or ~local PayPal equivalent) OTOH it’s supported…
Edited 2014-10-12 00:03 UTC
https://www.rbcroyalbank.com/onlinebanking/bankingusertips/notices/s…
New wallet software just announced by my bank in Canada.
http://www.rbcroyalbank.com/mobile/wallet/#how-to-use
Interestingly its not compatible with any ios device but it does work with my Z10