No. of Recommendations: 3
stevenjklein,

You wrote, "It's difficult to duplicate because the chip itself cannot be easily duplicated."

First, the chips are dirt cheap. Second, in the US you don't have to duplicate the chip - you just have to program a card with a magnetic strip that fakes the card's info that was captured from the chip.

Also, "With credit card readers that focus only on the magnetic strip, anyone with a card reader/writer could copy the magnetic strip from one card to another, creating a perfect duplicate."

Like I was saying, you don't have to dup the chip - at least not in the US. Also, an RFID reader isn't that expensive.

What's more, I *own* an EMV card reader. My employer bought it for me for VPN access. (My badge contains an EMV chip.) Cost? $10. The reader can write a card as well. I don't have the knowledge needed to clone my security badge; but it should be possible - though I admit it's probably a much tougher problem. Also, I suspect you would need to duplicate the chip's unique ID, which might be problematic if that is never directly exposed.

Finally, "In every country that has rolled out this system, fraud has dropped dramatically, as the bad guys shift their attention to low-hanging fruit — countries that haven't yet implemented EMV cards. I suspect that's a big reason why credit card fraud is increasing in the US."

http://en.wikipedia.org/wiki/EMV#Successful_attacks


I agree US banks need to do something. Credit card fraud is rampant. Unfortunately it's businesses that take the brunt of it as banks and card holders are mostly immune.

The first attack mentioned in this wiki article does not inspire confidence in EMV. This piece mentions what is known in wireless circles as a replay attack. It's a well-known attack vector and secure communications protocols have been dealing with them effectively for nearly two decades. It's not even that hard a problem to address. The hard one is a man-in-the-middle attack - though those tend to be harder to carry off (especially in bulk) when the communications are effectively near-field.

The other attacks appear to focus on harvesting the PIN or bypassing PIN verification. It appears the European system stores the user's PIN on the card somewhere. This is fundamentally insecure, even if the device never directly discloses the PIN once programmed. Keeping both the key and the PIN on the same device circumvents most of the advantages found in 2-factor authentication methods.

But like I said, we may need to force the banks to do something to make it harder - if only because so many businesses get taken by credit card fraud.

- Joel
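
Added example, not part of the original post: a simplified model of the standard replay defence the post alludes to, in which the verifier issues a fresh single-use challenge and the card authenticates it together with a transaction counter. It is not the EMV cryptogram algorithm; `Card`, `Issuer`, `demo`, the HMAC construction and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, challenge, counter, amount):
    # Bind the response to this challenge, this counter value and this amount.
    msg = challenge + counter.to_bytes(2, "big") + amount.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """Hypothetical chip card: a secret key plus a transaction counter."""
    def __init__(self, key):
        self._key, self._counter = key, 0
    def respond(self, challenge, amount):
        self._counter += 1
        return self._counter, _mac(self._key, challenge, self._counter, amount)

class Issuer:
    """Hypothetical verifier that shares the card's key."""
    def __init__(self, key):
        self._key, self._last_counter, self._open = key, 0, set()
    def new_challenge(self):
        challenge = secrets.token_bytes(8)   # unpredictable, single use
        self._open.add(challenge)
        return challenge
    def verify(self, challenge, amount, counter, tag):
        if challenge not in self._open:
            return False                     # unknown or already-used challenge
        self._open.discard(challenge)
        expected = _mac(self._key, challenge, counter, amount)
        if not hmac.compare_digest(expected, tag):
            return False                     # response was made for another challenge
        if counter <= self._last_counter:
            return False                     # stale counter
        self._last_counter = counter
        return True

def demo():
    key = secrets.token_bytes(32)            # constructed sample key
    card, issuer = Card(key), Issuer(key)
    c1 = issuer.new_challenge()
    counter, tag = card.respond(c1, 1999)    # assume this response is recorded in transit
    fresh = issuer.verify(c1, 1999, counter, tag)
    replay_same = issuer.verify(c1, 1999, counter, tag)   # same challenge again
    c2 = issuer.new_challenge()
    replay_new = issuer.verify(c2, 1999, counter, tag)    # old response, new challenge
    return fresh, replay_same, replay_new
```

The recorded response is accepted once and rejected on both replays, which is the property static magnetic-stripe data lacks because it is identical on every read.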