A Finextra member 23 March, 2011, 12:18 0 likes

Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha.

So, chip and PIN is broken, because there are some online merchants who break the card scheme rules?

Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha.

A Finextra member 23 March, 2011, 12:52 0 likes

Not sure what the first commentator was laughing about.

Skimming devices are certainly big business in fraudster circles. Looking at these, I doubt many would notice them.

Back when I used to work on ATM's in banks, I often used to see card inserted into empty card holes when the ATM was open.

Technology works for both sides, doesn't it?

Adam Nybäck - Anyro - Stockholm 23 March, 2011, 13:13 0 likes

@Neil Chip skimming is only interesting if you can use the data to produce a new chip that mimics tha original.

If all you want are card number and expiry date it's enough to have a camera since they are both printed on the card.

A Finextra member 23 March, 2011, 15:15 0 likes

How does getting the card PAN and expiry date compromise Chip & PIN Security?  Slightly misleading headine I think!

The PAN and exp date should not even work online without the CVV on the back of the card... the issuer should be validating the CVV. If not present/correct on a MOTO tran, the tran should be declined

A Finextra member 23 March, 2011, 15:46 0 likes

I am not sure why the second commentator, if he doesn't understand why the first commentator is laughing so heartily, is in the card security business!

A Finextra member 23 March, 2011, 15:47 0 likes

More US Sponsored drivel.  More scaremongering.  When can we see factual based fraud discoveries instead of speculative academic exercises? 

 The cost and technical prowess required to skim a chip rather than a magnetic stripe make the type of attack detailed unlikely.

 As the writer correctly observed – there are mechanisms in place to ensure that, should chip data be compromised, a dummy/clone mag stripe card could not be created (iCVV being one example).  However – the author neglected to observe that often Multi-Application Chip Cards use Alternate PAN’s to Identify Differing Applications (from what is considered the Primary or Default Application).

 Issuers are slowly beginning to patch holes in their Authorization systems – such as the ability to compare TVR, CVM and CVR Data to ensure a Man-in-the-Middle attack has not altered the data.

 It has been known for a while that SDA Cards are significantly weaker than DDA or CDA Alternatives – this is why most issuers in the Western world are transitioning away from SDA.

 Initially Chip & PIN was believed to be able to reduce Transaction load on Authorization systems as it was expected that there would be an increase in under-the-floor-limit offline transactions.  However the opposite occurred – mainly because Issuers were lazy in the configuration of their EMV ICC Logic and partially because they lacked the ability to make advanced parameter changes using post-issuance scripting.  

A Finextra member 23 March, 2011, 22:17 0 likes

Haha,

So true Dave, but I can see the Americans: 'omg! are you saying that everyone can have my PIN if I use my Chip card? So I'll have to smack those chips with a hammer just like I did with all my RFID too?'

Anyway, skimming is not an Issue if noone figured out how to counterfeit those babies, innit?

A Finextra member 24 March, 2011, 14:05 0 likes

Well, if it is broken fraudsters are being unusually slow to cotton on to the fact. UK card fraud fell 17% last year and is at its lowest level since 2000. They must be on their hols.