topic Re: Chip & PIN warning in Credit Cards

Chip & PIN warning

Anonymous — Fri, 09 Jan 2015 21:15:14 GMT

Hello!

I've been reading these forums off and on for about 2 years now and I finally decided to join to offer my knowledge of Chip & PIN technology as a fairly longtime banker.

Nearly everyone here seems so excited about Chip & PIN coming to the US, but I personally prefer Chip & Signature myself. And here's why:

For the past 5 years I have worked for a major Canadian bank (until very recently) and have handled numerous fraud investigations at the branch level. What most people don't seem to realize is that Chip & PIN is not at all a secure system. Studies by major UK universities have shown repeatedly that Chip and PIN technology has been flawed and easily exploited from the very beginning, and I have seen it happen!

I realize that Chip and PIN does have some advantages, and it is certainly more secure (for the banks) than magnetic stripe technology. But what about for the customer?

Many people here have discussed the upcoming liability shift from banks to merchants. Unfortunately, nobody seems to realize that the real liability shift, kind of a secret one, is from the banks to their customers.

An example: I recently took a complaint from a customer about a nearly $2000 charge that appeared on her account statement. This person swore up and down that it wasn't hers and that she had no idea what it was. Having personally waited on this customer many times in the past, I had no reason to doubt her and every reason to believe her based on a well established banking relationship and knowledge of her character.

So I sent the dispute off for investigation, knowing what the result would be. When the answer came back a few days later, the bank said that the person's Chip card and correct PIN were used to pay for the charge and that the bank would not reverse the transaction--just as I thought. It was then my great privlege to pass this awful news along to the customer, who ultimately lost the entire $2000. This particular Chip and PIN transaction was on her debit card, so the money had already left her account at the time the transaction was made. The transaction also did not go over a VISA or MasterCard debit network, but rather the Canadian Interac debit network, so there was no opportunity to use VISA or MasterCard policies to limit her liability.

So, what happened? Well, somehow (I don't know how) the customer's card was compromised, and likely the criminal used any 4 digit PIN number at all to make the charge. There is a way these people have of tricking the chip terminal into thinking the entered PIN was correct. I don't know all of the ins and outs of how they do it, but I have seen the results many times. When the bank sends away for information from, for example, VISA International or MasterCard or whichever network was used, a report is generated by the card processing company of the bank whose terminal was used. For example, a company such as Moneris in Canada, or Chase Payment Tech. Anyway, the report indicates whether or not a correct PIN had been used by sending a code of Y for yes and N for no. If the report says Y, then even the bank that owns the credit card believes that the correct PIN was used, and they then refuse to take any liability for the charge--the customer has to pay.

This example is just one of many that turned out the same way during my time with the bank. Part of my reason for ultimately leaving banking was due to my disgust with this kind of situation. I saw many customers taken advantage of after Chip and PIN became the standard in Canada. I don't know in every case whether or not the customer was being honest, but in a number of cases I did know the customer quite well and do not believe it was in the person's character to lie to the bank. The bank's character, however, is another story...

Why am I telling you all this? Well, Chip and PIN is coming--that's inevitable! So there's no way around it. My advice is to never let your card out of your hand/wallet/sight when Chip and PIN comes, because then it is much more difficult to have your card compromised. If your card has a RFID chip in it, it can't hurt to get a RFID blocking sleeve or wallet either! I have both. My other way of dealing with this is to have a few different cards all with relatively low limits. This way, if the bank says "Your PIN was used, you have to pay!" then at least the damage won't be as significant.

In Canada, a law was passed a few years ago that no auto CLIs are allowed. If the bank wants to increase your limit, they have to ask you for permission to do it. If you consent, then up it goes to the offered amount. This makes it easy to keep limits where they are. In one case I became uncomfortable with a 5 digit limit I had and decided to call the issuer and lower it by a few K to $7,000. Personally I think anywhere in the $2,000 to $5,000 range is ideal, though having one card with above $5K isn't too bad. I prefer higher limits on LOC accounts that are not accessable by either a bank card or credit card. This is also good if you carry a balance as the interest on a LOC is usually much lower than on a CC (at least in Canada).

Please note that all banks in Canada operate in the way I have described--as I believe they do in other Chip and PIN countries and untilately will in the US. In Canada they all eventually made some slight changes to their terms and conditions, and from then on the customers were on the hook. I make no guarantees that the same WILL happen in the US, but I would be extremely surprised if it didn't happen after while. I have advised numerous people in Canada to write to their federal MP to have a law enacted to pass liability back over to the banks whether or not a correct PIN was used, but since it affects a relatively low percentage of the population overall, most people are neither aware of the issue nor inclined to write letters about it--right up until it happens to them!

If anyone has any questions about this issue, I am happy to answer them insofar as I can without giving out any confidential information related to my past customers. I also prefer not to say which bank I worked for.

I have some (limited) knowledge of underwriting from my time as a banker as well and will eventually share some of that. Whether or not people choose to believe this post is of no interest to me. I offer it simply for informational purposes. Do with it as you will.

Re: Chip & PIN warning

Anonymous — Fri, 09 Jan 2015 21:22:27 GMT

Yes, what you say is certainly true in the UK, the PIN being used being regarded by the banks as proof that either you did it, or were sufficiently negligent (writing the PIN on the card for example) that it becomes your responsibilty.

Some of the UK research you mention was partially driven by that, enough reports of people saying that they DIDN'T make the transaction that it got hard to believe that they were all lying.

Re: Chip & PIN warning

Lyythine — Fri, 09 Jan 2015 23:00:57 GMT

It also doesnt help when Wells Fargo sends me a PIN that is the same digit repeating 4 times... I asked them to issue me a new pin, it was the same PIN. ugh.

Re: Chip & PIN warning

ojefferyo — Sat, 10 Jan 2015 00:21:24 GMT

Debit cards in the US are like that and have been like that. We are told by the bank that if a debit card is used with a PIN there will never be a chargeback to us, meaning the customer is left on the hook. If your debit card has a Visa or Mastercard logo on it run it as credit.

Re: Chip & PIN warning

lg8302ch — Sat, 10 Jan 2015 00:38:03 GMT

It is the same way with other European card issuers. If used with the correct pin the reliabilty is with the customers until the moment the card is reported lost or stolen. What the main problem is in some European countries that the lender sends a default pin on the card and does not allow it to be changed for a number that can easy be remembered. So the pin on my 4 German cards I do have to write down and basically need to look up each time I want to use the card. This is a security issue for me and a nightmare. Switzerland is easy and the cards allow you to modify the pin at any ATM for the pin you like. Therefore many customers with cards where the lender does not allow to select the pin of choice and only accepts the intitial default pin people are writing it down and worse carry it in their wallet or even write it on the card. I do not like that I have to save it in my mobile but there is simply no way to remember a ton of different pin numbers for each card. If the US starts with chip & pin it will be mandatory that the card issuer lets the customers select their pin of choice. Like this you can remember and do not have to write it down.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 00:39:14 GMT

Hmm... I assumed the chip and PIN system was better on all fronts. After hearing this, I'd almost rather use the magnetic stripe technology safe in the knowledge that, per my CCC, I'm not liable for any fraud.

I've heard that Apple Pay is one of the most secure ways to pay, since it's almost impossible for someone to obtain any meaningful information. Do you have an opinion on the security aspect of it?

Re: Chip & PIN warning

ElBarrbaro — Sat, 10 Jan 2015 00:44:02 GMT

@Anonymous wrote:
Hello!

I've been reading these forums off and on for about 2 years now and I finally decided to join to offer my knowledge of Chip & PIN technology as a fairly longtime banker.

Nearly everyone here seems so excited about Chip & PIN coming to the US, but I personally prefer Chip & Signature myself. And here's why:

For the past 5 years I have worked for a major Canadian bank (until very recently) and have handled numerous fraud investigations at the branch level. What most people don't seem to realize is that Chip & PIN is not at all a secure system. Studies by major UK universities have shown repeatedly that Chip and PIN technology has been flawed and easily exploited from the very beginning, and I have seen it happen!

I realize that Chip and PIN does have some advantages, and it is certainly more secure (for the banks) than magnetic stripe technology. But what about for the customer?

Many people here have discussed the upcoming liability shift from banks to merchants. Unfortunately, nobody seems to realize that the real liability shift, kind of a secret one, is from the banks to their customers.

An example: I recently took a complaint from a customer about a nearly $2000 charge that appeared on her account statement. This person swore up and down that it wasn't hers and that she had no idea what it was. Having personally waited on this customer many times in the past, I had no reason to doubt her and every reason to believe her based on a well established banking relationship and knowledge of her character.

So I sent the dispute off for investigation, knowing what the result would be. When the answer came back a few days later, the bank said that the person's Chip card and correct PIN were used to pay for the charge and that the bank would not reverse the transaction--just as I thought. It was then my great privlege to pass this awful news along to the customer, who ultimately lost the entire $2000. This particular Chip and PIN transaction was on her debit card, so the money had already left her account at the time the transaction was made. The transaction also did not go over a VISA or MasterCard debit network, but rather the Canadian Interac debit network, so there was no opportunity to use VISA or MasterCard policies to limit her liability.

So, what happened? Well, somehow (I don't know how) the customer's card was compromised, and likely the criminal used any 4 digit PIN number at all to make the charge. There is a way these people have of tricking the chip terminal into thinking the entered PIN was correct. I don't know all of the ins and outs of how they do it, but I have seen the results many times. When the bank sends away for information from, for example, VISA International or MasterCard or whichever network was used, a report is generated by the card processing company of the bank whose terminal was used. For example, a company such as Moneris in Canada, or Chase Payment Tech. Anyway, the report indicates whether or not a correct PIN had been used by sending a code of Y for yes and N for no. If the report says Y, then even the bank that owns the credit card believes that the correct PIN was used, and they then refuse to take any liability for the charge--the customer has to pay.

This example is just one of many that turned out the same way during my time with the bank. Part of my reason for ultimately leaving banking was due to my disgust with this kind of situation. I saw many customers taken advantage of after Chip and PIN became the standard in Canada. I don't know in every case whether or not the customer was being honest, but in a number of cases I did know the customer quite well and do not believe it was in the person's character to lie to the bank. The bank's character, however, is another story...

Why am I telling you all this? Well, Chip and PIN is coming--that's inevitable! So there's no way around it. My advice is to never let your card out of your hand/wallet/sight when Chip and PIN comes, because then it is much more difficult to have your card compromised. If your card has a RFID chip in it, it can't hurt to get a RFID blocking sleeve or wallet either! I have both. My other way of dealing with this is to have a few different cards all with relatively low limits. This way, if the bank says "Your PIN was used, you have to pay!" then at least the damage won't be as significant.

In Canada, a law was passed a few years ago that no auto CLIs are allowed. If the bank wants to increase your limit, they have to ask you for permission to do it. If you consent, then up it goes to the offered amount. This makes it easy to keep limits where they are. In one case I became uncomfortable with a 5 digit limit I had and decided to call the issuer and lower it by a few K to $7,000. Personally I think anywhere in the $2,000 to $5,000 range is ideal, though having one card with above $5K isn't too bad. I prefer higher limits on LOC accounts that are not accessable by either a bank card or credit card. This is also good if you carry a balance as the interest on a LOC is usually much lower than on a CC (at least in Canada).

Please note that all banks in Canada operate in the way I have described--as I believe they do in other Chip and PIN countries and untilately will in the US. In Canada they all eventually made some slight changes to their terms and conditions, and from then on the customers were on the hook. I make no guarantees that the same WILL happen in the US, but I would be extremely surprised if it didn't happen after while. I have advised numerous people in Canada to write to their federal MP to have a law enacted to pass liability back over to the banks whether or not a correct PIN was used, but since it affects a relatively low percentage of the population overall, most people are neither aware of the issue nor inclined to write letters about it--right up until it happens to them!

If anyone has any questions about this issue, I am happy to answer them insofar as I can without giving out any confidential information related to my past customers. I also prefer not to say which bank I worked for.

I have some (limited) knowledge of underwriting from my time as a banker as well and will eventually share some of that. Whether or not people choose to believe this post is of no interest to me. I offer it simply for informational purposes. Do with it as you will.

G

And thats why i no longer use my debit card period. Only credit cards.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 01:23:22 GMT

Every single major issuer is preferring signature here, not PIN. Judging by how hard they're pushing Apple Pay and the like I highly doubt that'll change any time soon.

BTW, http://www.law.cornell.edu/uscode/text/15/1643 is good reading.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 02:09:04 GMT

@Anonymous wrote:
Hmm... I assumed the chip and PIN system was better on all fronts. After hearing this, I'd almost rather use the magnetic stripe technology safe in the knowledge that, per my CCC, I'm not liable for any fraud.

I've heard that Apple Pay is one of the most secure ways to pay, since it's almost impossible for someone to obtain any meaningful information. Do you have an opinion on the security aspect of it?

Chip & Pin is much more secure than stripe. The bad impacts only come if the rules are changed to limit the protection, due to the "security" of chip&pin.

Re Apple Pay, I don't know. If you look at the papers that describe chip&pin attacks, a lot of work has been put in into identifying weaknesses (e.g. the algorithm depends at one point on a Unpredictable Number being generated. Researchers found that some implementations used are really highly predictable, using timestamps for example, see http://www.bbc.com/news/technology-19559124 for an older example)

While I'm sure Apple has got a lot of security people to examine it, it probably hasn't had the number of people or length of time, for weaknessse to be exposed.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 02:30:56 GMT

@Anonymous wrote:
@Anonymous wrote:
Hmm... I assumed the chip and PIN system was better on all fronts. After hearing this, I'd almost rather use the magnetic stripe technology safe in the knowledge that, per my CCC, I'm not liable for any fraud.

I've heard that Apple Pay is one of the most secure ways to pay, since it's almost impossible for someone to obtain any meaningful information. Do you have an opinion on the security aspect of it?
Chip & Pin is much more secure than stripe. The bad impacts only come if the rules are changed to limit the protection, due to the "security" of chip&pin.

Re Apple Pay, I don't know. If you look at the papers that describe chip&pin attacks, a lot of work has been put in into identifying weaknesses (e.g. the algorithm depends at one point on a Unpredictable Number being generated. Researchers found that some implementations used are really highly predictable, using timestamps for example, see http://www.bbc.com/news/technology-19559124 for an older example)

While I'm sure Apple has got a lot of security people to examine it, it probably hasn't had the number of people or length of time, for weaknessse to be exposed.

It sounds like they can't get you for more than $50 though according to that Cornell link, regardless of whether PIN was supposedly used or not. Being unable to pass real liability to the consumer may be one reason why banks aren't bothering with PIN here.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 03:19:38 GMT

I'm not yet familiar with the Apple Pay payment system, so I can't really comment on that one for now. However, I will comment on the Cornell document. The thing that really jumps out at me is Line 1 of the Limits of Liability section:

"(1) A cardholder shall be liable for the unauthorized use of a credit card only if—"

That word unauthorized is the one that's trouble. If your correct PIN is used, then as far as the banks are concerned, that transaction was an authorized use of your card. If a customer walks into their bank branch and says "my card was used for an unauthorized transaction", the bank will investigate, and if the report comes back and says that your correct PIN was used, then the bank says "You made (authorized) that charge, so you have to pay for it!" How exactly can someone argue with them? They've got the report from VISA or whoever that proves it was you that did it, and the banks never, ever admit that it might not have really been you, so there's no unauthorized charge to dispute. The stance of the banks is that Chip and PIN is impregnable, uncrackable, flawless, perfect. If the investigation comes back with a Y (yes) showing in the 'Was PIN verified?' section, then it could only have been you that made the transaction.

Personally, I love the Chip and Signature system. It's not that easy for a card cloning crook to forge my signature. Even if they have my real card, I purposefully don't sign the back of my cards unless and until some merchant points out that it's not signed. In 99% of the cases where a chip terminal is used, the merchant never even gets to handle the card and therefore never sees the blank signature panel. If the bank has a transaction with an obviously forged signature (non match) on the receipt, then I win the fraud dispute.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 03:51:24 GMT

I'm not in front of my computer right now but I saw an interesting video recently about the various chip and PIN vulnerabilities. He also gave what a cardholder should ask the bank if they try to claim the charge was authorized. When people asked those questions the success rate was fairly high for getting the charges reversed.

Ultimately it won't matter much in the short to medium term. There are a large number of merchants here that are getting terminals that can't even do PIN (a major example being Square). The business case for the banks to adopt PIN won't be compelling for a very long time if ever since lost and stolen fraud is already fairly low. Even if they did there will be a lot of merchants where PIN won't even be asked for.

That said it would be nice for people to have a choice to get PIN cards for international use if nothing else.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 04:09:58 GMT

@Anonymous wrote:
I'm not yet familiar with the Apple Pay payment system, so I can't really comment on that one for now. However, I will comment on the Cornell document. The thing that really jumps out at me is Line 1 of the Limits of Liability section:

"(1) A cardholder shall be liable for the unauthorized use of a credit card only if—"

That word unauthorized is the one that's trouble. If your correct PIN is used, then as far as the banks are concerned, that transaction was an authorized use of your card. If a customer walks into their bank branch and says "my card was used for an unauthorized transaction", the bank will investigate, and if the report comes back and says that your correct PIN was used, then the bank says "You made (authorized) that charge, so you have to pay for it!" How exactly can someone argue with them? They've got the report from VISA or whoever that proves it was you that did it, and the banks never, ever admit that it might not have really been you, so there's no unauthorized charge to dispute. The stance of the banks is that Chip and PIN is impregnable, uncrackable, flawless, perfect. If the investigation comes back with a Y (yes) showing in the 'Was PIN verified?' section, then it could only have been you that made the transaction.

Personally, I love the Chip and Signature system. It's not that easy for a card cloning crook to forge my signature. Even if they have my real card, I purposefully don't sign the back of my cards unless and until some merchant points out that it's not signed. In 99% of the cases where a chip terminal is used, the merchant never even gets to handle the card and therefore never sees the blank signature panel. If the bank has a transaction with an obviously forged signature (non match) on the receipt, then I win the fraud dispute.

G

Since the terms of use require that the card is signed before it is valid, not so sure. I think the bank could argue (if of course they knew) that by not signing you were being reckless ((as well as violating agreements) , so the thief could sign your card in any way they chose and produce a matching signature.

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 04:35:46 GMT

Here's the video I was referring to earlier: https://www.youtube.com/watch?v=XeZbVZQsKO8. Just as a warning, it's fairly technical and it's about an hour long. I'm not too worried since those vulnerabilities seem to require that one have the physical card. AFAIK they haven't managed to clone a chip card yet.

Re: Chip & PIN warning

nyancat — Sat, 10 Jan 2015 04:53:06 GMT

@Anonymous wrote:
Here's the video I was referring to earlier: https://www.youtube.com/watch?v=XeZbVZQsKO8. Just as a warning, it's fairly technical and it's about an hour long. I'm not too worried since those vulnerabilities seem to require that one have the physical card. AFAIK they haven't managed to clone a chip card yet.

They're not going to either, from the card alone, the encryption used is extremely strong and relies on a shared secret that is never transmitted. You'd need access to the bank's database to get that secret to be able to clone a card.

Insecure implementations are always a concern of course, including CVM downgrade attacks that aren't properly checked. I cannot comment on the original poster's story. The UK drastically increased consumer protections after banks pulled this one so the same situation wouldn't happen in the UK. I think we can assume fake transactions can happen, but they rely on implementation weaknesses.

Look at the attack on American cards in Brasil recently - totally nonsense cryptograms were submitted, and the bank authorised the transactions!

Re: Chip & PIN warning

Anonymous — Sat, 10 Jan 2015 04:53:14 GMT

Yes, it's definitely not advisable to lose (or have stolen) an unsigned card! Of course, under Chip and PIN, the PIN is considered the person's "electronic" signature, so the physical signature becomes less important. There are even some newer cards that no longer even have a signature panel on them. But it's still a good point. If I ever find a fraudulent transaction on my card, I'll be sure to sign the back before I file a report.

Re: Chip & PIN warning

NRB525 — Sat, 10 Jan 2015 05:17:32 GMT

There is a big marketing push among the US CC issuers to promote "zero fraud liability". It would be a good exercise to read through the fine print of these offers to ensure there aren't any "oh by the way" issues such as authorization by PIN.

And the idea of limiting a card credit line makes sense. What good is a low-utilization, high limit credit card if a fraudster boosts your utilization by $10k

Re: Chip & PIN warning

cashnocredit — Sat, 10 Jan 2015 07:02:35 GMT

@Anonymous wrote:
Every single major issuer is preferring signature here, not PIN. Judging by how hard they're pushing Apple Pay and the like I highly doubt that'll change any time soon.

BTW, http://www.law.cornell.edu/uscode/text/15/1643 is good reading.

This is true. Americans have a fairly large number of cards and issuers are wary of making cards harder to use by requiring pins. The bulk of fraud is cloned cards, not stolen ones. Cloning info is easily grabbed from mag stripes and sold in bulk to cloners. Shutting that down is the main goal bankers here have.

As for the OP's point, there are a number of MITM attacks against pins with EMV chips. They involve compromised ATMs but there have been some reported cases over at krebsonsecurity.com. These will probably be ironed out but pins are still a pita.

EtoA:

I too decreased the daily purchase limit to 2k on one of my debit cards that the bank had increased to 10k. Way too much exposure.

Re: Chip & PIN warning

elim — Sat, 10 Jan 2015 06:55:52 GMT

Great post OP and thanks for sharing it. I relocated near the Canadian border a couple years ago and this is very useful to me. You sound very experienced and I hope you stick around.

Re: Chip & PIN warning

lg8302ch — Sat, 10 Jan 2015 09:25:27 GMT

I am not worried about chip & pin security if you follow the recommended security advise. After all I have been using chip & pin daily for the past 12 years and no issue so far. Just have to make sure when entering the pin you cover up the terminal so no one can pick up your pin when you enter it and certainly do not carry it around in the wallet. It is so much more efficient at check out outside the US. The double paper slip printing takes forever then the merchant comparing the signature and with mine asking for ID in most cases as when in a hurry my siggy does not look the exact same as on the card. Love the pin entry