1

In this thread: Why are chips safer than magnetic stripes?

the answers all seem to be that the chip cards are far more secure and difficult to copy. Here is my problem, and my question. A couple of years back, there was a lot of talk about moving cards to a chip system - and a lot of counter talk about how INSECURE the chips were (RFID, if I recall?) - as they could be read with simple readers up to a few feet away from the card itself.

So, what is missing from my information? Are the RFID chips that were in the news a couple of years back different from what is in use in UK or Germany? And yes, I googled, and it seems like they might be - but I didn't see anything definitive in my results.

Mark G B

3 Answers

9

RFID is a technology for contactless cards. A basic smart card is not RFID-able; for decades, payment smart cards were not RFID; to talk to the chip you had to plug into it (that's what happens in a payment terminal).

In recent years, a number of banks have begun to promote some extra "electronic cash" systems. With such a system, an RFID-able chip is added into a credit card which may also have a non-RFID chip. The contactless transactions are kept separate from the "normal" transactions; possibly, the card contains two distinct chips which are physically separated; or maybe the separation is only "software". However, the rules for both kinds of transactions are normally distinct, for three reasons:

  • The contactless interface might conceivably be abused more easily since, by definition, it is contactless.
  • The convenience of the contactless interface would be severely diminished if the user still had to type his PIN code. The contactless payment is meant for small, everyday transactions (e.g. when you buy a croissant in a bakery) which are supposed to be conducted as fast as possible.
  • When using the contactless interface, the chip draws power from the variable magnetic field of the reader; this is much less power than what can be obtained through the normal connector. Correspondingly, the RFID chip is generally unable to perform extensive computations; in particular, digital signatures are out of the question.

So the expected result is that when a credit card has a chip AND can engage in contactless payment operations, then the latter is only about a small, finite "wallet" with at most 100$ in it or so; and completely hacking the card through its RFID interface does not give access to the main credit line of the card owner.

An extra source of confusion is that the concept of smart cards was patented in France in 1986. Many non-French banks, in particular in North America, thus decided not to deploy smart cards until the patent expired (in 2006). Before 2006, thus, these banks regularly justified their opposition to smart cards by sleazy suggestions about the "insecurity" of smart cards (these were damn lies, but they worked well with the customers). In 2006, right on cue, TV commercials began to appear about how banks had just discovered a new technology which is super-safe to protect card owners: the smart card. (Technically, this also is a damn lie; smart cards have never been about protecting customers; smart cards are about protecting banks because banks are ultimately responsible for transaction security, and are legally obliged to refund customers when fraud occurs.)

Tom Leek
  • Smartcards also come with a liability shift, i.e. much of the liability for fraudulent purchases shifts from the bank to the consumer. It will be much more difficult for defrauded customers to recover lost money if it was stolen because their smartcard, or some part of the payment system, was compromised by a third party. – Michael Hampton Jan 25 '14 at 06:16
  • To comment on the third reason (low power and RFID): Technically you can do complex calculations. They are just slow. So you would need to keep the card near the reader (in the field) for a long time. This conflicts with the goal of easy quick usage. – Hennes Jan 25 '14 at 14:16
  • Fraud causes consumers stress, even if the bank ultimately foots the bill. So making cards more secure does benefit both bank and consumer. The liability shift - or, at least, the shift in burden of proof is more concerning. But given that some lying consumers will claim a transaction is fraud when they actually initiated it, then I don't see any better solution than to make the payment system as secure as possible, and then work off the assumption it is secure. Better ideas are welcome :-) – paj28 Jan 25 '14 at 23:03
  • Why do you say digital signatures are out of the question? I'm pretty sure they're still present in both Visa and MasterCard contactless transactions (PayPass/PayWave), although there are fewer of them than in a chip transaction. – Peanut Jan 28 '14 at 00:37
0

Chip and PIN is attractive to banks, because (in the UK) they could claim that if your account was cleaned out, it was because you gave your PIN to someone.

This, as you might guess, is trivially false: see Anderson http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

davecb
0

'Chip card' can mean as many things as there are possible uses for computer chips.

However, in the sentence 'chips vs mag stripe' it means the specific technology of authorising card payment transactions via on-card cryptography chips, most often according to the EMV standard, also called chip & PIN in the UK and other places. This is one specific use of chips in cards - and has zero relation with RFID technology.

There can be (and are) some credit cards with both of these features, but most EMV chip credit cards are not RFID; and most RFID cards aren't credit cards or even related to payments at all. There are many other uses for card-shaped objects that can compute.

Peteris
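An added illustration, not part of any answer above: a simplified Python model of why on-card cryptography resists copying where static stripe data does not. The names `ChipCard`, `Issuer` and `cryptogram` are hypothetical, the card number and stripe data are constructed, and HMAC-SHA256 stands in for the real EMV algorithms and message formats.

```python
import hashlib, hmac, secrets

def cryptogram(key, amount, nonce, atc):
    # MAC over the transaction data; HMAC-SHA256 is an assumed stand-in for EMV's algorithm.
    msg = amount.to_bytes(8, "big") + nonce + atc.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Holds a key that never leaves the chip, plus a transaction counter."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount, nonce):
        self.atc += 1
        return self.atc, cryptogram(self._key, amount, nonce, self.atc)

class Issuer:
    """Bank side: knows each card's key and the highest counter it has accepted."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan):
        self.keys[pan], self.last_atc[pan] = secrets.token_bytes(32), 0
        return self.keys[pan]

    def approve_stripe(self, track):
        # Static data: the issuer can only check that the account exists.
        return track.split("=")[0] in self.keys

    def approve_chip(self, pan, amount, nonce, atc, mac):
        if pan not in self.keys or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter value already used
        if not hmac.compare_digest(cryptogram(self.keys[pan], amount, nonce, atc), mac):
            return False  # cryptogram does not match this transaction's data
        self.last_atc[pan] = atc
        return True

def demo():
    issuer, pan = Issuer(), "4000000000000002"   # constructed card number
    card = ChipCard(pan, issuer.enroll(pan))
    track = pan + "=2912"                        # constructed stripe data
    nonce = secrets.token_bytes(4)               # terminal's fresh challenge
    atc, mac = card.sign(1250, nonce)
    return {
        "stripe_copy": issuer.approve_stripe(track),  # a copy is byte-identical
        "chip_genuine": issuer.approve_chip(pan, 1250, nonce, atc, mac),
        "chip_replay": issuer.approve_chip(pan, 1250, nonce, atc, mac),
        "chip_replay_new_txn": issuer.approve_chip(pan, 1250, secrets.token_bytes(4), atc + 1, mac),
    }
```

In this model a copied stripe is indistinguishable from the original, while a recorded chip response is rejected both when replayed as-is and when attached to a new transaction.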