Discover it chip cards available

[AllieNeko]

If you have a Discover it card, you can now request to get a chip card. I have mine in my hand, it only comes in the basic design, but they've made it nicer than it was - shinier and more metallic looking. It's chip and signature, not PIN unfortunately (no surprise in the US, and to be fair the chip is 90% of the security benefit). Definitely worth requesting for the security benefits. Supposedly, chipped Discover More cards will come out next year, but frankly I suggest you call and change to the it - there's no disadvantage, only advantages to the it.

Now, why is this worth posting on here? It means that one of the hurdles to Apple Pay is crossed. Discover is now processing EMV transactions and has EMV on their network. That's a good sign. Apple Pay requires some other bits, like tokenisation and, of course, Apple's support, but Discover HAS said they're working on these. It'll be interesting to see if it happens.

 

[mobilehaathi]

Can you explain how the chip makes it more secure?

 

[hallux]

Can you explain how the chip makes it more secure?

I suggest a little reading.. http://en.wikipedia.org/wiki/EMV

 

[AllieNeko]

Can you explain how the chip makes it more secure?

When a terminal is chip-enabled it *should* not allow the card to be swiped (there are exceptions, for example Walmart is chip-enabled but is allowing chip cards to be swiped to reduce customer confusion... which is ridiculous...; also the card can be swiped if a merchant is enabled for OTHER chip cards but not that brand... for example, many merchants in Ireland are not chip-enabled for American Express). Thus, (almost) every merchant that is chip enabled is one less place a counterfeit magnetic stripe made from a chip card can be used.

The chip cannot be counterfeit, though there are some very limited and technically complex pre-play attacks. The terminal generates an "unpredictable number" and the card uses this number, along with a key in the chip (which is never revealed) to create a response cryptogram. This cryptogram is then sent to the issuer to be verified, proving that the card is genuine.

There are some limited attacks, one widely described one a team at Cambridge discovered is that, for some older terminal firmware, the unpredictable may, actually, be very predictable. This would allow one to generate a response cryptogram to use later. This should be patched at most in the wild terminals now. Another attack involves "CVM downgrade" - taking a stolen card and making it not require the PIN. Given chip cards in the US won't even require a PIN in normal use, this doesn't apply here... for all the wrong reasons.

However, as a whole, counterfeit card fraud will be nearly eliminated when chip cards and chip-enabled terminals are widely rolled out. Today, this is one of the most common forms of fraud (e.g. massive data breaches at Target used to make counterfeit cards).

Walmart, Target, Walgreens, and Home Depot made a voluntary commitment to go first and enable chip card acceptance by the end of March, 2015. Hopefully the other three don't do so in an incredibly insecure, nearly pointless way like Walmart has (Walmart's implementation was actually done properly at first, then they made it insecure intentionally later because it was confusing customers). Walmart has said they will change their implementation back to enforcing later - I think it's stupid. It'll only cause MORE customer training issues to start enforcing the chip once almost everyone has chip cards...

Also, some smaller merchants, especially ones using chip-capable hardware provided by First Data are chip-enabled today.

Chip cards, do, of course, do nothing to secure "card-not-present" transactions such as those on the Internet. This gets mentioned a lot as a problem with chip cards, but it isn't really. The chip is meant to secure use of the PHYSICAL card. Something else is needed to secure purchases on the Internet. 3-D Secure (Verified by Visa, MasterCard SecureCode, American Express SafeKey), while imperfect, has been widely deployed in Europe. It was tried in America, but merchants and consumers hated it as it was confusing and a password they forgot. What will secure Internet transactions hasn't been decided, but ultimately I think it'll be some form of 3-D Secure... and it'll need to happen soon. But it's a separate issue from physical chip cards, and both are needed.

 

[mobilehaathi]

I suggest a little reading.. http://en.wikipedia.org/wiki/EMV

When a terminal is chip-enabled it *should* not allow the card to be swiped (there are exceptions, for example Walmart is chip-enabled but is allowing chip cards to be swiped to reduce customer confusion... which is ridiculous...; also the card can be swiped if a merchant is enabled for OTHER chip cards but not that brand... for example, many merchants in Ireland are not chip-enabled for American Express). Thus, (almost) every merchant that is chip enabled is one less place a counterfeit magnetic stripe made from a chip card can be used.

The chip cannot be counterfeit, though there are some very limited and technically complex pre-play attacks. The terminal generates an "unpredictable number" and the card uses this number, along with a key in the chip (which is never revealed) to create a response cryptogram. This cryptogram is then sent to the issuer to be verified, proving that the card is genuine.

There are some limited attacks, one widely described one a team at Cambridge discovered is that, for some older terminal firmware, the unpredictable may, actually, be very predictable. This would allow one to generate a response cryptogram to use later. This should be patched at most in the wild terminals now. Another attack involves "CVM downgrade" - taking a stolen card and making it not require the PIN. Given chip cards in the US won't even require a PIN in normal use, this doesn't apply here... for all the wrong reasons.

However, as a whole, counterfeit card fraud will be nearly eliminated when chip cards and chip-enabled terminals are widely rolled out. Today, this is one of the most common forms of fraud (e.g. massive data breaches at Target used to make counterfeit cards).

Walmart, Target, Walgreens, and Home Depot made a voluntary commitment to go first and enable chip card acceptance by the end of March, 2015. Hopefully the other three don't do so in an incredibly insecure, nearly pointless way like Walmart has (Walmart's implementation was actually done properly at first, then they made it insecure intentionally later because it was confusing customers). Walmart has said they will change their implementation back to enforcing later - I think it's stupid. It'll only cause MORE customer training issues to start enforcing the chip once almost everyone has chip cards...

Also, some smaller merchants, especially ones using chip-capable hardware provided by First Data are chip-enabled today.

Chip cards, do, of course, do nothing to secure "card-not-present" transactions such as those on the Internet. This gets mentioned a lot as a problem with chip cards, but it isn't really. The chip is meant to secure use of the PHYSICAL card. Something else is needed to secure purchases on the Internet. 3-D Secure (Verified by Visa, MasterCard SecureCode, American Express SafeKey), while imperfect, has been widely deployed in Europe. It was tried in America, but merchants and consumers hated it as it was confusing and a password they forgot. What will secure Internet transactions hasn't been decided, but ultimately I think it'll be some form of 3-D Secure... and it'll need to happen soon. But it's a separate issue from physical chip cards, and both are needed.

Thanks to both of you. It seems the security depends on the vendors no longer accepting swipes. I certainly would prefer to go towards a chip based system, but every vendor I use still has swipe machines. Actually they seem to use combination chip readers and magnetic swipe readers.

 

[yg17]

I got to use my chip for the first time in the US yesterday at a small mom and pop bakery. I swiped my card assuming EMV was disabled like it is everywhere else that has EMV readers and was pleasantly surprised when it prompted me to insert my card. Retailers should've made this move years ago.

 

[AllieNeko]

Thanks to both of you. It seems the security depends on the vendors no longer accepting swipes. I certainly would prefer to go towards a chip based system, but every vendor I use still has swipe machines. Actually they seem to use combination chip readers and magnetic swipe readers.

That is true, but MOST merchants, once they enable their chip readers, no longer allow chip cards to be swiped. Walmart is a notable, high profile, exception to this rule. And that bothers me greatly.

Most merchants in the US do not yet have their chip card readers enabled. Hopefully, no one follows in Walmart's footsteps with an extremely insecure implementation.

I got to use my chip for the first time in the US yesterday at a small mom and pop bakery. I swiped my card assuming EMV was disabled like it is everywhere else that has EMV readers and was pleasantly surprised when it prompted me to insert my card. Retailers should've made this move years ago.

Were they using First Data terminals? This is the most common chip-enabled First Data terminal deployed, though there are others: http://www.terminaldepot.net/product_images/g/981/First_Data_FD35_Pin_Pad__26421_zoom.jpg

 

[mobilehaathi]

That is true, but MOST merchants, once they enable their chip readers, no longer allow chip cards to be swiped. Walmart is a notable, high profile, exception to this rule. And that bothers me greatly.

Most merchants in the US do not yet have their chip card readers enabled. Hopefully, no one follows in Walmart's footsteps with an extremely insecure implementation.

Ahah, that may explain why I couldn't use my chip at the grocery store the other day.

 

[yg17]

That is true, but MOST merchants, once they enable their chip readers, no longer allow chip cards to be swiped. Walmart is a notable, high profile, exception to this rule. And that bothers me greatly.

Most merchants in the US do not yet have their chip card readers enabled. Hopefully, no one follows in Walmart's footsteps with an extremely insecure implementation.



Were they using First Data terminals? This is the most common chip-enabled First Data terminal deployed, though there are others: http://www.terminaldepot.net/product_images/g/981/First_Data_FD35_Pin_Pad__26421_zoom.jpg

It looked similar to that, I wasn't sure of the exact model. It had the NFC logo but ApplePay didn't trigger. Although after swiping it said "insert or tap card" so maybe I didn't do something in the right order, but at that point I already had my card out so I went with that instead of getting my phone out again.

 

[AllieNeko]

Ahah, that may explain why I couldn't use my chip at the grocery store the other day.

As a general rule, follow the prompts. If it says "insert or slide card" or "insert, tap or slide card" then insert the card into the chip reader. If it says "please slide card" or "tap or slide card" then swipe the card in the magnetic stripe reader. In both cases, if it says tap, and your card has the wave symbol (or is Apple Pay/Google Wallet/Softcard) you may tap it.

These are not firm rules, as the prompting may just be wrong at some merchants. For example, when my local Subway disabled contactless a couple weeks ago, the contactless logo went away from the screen but the prompt is still "tap or slide" - no response, however. It bothers me that Subway franchisees can even do this, when Subway is supposedly an Apple partner... The local owner is very anti-contactless, and Subway SHOULD be putting their feet down on this one.

Also, again, just because a terminal is chip-enabled doesn't mean it is enabled for all applications. Walmart terminals have long said "insert or slide" but the only application they were enabled for until earlier this year was EBT cards in some states. MOST shops do not include "insert" in the prompting if they are only enabled for EBT cards, though the slot will be lit up. Most common will be for terminals in some countries to be chip-enabled and have Visa and Mastercard applications, but Amex and/or Discover will need to be swiped. This is especially likely in countries where there are no local Amex or Discover/Diner's Club cards.

----------

It looked similar to that, I wasn't sure of the exact model. It had the NFC logo but ApplePay didn't trigger. Although after swiping it said "insert or tap card" so maybe I didn't do something in the right order, but at that point I already had my card out so I went with that instead of getting my phone out again.

You cannot tap until AFTER the sale is totalled and sent to the PIN pad. You probably tried Apple Pay too early.

 

[Apple fanboy]

But why not chip and pin in the US? We've had it for years over here. Even a chip enabled card is completely vulnerable if I've taken your card. With chip and pin you are safe.

 

[AllieNeko]

But why not chip and pin in the US? We've had it for years over here. Even a chip enabled card is completely vulnerable if I've taken your card. With chip and pin you are safe.

Because MOST card-present fraud is counterfeit card fraud, and my understanding from connections I have is that banks are afraid of customer backlash if they launch chip and PIN. There is fear that customers either would refuse to use chip and PIN cards, or would simply forget their PIN and pull out another card instead.

 

[hallux]

2 things.

How will this work in restaurants where they typically take your card and return later with the slip to sign?

As for securing internet-based transactions, the card issuers are starting to roll out systems (VisaCheckout is one) to actually take you to a site where you sign in with the account you use to access your statements, to then authorize payment. This requires participation by the vendor and the issuing bank, but it may be a step in the right direction, so long as they can keep the sign in secure. I think in this way the vendor never actually stores your credit card info.

 

[Apple fanboy]

Because MOST card-present fraud is counterfeit card fraud, and my understanding from connections I have is that banks are afraid of customer backlash if they launch chip and PIN. There is fear that customers either would refuse to use chip and PIN cards, or would simply forget their PIN and pull out another card instead.

So what you are saying is Americans can't remember a 4 digit code? Right got it thanks!

Why would there be a backlash? When Tim debuted the old fashion way to make a purchase during the Apple pay keynote, I had absolutely no idea what he was on about. Sign here, check your photo id? Seemed weird to me and the rest of the world!

 

[adk]

Thanks to both of you. It seems the security depends on the vendors no longer accepting swipes. I certainly would prefer to go towards a chip based system, but every vendor I use still has swipe machines. Actually they seem to use combination chip readers and magnetic swipe readers.

Sometime next year (September maybe?) Visa and MC will begin to hold merchants responsible for fraudulent charges when a card is swiped. This will be the time you'll see a mass switchover to EMV.

 

[yg17]

How will this work in restaurants where they typically take your card and return later with the slip to sign?

In more technologically advanced countries, where they use chip cards (aka nearly every country besides the US) the waiter brings a portable card reader to your table for you to type your PIN into.

 

[AllieNeko]

2 things.

How will this work in restaurants where they typically take your card and return later with the slip to sign?

As for securing internet-based transactions, the card issuers are starting to roll out systems (VisaCheckout is one) to actually take you to a site where you sign in with the account you use to access your statements, to then authorize payment. This requires participation by the vendor and the issuing bank, but it may be a step in the right direction, so long as they can keep the sign in secure. I think in this way the vendor never actually stores your credit card info.

In other countries, they bring a wireless terminal to the table for chip card transactions. In the US, with mostly chip and signature, they may keep doing things the way they do and simply drag you up to their station with them if you have a chip and PIN card.

Systems like Visa checkout are nice as an option for merchants, but not a good alternative to actual transaction security for merchants with their own processing.

So what you are saying is Americans can't remember a 4 digit code? Right got it thanks!

Why would there be a backlash? When Tim debuted the old fashion way to make a purchase during the Apple pay keynote, I had absolutely no idea what he was on about. Sign here, check your photo id? Seemed weird to me and the rest of the world!

No, I'm saying my connections in the banking industry seem to feel that way. Part of that is because Americans have more credit cards than people in other countries.

Sometime next year (September maybe?) Visa and MC will begin to hold merchants responsible for fraudulent charges when a card is swiped. This will be the time you'll see a mass switchover to EMV.

Kinda. Let's be clear because the way you worded that is the reason why some merchants in Europe refuse swipe cards... you are liable for swiped transactions IFF the card has a chip (or should have a chip... e.g. is a clone of the magnetic stripe from a chip card). Thus, you can still swipe non-chip cards fine.

 

[yg17]

In other countries, they bring a wireless terminal to the table for chip card transactions. In the US, with mostly chip and signature, they may keep doing things the way they do and simply drag you up to their station with them if you have a chip and PIN card.

Systems like Visa checkout are nice as an option for merchants, but not a good alternative to actual transaction security for merchants with their own processing.



No, I'm saying my connections in the banking industry seem to feel that way. Part of that is because Americans have more credit cards than people in other countries.



Kinda. Let's be clear because the way you worded that is the reason why some merchants in Europe refuse swipe cards... you are liable for swiped transactions IFF the card has a chip (or should have a chip... e.g. is a clone of the magnetic stripe from a chip card). Thus, you can still swipe non-chip cards fine.

If a chipped card is swiped in an EMV capable reader, it should get rejected. Now, does that rejection come from the bank during the authorization process, or is there a flag on the magstripe that says it's chipped? Because if it's the latter, I'm wondering what's stopping someone from removing the flag on a cloned card?

 

[AllieNeko]

If a chipped card is swiped in an EMV capable reader, it should get rejected. Now, does that rejection come from the bank during the authorization process, or is there a flag on the magstripe that says it's chipped? Because if it's the latter, I'm wondering what's stopping someone from removing the flag on a cloned card?

There is a flag on the card, that Walmart is currently NOT using to reject the card, but merchants are supposed to. Walmart's setup is an insecure mess because they do not enforce the service code. And frankly, I think it's only more confusing to customers.

Furthermore, if coded properly, a BANK can reject it too (most merchants will let you swipe after three failed chip reads - that is the standard). These transactions allow for broken cards and terminals but should be subject to a high level of scrutiny... both by the merchant who should look closely at the physical security features of the card, and by the bank which should apply much stricter fraud controls to these transactions, if they allow them at all.

The flag can be easily removed by changing the service code in the track data, but once you do this, the bank can see that the data was tampered with and SHOULD reject the transaction.

Notice my use of the word should. Just a few weeks ago, one bank that wasn't even issuing chip cards allowed over $100,000 in "chip" transactions that came from Brazil. The transaction cryptograms were, of course, nonsense. Every red flag in the book was there, but about 1/3 of them still got authorised (one system was allowing them). EMV provides the data that banks need to be aware that a card is counterfeit or is likely to be counterfeit. If their systems do not actually verify that data, that's on them.

 

[freeskier93]

I don't think this is anything new with Discover and it's meant more for traveling abroad.

 

[AllieNeko]

I don't think this is anything new with Discover and it's meant more for traveling abroad.

Wrong on both counts. It is brand new for Discover and as of today, chips on Discover cards are not widely accepted abroad (they still need swiped) though acquirers are pushing out updates now. It is primarily, though, for security in the US as merchants begin accepting chip payments over the next eight months.

 

[wordoflife]

I also got my Discover chip card. Hopefully they roll out a chipped garnet card.

 

[Anitramane]

In my country we use chip and pin. If you want to pay with the magnetic thing you have ot show ID and sign your signature.

While chip and pin is more secure than the magnetic thing, it's still hilariously broken.

 

[AllieNeko]

In my country we use chip and pin. If you want to pay with the magnetic thing you have ot show ID and sign your signature.

While chip and pin is more secure than the magnetic thing, it's still hilariously broken.

"hilariously broken"? How so? There are some obscure and easily patched vulnerabilities but nothing majorly broken.

 

[Anitramane]

"hilariously broken"? How so? There are some obscure and easily patched vulnerabilities but nothing majorly broken.

You can read this

https://www.defcon.org/images/defco.../DEFCON-19-Barisani-Bianco-Laurie-Franken.pdf

Or watch this

www.youtube.com/watch?v=JABJlvrZWbY

It's still better than magstripe though.