Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
What is it with people like you?

The transaction takes five seconds, tops. And I've used the chip at many different retailers.

Have you really used a credit card with a chip to make a purchase at a store? It may not take 30 seconds for the transaction, but it certainly takes longer than 5 seconds for the chip to be read and the account verified.
 
It has a slot for chip cards and I believe this connects to the Stands.
I was meaning support in Canada with chip and PIN.

We have our Square stands USB full - USB Scanner, Printer, and Cash Drawer. Since we are also using an iPad 2 it is not supported with this Square using Bluetooth. I have spare iPad 3's so I could make it work if Square actually supported Chip and Pin.
 
Chip hasn't been a debacle for every other country. But NFC will take care of that as with most merchants but target and Walmart if you take chip, you also take NFC

The business community also doesn't hate Visa and MasterCard's guts in other countries like they do here. Most businesses in the US would still be cash only if they could get away with it, so it's no wonder why they'd rather that using a card suck as much as possible.

Oh, and apparently First Data changed their firmware recently so the "hack" I was using to get around having to tell people how to use their own terminals doesn't work anymore. A lot of these places don't even know that they accept Apple Pay so I expect to start being shut down more often in the future. So no, we're not even close to every EMV capable terminal being NFC capable as well.

So the reason why EMV is so slow and clunky is because of an obsolete design solving a problem that the US never had, while not solving big fraud issues we do have. But since you're apparently the expert, I think you already knew that.

Magstripe cloning is one of the big fraud issues we're having though.
 
It would be great if all small businesses had Apple Pay. This is a good step in that direction. Unfortunately, there are a number of small businesses which are either using old-fashioned cash registers or old POS systems which don’t have USB ports. And yes, the Square reader has a USB port. The other problem is that you need a way of securing the reader because without a chain or something holding it to the counter, someone could easily steal it without the cashier or shop owner noticing.
 
Actually, he was correct and he seems to know more than you about the chipped cards.

The only reason for them is to protect banks. If you are sold on their PR campaign that it's for "your protection", then you should also probably put LoJack on your car. Corporations will do anything to maximize profits.

You defended someone who doesn't have a clue about what he's talking about.

I explained about the encryption/ one time code, cloning, etc, and you think he knows more than I do about chipped cards? Fat chance... Don't quit your day job. Words can't express how idiotic you look.

There a reason America has half of the world's credit card fraud despite having only 25% of the total credit card population. Mag-stripe.
 
  • Like
Reactions: pjarvi
Magstripe cloning is one of the big fraud issues we're having though.

True, but that's not the real problem. The problem is that intercepted data (through a POS breach or a skimmer) can be used to make fraudulent purchases. EMV simply prevents intercepted data from being used to make a physical card. It does nothing to prevent intercepted data from being used over the Internet, nor does it prevent the interception of the data to begin with. So the result you see in EMV countries is that fraud simply switches to card-not-present Internet transactions.

The problem is that EMV was designed to assure that all physical cards are valid cards, without having to check in with the bank. This allows offline transactions, so EMV doesn't try do anything else security-wise. It was designed for a different problem, so it doesn't solve the problem we want it to solve.
 
Last edited:
  • Like
Reactions: jblagden
True, but that's not the real problem. The problem is that intercepted data (through a POS breach or a skimmer) can be used to make fraudulent purchases. EMV simply prevents intercepted data from being used to make a physical card. It does nothing to prevent intercepted data from being used over the Internet, nor does it prevent the interception of the data to begin with.

The problem is that EMV was designed to assure that all physical cards are valid cards, without having to check in with the bank. This allows offline transactions, so EMV doesn't try do anything else security-wise. It was designed for a different problem, so it doesn't solve the problem we want it to solve.

How common is the former vs the latter though? Hint: European cards are being stolen and used in the US despite their owners not being here and the fact that the information on the chip isn't enough to make a working magstripe card.

Yes, POS breaches have been in the news lately, but they were only worthwhile to do because of our card system.
 
How common is the former vs the latter though? Hint: European cards are being stolen and used in the US despite their owners not being here and the fact that the information on the chip isn't enough to make a working magstripe card.

http://www.apca.com.au/docs/fraud-statistics/Australian-payments-fraud-details-and-data-2015.pdf
Look at page 8. Australia's fraud rates are the highest they've ever been. Page 9 shows that the counterfeit percentage went to card-not-present.

You're interpreting the situation wrong. As long as there's a hole, in this case US magstripe, fraud will migrate to that hole. When you plug it, it will migrate to the next hole, card-not-present. In order to make a real change, you have to secure the entire system.

The information on the chip is still adequate to make a working magstripe card. The only thing you're missing is the CVV, which is three digits. By simply guessing, you have a 1 in 1000 chance. If you assume they allow 3 attempts before locking out the account, then you have a 1 in 333 chance of simply guessing it.
 
  • Like
Reactions: jblagden
"chip and pin" vs "chip and signature" are somewhat industry technical terms. Its up to the card-issuer to decide which they want to implement for security. The issuer has to support it.

When someone with a US card uses their chip card in Canada, it's treated like a Swipe card.

So I expect this is the same mechanism in place with Square. The card reader is running it "like a swipe card", which means the card has to actually allow that mode. So AFAIK that means Canadian chip cards on US square readers will be treated the same as NFC/Swipe and subject to the same limitations, while a Canadian chip card used on a Canadian square reader (which would need the attached PIN pad) would only allow transactions over the NFC limit if the PIN was entered. A US card used on a Canadian reader would be treated the same as a NFC/swipe card.

Basically, you probably wouldn't be able to spend more than 50$ on with the Square reader without a PIN with a non-US card. Because the nonce changes when you do NFC transactions, if you were at a convention you would eventually need to insert the chip card somewhere to keep using it. The US cards are essentially being treated the same as a swipe card as far as the reader is concerned. It has the upgraded security of EMV/NFC but it's being subjected to the NFC rules.

So that's good enough for food trucks and small conventions/flea markets.
 
remember when Apple said no one needed NFC?, Oh wait

That's the wrong context. That was in the context of "NFC accessories" instead of Bluetooth. Because NFC accessories don't have robust security mechanisms for things like Keyboards. The NFC "accessory" market is rather immature and this is certainly not what NFC was meant for. NFC was meant for "pin-less" access control and payments. It could also be extended to inventory control, but it should never be used as a means for two electronic devices to establish a permanent data connection.
 
http://www.apca.com.au/docs/fraud-statistics/Australian-payments-fraud-details-and-data-2015.pdf
Look at page 8. Australia's fraud rates are the highest they've ever been. Page 9 shows that the counterfeit percentage went to card-not-present.

You're interpreting the situation wrong. As long as there's a hole, in this case US magstripe, fraud will migrate to that hole. When you plug it, it will migrate to the next hole, card-not-present. In order to make a real change, you have to secure the entire system.

No one ever said EMV would help with card not present fraud. Your link shows that counterfeit fraud did go down after they adopted chip, just as intended. Of course thieves will commit easier forms of fraud as a result.

The information on the chip is still adequate to make a working magstripe card. The only thing you're missing is the CVV, which is three digits. By simply guessing, you have a 1 in 1000 chance. If you assume they allow 3 attempts before locking out the account, then you have a 1 in 333 chance of simply guessing it.

The probability isn't 1 in 333 because the guesses depend on each other (i.e. you're not going to try 999 multiple times). Since the probability of not guessing the CVV correctly on the first attempt is 999/1000, 998/999 on the second and 997/998 on the third, there's a 99.7% chance of not guessing it correctly within three attempts. In other words, a 0.3% chance of a correct guess with any of those attempts.

When someone with a US card uses their chip card in Canada, it's treated like a Swipe card.

What? No. It's the same chip that other countries use, just programmed so that it doesn't need a PIN.
 
I'd say CVM is more of a technical term than chip and signature (which the banks have been using in their educational materials). Both issuer and terminal have to support a particular method of authentication in order for it to be used.
Speaking of, why in the world do they call it EMV when its supported by so many more than those 3? 'Chip card' is just lame. Why not just 'smart card' ;)
 
The probability isn't 1 in 333 because the guesses depend on each other (i.e. you're not going to try 999 multiple times). Since the probability of not guessing the CVV correctly on the first attempt is 999/1000, 998/999 on the second and 997/998 on the third, there's a 99.7% chance of not guessing it correctly within three attempts. In other words, a 0.3% chance of a correct guess with any of those attempts.
3/1000 = 1/333 = .003 = .3%
 
  • Like
Reactions: jblagden
A bit expensive considering they make 2.75 to 3.5% (plus $.15) and fees on each purchase. They gave the small reader for free when you signed up for their service.

I get that this reader is a bit more involved and electronics, so $20 wouldve still been fair.

it's still far cheaper than the hundreds you have to pay to get a merchant account and then there's fees on stop of that.

Now I can't wait to see how long it takes them to update their stands etc.
 
  • Like
Reactions: jblagden
3/1000 = 1/333 = .003 = .3%
What the bad guys do is they harvest thousands, tens of thousands, or even more cards. Then they just try random CVV across them all and the odds increase for a hit significantly. All they need is a few cards solved and they go shopping!
 
Speaking of, why in the world do they call it EMV when its supported by so many more than those 3? 'Chip card' is just lame. Why not just 'smart card' ;)
Because Europay, MasterCard, and Visa invented the standard - hence EMV. It now covers more cards, like Amex for example and they all own it now, but the name EMV is trademarked and already used so no need to change it.

FYI, smart cards use the ISO 7816 standard
 
I'm not like you where I put the card in upside down, put it in the right way and then pull it out immediately, and then do it correctly the third time. I can see why it takes 30 seconds for you to process a transaction.
It easily takes 20+ seconds to verify a chip card. When you put it in the right way, it says "DO NOT REMOVE CARD", and says that for 20+ seconds before it says complete. Have you ever paid with a chip card?
 
It easily takes 20+ seconds to verify a chip card. When you put it in the right way, it says "DO NOT REMOVE CARD", and says that for 20+ seconds before it says complete. Have you ever paid with a chip card?

Many times, it doesn't take 20+ seconds except for once. Most of the time it's 5 seconds or so.

Do you stick your card in before the cashier is done ringing up your items?
 
Many times, it doesn't take 20+ seconds except for once. Most of the time it's 5 seconds or so.

Do you stick your card in before the cashier is done ringing up your items?
Honestly there aren't many places that accept them so I can't remember for certain, but when I have the cashier tells me my total, I take my card out and insert it into the reader, and the display says "Do not remove card" for at least 20-30 seconds, then it finishes. The cashier is aware that I inserted my card too, so I'm not sure.
 
So in other words you don't know the first thing about these chipped cards, gotcha.

We know _why_ the chip cards are used.

We're annoyed that we have to stand there waiting 5-30 seconds for something which should be practically instant.

That it's protective doesn't mean that it's not annoying.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.