Podcast: Play in new window | Embed
Eddie asked: “Credit card smart chip tech. It’s not really new. It’s been around since the 80s. It’s the same technology that they used to hack Directv and Dish Network. The readers and writers are still available via the Internet. I’m looking for your opinion on how you feel it’s so much safer when the equipment is readily available to the public on the Internet to buy. Old technology. I hope it got better but in my opinion, I don’t feel it’s safe. They say it’s a digital fingerprint. It can be changed. Just looking for your opinion.”
You’re not wrong… the chips won’t make cards ultra secure, just a little more secure.
The chips you see in cards are known as EMV chips, which stands for Europay, Mastercard, and Visa, and they’re more secure than the magnetic strip, sure… since pretty much anything is frankly, but they’re not anything to write home about.
The chips have been in use in Europe for a very, very long time, and the US is actually the last country in the G20 to adopt them, but the way they tend to work is by what’s called “chip and pin,” you slide the card in, it asks for a pin, if it matches what’s stored securely on the card the charge goes through. That’s the biggest advantage of the chip, better pin encryption via its EMV microcomputer. The thing is, in the US (at least so far) they’re being used as “chip and signature,” which means you slide the card in, sign, no one bothers to check the signature, and you move on.
If [the card] was swiped the business is liable
It pretty much looks like the ones that really stand to benefit from the chips in the short term are credit card companies. The way their contracts are set up, if the card was read using the chip the fraud liability is on them, if it was swiped the business is liable.
Got an old strip-only reader? You’re liable. Got Square or PayPal? You’re liable.
Still, overall it is an improvement over the magnetic strip in terms of security, it’s just probably not one that’s worth the cost of replacing all the terminals at every point of sale in the country. They are still old technology, that if anything should’ve been adopted 10 years ago and should be in the process of being replaced now.
If you want a real and reasonable leap forward in security, try Apple Pay or Android Pay (with biometrics turned on), those two actually encrypt data properly and use biometrics to regulate who can use the card (just make sure you don’t enable an option to use “123456” or “mypassword” as alternative ways to authenticate, but hey… technology can’t cancel out stupidity).