My new project: Tact, a simple chat app.

Chipped bank card security

January 08, 2007

Here’s something I don’t understand about bank card security. I have the latest-and-greatest chipped VISA card. It has both a chip and the magstrip for older systems. And I’ve experienced a variety of security situations when paying with it. Some of which seem really insecure to me, so I’d like to understand am I misreading something or is this really to be expected.

The most desirable and secure situation with this card is the “chip-and-PIN” situation. You pay with a chip-capable terminal and need to enter your PIN to confirm the purchase. This is already the case with most retailers and public facilities (say bars, restaurants) in Estonia and also other European countries.

If you encounter a retailer that has only the magstripe-reading facility, then you need to write your signature on the slip. And in extreme cases, you may also be asked for an ID, although retailers very rarely seem to do that. See also Zug’s pranks. I understand this is being positioned as “thing of the past” until every one happily switches to the chip-reading facility.

Next up is what happens in Germany in Autobahn gas stations and I can’t remember but I think it was with some other retailers as well. They slip your card in some reader, and I can’t really tell if it’s reading the chip or stripe, but since it’s “sitting” in the terminal, I assume it’s the chip, since you can read the magstripe only by swiping, not by idle sitting (I think?). So the only thing you need to do is to press the BESTÄTIGUNG button, which is German for “confirm” or “OK”. So this already gives me the creeps, since the chip is said to be accessible only with a PIN, but here’s something that will accept me just after pressing a button. (Update: checked with someone who knows this stuff. Saying “chip is said to be accessible only with a PIN” is technically oversimplified and plain wrong, but this doesn’t invalidate the rest of this discussion.)

The “green button” scenario is quite widely spread, especially in what I think of as non-traditional locations. For example on the Danish toll bridges across Oresund and Odense all you do to pay for the crossing is insert your card and press the green button to confirm. Sure, you’ll get a receipt, but there’s no other validation going on.

And the worst offender comes from Polish toll roads from this weekend. The roads themselves are fine (more in a separate post), but paying for the toll road was quite horrifying. I drove up to the toll booth, handed the lady my credit card. She did something to it and handed it back to me with the receipt. That’s all. There was no other active confirmation from me, either signature, or green button, or yet something else. Nothing at all.

From a practical standpoint as both customer and seller, I can understand the idea that doing the transaction should be easy to both parties. But from a security standpoint, it really gives me creeps. There’s nothing stopping me from doing all this stuff with a stolen card. Sure, the amounts in case of toll road are not that huge, but how come some merchants can ignore the security rules that others must follow? Is this chip-and-pin just one big hoax, since some places can get away without checking the PIN anyway?

The whole point of signature or PIN, to my knowledge, is to validate that it’s really you, the legit user, who’s using the card. The “green button” can’t really provide that. (Of course the signature itself is merely an illusion of security. My card got stolen once, and some purchase was made with the signature on the slip that couldn’t have been mine. But when we challenged the bank with my employer since I was using a company card, the bank indicated that they couldn’t care less. And it was easier and cheaper to swallow the damage than challenge them in the court, but it left me a very bad taste of the whole security of the system.)

Or is this all a non-issue since all these merchants validate your card online so that if your card is stolen, you can just phone up your bank and all these services magically stop accepting your card and save you the money that you’d otherwise be stolen? (I doubt the latter because the transactions are too fast for any online validation to take place, even in Estonian retail stores with good connections it takes longer than the Polish toll road booth ever took.) I’ll have to dig up the Terms-of-Service of my card to see what it says about it.

And ending, of course, with the standard practical bullet that no matter what, it’s best to watch your stuff really well and not get things stolen. Most important is always to look after yourself, things then tend to work out in your favour.