According to an article in BankInfo Security, Visa and Mastercard have given fuel pump terminal vendors an additional 3 years to add support for EMV.
Visa and MasterCard announced this week that they are pushing back their liability shift dates for counterfeit card fraud that results at non-EMV chip-compliant U.S. pay-at-the-pump gas terminals to October 2020 from October 2017.
That news is an early Christmas gift for convenience-store operators and the petrol industry, even though it leaves issuers on the hook three years longer for counterfeit fraud that might result from a hack or skimming attack at self-serve gas pumps.
But I wonder how much fuss issuers will make about the extension. Counterfeit card fraud at gas pumps pales relative to retail point-of-sale and ecommerce fraud. And despite what we heard five years ago about pay-at-the-pump skimming reaching nearly "epidemic" proportions, we hear much less about it today. That's not to say it's gone away, by any means; but it no longer appears to be a looming epidemic.
Visa and MasterCard made the right decision to give gas pumps a break on EMV. The question now is, will the three-year extension be enough?
(Score: 2) by ledow on Thursday December 15 2016, @03:52PM
Tell me how you would know if they ran two transactions on your card, rather than one, using a PIN recorded from a fake PINPad which relays the PIN / card interface to TWO card readers in different places (e.g. over the Internet).
Or even fake the amount you're authorising by providing you with a dummy terminal that says $2.00 and records your PIN but pulls the chip-pins through to the bank terminal unaltered with a transaction for $200 and presses the same buttons for your PIN.
(Score: 2) by theluggage on Thursday December 15 2016, @06:09PM
> Tell me how you would know if they ran two transactions on your card, rather than one, using a PIN recorded from a fake PINPad which relays the PIN / card interface to TWO card readers in different places (e.g. over the Internet).
Because a chip & pin card is not just a regular card with the magstripe data stored on a ROM chip. Here's an example that might help:
My bank supplies me with a cheap-and-cheerful, self-contained card reader (no WiFi or cellular, no connection to my computer - just a 10-digit display and a keypad) which their online banking site uses to check my identity when I want to make certain transactions. Here's how it works:
So, the PIN doesn't leave the reader, and the key doesn't leave the chip. You can't simply "clone" a card or send the same information twice.
OK, so in practice it's a complex system, and there have been vulnerabilities [bbc.co.uk] - in that case the fault was in ATMs that were sending a predictable challenge code, so a clever crook with a gimmicked reader could collect the response from someone's card in advance. However, you have to balance these technically sophisticated cryptographic MITM attacks using modified hardware against the old system where crooks just needed to copy the card number and a rough approximation to your signature while they, legitimately, had physical possession of your card.
The biggest vulnerability of chip'n'pin cards is that they still have to support swipe + pin or "cardholder not present" payments over the phone/internet.
Daft really - people obsessing over high-tech cryptography apps while still happily giving their card number out over the phone...
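As an added illustration of the challenge-response that theluggage describes (a simplified model written for this thread, not EMV's real cryptogram format and not any bank's or vendor's code): the card computes a MAC over the bank's challenge, the amount and its own transaction counter using a key that never leaves the chip. The two scenarios ledow raises, a captured response submitted as a second transaction and a $2.00 approval forwarded as $200.00, both fail verification. The key, the 4-byte challenge and the HMAC-SHA256 construction are all assumptions of this demo.

```python
import hmac
import hashlib
import secrets

# Constructed demo key; a real card's key is personalised at issuance and never readable.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _message(challenge: bytes, amount_cents: int, atc: int) -> bytes:
    # Everything the card commits to: the bank's challenge, the amount and the counter.
    return challenge + amount_cents.to_bytes(8, "big") + atc.to_bytes(4, "big")


class Card:
    """Stands in for the chip: only a MAC leaves it, never the key."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.atc = 0  # application transaction counter, increments on every use

    def authorise(self, challenge: bytes, amount_cents: int) -> tuple[int, bytes]:
        self.atc += 1
        msg = _message(challenge, amount_cents, self.atc)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Stands in for the bank: same key, fresh challenges, MAC and counter checks."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.highest_atc = 0

    def challenge(self) -> bytes:
        # Unpredictable, so a response cannot be collected from the card in advance
        # (the predictable-challenge ATM flaw mentioned above breaks exactly this).
        return secrets.token_bytes(4)

    def verify(self, challenge: bytes, amount_cents: int, atc: int, tag: bytes) -> bool:
        if atc <= self.highest_atc:
            return False  # counter already seen: the same response is being sent twice
        expected = hmac.new(self._key, _message(challenge, amount_cents, atc), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # challenge or amount differs from what the card actually signed
        self.highest_atc = atc
        return True


def demo() -> dict[str, bool]:
    card, bank = Card(CARD_KEY), Issuer(CARD_KEY)
    chal = bank.challenge()
    atc, tag = card.authorise(chal, 200)                       # honest $2.00 purchase
    genuine = bank.verify(chal, 200, atc, tag)
    replayed = bank.verify(chal, 200, atc, tag)                # same response sent a second time
    chal2 = bank.challenge()
    atc2, tag2 = card.authorise(chal2, 200)                    # card approves $2.00 ...
    amount_changed = bank.verify(chal2, 20000, atc2, tag2)     # ... terminal submits $200.00
    return {"genuine": genuine, "replayed": replayed, "amount_changed": amount_changed}
```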