The card doesn’t tell the reader if it has money or not, that’s why the terminal still needs to contact the banking network for that. The process involving the chip is to authenticate the identity of the card, not to validate funds availability.

Anyone who accepts cards in an “offline” (saving transactions to process later) situation takes the risk of a invalid/Expired card being used, but the same applies for magnetic stripe transactions as well.

The problem is to get the right information. It’s not as simple as their name and their account number. All the information in there is encrypted so someone could make the chip and still get nothing out of it because they cant get the actual data without the right encryption key

The chip on the card doesn’t have the amount of money the person has, it has the bank account information and a set of personal encryption keys. The terminal queries the card’s ship for the bank account information, connects to the bank’s servers, runs an authentication check with the card’s personal encryption keys to confirm that the card itself is legit, and then sends the bank the charge info. The chip on the card has no idea what your account contains.

The card just says my account is XXXX at Bank Y. Then then the bank is contact (in split seconds) to say how much money is left.

So if you want a card that never runs out, it isn’t the card that needs to be hacked, it is the bank. Either trick the the real bank Y to always say “enough money” or have a fake bank (Fake-Y) that always says “enough money” to the merchant.

The card itself doesn’t have money on it. The bank has the money and the card is just a way to prove that you have the authority to transfer that money.

Say you want to transfer $3.50 to Merchant. So you stick your card in their machine and push all the right buttons*. The exchange goes something like this:

machine to to your bank: Hey, transfer $3.50 to Merchant.
bank to machine: WTF should I let you take money out of OPs account?
machine to bank: OP says it’s cool. They have this card (which you issued to them) that says they’re allowed to move money around.
bank to machine: Oh yeah? Prove it. Here’s a long random number. Tell me the correct response number.
narrator: The chip in each card has a unique code that it can combine with the random number to generate a new long and random looking number. The bank also knows that code so they know what you’re “supposed” to get.
machine to bank: Here’s your code.
bank to machine: OK I’ve transferred $3.50 from OPs account to Merchant’s account.

You can intercept those number but they’re so large and random that they’ll never repeat. The code on the card is never transferred, the chip doesn’t have the ability to report the actual code and we don’t have the technology to read the number off the chip. The math also guarantees that (with current computers) there’s no way to calculate the secret code, even if you observe millions of these challenge-response interactions. Quantum computer will be able to do it and that’s the massive weakness in all technologies that use current encryption methods. Quantum computers do enable a totally different (and possibly better) form of encryption but that’s a bit off topic.

*There is a vulnerability here where the card might just be a stolen card. Signatures don’t protect against this well. The protection around this are strictly legal (ie you can contest charges, banks can decline credit if they think it looks suspicious, etc)

The card doesn’t have any information on it about how much money is available. It’s essentially just a key for the account that does have the money, and it’s not the only key you need to unlock that account and spend the money.

For a hacker to pull off this kind of trick, they need to be able to hack the bank, not the card.

The card doesn’t have any money on it.

A good analogy is that your bank card is the same as a vault key. It only opens your vault. It doesn’t matter if you engrave 1 million dollars on the side of your key it’s still opening a vault with only 10 bucks in it.

The chip on the card contains effectively the same data as is visible on the card: bank name, account number, expiration data, and account holder. The terminal still needs to contact the bank to validate that information and ensure the account has enough funds.

What makes the chip secure is that it takes some data from the terminal, such as date, merchant number, and transaction amount, and uses some encryption to combine it into a transaction ID that is only valid for that transaction. This means the merchant, or a third party, cannot just copy the data from the card and run it for a different transaction.

Now, that security is reduced by merchants still accepting non-chip card inputs, however that is mitigated by card issuers often making the merchant liable, either partially or fully, for fraudulent transactions using insecure input methods.

As many already suggested, very often the chip doesn’t contain any information about the amount of money in someones bank account. It only contains information needed to authorise a transaction.

However, there are many different architectures and sometimes, there is an amount of money stored on a chip card and manipulations are an issue here.
However, the chip is not the only place where that information is stored.

In normal circumstances, the amount of money stored on the chip and within the bank/company are always the same as transactions are done simulteneously on both sides.
If fraud is committed, there will be an inconsistency and it is trivial for a bank to detect and take appropriate actions.

With security, it is not always about 100% preventing bad things from happening, but also detecting and recovering from attacks is important.

Attacks on smartcards do take place. If your bank decides to issue new cards well before the expiration date, you know there is a known issue with the current cards.

First of all, no hacker invented the chip card, it was some bank owner named Roland Moreno, the reason why hacking into chip cards is because it has pins on it. Second of all, it’s a physical, screenless, inanimate object, how can you hack into that, and finally, you need to know the stuff to the account in order to hack into a smartcard.