That is true when using contactless/tap to pay. If you insert the card it’s a physical power connection, similar to a USB plug – both power and data are sent through the little gold chip connection.

A lot of the people here are talking a bit about cryptography but without the background, some of it will go over your head. So I’m going to add some info at a high-level about the cryptography in use.

So there’s this method of encrypting data, like a string of characters or a photograph or whatever where you have a key to encrypt it, like a password. But, there’s a complementary key, which is a different password, to decrypt it. This system is one of several “asymmetric” encryption schemes that are around. This system is widely known as public key encryption.

The thing with these keys, you cannot figure out one of the keys by looking at the other. They appear to be completely random and unrelated to each other.

Data encrypted by one key can ONLY be decrypted by the other key. But… the corollary is also true. Data which can be decrypted by a given key could ONLY have been encrypted by the other key.

So… what they do is store a key on the chip card. The data is stored in ROM and can be written to the card once ever, during manufacturing, and cannot be changed. Also, the chip does not offer a way to figure out what that key is.

There’s supposed to be a second key, right? Well that’s readily available to the payment processor company. So what happens is that the terminal will create a manifest of data — the date and time, transaction amount, a unique “number used once” (known as a nonce), and a bit of other data identifying the retailer. This data is then sent to the chip which then encrypts it using the internal key and sends the encrypted version back to the terminal and on to the payment processor vendor. They recieve this and use the known key assigned to the card to attempt to decrypt the transaction. If the decryption succeeds, then the transaction is treated as legitimate.

I’m intentionally skipping the part involving processing the PIN.

“More and more?”

Is it 2010 again? Everyone’s had tap for the last decade lol wtf

I just today had to get gas. I normally go inside, pay cash and pump my gas. I had a few minutes to spare today so I see that the pump had one of those tap to pay emblems. I tapped my card on it filled up with gas, got my receipt and was on my way. So now my question is this, suppose I dropped my card on the ground and drove away. Someone found my card, what’s to keep them from doing the exact same thing that I just did? And how could I get my money back that they just used off of my card?

The chip only stores data – it doesn’t have any on-board power.

The chip is not just data storage, though – it’s also an antenna.

Data can be read off the chip either by physically inserting it into a chip-reader, or by broadcasting the data over a very weak, short-range radio. But since the chip doesn’t have any on-board power, it needs to get off-board power in order to send radio signals. This is done by stimulating the chip with magnetic fields, which happens when you tap it against an induction pad (same principle as wirelessly charging a phone, but with way less juice). That magnetic energy is passively converted into a tiny amount of electrical power which is then used to broadcast the data on the chip via the integrated antenna.

It doesn’t. I’m convinced it was for two main reasons. A mass beta test of the tech, and a scheme to sell new (mandatory) card readers across entire nations. That’s a lot of money.

Criminals can use devices to steal the data off of your card while it’s still in your wallet.

The chip essentially has a small math equation built into it. For simplicity sake, let’s say that the equation is x5 +10 /2

Every card has a unique equation on it. The equations are really way way more complex than my example, but the concept still works.

When you plug in your chip, the card reader machine presents a number, your chip runs the equation and spit out an answer. Using the equation above, the card reader might present the number 6. 6 times 5 is 30, plus 10 is 40, divide by 2 is 20.

Importantly, the card reader machine doesn’t see any of the equation. The card reader only sees “I said 6, card responded with 20.”

Each card’s chip has a complex and unique equation, so there is only 1 card in existence that will provide that exact response. The bank knows your secret equation, so they can verify that your card was used. But no one else knows that equation, so they can’t try to steal your identity that way.

from a consumer/user perspective, it not very different, and not “additionally” secure. form a card-issuer perspective, it almost guarantees that the card was present and its crypto/code is not “tampered/copied/duplicated”. ( at least for a properly installed and configured POS system)

unfortunately, many POS systems are not properly configured…

the chip itself is almost foolproof (i.e. extremely sophisticated equipment, and very good engineer is required to dump it’s raw contents, then too, some data is beautifully obfuscated, so that dump itself is useless).

if you are curious, this has already been worked around using ‘creative’ methods. thieves no longer try to duplicate your cards, but will outright steal and modify to accept any PIN. i am intentionally using an old article as this ‘hack’ has already been addressed by VISA and MasterCard POS systems. but there are others, lesser known hacks still around.

[https://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the-secure-chip-and-pin-credit-cards/](https://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the-secure-chip-and-pin-credit-cards/)

The exact same way as adding a second key lock to you houses front door would. It’s just an extra check, now instead of a single key you need two and both must be present at the same time to open the lock. I can copy your cards strip information (key A) but I also have to have the chips information (key b) or I can’t get in.

[removed]