I work for a bank, used to do disputed transactions, many of them involving cards.

The chip is *not* more secure than the mag strip. That’s not why banks forced all the cards to use them.

The chip just sends a report that it’s been used for every transaction it’s involved in. So the bank knows, if the charge on your card used the chip, your card was *physically there* to make the purchase, and that it wasn’t made online or over the phone or some other way.

This means that if someone calls the bank, says they had their card in their possession, but the last 5 chip-based charges on their account are fraudulent, the bank will deny that dispute case and say “your chip was used and you said you had your card, therefore you made these charges.”

I can confirm this pisses off *a lot* of people.

EDIT: Downvoting the person telling you that your cards aren’t safe is some pretty naive shit.

The chip is like a little computer that gets powerd inside the readers or even wireless with NFC. The magnetic strip is just like a number you have written down, only it’s readable by machines.

That leads to several problems with the strip. You can easily read and copy it for example. The chip works like a computer, you can program it to only send data when it’s properly authorized. Makes it a lot harder to extract and reproduce the data.

I haven’t seen anyone here talk about symmetric and asymmetric encryption, which I think is also a pretty important piece of the puzzle.

​

Asymmetric encryption is the backbone is a lot of modern cryptography. Imagine you have a public key and a private key. The public key, you can give out to everyone. The private key, you keep private. Both of them can be used to encrypt or decrypt messages. The thing is that if a message was encrypted using your public key, ONLY the private key can decrypt it. Likewise, if a message was encrypted using your private key, ONLY the public key can decrypt it.

​

This can have a lot of benefits. If you encrypt something with your own personal private key, the bank KNOWS it was you, because when they decrypt it using your public key, you are the only one who could have sent that transaction. The reverse of this would be if I wanted to send you a private message, I could encrypt it using your public key, and be confident in the knowledge that you are the only person in the world who could decrypt that message.

​

In the real world, this technology is used everywhere from bank cards to web browsers. Take a look at the top of your web browser, at the little lock in the URL box. That lock shows that your browser has authenticated the website’s certificate using their public key. Your bank card, and your web browser, are both doing this stuff automagically all the time. Among other things, the most important thing your bank card has on it is a set of public and private keys.

To expand a little more then some others are:

The data on the mag strip is just static, like text printed on a page. So if someone used a photocopier, they could reproduce that text and pretend to be you. This can be done by putting a hard to see device over the card reader, that can read your card as you swipe it.

The chip, however, is a little computer than can do a little calculation. The actual math it does is well out of ELI5 territory, but the idea is simple enough.

The chip has a secret number in it that, importantly, *never leaves the chip*. However, it can still prove that it has this number. It can do this by “multiplying”* this number by the random number the card reader gives it, and then giving back the result. So if the secret number was 5, the reader might give it 3, and it would return 15. The reader can them give the result to the bank (or whoever issued the card), who also know the secret number, who can verify that the result is accurate.

* In reality, these numbers are hundreds of digits long and the function isn’t multiplication, but something that is much more complex and that doesn’t have a way to reverse it, the way that division reverses multiplication. The math itself is far beyond ELI5 territory, though.

The nature of this math is such that the input and output appear to be essentially random and even if you could see hundreds of examples of input and output pairs, you still couldn’t feasibly figure out the secret number.

Because the number itself doesn’t leave the chip, the best you can do is intercept a few input-output pairs between the reader and the card, however since the card readers ask for the results with a random number (and these numbers are very large) the chance that you happen to have seen that number before are essentially 0.

Imagine I am talking to you on the phone. I ask you: What is your name? You say “Jon Smith”. Ok, I take money from Jon Smith. If you aren’t Jon Smith, I have no way to prove it. That’s the mag strip.

Instead, I ask you: What’s your name and what’s the last house number you lived at? You say Jon Smith, 3455. I can now confirm you are likely Jon Smith (or at least know something extra “secret” about Jon Smith.) That’s mag stripe + CCV.

But the problem is if someone is eavesdropping on the phone, they can claim to be Jon Smith at 3455.

So, instead of asking for your house number, I might ask you for the *sum* of the last two houses you lived at: 3455+1111 = 4566.

And the next time I ask, I might ask for the difference between your two house numbers: 3455-1111 = 2344. Even if you know the sum of the two house numbers you don’t know their difference. That’s chip with cryptography.

Of course the cryptography is much more complex than adding or subtracting two numbers but it gives you idea of how to communicate that you know some secret information without giving away the secret information.

the magnetic strip just has a number tied to it. think of it like your bank account number. if a skimmer gets it, you’re screwed.

the chip or tap uses tokenized numbers. if you’ve ever used an RSA token, or a physical authenticator, it’s like that. or heck, even google authenticator. they generate an expected number in a specific order, so each time you use it, that number is no longer valid and only valid for a short period of time. so if a skimmer gets it, it’s worthless as you’ve already used it and time has already expired it. it’s way safer and companies would probably save money related to fraud if they switched to tap.chip more quickly

The chip is like a little computer that gets powerd inside the readers or even wireless with NFC. The magnetic strip is just like a number you have written down, only it’s readable by machines.

That leads to several problems with the strip. You can easily read and copy it for example. The chip works like a computer, you can program it to only send data when it’s properly authorized. Makes it a lot harder to extract and reproduce the data.

I haven’t seen anyone here talk about symmetric and asymmetric encryption, which I think is also a pretty important piece of the puzzle.

​

Asymmetric encryption is the backbone is a lot of modern cryptography. Imagine you have a public key and a private key. The public key, you can give out to everyone. The private key, you keep private. Both of them can be used to encrypt or decrypt messages. The thing is that if a message was encrypted using your public key, ONLY the private key can decrypt it. Likewise, if a message was encrypted using your private key, ONLY the public key can decrypt it.

​

This can have a lot of benefits. If you encrypt something with your own personal private key, the bank KNOWS it was you, because when they decrypt it using your public key, you are the only one who could have sent that transaction. The reverse of this would be if I wanted to send you a private message, I could encrypt it using your public key, and be confident in the knowledge that you are the only person in the world who could decrypt that message.

​

In the real world, this technology is used everywhere from bank cards to web browsers. Take a look at the top of your web browser, at the little lock in the URL box. That lock shows that your browser has authenticated the website’s certificate using their public key. Your bank card, and your web browser, are both doing this stuff automagically all the time. Among other things, the most important thing your bank card has on it is a set of public and private keys.

Most people have the right idea, however, it depends. The banks and card processors have a spectrum of risk for different types of transactions and technology implementations.

The behavior of a chip card varies, including online vs offline authorizations. An online authorization is one where the card terminal has a discussion between the card and the bank. An offline transaction happens only between the terminal and the card.

Online transactions can involve using the chip’s crypto functions since a cryptographic value used to verify card transactions is held at the bank.

Offline transactions can use a PIN validation scheme using similar crypto functions whereby a PIN is checked by the card itself, not at the bank (we mostly don’t use them in the US). Why would anyone use offline transactions? They can be slow, costly, and require reliable internet connectivity.

Here in the US offline chip transactions are almost identical to stripe-only transactions.

A bank may require online authorizations on amounts on, say over $100. But at a snack vending machine an offline tap is just fine risk-wise. The vending machine may settle its transactions once a day or so.

Most of the data can be viewed by a normal person. You can buy a “usb smart card reader” and get free EMV reading software. You’ll see a card number, expiration, internal CVV, type, your name. A few values will be hidden, such as the encrypted PIN or transaction signing secret.

Most people have the right idea, however, it depends. The banks and card processors have a spectrum of risk for different types of transactions and technology implementations.

The behavior of a chip card varies, including online vs offline authorizations. An online authorization is one where the card terminal has a discussion between the card and the bank. An offline transaction happens only between the terminal and the card.

Online transactions can involve using the chip’s crypto functions since a cryptographic value used to verify card transactions is held at the bank.

Offline transactions can use a PIN validation scheme using similar crypto functions whereby a PIN is checked by the card itself, not at the bank (we mostly don’t use them in the US). Why would anyone use offline transactions? They can be slow, costly, and require reliable internet connectivity.

Here in the US offline chip transactions are almost identical to stripe-only transactions.

A bank may require online authorizations on amounts on, say over $100. But at a snack vending machine an offline tap is just fine risk-wise. The vending machine may settle its transactions once a day or so.

Most of the data can be viewed by a normal person. You can buy a “usb smart card reader” and get free EMV reading software. You’ll see a card number, expiration, internal CVV, type, your name. A few values will be hidden, such as the encrypted PIN or transaction signing secret.