For store, etc transactions: what’s the difference between chip and scanning the card?

225 viewsOtherTechnology

I never understood this any way but I recently came across a scammer that mentioned when they dump a card (steal the information from someone else’s debit card and put it onto a created debit card) and go to a store and the cashier asks them to do a chip that they’ll intentionally make it decline twice so they’ll have to swipe. That happens to me often with certain cards when I’m in stores. My question is, what is the difference in this context? Like how are they so different that swiping works better than the chip? I’ve seen this a lot also where chips don’t work for a lot of people. But what is the real difference (especially in this context)? Thanks.

In: Technology

5 Answers

Anonymous 0 Comments

The magnetic stripe contains pretty much what’s printed on the card, just in a machine readable format. So it’s trivial to clone: read the data, write data to a new card, done. Cards can be bought on Amazon, a card printer capable of printing a decent looking bank logo on a blank card is also easy to have.

The chip is a tiny computer. It keeps secrets and doesn’t disclose them to the reader. The reader establishes an encrypted connection between the card and the bank, and the bank in the end approves or denies the transaction. The chip can’t be copied because it doesn’t tell the reader at any point any more than it strictly has to.

If you’re okay with doing chip only transactions you could just scrape off the band entirely, and that’ll make it impossible to clone the card.

Anonymous 0 Comments

The chip is a actually computer chip, its not very powerful, but it is powerful enough to make a secure code that is only good for 1 transaction. This changes each time, not sure the exact details, but it is basically not worth stealing this code.

The mag strip though, is just a number (I think the same number as printed on the card, not sure though) that never changes. Swiping the card basically pastes in the number. So THIS is the code the scammers target since this one is easier to use once stolen.

Anonymous 0 Comments

The chip is harder to fake. The magnetic strip is pretty trivial to duplicate. Stores can be required to only accept the swipe if something is malfunctioning which is why they will try to use the chip 2x before they can accept the swipe.

Anonymous 0 Comments

The magnetic strip stores the card data in an unencrypted form. You can swipe it on any reader and read it out then load a new card with the data.

The chips don’t work like that. They are a little microprocessor on the card. Only the bank/credit card company can talk to it via cryptographic challenge-response protocol. Once the chip and the bank authenticate, the transaction can go through.

Anonymous 0 Comments

Swiping your card is like telling the point-of-sale (PoS) terminal a secret password that identifies you (your credit card or bank account). The info encoded on the magnetic stripe is pretty much just the info (cc numer, exp date, cvc code) printed on the card itself, and the card reader just reads that data off the mag strip.

This is a form of what’s called *bearer authentication*, so named because the one who bears a special token is authenticated and therefore wholy trusted as the principal with whom the token is associated. A username and password are a form of bearer authentication.

The problem with bearer authentication alone is since whoever bears the credentials is trusted as you, if someone steals your username and password, you’re cooked. Likewise, if someone steals your CC info (which can also happen through PoS breaches), you’re also cooked. Your CC info is all that’s needed to fully authenticate the bearer of that info as you and authorize arbitrary transfers of arbitrary amounts to arbitrary destinations forever, for as long as the card remains valid and unexpired. It’s very much like a username and password: whoever holds the username and password can perform an unlimited number of arbitrary actions as you. And the problem is this kind of sensitive, all-powerful credentials are exchange a lot in many different places, possibly stored in many different places. The fact that bearer tokens are all powerful AND thrown around a lot and therefore sometimes likely to get stolen or get leaked makes for a bad combo. By its nature, in a bearer authentication scheme, you must hand over your all powerful credential to prove you’re you.

There is a better form of authentication, called public key authentication. There are many forms of this: various challenge-response protocols, interactive zero-knowledge proofs, zero-knowledge succinct non-interactive argument of knowledge (zk-SNARKs), etc. Physical security keys (e.g., Yubikeys) Passkeys, etc. all rely on these kinds of technologies.

At their heart they all are based on public key cryptography. For the purposes of authentication, all you need to know is a public-private key pair can be generated, and the public key is widely known to belong to you, and the private key (which you keep private) allows you to generate messages with digital signatures that prove the message was written by you (or somebody posessing the private key) and unaltered, which anyone with the public key can verify. In this process, you never actual reveal your private key. The all powerful credential is never communicated to anyone else, unlike bearer authentication, in which you must hand over the all powerful credential in order to prove you’re you. Instead you sign one-off messages written for a narrow purpose as needed with your private key.

This is how tap-to-pay works. The circuitry inside the chip (or in the secure element of your iPhone or Android for tap to pay) holds a private key that allows it to sign messages like “I, Bob am making a payment of $10 to Acme Inc. on this date and time” that only it could have produced. With its signature, such messages can be verified as authentic by the credit card network / bank, and you can therefore make payments. And if the point of sale terminal was hacked and is siphoning off all the data to an attacker, those messages are of no use, because they are only good for that one transaction on that date (they can’t be altered to authorize the transfer of a different amount to a different account, and they can’t be replayed either). Versus if you swiped your credit card, every single time, you are transmitting to the PoS terminal a secret password that if stolen is sufficient to fully authenticate the bearer to act as you and authorize any transfer of any funds anywhere at any time.