root labs rdist

September 28, 2009

A traveler’s plea to credit card issuers

Filed under: Crypto,RFID,Security — Nate Lawson @ 7:00 am

Credit cards are all about convenience. Part of the reason for the move to contactless cards is decreasing the “transaction friction”. Studies have shown that people spend money more casually the easier it is to approve the transaction. So why do I feel like a second-class citizen when using my credit card in Europe?

As this fascinating documentary shows, credit cards started as an elite accessory for only the richest people. This is why the banks were able to charge such high interest rates — they restricted their clientele to those who could afford it. As various states (especially Delaware and North Dakota) relaxed the rules, banks moved their card operations there and began offering credit cards to more people. Today, credit cards are a common part of everyday life.

When traveling in Europe, a credit card is very useful. You get an automatic currency exchange with no need to carry around unfamiliar coins or make repeated trips to the bank if you underestimate how much you’ll spend. But if you carry a US credit card, you are shunned.

At nearly every restaurant, I’ve had the pleasure of instructing the waiter how to swipe the magstripe card. Most of them are unfamiliar with the proper orientation of the card or the correct speed. Ending every meal with a delay and apology is no fun.

Want to rent a bicycle from the Velib automatic dispensers all over France? Sorry, you can’t.

Want to take a local train in Geneva but don’t have coins? Sorry, your card won’t work either. (This caused me to miss a train with a connection that only happens every 90 minutes.)

Want to ride the TGV high-speed rail system and didn’t buy a ticket in advance? Sorry, you have to wait in the long line for a live agent. Your card won’t work in the kiosks.

The reason for all this is that European smart cards contain a chip that supports the EMV payment standard. While the US system is stuck in the 1960’s with magstripe and online verification, smart cards provide quick and cryptographically secure offline transactions. To be fair, changing out all the US terminals to support EMV would be an expensive undertaking. Also, there are estimates that smart cards cost the banks around $1.25 each while a mag card is about $0.25. I’ve heard a rumor that most of the cost of a mag card is to license the hologram. Here are two articles that describe why the switch to smart cards is taking so long.

The sad thing is, I’ve worked with smart cards for ten years. My previous company, Cryptography Research, licenses side-channel countermeasures to all the major smart card manufacturers. Experiencing these inconveniences while exhibiting at the biggest smart card trade show is probably the height of irony.

What if the credit card companies offered US citizens an upgrade option to the “International Traveler” card? I’d be happy to pay a one-time fee of $20 for a smart card option. Even though it would currently be useless in the US, at least it would save me some hassle overseas and make my card less vulnerable to skimming attacks in some countries. At a time of declining fees and increased regulation, any credit card company want the additional revenue?

17 Comments

  1. Having recently lived in Belgium for 2.5 yrs, I am in complete agreement. For another example, let's say you actually decide to use more than 4 digits for the PIN on your card (at the ATM – so beyond the chip issues you cite). Most EU machines will not let you enter more than 4 digits. So, even beyond the mag stripe issues, you may not be able to spend your money.

    And, this does not even begin to go into the reality that the EU thrives on bank transfers and does not use checks! I would *love* to be able to pay my bills here at an ATM by typing in the bank number for where I owe money. I mean, most ATMs in Belgium had most utility companies *listed* as an option in case you forgot what their account number was! Instead, here in the US we have to pay a fee (and usually not a nominal one at that) in order to pay in a relatively more secure fashion.

    However, as counterpoint, I did read (somewhat recently but cannot now find the Ars Technica article) that fraud in the UK went up once the mandatory PIN was instituted. I believe this was due to the ease with which people would call into the various banks and pose as someone else to get the PIN reset but again, I forget the details as this was some months back.

    Comment by Tom D — September 28, 2009 @ 8:04 am

    • If fraud went up, it wasn’t likely due to the PIN requirement. Fraud is like water, it tends to seek the lowest level. It’s possible US-based magstripe fraud using UK credit card numbers might have gone up.

      Comment by Nate Lawson — September 30, 2009 @ 2:27 pm

  2. I had no idea that the US doesn't have chip cards! But I did a little searching and it seems they might have to start soon:

    http://www.creditcards.com/credit-card-news/credit-card-magnetic-stripe-ban-europe-1273.php

    Comment by igorsk — September 28, 2009 @ 8:09 am

    • That article was one of the links in my post.

      Comment by Nate Lawson — September 30, 2009 @ 2:23 pm

  3. At least in France I think the reason for such large and early adoption of smartcards is due to Gemplus (now Gemalto) and as you mention the possibility of offline transactions.

    Comment by seb — September 28, 2009 @ 9:05 am

    • You are right. In the early 90's, Gemplus was able to convince the GIE Carte Bleue to adopt the use of smart cards. The GIE Carte Bleue is the association of all French banks for the management of credit cards. At this time, Gemplus was looking for a mass market for the new smart cards. The initial targets were PayTV and banking. Telecom came only later (the wide spread of SIM cards is not as old).

      Comment by wunderbarb — October 7, 2009 @ 8:53 am

  4. Unfortunately, while I agree chips need to be rolled out further, how the EU and the UK have done it is far from perfect. Cambridge security labs have spent some time analyzing the chips, and the banks here in the UK at least cut a bunch of corners, effectively making the transaction insecure – not to mention that when my chip was locked, machines just used my magstripe with no problem. (Their work can be found at their blog, Light Blue Touchpaper. http://www.lightbluetouchpaper.org/category/banking-security/ )

    An unfortunate side effect is that, while in the US CC companies offload to the merchants, here fraud 'isn't possible' so the bank gets to blame the cardholder for their presumed poor practice. Liability is not fun for the victim.

    Sorry, forgot to add great post! Can’t wait to see your next post!

    Comment by G. Chomic — September 29, 2009 @ 5:07 am

    • I agree that the cost for the fraud responsibility offloaded to the merchant for PIN transactions may not match the security level offered by smart cards and especially the systems in the backend. But it’s clear that smart cards offer more resistance to skimming than magstripe.

      Comment by Nate Lawson — September 30, 2009 @ 2:25 pm

    • Does the EU use the broken not-really-EMV CAP protocol as well or was it just the UK? I got the impression from the “Optimised to Fail” paper from FC’09, http://www.lightbluetouchpaper.org/2009/02/26/optimised-to-fail-card-readers-for-online-banking/, that it was only the UK banks who used CAP and everyone else got it right (or at least used a protocol that, if deployed correctly, should be OK, you can still mess it up if you try hard enough).

      It’s amazing how fast Chip&PIN has taken over in the UK, I quickly got used to saying “It’s not Chip&PIN” whenever I handed my card over because everyone seemed to assume that credit card = Chip&PIN. I could also see the beginnings of the effect that Nate describes where I couldn’t use my card with automated systems but had to queue for a teller.

      Europe is a bit different, in some countries once you get outside cities and larger towns you start getting into places where they don’t take credit cards at all, only cash and EC cards, so support or non-support of EMV in your card is moot. In the UK in contrast credit cards seem much more widely accepted.

      How much of an improvement are you really getting from Chip&PIN? The banks get their liability shift back, which is presumably why they’ve been so keen to adopt it, but the difference between a doctored PIN-entry reader for a magstripe card and the same one for Chip&PIN seems pretty minimal, the only obvious difference is that you can exploit the content later for skimmed mag stripe data but have to do it live for Chip&PIN while the card’s in the reader. No bank ever admits to figures for particular types of fraud and without this data it’s hard to tell whether it’s worth the effort compared to, say, full transaction authorisation (requiring a display on the card), or transaction handling via mobile devices like phones, or other alternatives with better cost/benefit tradeoffs.

      Comment by Dave — October 1, 2009 @ 1:35 am

      • Dave, nice points. I don’t know what parts of EMV are used in particular countries. However, I do know the standard itself is basically acceptable (not great).

        You’re right that a live “double debit” is possible and PIN monitoring has the same problems as a PIN for an ATM. However, I think the smart card helps by preventing offline use of your number or an attack where your number is obtained by hacking a card processor’s database without access to the card itself.

        Comment by Nate Lawson — October 1, 2009 @ 5:06 am

  5. I heard that the US banks also lag a lot WRT online banking. The issue here seems more political and financial than technical, too.
    Also, traveling to Japan might also be unpleasant since (as I've been told) our VISA cards don't work there. And don't forget GSM phones. :-)

    Comment by Rui Paulo — September 30, 2009 @ 7:20 am

    • I’ve successfully used cards in Japan. They don’t have EMV. They’re more like the US (NTSC, 110v) than the EU. However, their CDMA phones are on a different frequency than here.

      Comment by Nate Lawson — September 30, 2009 @ 2:29 pm

      • Sure, but I was talking about VISA cards specifically. Maybe you tried American Express/MasterCard/Maestro or whatever. Anyway, that's what I've heard from someone who tried to use VISA in Japan. Could be I'm mistaken.

        Comment by Rui Paulo — October 6, 2009 @ 9:14 am

      • I believe I used a magstripe Visa card in Japan, no problems.

        Comment by Nate Lawson — October 7, 2009 @ 6:54 am

  6. The NYT has another story on this topic.

    Comment by Nate Lawson — October 1, 2009 @ 9:42 am

  7. You’ll be glad to note that the fraudsters are coming after Travellers without EMV payments systems: http://news.bbc.co.uk/1/hi/business/8293523.stm

    Comment by Ian — October 7, 2009 @ 5:01 am

    • Ian, do you know if UK terminals will accept proper EMV cards rather than just modified-EMV CAP cards? From the FC’09 paper it seems like it’s a rather different protocol, and if the readers will do proper EMV anyway it begs the question of why CAP was introduced in the first place.

      It's also interesting to see them crediting Verified by Visa and SecureCode for the drop. Since a not infrequent effect of these is to make it impossible to use your card for an online purchase, it's not surprising that there'd be a drop in fraud if you can't use your card at a site that employs them.

      Comment by Dave — October 7, 2009 @ 11:38 pm

