Chip & Pin Cards are a joke

However, I have been perplexed that at a number of pay stations, even those equipped with EMV readers, the teller can often just swipe it and things work. This defeats the whole point of the EMV card, but I can understand there is a transitioning phase that needs to happen, where eventually all readers will behave like the newer ones.

On newer machines, I thought they had got things right. You swipe the card, at which point it says "Thou shalt not pass" and the teller sticks it in the EMV reader, PIN code entered etc. Preventing any 'downgrade to less secure' badness. However, today, I forgot my PIN code. I tried it twice at a restaurant and chickened out when it proudly displayed the words "Final Attempt". After perseverating over it for a couple of hours I plucked up the courage to try it again at a book store (Penguin has republished some SF classics, "Call of Cthulu" is now mine). Alas, I got it wrong a third time and I had no more credits to try the game again (as an aside it seems to do the PIN checking on the card, and not over the wire).

I then remembered a trick I saw at a shop where their EMV reader was broken but the device didn't know it. I asked the teller to swipe my card, then when asked by the device to put it in the EMV reader, put it in the wrong way around. This causes the device to think the EMV chip is broken and let you downgrade to swipiness. Voila, security control sidestepped, I got my book and said store got their promise to pay from the bank.

This leads us to the question: What is the point. Even if we ignore many of the obvious design flaws in the EMV (self authorising transactions, seriously?), and assume it is a piece of security goodness, what is the point when a bad guy can still use *every* attack they used to use? They could have at least closed down some attack avenues by forcing cards with EMV chips to only use the EMV chip. They could have closed down a few more, by making security controls such as a cap on incorrect PIN codes actually have a consequence.

Here's my proposal. Fix the readers. Put some local incentives (Visa's stuff is alright, but too distant from us in Africa) in place to make merchants (particularly massive retailers) switch away from old POS terminals. Change the new POS terminals to only allow EMV cards to pay using the EMV. Get the fraud contact center to phone a customer when the number of PIN retries is exceeded with a secure method of how to fix it (i.e. not over the phone with "please" as an authorization), and block future requests until then. Then the important bits; get some well trained and professional staff at the call center (this is useful in more areas than one in SA banks) to handle the increased number of calls about this, and put some good advertising in place to explain the change to customers. Still in the important bit, provide incentives to customers for this, namely *reduced* liability for fraud.

What's actually going to happen?

Nothing.