Tactical Information Systems
Biometric Identification Software

Tactical Information Systems Blog

Identity & Technology

Chip & PIN Cards: How Secure Are They?


Chip and PIN cards are becoming a requirement in the US, after gaining widespread adoption in the EU. A chip and PIN factor is a type of 2-factor authentication  - you have a secure chip on the card that is effectively impossible to counterfeit (something you have), and you have a PIN that you only hold in your head (something you know). A chip and PIN card is fundamentally more secure than the conventional "mag stripe" cards used in the US now, which have no security at all. 

So this fixes everything, right?  Well, not quite:

"Once chip and PIN got fielded we began to see how things changed in the real world. And fraud didn't go down, in fact it went up.  Because first of all the bad guys went online and although initially fraud fell a little in shops, it more than caught with that by increasing online"

The talk below is a slightly technical view into how fraud works with chip and PIN. The interesting thing about how this works is that the fraudsters don't attack the hard parts - the secure cryptographic chip on the card - they attack the weak parts surrounding the system. It makes sense; why do the hard work if you can avoid it?

Chip and PIN, even with these esoteric vulnerabilities, is still infinitely better than mag-stripe cards. However, it doesn't solve the online fraud problem, and there is plenty of evidence that it makes it worse because some people who were able to easily defraud mag-stripe cards are now forced to take their fraud work into the online world.