Also, the chips aren’t that much better than the stripe. It’s harder to clone the chip and much harder to do en masse, but far from impossible. On top of that, the measure that is supposed to prevent cloning from being viable is almost never actually required, that being the PIN.
It’s called “Chip and PIN” for a reason. It’s a 2FA system where one of the factors just isn’t required and the other can be readily compromised. It’s baffling how we have a functioning system for digital payments when seemingly no one is willing to properly implement and then use a secure standard.
I travelled to the US from Canada recently and was super confused when I didn’t need to enter my PIN. Was also really confused about giving away my credit card to bartenders.
At least credit cards are… on credit. You can usually just stop a transaction if someone makes unauthorised use of your credit card. If this also happens with debit cards, you’re in more trouble. Then the money is just gone.
Fortunately in the US debit does generally require the PIN and always has even before chips.
Tap to pay is much safer though.
Not if you’re using your card. The card can still be cloned with a few seconds of physical access. Also, with a card, there’s no PIN verification with tap to pay and no signature requirements. Because of that, most countries have transaction size limits for tap to pay. Usually in the $50-$100 USD range. The US, notably, has no such limits. So, if someone steals your card they can use it up to your balance/credit limit, or up to the transaction limit your bank sets, typically about $10,000 USD.
Tap to pay using a phone, Apple Watch, or similar device is more secure because they have actual 2FA and generate unique payment information for each transaction on top of the already existing encryption of the transaction data. Additionally, cloning the underlying payment info would require being able to access the secure enclave on the phone.