undefined | Better HN

0 pointskaszanka2y ago0 comments

AFAIK it only beats magnetic stripe cards, not EMV chip cards

0 comments

lxgr2y ago

EMV chip cards still contain your card number and expiry date.

Skimmers would need a way to also learn the CVC2 from the back of the card to use it at most (but not all!) online merchants, but that's feasible using a small camera or a waiter/cashier accomplice doing the skimming.

With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).

jjmarr2y ago

They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

lxgr2y ago

No, you can most certainly get the card number and expiry via the chip and even over contactless, as it’s a vital part of transaction routing/processing. There are Android apps that can do it.

jjmarr2y ago

If I could I'd delete my original comment since I did more research and you're right.

https://stackoverflow.com/questions/14861908/apdu-command-to...

worewood2y ago

Yeah, and it's easily solvable with a sticker or a dremel to scrape the number off

lxgr2y ago

You can't dremel it out of the chip, though.

1 more reply

M95D2y ago

Any responsible user will learn the CVC, like any other password, and then erase it from the card.

didntcheck2y ago

I can certainly remember mine from repeated use, but I can't say I've ever heard of someone erasing it

catlikesshrimp2y ago

I have done it since many years ago

1 more reply

lxgr2y ago

That seems like a lot of extra effort for something that's arguably not your opsec problem, but that of the card payment industry.

In the end, you'll always have to enter it on payment websites anyway.

j / k navigate · click thread line to collapse

0 comments

lxgr2y ago

EMV chip cards still contain your card number and expiry date.

With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).

jjmarr2y ago

They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

lxgr2y ago

No, you can most certainly get the card number and expiry via the chip and even over contactless, as it’s a vital part of transaction routing/processing. There are Android apps that can do it.

jjmarr2y ago

If I could I'd delete my original comment since I did more research and you're right.

https://stackoverflow.com/questions/14861908/apdu-command-to...

worewood2y ago

Yeah, and it's easily solvable with a sticker or a dremel to scrape the number off

lxgr2y ago

You can't dremel it out of the chip, though.

1 more reply

M95D2y ago

Any responsible user will learn the CVC, like any other password, and then erase it from the card.

didntcheck2y ago

I can certainly remember mine from repeated use, but I can't say I've ever heard of someone erasing it

catlikesshrimp2y ago

I have done it since many years ago

1 more reply

lxgr2y ago

That seems like a lot of extra effort for something that's arguably not your opsec problem, but that of the card payment industry.

In the end, you'll always have to enter it on payment websites anyway.

j / k navigate · click thread line to collapse