You thought credit card skimmers were bad?

Credit card companies forced everyone to upgrade to chips because they're "more secure"

Turns out that means criminals just need to get craftier



http://www.cbc.ca/news/canada/british-columbia/shimmers-criminal-chip-card-reader-fraud-1.3953438

That shouldn't be possible, since the secret key never leaves the chip. Right?

Unless they fuck up the crypto...

Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a ?pre-play? attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card). Card cloning is the very type of fraud that EMV was supposed to prevent.

Quote

Upgrading from swipe to chip was more so banks would stop being at fault for card data being stolen from businesses (Wal-Mart, Target, whoever else gets CC data stolen) and puts the blame onto the companies to reimburse those who are victims from CC fraud due to hacked data.

The authorization doesn't take as much data to transfer so when it does transfer to the bank it's more along the lines of "CC no. 8586 is authorized with 1234" so it's not sensitive data leaving the company and the bank just needs to be like "Yo, Wally, did Card 8586 REALLY have authorization with code 1234?"

Or something like that.

NFC was shown to be unsecure as well which is why it's mostly credit cards that have the capabilities for it.

I should really write outlines or summaries for all the articles I read.

Pretty much what Kitlero said, the chip is really only to place liability on merchants if they didn't upgrade, and a lot of the big merchants haven't yet because of costs or internal bureaucracy.