Pin and Chip Cards - Your Already at Strike Three

The Past, Present, and Problems of Credit Cards and Debit Cards

In this episode, we look at the creation of the credit and debit card, its evolution, and its ulimate betrayal to us all.

Episode #1-25 released on March 20, 2011

Watch on Youtube

Welcome to our 25th episode of your Technology Questions Answered. Today, we address the history of two our favourite payment methods, the credit card and debit card. We'll look at the birth of these cards, its evolution, and then its failings. You'll understand after, why we called this episode, Pin and Chip Cards - Your Already at strike three.

The credit and debit card we are all used to, the one with the magnetic stripe along the back, came around in 1960, and was created by IBM, with the help of Forrest Parry, an IBM engineer. He had tried numerous adhesive glues and bonding agents to get a magnetic stripe to adhere to the back of a plastic card. After numerous failures to adhere the magnetic stripe to the back of the card, one day, when he was feeling down, and his wife was busy using an iron. She took a magnetic stripe and card, and heat bonded the two together perfectly, this was the solution that came to past. And, even though it was technically because of his wife, Forrest Parry is known as being a father of the magnetic stripe card, which has been used for over 50 years in all credit cards, and debit cards. The problem with magnetic stripe cards, is that you simply need to copy the data on the magnetic stripe to another card, this is were the term, cloning, comes from, when referring to payment methods. This was strike one.

This method of payment is currently coming to past, but not before the introduction of Pay Pass, which is a form of instant payment, which requires no use of debit or credit cards, in the traditional sense. This would soon be added to almost all credit cards, in one form or another. This technology also has a serious flaw, the, so called, encryption code was cracked in under 20 minutes, rendering all Pay Pass cards vulnerable. Not only that, but they can also be recorded through the air, every time you use you Pay Pass card or chip at a payment terminal, meaning fraud was also made easier for the bad guys. This was strike two.

Then, the creation of EMV or IC cards, came to past, and is used for debit cards and credits cards the world over. The EMV / IC card is meant to be more secure than the proceeding magnetic stripe card, by requiring bank verification of the transaction, as a means of security. This is where we currently are.

So, right till now, we all seem to believe that these new EMV / IC cards are more secure than anything we have ever used before. They are not, they are susceptible to man in the middle attacks, illicit hardware tampering, etc... Even the correct pin number is not required. These man in the middle attacks take advantage of serious security flaws in the cards and machines that were not addressed before, and some reports, one which is available in my show notes, even states that the system should have been rejected, and rebuilt from scratch. The credit card companies decided against using asymmetrically encrypted chips, for the EMV model which is not secured, and should not even be on the market. All this to save one dollar, on the card, per card. This is strike three.

On top of all this, we have the technology to use one time pin numbers, and this was not even implemented as a security measure to protect anyone's account. At this point, Paypal, Google, and numerous other web sites, using the one time pin number technology, are better protected than your credit and debit card. What does this mean? We need to push all these credit and debit card companies to introduce better, more secure technology. We need to enforce the use of true encryption technology, in all payment methods.

We also need to hold the manufactures of the payment terminals accountable each time a point of sales machine sent to a merchant, pre-bugged. Yes, this seems to happen, more and more. There are many cases of point of sales machines being tampered with, but now, it even occurs before it is sent to the merchants. This means, your favourite store, may unknowingly and unwillingly, be capturing your card information for various illicit groups.

This means, the credit card companies and banks have completely failed to protect you, and your cash. And, some even try to invoke rules about how you need to prove you were not responsible for the fraud in the first place. In the UK, in 2009, a law was even passed to prevent banks from forcing it clients to prove their innocence, UK Banks are now forced to prove your guilty. So far, I haven't found a similar law in my own country of Canada, and even in the United States. This means, the banks are certainly not trying to protect us. The government has also failed to protect us, depending on which country you reside currently in. It is my hope that Canada, United States, and even your country of residence, if dissimilar, passed such a protection for its citizens, and that I just haven't found it yet.

So what are my suggestions to fix this problem.

First, encryption. We need to encrypt all data on our cards, and this, at all times. Encryption has been perfected, and as long as the encryption key is not straight forward, its impossible to crack encryption, unless using a brute force approach.

We also need to get rid of the static pin numbers. Use of a one time pin numbers is currently possible, we simply need to implement this, in all transactions. It would also be useful for those with diseases that cause problems with memory, because of the utter lack or need to remember a pin number. This means people suffering from diseases like Alzheimer's, would no longer be victims of their own memory issues.

And, furthermore, biometric identification is now widely available. Biometric identification should be used to identify all clients. We should also implement more than one kind of biometric scanning, for those that may have physical issues preventing such things as finger print identification. We can also use voice recognition, ocular, and finger print identification, and allow the choice to all people. You'd be able to refuse finger print scanning, and use your voice, or eye to confirm that your in fact the actual owner the card. All this, would eliminate, at least a large part, of the problem, which we know as financial fraud.

The only way anything is going to change, is if we all call our credit card companies, banks, and other financial institutions and demand change. We all need to demand safer technologies and require that they all comply. We all need to have new stricter laws passed, and hold them all liable for fraud, and being in accessory to fraud, for gross negligence. And, only when we all do our part to prevent fraud, and prosecute all offenders, whether it be the suspect that commits the actual crime, or the bank that did nothing effective to prevent it, when the solutions and technology was currently already accessible, will any of this finally start coming to past.

I have a few suggestions for everyone to deal with most kinds of credit card fraud.

  • Never give your credit card number over the phone, unless your talking to a trusted merchant.
  • Always sign the back of your credit card.
  • Always keep an eye on your credit card, especially during the payment process.
  • Always verify that the point of sales machine is genuine, to the best of your ability. A few tips, none of the screws are to be visible, and the identification stickers are never less than pristine.
  • When shopping online, always confirm your on a secure site. This means if there is no indication of a SSL session, do not enter your personal information.
  • Always take a receipt when using a credit card, and compare it to your statements every month, and notify you bank of any bogus or incorrect charges.
  • Always call your bank or credit card company to advise of lost or stolen cards. If your credit card has been stolen, always notify the police, and fill out a report. This will be the best 15 minutes spent, because it also protects you from your bank, if the bank decide that your responsible, because your going to have the police to back your claim up, and this usually results in little to no resistance from the bank to reimburse victims of fraudulent activities on credit cards.
  • Do not reply to unsolicited emails, and never send any credit card information using email. And, that under all circumstances, because emails are plain text, and readable by anyone, until it gets to the destination.

I hope you learned a lot about our so-called favourite payment methods, and I hope your all going to be extra careful with your credit cards and debit cards from now on. Next week, I will be talk about Protecting your identity online, and provide you with some cool tools you can use to be extra secure.

Host : Steve Smith | Music : Steve Smith | Editor : Steve Smith | Producer : Zed Axis Productions

Sources & Resources