Isn't the security of credit cards with chip worse than with signature?

Question

(I'd expect this question to be duplicate, but couldn't find any that matches the point)

It seems to me that the security of credit card transactions got worse by the switch from signing to chip usage. As is well known, nearly all providers in the US do not ask the PIN when paying (supposedly because Americans wouldn't be ble to remember a PIN), so the comparison to me is:

Before: If I lose the card, the finder needs to fake my signature (not too difficult, but not a freebie); if I mark the card with 'Check ID', there is a chance that he fails.

Now: If I lose the card, anyone can use it freely anywhere. No limits, zero risk of getting caught.

So we got a new system that is slower, and makes abusing lost / stolen cards easier?? Why?

I am aware that you can call the credit card company and report the card stolen, but that is not always as easy. When you are travelling, roaming can cost you easily 100 $ just while your call is in the wait line, and many 1-800 numbers are not even callable from outside the US. Anyway, that is not the point -

why would the industry burn money into a system that makes stealing and then quickly using credit cards easier?

Answer 1

One advantage of the chip cards is that the card information needed to make purchases can't be easily skimmed or "stolen". Another is that it is more difficult to create a fake physical card. These advantages still exist regardless of what form of verification is used (or even if no verification is used).

The type of fraud you're describing, in which your card is physically lost or stolen, is a relatively small proportion of total fraud (14% according to this site). One reason this is not as big a problem is that often, if you lose your card or get robbed, you know the card is compromised and you can cancel it. (Even if it takes you a while to do this, at least you are on the alert.) The real danger comes when your card info is stolen without your knowledge, and this is harder to do with a chip card.

It's also worth noting that there are more ways for a fraudster to get nabbed than being caught red-handed entering the wrong PIN at the point of sale. The credit card companies are still tracking card usage and watching for unusual purchases that might indicate fraud. Also, sometimes fraudsters do surprisingly dumb stuff, like use the card to buy something online and mail it to themselves. So it's not correct to say that there is "zero risk of getting caught". With both stripe and chip cards, you can catch the person by tracking them via their usage of the card.

The biggest security risk with the new cards is that many vendors don't actually require use of the chip at all -- they still let you swipe. However, with changes to credit card liability policies, this is a risk for the vendors, not for you.

Answer 2

I don't have much to add other than your signature is not required to process a charge. Signatures are kept on file for validity in the event you dispute a charge. Your signature isn't held in some magical database with signature recognition software. If you draw an shark in the signature section of a receipt that won't stop the charge from processing. In fact, many merchants don't even bother requiring the signature below a certain threshold.

There are loads of behind the scenes processing improvements offered by the EMV chip; namely prevention of card number skimming and duplication via encrypted transaction signing. While requiring a PIN adds an additional layer of security, simply processing via chip dramatically improves the network fraud prevention tools in a manner that is almost completely transparent to the user.

To your point, if your wallet is lost and an imposer holds your physical card there is no anti-fraud improvement. At any rate, you have zero fraud liability in the US.

Answer 3

One of the main advantages is that duplication from a few sources is no longer a vector. The two big examples, the lesser first, card skimming and breaches like Target's. The chip essentially generates a unique transaction code, and that is generated inside the chip. So even if you installed a chip skimmer, you'd have to beat the merchant to using the code, and it would only be good once. The same is true if you get something like the Target breach. Instead of a giant dump of card numbers, you get a giant dump of used codes, which aren't very useful for getting money. Even if the risk of stolen cards goes up, it should be a huge advantage for the banks.

Additionally, a number of the banks are now implementing quick and short term freezes, like the Discover It card app. You simply click freeze in the app if you aren't sure where your card is, and unfreeze it when you do. The assumption here is that people are more likely to freeze it and do so sooner than if they have to wait for a new card in the mail. Theoretically, there's nothing stopping a consumer from keeping the card frozen all the time, and unfreezing it when they walk into a store, except the impracticality of it.

Answer 4

Chip and Signature cards do not substantially alter the paradigm you mention in your question. The chip alters how the machine obtains your account number and transmits it for authentication, but it does not significantly alter the interaction with the clerk. It is solely intended to reduce "skimming" and similar card-number-stealing and card-forging attacks.

Specifically, a clerk is still welcome to ask to see the card to verify the signature if they wish, and/or to ask to see an ID to use the card. Some changes occurred around the same time as introducing Chip and Signature that meant that clerks will be less likely to ask for signatures for certain purchases (raising the dollar amount for no-signature-required purchases, mostly), but those changes are distinct from the introduction of EMV (chip) authentication.