
Why do mobile payments require silly NFC hardware? iOS does mobile payments perfectly well with Square.


REAL mobile payments, not gimmicks or old mag stripe. I'm talking EMV specification transactions on real merchant networks - you either need a smart card contact chip or NFC.

Mag stripe is dead, I don't support payment technologies that continue to promote it - Square, Shopify POS, etc. The USA is way behind on implementing EMV. (I know, Shopify is Canadian)


Carrying around giant PIN pads for everybody to touch isn't very optimal (or clean) either.

If you don't support magstripe technologies you're ignoring the entirety of the richest country in the world?


I should have clarified that my original comment was from the perspective of a consumer - making payments using NFC, not accepting them.

Mag stripe is horribly insecure, and developing new technologies around it because it is easy to perform a transaction will only allow fraud to continue to exist. In Canada, I question every merchant that does not support chip technology.

USA merchants are reluctant to change. The rest of the world is moving on with or without them.


The USA is way behind on implementing EMV

Could you explain why it is a bad thing?


Mag stripe is horribly insecure and a major cause of debit and credit card fraud. May 2013 - $45 million heist in the USA: http://www.popsci.com/technology/article/2013-05/thieves-sto...

Copy/paste from article: Pretty much every other developed country got rid of magnetic stripe cards years ago, and many countries are multiple generations beyond that tech. In the UK and much of Europe, the "chip and PIN" card, properly called the EMV (for "Europay, MasterCard and Visa"), is dominant; it's a regular plastic card, but it's embedded with a tiny computer chip that serves as authentication in conjunction with a regular four-digit PIN. The EMV system is much more secure than the magnetic stripe card; when it was introduced to France, the country saw an 80% reduction in card fraud. (It was introduced in 1992, by the way. The France of 20 years ago was more advanced than the US is now.) The benefits: authentication is far more sophisticated than reading a simple magnetized strip; it incorporates actual encryption protocols like DES, the Data Encryption Standard.

The chief vulnerability of the EMV system? IT STILL HAS MAGNETIC STRIPES. EMV cards have a magnetic stripe so they can be used in dumber, slower countries, like the US, which can't read the chips. The only real hack of the EMV system relies on transferring information from the magnetic stripe, rather than the chip.


I am not sure this is a good example. It was a two-part attack. First, they compromised account information at the debit card issuer. Second, they linked new cards to these accounts (mag stripes make this simple). How hard is it to program a 'blank' chip card (or a phone with NFC) to link to the compromised account?


This is a great example, I'll give you the details:

If the USA had adopted EMV technologies, when the criminals attempted to perform a transaction with their fraudulent mag stripe cards, the system would recognize it as an EMV-enabled card based on the mag stripe track data. The fraudster would be forced to use the chip on the card, and their whole scheme fails.

In short: Because the EMV wasn't accepted at these machines, mag stripe is used as a backup. If they had used EMV, they would have forced that option and not accepted mag stripe.

The two-part attack is only how they stole the cards in such a mass manner and increased their limits - They could have stolen all the mag stripe data with skimmers and cameras.

Even though others are working hard to protect payment technologies, it does nothing to help countries who fall behind.

EDIT: Program a BLANK CARD? I'm sorry, are you suggesting that it would be easy to obtain encryption keys from Visa/Mastercard/Interac etc? Do you know what you're suggesting?
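The terminal-side check described in the comment above, as an added example that is not part of the original thread: Track 2 carries a three-digit service code after the expiry date, and a first digit of 2 or 6 marks the card as chip-equipped (ISO/IEC 7813). The function names, decision labels and sample tracks are constructed for illustration, and the reader is assumed to have already stripped the LRC byte.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data ?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# First service-code digit: 2 and 6 mean the card carries an integrated circuit.
CHIP_DIGITS = {"2", "6"}

# Constructed sample tracks built on a well-known test PAN; not real card data.
SAMPLE_CHIP_CARD = ";4111111111111111=25122010000000000?"   # service code 201
SAMPLE_STRIPE_ONLY = ";4111111111111111=25121010000000000?"  # service code 101


class Track2Error(ValueError):
    """Raised when the swiped data is not a well-formed Track 2 string."""


def parse_track2(raw):
    """Split a Track 2 string into PAN, expiry, service code and discretionary data."""
    m = TRACK2.match(raw.strip())
    if not m:
        raise Track2Error("not a well-formed Track 2 string")
    return m.groupdict()


def card_has_chip(raw):
    """True when the service code says the card was issued with a chip."""
    return parse_track2(raw)["svc"][0] in CHIP_DIGITS


def swipe_decision(raw, terminal_reads_chip):
    """Hypothetical terminal policy applied to a swipe (labels are illustrative)."""
    try:
        chip = card_has_chip(raw)
    except Track2Error:
        return "DECLINE_BAD_TRACK"
    if not chip:
        return "ACCEPT_MAGSTRIPE"
    if terminal_reads_chip:
        # Chip-capable terminal: refuse the swipe and require the chip.
        return "PROMPT_INSERT_CHIP"
    # Terminal cannot read chips, so the stripe is accepted as a backup.
    return "ACCEPT_MAGSTRIPE_FALLBACK"
```

The last branch is the gap the comment describes: a cloned stripe whose service code still says "chip" is only stopped where the terminal can insist on the chip.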


I am not suggesting, I am asking. Banks issue chip & pin cards all the time. These guys already breached a bank. I'd guess programming chip & pin cards will cost thieves more than magstripe cards, but it is doable.

Also, you keep insisting that if the USA adopted EMV, this would not have happened. But this operation was global, thieves used ATMs in Russia, Japan, Britain, and Canada among others.


Not every machine has enabled it yet, but the merchant services provider is responsible for the damages of not facilitating the chip card. This operation would not have been as successful if the only ATMs available were the off-branded machines found in the corner of bars.

To answer your question though, I guess it would be possible, but they would need to skim the card data RIGHT at the time of card production in the personalization machine as it holds the proper encryption keys - nearly impossible. Banks typically don't do their own manufacturing (I don't know of any bank that does) and these systems are typically disconnected. This is worlds apart from what they actually did - dumping or generating mag stripe data, including the PIN Offset and writing the data onto cards like library cards, or hotel room cards.

In addition, with EMV, the card is encrypted and verified using the issuer's public key, as well as the Certificate Authority's public key. Even further, Visa/Mastercard have their own multi-tier encryption that gets applied to the cards.

I'm really getting over my head in the manufacturing process, but it is incredibly more complicated and secure than the old mag stripe days.



