Many issuers decline them outright because the merchant still gets the chip liability shift for fraud (despite absence of any of the normal chip security features!) when they do a fallback transaction. They definitely get more scrutiny from fraud departments
Anyway, in 2018 Mastercard and Visa mandated that all issuers in Europe (and a few other places) where the chip transition happened long ago must reject all Magstripe Technical Fallback transactions. Terminals in Europe will often no longer try it either.
This is basically the card payments equivalent of "Disabling support for SSL 3.0" :-)
(EMV chip & contactless payments prevent card cloning by protecting every transaction with a cryptogram, which by and large means a MAC over a bunch of the data.
Alas it's an 8-byte triple DES MAC, but well...)
this was all fine and dandy until you had to drop that 3des bomb :(
Look, 3DES still provides 112 bits of security!
Although 2-key (112-bit key) mode only provides 80-bit security and is the mode in common use
In all honesty if your card has an available balance high enough to make breaking 2-key triple DES worthwhile, perhaps consider opening a savings account?
i love this definition of an acceptable level of hash resistance
Since I dug this thread up for something else, it occurred to me:
This is a gross estimate of the needed security level. Most banks have per-hour/day/week/month transaction amount limits, so the value of a card break is capped by those & however long it takes someone to notice
(these are of course to provide liability backstops for anything that other defenses/fraud rules fail to notice)
Financial services are why Android's StrongBox standard for secure element keystores includes 3DES despite being released in 2018:
developer.android.com/training/artic
It's a bare minimum subset of the usual hardware keystore algorithms, and unfortunately 3DES is essential due to banks...
Find it amusing that banking services don't consider the traditional TrustZone-based keystores on mobile devices secure enough but are going to be using 3DES far into the future with the replacement. It's a bit sad that hardware implementations of a new API need to include it.