
Comment Re:Could somebody explain this? (Score 1) 36

That sounds like one of the master 3DES keys used to generate the Application Cryptogram on the chip cards has been leaked, which is very unusual as those are highly guarded by the HSMs in place. And it's not the same as the RSA key used to guard the certificates.

The master key is used to derive sub-level card keys to be used on each chip card.

The application cryptogram is generated on the chip card to uniquely identify the card and transaction context, and is used by the EMV host to validate whether the card/transaction is genuine or not.

Transportation

Rolls-Royce Wants To Fill the Seas With Self-Sailing Ships (wired.com) 127

An anonymous reader shares a report: "Helsinki VTS, thank you for permission to depart," the captain says over the radio. He checks with the Vessel Traffic Service to see if there's anything to be looking out for. Just one other big ship, but also lots of small boats, enjoying the calm water, which could be hazards. Not a problem for this captain -- he has a giant screen on the bridge, which overlays the environment around his vessel with an augmented reality view. He can navigate the Baltic Discoverer confidently out of Finland's Helsinki Port using the computer-enhanced vision of the world, with artificial intelligence spotting and labeling every other water user, the shore, and navigation markers.

This not-too-far-in-the-future vision comes from Rolls-Royce. (One iteration of it, anyway: The Rolls-Royce car company, the jet engine maker, and this marine-focused enterprise all have different corporate owners.) The view provided to the crew of the (fictional) Baltic Discoverer is an example of the company's Intelligent Awareness system, which mashes together data from sensors all over a vessel, to give its humans a better view of the world. But that's just the early part of the plan. Using cameras, lidar, and radar, Rolls wants to make completely autonomous ships. And it's already running trials around the world.

"Tugs, ferries, and short-sea transport, these are all classes of vessels that we believe would be suitable for completely autonomous operations, monitored by a land based crew, who get to go home every night," says Kevin Daffey, Rolls-Royce's director of marine engineering and technology. Suitable, because they all currently rely on humans who demand to be paid -- and can make costly mistakes. Over the past decade, there have been more than 1,000 total losses of large ships, and at least 70 percent of those resulted from human error. [...] Moreover, the economic case for automating shipping is clear: About 100,000 large vessels are currently sailing the world's oceans, and the amount of cargo they carry is projected to grow around 4 percent a year, according to the United Nations Conference on Trade and Development. Beyond preventing accidents, human-free ships could be 15 percent more efficient to run, because they don't need energy-gobbling life support systems, doing things like heating, cooking, and lugging drinking water along for the ride.

Comment better worry about something else (Score 1) 385

I'd be more worried about handing your card to a waitress at the restaurant than worrying about your contactless card being read remotely.

Obtaining the data contactlessly is not enough to create a duplicate of your credit card (assuming proper card implementation), and certainly not enough to create a "card not present" transaction such as an internet, mail, or phone purchase. (The only exception is probably using a pre-play attack, and this requires some elaborate setup.)

A properly implemented contactless card doesn't even have your name in the contactless interface.

Seriously, your credit card company is worrying more about fraudulent transactions than you are, and so there are fairly good measures deployed to ensure contactless duping can't be done.

Comment Re:What's the big problem? (Score 1) 675

Actually, most of the chip-enabled (EMV-based) credit cards do have a PIN, but it is just not set as the preferred CVM (Cardholder Verification Method); predominantly it's set to prefer signature over online PIN.

EMV chip cards offer one of the most important protections over traditional magnetic-stripe-only cards, which is counterfeit protection. During each EMV transaction the card will generate a unique Application Cryptogram, which identifies the card and transaction, using a secret key (shared only by the card and the issuing bank), meaning EMV cards cannot be cloned.
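Added example, not part of the original comments: a sketch of the key hierarchy these comments describe (issuer master key, per-card derived key, per-transaction Application Cryptogram checked by the host). It assumes HMAC-SHA256 as a stand-in for the 3DES-based derivation and MAC of real EMV cards, and every name and value in it is constructed.

```python
import hashlib
import hmac
# Added illustration with constructed values; HMAC-SHA256 stands in for EMV's 3DES.

def derive_card_key(master_key: bytes, pan: str, psn: int) -> bytes:
    """Diversify the issuer master key into a per-card key (PAN + sequence number)."""
    return hmac.new(master_key, f"{pan}|{psn:02d}".encode(), hashlib.sha256).digest()

def cryptogram(card_key: bytes, amount: int, currency: str, un: bytes, atc: int) -> bytes:
    """MAC over the transaction context, truncated to 8 bytes like an EMV AC."""
    msg = f"{amount}|{currency}|{un.hex()}|{atc}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, pan: str, psn: int, card_key: bytes):
        self.pan, self.psn = pan, psn           # readable by any terminal
        self._key, self.atc = card_key, 0       # key never leaves the chip; ATC counts uses

    def generate_ac(self, amount: int, currency: str, un: bytes):
        self.atc += 1
        return self.atc, cryptogram(self._key, amount, currency, un, self.atc)

class IssuerHost:
    def __init__(self, master_key: bytes):
        self._master_key, self._last_atc = master_key, {}   # master key sits in an HSM

    def validate(self, pan, psn, amount, currency, un, atc, ac) -> bool:
        key = derive_card_key(self._master_key, pan, psn)
        expected = cryptogram(key, amount, currency, un, atc)
        if not hmac.compare_digest(expected, ac):
            return False                        # wrong key or altered transaction data
        if atc <= self._last_atc.get((pan, psn), 0):
            return False                        # counter did not advance: replayed AC
        self._last_atc[(pan, psn)] = atc
        return True

def demo() -> dict:
    imk = bytes(range(16))                      # constructed master key
    pan, psn, un = "4000000000000002", 1, bytes.fromhex("a1b2c3d4")
    host = IssuerHost(imk)
    card = Card(pan, psn, derive_card_key(imk, pan, psn))
    atc, ac = card.generate_ac(1500, "EUR", un)
    # A copy holding only the publicly readable data has no card key to MAC with.
    c_atc, c_ac = Card(pan, psn, bytes(32)).generate_ac(1500, "EUR", un)
    return {
        "altered": host.validate(pan, psn, 9900, "EUR", un, atc, ac),
        "clone": host.validate(pan, psn, 1500, "EUR", un, c_atc, c_ac),
        "genuine": host.validate(pan, psn, 1500, "EUR", un, atc, ac),
        "replay": host.validate(pan, psn, 1500, "EUR", un, atc, ac),
    }
```

Only the `genuine` check passes; the altered amount, the keyless copy and the second submission of the same cryptogram are all rejected by the host.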

 

Comment Re:Chip and Pin (Score 2) 193

It's impossible to read the secret keys over any interface of the card. So those cloning devices at most are reading what a contactless terminal can normally read from a card, meaning those cloned cards will fail all the offline and online CAM (card authentication method), since none of the relevant keys (neither the ICC Private Key nor the Application Cryptogram secret key) can be read.

Unlike traditional magnetic stripe cards, chip cards have robust security built in; most of the security breaches are not from counterfeit cards (since you can't clone the relevant data from EMV cards).

Comment Re:Got one of those cards (Score 1) 449

The card you just received most likely still supports PIN; it's just that PIN is not preferred as the primary method for authorization (i.e. signature preferring). In most situations you will not notice any difference (especially in the US).

You can still use the magnetic stripe, as it's a requirement for credit cards; however, the magnetic stripe is now a *backup* method for using your credit card. Again, in the US you won't notice any difference, as most of the terminals only support magnetic stripe; however, overseas, in most other countries that have already migrated to EMV, if you swipe the magnetic stripe during a card transaction the terminal will prompt the operator to use the chip instead. Only when the terminal has a problem reading the chip will it allow a physical magnetic stripe transaction for those chip-enabled cards.

If it's a chip transaction, it's really close to impossible to clone the card, assuming good implementations are followed, unlike magnetic stripe, which can be easily duped.

Comment Re:What about flat cards? (Score 1) 142

EMV chip cards do way more than just VERIFY the PIN. They can perform card authentication (the card cannot be counterfeited/hacked), risk management, and cardholder verification.

If I have to guess, those Chip & Sign cards issued in the US are usually signature preferring (at least some PIN methods are still available on the card, but the setting in the card will always prefer signature unless it's not possible) and not signature-only cards.

Comment Re:Great for CC scammers (Score 1) 222

*barely more secure*? EMV cards can't be copied, modified, or counterfeited if the Card Authentication Method (SDA/DDA/CDA) is implemented properly. The Application Cryptogram generated by the card and host also means the transaction itself is secure (assuming proper card and host implementation).

Magnetic stripes have no protection at all. The US is probably the last major country that hasn't gone full chip technology.

Comment Re:Chip-and-pin is not secure (Score 1) 236

An EMV card is not as simple as that... you have layers of security, such as Offline Card Authentication (Offline CAM), Cardholder Verification (PIN, Signature...) and online CAM (where that MAC happens). Unless you have means to obtain the private/secret keys required for the transaction, it's going to be extremely hard to calculate
