Tuesday, January 28, 2014

Next-generation credit cards aren't foolproof - From STAR Tribune


New payment technology will make cards harder for data thieves to hack, but the protection features have holes.

As the United States lumbers toward a new credit card technology to thwart data thieves like the ones who struck Target Corp., payment security experts say the new system is far from foolproof.
The chip-based smart cards, already in use in much of the world, make it much harder to produce counterfeit cards. But the cards are less effective against the widespread and growing threat of bogus online transactions that require only account information.
EMV, as the technology is known, changes the game but won’t prevent all fraud.
“It’s not a panacea,” said Paul Tomasofsky, an electronic payments expert who heads Two Sparrows Consulting in Montvale, N.J.
EMV, which stands for Europay/MasterCard/Visa, is a fairly old approach rooted in experiments to deter fraud with microprocessor chips embedded in payment cards in France in the 1980s. It spread throughout Europe and became a global standard.
But because of the sheer size of the fragmented U.S. payments system, and the huge cost to convert, the United States is one of the last countries in the world to make the change.
There’s general agreement that EMV alone would not have prevented the Target breach, in which thieves accessed data from as many as 110 million customer accounts. But EMV would have reduced the value of the information by making it almost impossible to clone the cards.
That’s EMV’s biggest boast, that it prevents counterfeit card fraud. “It does that spectacularly,” said Jeff Hall, a security consultant in the Twin Cities for Overland, Kan.-based FishNet Security.
However, that’s only part of the challenge. Online fraud that doesn’t require the presence of an actual card now accounts for nearly half of all credit card fraud in the United States, according to Fair Isaac Corp., and studies show that adopting EMV drives crooks to this card-not-present fraud.
EMV has a vulnerability
EMV has a weakness at the point of sale. While data in the card’s memory chip is encrypted when the card isn’t in use, the data is momentarily vulnerable when customers pay.
Proponents of EMV say this isn’t a big flaw because the chip spits out a unique, one-time-only security code to encrypt the data for transmission.
But critics say that if thieves compromise the card terminal or the register at just the right point, they can access the data before transmission, circumvent the one-time security code and get access to the information they want. The bulk of online merchants don’t ask for the 3- or 4-digit security code on a card, Hall said.
There are other security concerns. In the U.S. rollout, banks issuing EMV cards are not required to put a personal identification number, or PIN, on either the debit or credit cards. A PIN, which only the cardholder knows, makes transactions more secure.
More important, magnetic stripes aren’t going away. In an effort to ease the conversion, the new EMV cards will still have magnetic stripes so they will work in stores that lack EMV equipment.
But magnetic stripes are easy to copy and clone. Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research, called the existence of magnetic stripes on EMV cards “a very big security threat.”
U.S. companies are grappling with these issues as the country’s gargantuan payments system undergoes the seismic shift from magnetic stripes to chips. Retailers, banks and myriad other payments players face an October 2015 deadline to be ready.
At that point, Visa, MasterCard, American Express and Discover are shifting the liability for fraud that happens in stores from the card-issuing banks to the merchants, unless the merchant is equipped for EMV.
So problematic is the EMV migration that there are questions about crossing over at all.
“Is it the solution? Honestly, I don’t think it’s ever going to happen,” said J.D. Oder, chief technology officer at Shift4 Corp., a card processing gateway company he co-founded in Las Vegas.
Is EMV worth the bother?
Retailers are understandably concerned that they are spending huge sums to update their card processing equipment for an EMV implementation that has potential security potholes.
“As long as magstripe is around, there will be major breaches, I don’t care how much EMV is out there,” said Mark Horwedel, a former Wal-Mart executive who heads the Merchant Advisory Group, a Minneapolis group working on payments-industry issues. “Visa and MasterCard, in my view, are preoccupied with making the EMV migration in the U.S. as simple as possible for the banks.”
That’s what bothers Dean Sheaffer, chief compliance officer at Boscov’s Inc. in Reading, Pa. His company is spending “hundreds of thousands of dollars,” he said, to install EMV terminals at its department stores when he’s not convinced that EMV will offer enough fraud protection.
“We don’t feel good about it at all,” Sheaffer said. “I see a number of clear issues that I think have to be vetted and resolved.”
At the top of Sheaffer’s list: PINs and magnetic stripes.
Target, a big proponent of EMV, has been rolling out EMV-enabled point-of-sale terminals at its stores since 2012. It declined to discuss EMV security concerns.
“While the new hardware has the capability to process EMV, the software is still in development,” said Target spokeswoman Molly Snyder.
A multitude of technologies are being promoted to make EMV cards more secure, although they aren’t part of this country’s official EMV rollout. One is to encrypt all card data from the instant it’s read in the store until it’s processed by the bank. Another is tokenization, in which card data in the payment processing network is replaced with a meaningless value the minute the card is authenticated.
Add the end-to-end encryption and tokens to EMV cards and you have a “pretty airtight solution,” said Oder at Shift4 Corp.
Other approaches also are circulating.
Hall, at FishNet Security, advocates a single transaction code. It’s a one-time 15- or 16-character transaction code generated by a smartphone or other smart device at the start of a purchase that replaces the card account number. The code could be displayed as a bar code on the phone that could easily be scanned by bar code equipment that retailers already have at the checkout.
“Once it’s used, it’s done,” Hall said.
Time to do away with plastic?
The cards themselves are the root of the problem, Hall and others say, and it’s time for a paradigm shift.
Richard Crone, head of Crone Consulting in suburban San Francisco, calls for ditching the country’s existing card infrastructure altogether and moving to cloud-based mobile payments, in which everything is stored more securely through the Internet in a server farm somewhere.
All payment credentials would be stored behind an encrypted firewall accessible only through strong authentication with only indecipherable tokens provided to the merchant for transaction authorization, Crone said.
“EMV as a fraud deterrent is a complete joke,” Crone said.
Still, proponents say it’s a vast improvement over the magnetic stripe system. Regardless of whatever percentage of fraud EMV doesn’t prevent, it’s better than where we are now, said Madeline Aufseeser, a payments analyst at Boston-based Aite Group.
Litan, at Gartner, agrees. Ultimately, the security arguments over EMV are “a red herring,” she said. It’s not perfect, Litan said, but EMV will significantly improve security compared to magnetic stripes and is the most realistic approach given its widespread adoption everywhere else. Companies will have to layer on other protections to thwart card-not-present fraud.
“It’s crazy to say don’t lock your front door because someone will get in your back door,” she said. “You’ve got to lock both.”

“There really isn’t any better proposal out there.”

Is EMV going to eliminate fraud?

EMV is definitely not the game-changer to stopping fraud.

EMV simply shifts fraud liability from the Issuers to the merchants, as fraud WILL migrate to the online channels.

Eliminating fraud in the Card-Present (CP) space is going to be a challenge as long as the magstripe coexists on the plastic with the chip; and unfortunately magstripes will coexist, as merchants will slowly and reluctantly incur further costs to update their terminals.

This will be a slow and costly process. 

Also, let's not overlook other international markets that have yet to convert over to EMV. 

With the US being a highly desirable location for international tourists, merchants will not want to refuse a sale on non-Chip cards. 

Even after 10 years, the UK is still accepting magstripe payments. So the battle will continue, especially as the art of card skimming becomes even more sophisticated and possibly later on chip!!

For now, EMV "could" become a very effective deterrent to copying card data at the POS, along with shrinking CP fraud, but there are cases in EMV markets where both card data and PIN have been breached, along with consumer negligence over securely looking after their PIN and card(s).

The bigger question is what will EMV do to fraud? It's highly debatable... 

As seen in the Canadian and UK markets, EMV will certainly shrink CP fraud, but it will also force fraudsters to migrate to other easily exploitable channels - namely the online shopping channel, where fraud is rampantly growing!!!

Six Things to Know About Chip Cards (EMV)

I posted the article on "when EMV will hit the US" in 2006. Now the time has come.

Six things to know about EMV...


Q.  The Basics – What are Chip Cards?
EMV chip cards have computer chips embedded in them. They are widely used in Europe and Asia and are beginning to be adopted in the U.S.
People who frequently travel abroad may already have chip cards or may have seen them used in London, Toronto and Istanbul. The rest of us are likely to have chip cards in our hands by 2015.
Q.  Why Chip Cards?
Chip cards better protect your account information from fraud. And every electronic payment – credit cards, debit cards, digital wallets – is almost always more secure than cash.
The magnetic-striped credit and debit cards you are accustomed to contain “static” data, or payment data that does not change. The data stored in the magnetic stripes includes your 16-digit card account number, expiration date and 3-digit security code (CVC) like the one found on the back of your card.
Chip cards contain the same data and more. Each purchase or transaction that you make generates “dynamic” or unique data that is encoded in a safe mode.
EMV helps protect you even if your card or your card data is lost or stolen. The technology:
  • Makes it difficult for anyone but the rightful owner to use the card
  • Protects against the creation of counterfeit cards because dynamic data is only good for a single purchase or use
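The difference between "static" and "dynamic" data described above, as an added example that is not part of the original post or of any card network's code. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the `Issuer` class, the card number, key, expiry and CVC are all constructed for illustration.

```python
import hashlib
import hmac

def cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Chip side: MAC over the transaction counter, amount and terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self):
        self.card_keys = {}   # PAN -> secret key that never leaves the chip
        self.static = {}      # PAN -> (expiry, CVC) as encoded on a magstripe
        self.last_atc = {}    # PAN -> highest transaction counter accepted

    def enroll(self, pan, key, expiry, cvc):
        self.card_keys[pan] = key
        self.static[pan] = (expiry, cvc)
        self.last_atc[pan] = 0

    def authorize_chip(self, pan, atc, amount_cents, nonce, mac):
        if pan not in self.card_keys:
            return "DECLINE unknown card"
        if atc <= self.last_atc[pan]:
            return "DECLINE counter reused"
        expected = cryptogram(self.card_keys[pan], atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, mac):
            return "DECLINE bad cryptogram"
        self.last_atc[pan] = atc
        return "APPROVE"

    def authorize_static(self, pan, expiry, cvc):
        # Static data carries nothing tying it to one purchase.
        ok = self.static.get(pan) == (expiry, cvc)
        return "APPROVE" if ok else "DECLINE"

def demo():
    pan, key, nonce = "0000111122223333", b"constructed-card-key", b"\x01\x02\x03\x04"
    issuer = Issuer()
    issuer.enroll(pan, key, "12/16", "123")
    mac = cryptogram(key, 1, 2500, nonce)   # genuine chip purchase of $25.00
    return {
        "genuine": issuer.authorize_chip(pan, 1, 2500, nonce, mac),
        "replayed": issuer.authorize_chip(pan, 1, 2500, nonce, mac),
        "counter_bumped": issuer.authorize_chip(pan, 2, 2500, nonce, mac),
        "static_first": issuer.authorize_static(pan, "12/16", "123"),
        "static_again": issuer.authorize_static(pan, "12/16", "123"),
    }

if __name__ == "__main__":
    print(demo())
```

The chip message is accepted once and declined when presented again or with an altered counter, while the static fields are approved every time they are presented, which is why the magnetic stripe and card-not-present channels remain the weak points.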
Q. What is MasterCard Doing?
MasterCard is one of the original founders of the chip card standard known as EMV, short for EuroPay (now part of MasterCard), MasterCard and Visa.
We continue to advance the technology and introduce it to every country around the world . . . allowing you to safely use your MasterCard no matter where you are.
Q.  Will this Change The Way I Pay for Things?
A little bit. Rather than swiping your card, you may soon insert it into or tap it against a card reader so the chip on your card and the reader can “talk” and establish a secure connection.
Q.  Why Isn’t the U.S. Currently Using Chip Card Technology?
Historically, countries with higher fraud rates switched to chip cards earlier than countries with lower fraud rates.
Q. What will I see as a Cardholder?
First, you will see new card readers or payment terminals in your favorite stores and restaurants. Many of the new readers are already in place, especially if the business caters to travelers from outside the U.S.
Next, your bank or credit union will send you a new chip card. Some EMV cards are already available in the U.S. However, the chip cards are provided predominantly on an “at request” basis and, as mentioned, most often to international travelers.