3/17/2014 09:06 AM
Pat Carroll
Commentary

EMV Is Coming. But Is It Too Little, Too Late?

The Target/Neiman Marcus/Michael's Stores breach trifecta may have finally galvanized the US card payment industry. Too bad consumers are poised to change the game.

I and many others cheered the recent news that MasterCard and Visa are finally launching a "cross-industry effort to accelerate payment security." The group will focus on Europay, MasterCard, and Visa (EMV) as well as tokenization and encryption. However, those who think EMV's long-overdue entry into the largest single card payment market on the planet will strike a major blow against fraud are likely to be disappointed. That's because the US payment landscape is on the brink of a wholesale shakeup.

In this column I'll discuss the strengths and weaknesses of EMV and how it can help reduce the incidence of fraud caused by data being stolen from merchants or card payment processors. Tomorrow I'll follow up with additional layers of security that can strengthen EMV.

There are two fundamental transaction types: card present (the card holder is physically present at the time of the transaction, such as at an ATM or a point of sale) and card not present (such as during Internet purchases or mobile-device-based transactions). That distinction is critical. The evolving nature of payments -- specifically, the move toward contactless payment technologies including NFC systems, like ISIS, and digital services, like Google Wallet -- means fraud is also evolving.

To hit that moving target, the entire payment industry must aim for where the puck is heading. Otherwise there's a grave danger we'll spend billions of dollars on new chip-and-PIN cards, and POS devices capable of processing them, only to find that consumers and crooks have moved on, making EMV a "too little, too late" poster child.

Time's tight. Analysts at Gartner and IDC say mobile devices will be mainstream vehicles for banking and payments by as early as 2016. Juniper Research estimates that by 2017, more than 1 billion people will use mobile banking. It's only logical to assume that criminals will shift their focus to these new channels, thereby negating EMV's main benefits. Attackers focus their efforts where the money is.

Given all that, we certainly understand why there's skepticism about EMV's value. But the fact is, that ship has sailed. US EMV adoption is happening. We can spend the next two or three years or more at the mercy of criminals, or we can use the rollout of EMV as a catalyst to really address fraud. I vote for the latter.

So let's look at what EMV can do for us.

Figure: Our Mobile Commerce Survey shows physical security is critical.

The EMV initiative is managed by EMVCo, a joint venture of MasterCard, Visa, JCB, and American Express. It's a global standard for interoperability of integrated circuit cards, a.k.a. "smart cards." But while it's well-established globally, with over 80 countries having adopted it, EMV lags in the US, mostly due to implementation costs. In the past year or so, many US financial institutions have started issuing the somewhat pricier EMV chip-and-PIN payment cards to certain customers. The problem is that EMV is useless without compatible PoS terminals. In fact, merchants do not see the migration to EMV as very equitable, because they're saddled with the majority of the costs (the aforementioned terminals) while the issuing banks enjoy the majority of the benefits (less fraud, fewer write-offs).

At heart, consumer payment transaction security boils down to authentication: Is the transaction legitimate, and is the individual involved who he or she purports to be? EMV's biggest value is in its ability to prevent fraud at the ATM or PoS through dynamic, transaction-specific authentication. EMV uses a data-processing chip embedded in an EMV card (debit or credit) or a mobile device to transmit encrypted credentials. This acts as a secondary form of identification for cardholder transactions. The EMV chip, together with the card/mobile device holder's PIN or signature, must be verified for the transaction to be valid.

Chip and PIN is a mathematically stronger form of authentication than chip and signature, since it's more difficult to steal a PIN than to forge a signature. EMV itself provides a strong security model based on industry-standard methods -- digital certificates, unique card-specific cryptographic keys, and Triple Data Encryption Algorithm (Triple-DES) deployed across a multi-entity issuing model (Certificate Authority).

The result is a complex security system, with all EMV cards requiring, at minimum, one Triple-DES unique key together with one of three increasingly secure embedded card authentication and data encryption schemes -- Static Data Authentication (SDA), Dynamic Data Authentication (DDA), or Combined Data Authentication (CDA) -- along with compatible PoS terminal hardware.

The Triple-DES key is used to encrypt transaction-specific data and the resulting "approve/reject" decision data, and to verify the validity of the response data from the card issuer.

SDA and DDA are weaker than CDA and may allow for exploitation by fraudsters, since there is a potential for mischief between the process of verifying the card and the process of approving the actual transaction. Because these are separate processes run in series, it is technically possible to interfere with the message that approves the transaction after the card has been verified. CDA was developed to combat this threat. It combines the two steps: the card's decision on the transaction is itself part of the data signed by the card's cryptographic key, so an approval altered after card verification no longer validates.
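The following toy model, added here as an illustration and not code from the article or from EMVCo, shows the gap described above: under the DDA-style flow the card's signature covers only the terminal's challenge, so a decline rewritten as an approval between card and terminal still passes; under CDA the signature also covers the decision and cryptogram, so the same tampering fails. Toy RSA with tiny primes stands in for the real ICC RSA key, HMAC stands in for the Triple-DES cryptogram, and the transaction data and challenge are constructed values.

```python
import hashlib
import hmac
# Toy RSA pair for the card (ICC). Tiny primes: readable demo, not secure.
E = 65537
P, Q = 1000003, 999983
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
ISSUER_KEY = b"constructed issuer/card shared key"  # stand-in for the 3DES key

def digest(data: bytes) -> int:
    # SHA-256 truncated to 32 bits so the value fits under the toy modulus N
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def icc_sign(data: bytes) -> int:                    # card side, private key
    return pow(digest(data), D, N)

def terminal_verify(data: bytes, sig: int) -> bool:  # terminal side, public key
    return pow(sig, E, N) == digest(data)

def application_cryptogram(txn: bytes, decision: bytes) -> bytes:
    # HMAC stands in for the 3DES MAC that only the issuer can check online
    return hmac.new(ISSUER_KEY, txn + decision, "sha256").digest()[:8]

def card_respond(mode: str, txn: bytes, nonce: bytes, decision: bytes) -> dict:
    """Card's GENERATE AC response. DDA signs only the terminal's challenge
    (card authentication is a separate step); CDA signs challenge + txn + decision + AC."""
    ac = application_cryptogram(txn, decision)
    signed = nonce if mode == "DDA" else nonce + txn + decision + ac
    return {"decision": decision, "ac": ac, "sig": icc_sign(signed)}

def terminal_accepts(mode: str, txn: bytes, nonce: bytes, resp: dict) -> bool:
    """Offline terminal check: is the card genuine, and (CDA only) is the
    decision it returned the one the card actually signed?"""
    signed = nonce if mode == "DDA" else nonce + txn + resp["decision"] + resp["ac"]
    return terminal_verify(signed, resp["sig"]) and resp["decision"] == b"TC"

def tamper(resp: dict) -> dict:
    # Interference between card and terminal: the card's offline decline (AAC)
    # is rewritten as an approval (TC) with a made-up cryptogram.
    return {**resp, "decision": b"TC", "ac": b"\x00" * 8}

def run(mode: str) -> tuple:
    """Returns (genuine approval accepted, tampered decline accepted)."""
    txn = b"9F02:000000004999 5F2A:0840"   # constructed amount/currency data
    nonce = b"\x1e\xa7\x03\x9c"            # constructed unpredictable number
    genuine = card_respond(mode, txn, nonce, b"TC")
    declined = card_respond(mode, txn, nonce, b"AAC")
    return (terminal_accepts(mode, txn, nonce, genuine),
            terminal_accepts(mode, txn, nonce, tamper(declined)))
```

`run("DDA")` returns `(True, True)`: the forged approval is accepted; `run("CDA")` returns `(True, False)`: the same forgery is rejected because the signature no longer matches.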

Figure: While survey respondents say physical security is vital, we're not there yet.

More recently, security pros -- and MasterCard and Visa with their latest announcement -- have been discussing end-to-end encryption together with tokenization to help address some of the weaknesses that inevitably accompany complex security models involving many processes and parties. 

After all, cybercriminals will always find the weakest link in a process chain.

From a payments industry perspective, US adoption of EMV closes a major gap exploited by criminals today. Because EMV cards are still physical cards with magnetic stripes, in the simplest form of fraud, the card can be skimmed, cloned, and used in countries where EMV has not been deployed. So, today, it's not uncommon to see credit or debit EMV card data skimmed in Europe, cloned, and used in the US.

This, combined with the fact that domestic payment cards are almost routinely cloned and used fraudulently at retailers nationwide and online, has already resulted in major headaches for financial institutions and card processors in EMV countries. I've talked with financial institutions in Belgium, the Netherlands, and Hong Kong that, faced with increased levels of cross-border payment card fraud, are using "geo-blocking," or country-wide transaction blocking. Any use of their EMV payment cards in a non-EMV country will, by default, be declined.

Radical? Yes, but these institutions believe the risk of approving a transaction is so high that they're willing to anger their customers.

It's also worth noting that in the EMV model, the "chip" is concerned with the authentication of the payment card, while the "PIN" or "signature" is concerned with the authentication of the holder. So some card-present fraud scenarios, such as when cards are physically stolen, will survive EMV adoption. Still, EMV is clearly a valuable technology.

Of course, the world of payment technologies is complex and rapidly evolving. Even the underlying payment currencies are in flux, with crypto/digital currencies like Bitcoin, VEN, or Litecoin in play. We can't pat ourselves on the back for bringing EMV to the US. We must look ahead. In my next column, I will talk about some of the approaches and technologies now being deployed alongside EMV that have the potential to dramatically reduce overall fraud levels today and tomorrow.


Pat Carroll is the executive chairman and founder of ValidSoft, a global supplier of cybersecurity and transaction authentication solutions utilized by banks, financial services companies, and governments to secure and authorize payment transactions. He has more than 25 years ...

Comments
finansielle raadgivere,
User Rank: Apprentice
7/10/2014 | 5:58:24 AM
Re: Marketing Challenge
The most important contribution by EMV is focused on strengthening transaction security through additional authentication. The focus on the legitimacy of the transaction and the ability to prevent fraud at the ATM or PoS through additional layers of authentication specifically the PIN number will help reduce fraud and at least remove the U.S. from the status of countries where the opportunity to commit fraud is now the greatest due to its legacy magnetic stripe card infrastructure. Coupled with new standards of 'tokenization' that will/have been established by the card networks, this will start to make a difference on how consumers perceive the industry is moving to help them feel more secure, while initiating payments around the world. 
MarkS229,
User Rank: Apprentice
3/17/2014 | 10:32:20 PM
EMV won't solve the problem, but this will
I agree wholeheartedly with everything said in the article.

The trouble with any system that uses fixed credentials, is that these can be intercepted, copied and re-used. This goes for biometrics, too, since the data is digitised for transmission.

What is needed is an authentication process that doesn't use passwords, PIN codes, biometric data or multi-level encryption, and is still proof against network snooping, spy cameras and malware.

In your head is a keyword (or two) which only telepathy can reveal. When you login, you are presented with an alphabet coupled to a random assortment of 1's and 0's (or any other numbers) which you match against your keyword. Doesn't matter how the hackers intercept this, since the random assortment will be different next time. The technical details of such a system are described in www.designsim.com.au/What_is_SteelPlatez.ppsx together with its application to POS terminals, ATMs and online banking.

The best part is that no fancy cards are required, and POS terminals would only need an extra HTML page.
PMCarrollVS,
User Rank: Apprentice
3/17/2014 | 8:32:47 PM
Re: Marketing Challenge
Thanks kgordon597. I am a great believer in Contactless payment technology, which has to be the ultimate consumer experience in terms of convenience. What we need is Convenience with security, not versus security, and the problem with contactless remains the threat of fraud which results in low transaction limits. However, contactless (cards or mobile) can be combined with new technology which I discuss in my follow-on article and is capable of addressing the fraud issue with virtually 100% reliability.
jagibbons,
User Rank: Strategist
3/17/2014 | 8:20:18 PM
Re: Marketing Challenge
There are no easy solutions to the card fraud problem. EMV will help in many cases, and should be adopted as broadly as possible. However, the article is right in that thieves will turn their focus to other payment methods when cards become more secure.
PMCarrollVS,
User Rank: Apprentice
3/17/2014 | 8:16:02 PM
Re: Card Not Present
You are correct that EMV is effectively designed for Card Present transactions, and this article is primarily concerned with EMV in this context. I do refer briefly to the difference between CP and CNP transactions, which is also referenced in the follow-on article. For completeness I should add that EMV payment cards can be equipped with features designed to add security to card-not-present transactions, such as one-time passwords, on-card displays, or use with personal card readers. However, such applications of the EMV card add to the production/deployment costs, which can render their widespread distribution infeasible.
PMCarrollVS,
User Rank: Apprentice
3/17/2014 | 7:51:02 PM
Re: Declined
Correct, the perception in some countries is that non-EMV transactions are so risky that many banks are declining them by default (unless you specifically call in and notify them you'll be travelling to the US (or other non-EMV country), but even calling the bank in advance is no guarantee that the transaction will not be blocked). The follow-on article will outline technology available today that can enable issuing banks to differentiate between legitimate and fraudulent transactions with virtually 100% accuracy, and works irrespective of whether the card is EMV or non-EMV.
kgordon597,
User Rank: Apprentice
3/17/2014 | 6:42:20 PM
Marketing Challenge
I am looking forward to your further additions to this column, Pat. EMV is not going to be the answer for the long term. It is decades-old technology that is expensive to implement and still poses security issues. Better encryption and an absence of fraudulent attacks has led to consumer trust of companies like PayPal, and ease-of-use concerns in a retail environment have been answered with contactless payment methods like NFC, BLE and QR codes. The dilemma of convincing consumers and retailers that these alternative payment methods hold more long-term viability is a challenge for marketers. The retailers are the ones who are going to need to partner with payment companies in order to add value to the consumer experience with targeted messaging and promotions. Merchants have to be in the conversation and collaborating with the innovators to develop a more secure payments process that can be more easily updated over time.
Lorna Garey,
User Rank: Ninja
3/17/2014 | 1:40:59 PM
Re: Declined
OK, that makes sense. Talk about a PR nightmare otherwise -- card declined, possibly a language barrier to boot.
allieluvzkittnz,
User Rank: Apprentice
3/17/2014 | 1:20:31 PM
Re: Declined
No, what he's saying is that non-EMV transactions are so risky that many banks are starting to decline them by default unless you specifically call in and notify them you'll be travelling to the US (or other non-EMV country). Issuing a non-EMV card would be far, far WORSE for them. Disabling stripe transactions by default isn't radical, it's smart. Most banks in the US disable foreign transactions by default, too...
wayne.allen,
User Rank: Apprentice
3/17/2014 | 12:58:24 PM
Card Not Present
The author alluded to it, but didn't clearly point out that EMV does nothing for card not present transactions.