1/24/2014
10:00 AM
Target Breach: Why Smartcards Won’t Stop Hackers

"Chip and PIN" smartcard adoption in the United States is long overdue. But the security improvement wouldn't have stopped Target's BlackPOS malware attackers.

Say what you will about "smart" credit cards or EMV card-security technology: None of it would have prevented the recent theft of shoppers' credit card information from Target and Neiman Marcus. But that doesn't mean that it isn't high time our credit cards sported EMV-compatible microchips.

Cards compatible with the Europay, MasterCard, and Visa (EMV) standard have been widely adopted in about 80 other countries, and are easily spotted by the microchip on the face of the card. When the card is used for in-person purchases, the cardholder must first insert the card into a point-of-sale (POS) card reader and enter a four-digit PIN code -- verified by the chip -- to authorize the transaction. After three wrong attempts in a row, typically, the chip will lock itself.

Chip and PIN EMV isn't perfect, but it has been tied to a decrease in overall levels of fraud, once countries stop authorizing payments from an EMV card that's been swiped, says Dan Ingevaldson, CTO of Easy Solutions. Indeed, card-not-present attacks -- via phone or Internet -- comprised the majority of fraud in EMV-using Canada (61%), Germany (70%), and the UK (63%) in 2012.

In the United States, Visa has been pushing merchants to adopt terminals that are compatible with EMV, for example by exempting merchants from having to prove their PCI compliance. At the same time, however, Visa's PR machine has bent over backwards to try and avoid the impression that it's holding anyone's feet to the fire.

Why the tortured approach? Money is the most likely culprit: US merchants must invest in their own POS terminals, and may only refresh them every five years or more. Furthermore, thanks to a $5.7 billion Dec. 2013 settlement agreement reached after US merchants filed a class suit against Visa and MasterCard, merchants now have the right, subject to state laws, to add a surcharge to any credit card. They can either do this on a "card brand" basis -- meaning for all Visa or MasterCard cards -- or else for an individual class of card, such as Visa Signature. (Interestingly, Target was one of many businesses that criticized that settlement amount for being too little, and the future legal protections afforded Visa and MasterCard too great.)

Accordingly, any efforts by Visa or MasterCard to force retailers to adopt EMV-compatible terminals could lead to a merchant backlash, essentially holding the technology requirements hostage unless subsidized by the relevant card brand. Instead, card brands have been pushing "incentives" to drive merchants to adopt EMV. Already, US merchants that process at least 75 percent of their transactions using EMV-compatible terminals are exempted from having to demonstrate PCI compliance.

Liability shifts 
Beginning in Oct. 2015, a "fraud liability shift" will mean that instead of merchants covering one-third of any card-related fraud (and card issuers the rest), merchants will be on the hook for all fraud that results from an EMV-compliant card being used in a non-EMV-compliant POS terminal, The Wall Street Journal recently reported. Conversely, card brands have promised to cover all fraud that results from the use of any card in any EMV-compliant terminal.

In other words: Visa is hoping retailers will adopt EMV-compatible terminals by 2015, although some industry analysts see that schedule as highly optimistic.

Whenever EMV does come into wide use here, it won't be an information security panacea. While questions remain about how Target got hacked -- many suspect a phishing attack -- the card-data breach appears to have resulted from Windows-compatible BlackPOS (a.k.a. Kaptoxa) malware running on payment processing servers, and siphoning 11 GB of card data from POS terminals, via FTP, to a server in Russia. Again, EMV wouldn't have blocked attackers.

EMV-compatible card readers also aren't immune to physical attacks. Reports of related, in-the-wild skimming attacks -- in which thieves insert a chip into the supposedly tamper-proof devices and harvest card data, including PIN codes -- date from at least 2008.

At Black Hat 2012, meanwhile, two MWR Labs researchers demonstrated a "PinPadPwn" attack in which they programmed a smartcard that looked exactly like a real credit card to exploit a weakness in an EMV-compatible terminal they'd purchased off of eBay. The weakness, which related to how the terminal processed chip and PIN card data, allowed the researchers to not only take control of the device screen -- for example to post fake "transaction approved" messages -- but also install malware that recorded all card data and PIN-pad presses. Later, the attackers plugged the smartcard back into the terminal, at which point the malware automatically copied all harvested card data back onto their smartcard, while flashing another "transaction approved" message on the device's screen.

Now the good news
If EMV wouldn't have stopped the Target breach, one bit of good news to come from the Target debacle is that people are now asking -- with some urgency -- why the United States has yet to adopt the technology. As Nick Selby, CEO of StreetCred Software, wrote this week on GovFresh: "There is now mainstream discussion of finally defeating, as a matter of public safety and policy, the Payment Card Industry's stubborn, silly and cynical, decade-long campaign against chip and PIN cards."

This week, Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. But a decade ago, EMV's detractors included none other than Target, which pulled the plug on a related, three-year joint pilot with Visa in 2004. "A review of the program led the leadership team to agree that there were potential operational, financial and marketing benefits," Target chief financial officer John Mulligan told The Journal this week. "However, without broad industry adoption of the technology to ensure a consistent guest experience, there weren't enough benefits at that time to continue the test."

Cue what-if scenarios if only Target had afforded its "guests" EMV credit cards. Instead it shelved the project, the Journal reported, because executives were concerned that it slowed checkout speeds and couldn't be marketed in a suitably appealing manner.

Thank Target for putting the sexy into payment-card security.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Mathew,
User Rank: Apprentice
1/31/2014 | 4:44:47 AM
Re: Smartcards are unnecessary. This is the Solution

Mark, that sounds like a very innovative approach. In fact, a version of that system is in use in Europe for online purchases. For every given card, the cardholder registers a password. As part of the payment process, they're then asked to provide the 1st, 3rd, and 6th (or some other combo randomly chosen by the card provider's system) letters of their password, to verify the purchase.

But can you imagine if this was introduced at POS terminals? I'd expect to see waiting times multiply. It also wouldn't work for anyone with vision problems. Related customer-service calls to card issuers would skyrocket. Unfortunately, I don't see the approach you outline being simple enough to succeed.

Joe Stanganelli,
User Rank: Apprentice
1/30/2014 | 11:48:25 PM
Re: Smartcards are unnecessary. This is the Solution
This is why I try to pay with cash whenever possible.  So much easier, so much more secure.  (Indeed, the one time I went shopping at a Target during the affected period, I paid with cash; I'm now VERY glad that I did.)
Joe Stanganelli,
User Rank: Apprentice
1/30/2014 | 11:45:56 PM
EMV
Another problem with the security of EMV chips is that banks/credit card companies are so delusionally convinced that EMV is imperviously secure that when theft and fraud have occurred, they have given customers who have suffered from ID theft very difficult times, refusing to accept that the fraud occurred without exceptional evidence.
Lorna Garey,
User Rank: Ninja
1/28/2014 | 12:04:20 PM
Re: Smartcards are unnecessary. This is the Solution
One problem is that the share of purchases made in person with the card in hand is shrinking, or at least coming even with ecommerce. Maybe one answer will incorporate smartphones -- a two-factor method, something you have (the chipped card) and something you know (a one-time-use code sent to your phone to verify the purchase).

However, let's remember that the card issuers really, really want to end fraud because they're the ones on the hook. Meanwhile, as a customer, what's the worst that happens if someone in Russia buys an Olympic tee shirt with my card? I call the issuer to have it removed. So, customers won't tolerate inconvenience; there's no percentage in it.
Marilyn Cohodas,
User Rank: Strategist
1/28/2014 | 11:36:56 AM
Re: Smartcards are unnecessary. This is the Solution
Not prepared to concede that smart cards are unnecessary. In fact I was gratified to read in a Dallas business news story that Wal-Mart and Kroger already have checkout systems that work with smart cards that are widely used internationally. Too bad Target customers didn't have that option. I don't suspect too many Wal-Mart or Kroger shoppers do either.
MarkS229,
User Rank: Apprentice
1/27/2014 | 9:21:36 PM
Smartcards are unnecessary. This is the Solution
Since this is the only solution guaranteed to solve the credit card/retailer problem, without causing major system redesigns and disruptions, I'll explain it in detail.

First, the credit card companies give everyone a UserID, which gets put on the credit card, instead of the number.

Next, everyone chooses a keyword, like 'NeimanMarcus' or 'Target' (too soon?).

The POS system connects to the credit card company, as usual but, instead of prompting for a password, it displays a matrix of upper/lowercase alphabets, with a random pattern of 1's and 0's underneath.

The user types the 1's and 0's corresponding to his keyword, which goes to the credit card company for approval. After limit checks, expiry checks etc, the user is approved.

The next time the user makes a purchase, the pattern of 1's and 0's is completely different, so the previously typed code is useless to an attacker. Doesn't matter whether it's malware, network snoopers, or spy cameras, the information is always useless.

For obvious reasons, anything in the retailer's logs is also totally useless.

Now, isn't that easier than redesigning the whole system, adding encryption and buying EMV cards?
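The challenge-response scheme MarkS229 outlines above, written out as a runnable Python model so the replay claim can be checked. This is an added example, not code from the post or from any card network; the 52-letter display, the issuer-side verification and the candidate-narrowing check are my assumptions about how such a scheme would be built.

```python
import secrets
import string

# The POS display shows every upper/lowercase letter with a random bit underneath.
ALPHABET = string.ascii_letters


def make_challenge():
    """Issuer side: draw a fresh random bit for every letter of the display matrix."""
    return {ch: secrets.randbits(1) for ch in ALPHABET}


def respond(challenge, keyword):
    """Cardholder side: type the bit shown under each letter of the keyword, in order."""
    return "".join(str(challenge[ch]) for ch in keyword)


def verify(challenge, keyword, response):
    """Issuer side: the typed bits must equal the expected bits for THIS challenge.
    A response captured from an earlier challenge fails here about half the bits
    per position, which is the replay property the post relies on."""
    return secrets.compare_digest(respond(challenge, keyword), response)


def surviving_candidates(observations, keyword_len):
    """Defender-side check of the 'logs are useless' claim: given a list of
    (challenge, response) pairs an observer could have recorded, return the set of
    letters still possible at each keyword position. Each pair fixes, per position,
    which half of the alphabet the letter is in, so roughly log2(52) ~ 6 observed
    transactions are enough to pin the keyword down. Retention of challenge/response
    pairs in retailer or issuer logs therefore matters."""
    per_position = [set(ALPHABET) for _ in range(keyword_len)]
    for challenge, response in observations:
        for i, bit in enumerate(response):
            per_position[i] &= {ch for ch in ALPHABET if challenge[ch] == int(bit)}
    return per_position


if __name__ == "__main__":
    keyword = "Target"  # constructed sample keyword, as in the post
    first, second = make_challenge(), make_challenge()
    typed = respond(first, keyword)
    print("fresh response accepted:", verify(first, keyword, typed))
    print("replayed against a new challenge:", verify(second, keyword, typed))
    left = surviving_candidates([(first, typed), (second, respond(second, keyword))], len(keyword))
    print("candidate letters per position after 2 observations:", [len(s) for s in left])
```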
jagibbons,
User Rank: Strategist
1/27/2014 | 9:10:05 PM
Re: Smart cards won't stop hackers - but they remove the incentive
The disposable card numbers are really only for online use. You are correct, though, that the retail industry needs better POS security and protection.
Marilyn Cohodas,
User Rank: Strategist
1/27/2014 | 3:50:26 PM
Re: Smart cards won't stop hackers - but they remove the incentive
Thanks, @jagibbons. Sounds like a reasonable option, though I think a better solution would be for the retail industry to be pushed to make more of an investment in smart cards and smart POS terminals.
jagibbons,
User Rank: Strategist
1/27/2014 | 10:33:33 AM
Re: Smart cards won't stop hackers - but they remove the incentive
Our bank, Huntington, provides them. They are actually debit cards connected to a checking account. We can use it once or multiple times. It is possible to get new ones. Some card brands also offer this service.

It's not a big issue if the card number is invalidated after the transaction when it is skimmed.
Marilyn Cohodas,
User Rank: Strategist
1/27/2014 | 10:24:17 AM
Re: Smart cards won't stop hackers - but they remove the incentive
@jagibbons. I don't think I'm familiar with the one-time use credit cards you refer to. How prevalent are they and who issues them? Banks, retailers or both?