Attacks/Breaches
1/24/2014
10:00 AM
Connect Directly
RSS
E-Mail
50%
50%

Target Breach: Why Smartcards Won’t Stop Hackers

"Chip and PIN" smartcard adoption in the United States is long overdue. But the security improvement wouldn't have stopped Target's BlackPOS malware attackers.

Say what you will about "smart" credit cards or EMV card-security technology: None of it would have prevented the recent theft of shoppers' credit card information from Target and Neiman Marcus. But that doesn't mean that it isn't high time our credit cards sported EMV-compatible microchips.

Cards compatible with the EuroPay, MasterCard, and Visa (EMV) standard have been widely adopted in about 80 other countries, and are easily spotted by the microchip on the face of the card. When the card is used for in-person purchases, the cardholder must first insert the card into a point-of-sale (POS) card reader and enter a four-digit PIN code -- verified by the chip -- to authorize the transaction. After three wrong attempts in a row, typically, the chip will lock itself. 

Chip and PIN EMV isn't perfect, but it has been tied to a decrease in overall levels of fraud, once countries stop authorizing payments from an EMV card that's been swiped, says Dan Ingevaldson, CTO of Easy Solutions. Indeed, card-not-present attacks -- via phone, Internet -- comprised the majority of fraud in EMV-using Canada (61%), Germany (70%), and the UK (63%) in 2012.  

In the United States, Visa has been pushing merchants to adopt terminals that are compatible with EMV, for example by exempting merchants from having to prove their PCI compliance. At the same time, however, Visa's PR machine has bent over backwards to try and avoid the impression that it's holding anyone's feet to the fire.

Why the tortured approach? Money is the most likely culprit: US merchants must invest in their own POS terminals, and may only refresh them every five years or more. Furthermore, thanks to a $5.7 billion Dec. 2013 settlement agreement reached after US merchants filed a class suit against Visa and MasterCard,  merchants now have the right, subject to state laws, to add a surcharge to any credit card. They can either do this on a "card brand" basis -- meaning for all Visa, or MasterCard cards -- or else for an individual class of card, such as Visa Signature. (Interestingly, Target was one of many businesses that criticized that settlement amount for being too little, and the future legal protections afforded Visa and MasterCard too great.)

Accordingly, any efforts by Visa or MasterCard to force retailers to adopt EMV-compatible terminals could lead to a merchant backlash, essentially holding the technology requirements hostage unless subsidized by the relevant card brand. Instead, card brands have been pushing "incentives" to drive merchants to adopt EMV. Already, US merchants that process at least 75 percent  of their transactions using EMV-compatible terminals are exempted from having to demonstrate PCI compliance.

Liability shifts 
Beginning in Oct. 2015, a "fraud liability shift" will mean that instead of merchants covering one-third of any card-related fraud (and card issuers the rest), merchants will be on the hook for all fraud that results from an EMV-compliant card being used in a non-EMV-compliant POS terminal, The Wall Street Journal recently reported. Conversely, card brands have promised to cover all fraud that results from the use of any card in any EMV-compliant terminal.

In other words: Visa is hoping retailers will adopt EMV-compatible terminals by 2015, although some industry analysts see that schedule as highly optimistic.

Whenever EMV does come into wide use here, it won't be an information security panacea. While questions remain about how Target got hacked -- many suspect a phishing attack -- the card-data breach appears to have resulted from Windows-compatible BlackPOS (a.k.a. Kaptoxa) malware running on payment processing servers, and siphoning 11 GB of card data from POS terminals, via FTP, to a server in Russia. Again, EMV wouldn't have blocked attackers.

EMV-compatible card readers also aren't immune to physical attacks. Reports of related, in-the-wild skimming attacks -- in which thieves insert a chip into the supposedly tamper-proof devices and harvest card data, including PIN codes -- date from at least 2008.

At Black Hat 2012, meanwhile, two MWR Labs researchers demonstrated a "PinPadPwn" attack in which they programmed a smartcard that looked exactly like a real credit card to exploit a weakness in an EMV-compatible terminal they'd purchased off of eBay. The weakness, which related to how the terminal processed chip and PIN card data, allowed the researchers to not only take control of the device screen -- for example to post fake "transaction approved" messages -- but also install malware that recorded all card data and PIN-pad presses. Later, the attackers plugged the smartcard back into the terminal, at which point the malware automatically copied all harvested card data back onto their smartcard, while flashing another "transaction approved" message on the device's screen.

Now the good news
If EMV wouldn't have stopped the Target breach, one bit of good news to come from the Target debacle is that people are now asking -- with some urgency -- why the United States has yet to adopt the technology. As Nick Selby, CEO of StreetCred Software, wrote this week on GovFresh: "There is now mainstream discussion of finally defeating, as a matter of public safety and policy, the Payment Card Industry's stubborn, silly and cynical, decade-long campaign against chip and PIN cards."

This week, Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. But a decade ago, EMV's detractors included none other than Target, which pulled the plug on a related, three-year joint pilot with Visa in 2004. "A review of the program led the leadership team to agree that there were potential operational, financial and marketing benefits," Target chief financial officer John Mulligan told The Journal this week. "However, without broad industry adoption of the technology to ensure a consistent guest experience, there weren't enough benefits at that time to continue the test."

Cue what-if scenarios if only Target had afforded its "guests" EMV credit cards. Instead it shelved the project, the Journal reported, because executives were concerned that it slowed checkout speeds and couldn't be marketed in a suitably appealing manner.

Thank Target for putting the sexy into payment-card security.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
1/24/2014 | 10:40:33 AM
Exempted from PCI Compliance?
I was thrown by the reference to some rule that allows merchants not to have to demonstrate PCI Compliance if they do enough transactions with PIN and chip cards. Why does that make sense?
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
1/25/2014 | 8:38:14 AM
Re: Exempted from PCI Compliance?
It doesn't, but that was the outcome of a court case with a settlement approved by a judge. Judges are experts in law, but understandably lack the knowledge of many areas they have to decide on. My guess it was the same in this case. Just look at the many tech patent cases, the verdicts often lack any common sense and typically do not take long term impact into account. It is difficult for a court to find the fine line between acting upon law versus making new laws and political policy decisions.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
1/24/2014 | 11:19:01 AM
Transactions without the card?
These chipped cards do nothing for online or phone purchases either, right?

In terms of PCI, seems like the carrot part of the carrot/stick duo. PCI audits are costly and of questionable value. So, let retailers spend that money to upgrade their devices.
mdelince
50%
50%
mdelince,
User Rank: Apprentice
1/24/2014 | 12:36:00 PM
When can we expect better online use of chipped cards?
There are many banks in Europe (all the one I deal with) who provide a device which can be used to login to the online banking web site and also to confirm any online transaction on these sites.

So it seems to me that if "the world" adopted such simple technology we could get way better security around online financial transaction (and possibly even for non-financial ones).

The main problem is that there does not seem to be an agreed upon standard for such device and my experience with the banks I refer to above is that each has got its own device and apparently they are not fully compatible.

Another problem is price: someone will have to pay for the device and even if they are not very expensive (I pay a fee of about 50$ to obtain such device and they last 5 years) this cost may be difficult to justify for infrequent use. If "the world" was adopting a standard for such a device, I am sure 3rd party would be building and selling such devices and pricce would drop to a more acceptable 2-5$.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
1/25/2014 | 8:34:07 AM
Re: When can we expect better online use of chipped cards?
As with many things, it is a matter of price but even more so the US typical "not invented here" syndrome. Something that works great in Europe and Asia can by no chance work in the US. For that reason we still endure Never The Same Color TV broadcasts, wall outlets that by design are an electrocution hazard, expensive consumer satellite TV service (no extra charge for Europe on the Astra and Eutelsat systems), slow broadband at twice the price, frequent power outages, new roads that need fixing one year later....the list is long and for every issue there is already an established and proven solution that may cost a bit more upfront, but saves everyone tons of money in the long run. But since it is not invented here or no longer hip with the conservative crowd (e.g. high speed rail and favroing rail freight over trucks) it will never get introduced in the US unless there are constantly high price failures. Another example? Sure, rail cars for oil transport! Since decades much safer rail cars are available and proven to be effective protection in derailments. But I guess for the US it is cheaper to have the few dozen people die and half a town get burned down than spend the money on safety. And in regards to payment security, just look how great TJX is doing. They survived the biggest credit card data breach in history and it was nothing more than a footnote in an annual report. It seems as if one is looking for common sense they need to move away from the US.
rvanderhoof085
50%
50%
rvanderhoof085,
User Rank: Apprentice
1/24/2014 | 1:08:40 PM
Smart cards won't stop hackers - but they remove the incentive
Stopping the hackers is not the purpose of EMV chip cards.  PCI security compliance is supposed to do that, and everyone knows that applying network security only against hackers is an arms race that merchants can't win.  EMV chip card data behind the firewalls erected by merchants to prevent hackers from getting in makes those merchants less of a target.  Remove the magnetic stripe data and replace it with chip data, which can't be counterfeited and lacks all the elements neccesary for online fraud, and you eliminate the incentive to break in.  EMV chip cards is the best defense merchants have to avoid being the next target.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
1/25/2014 | 8:24:11 AM
Re: Smart cards won't stop hackers - but they remove the incentive
Actually, the chip data can be counterfeited, but at a tremendously larger effort than coding a 1 cent mag stripe card. That might just be sufficient to make it not worth while the effort at least for in person purchases. Online fraud would be the preferred option as the numbers clearly show. The alternative approval process as some advertise now would be one option, but even that could be compromised as long as hackers accummulate enough intel on a person. And it puts the burden on the consumer who not only has to do more without getting any more protection (with or without the consumer is only liable for 50$ of a fraudulent transaction) and it requires expensive smartphones with as expensive data plans.
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
1/26/2014 | 8:55:37 AM
Re: Smart cards won't stop hackers - but they remove the incentive
Online fraud typically only includes the primary account number and the CVV code. However, one-time use credit cards can resolve that issue. Moving to EMV for card-present payments and bank-supported disposable one-time use card numbers for online purchases may combine to be the safest solution.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/27/2014 | 10:24:17 AM
Re: Smart cards won't stop hackers - but they remove the incentive
@jagibbons. I don't think I'm familiar with the one-time use credit cards you refer to. How prevalent are they and who issues them? Banks, retailers or both. 
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
1/27/2014 | 10:33:33 AM
Re: Smart cards won't stop hackers - but they remove the incentive
Our bank, Huntington, provides them. They are actually debit cards connected to a checking account. We can use it once or multiple times. It is possible to get new ones. Some of card brands also offer this service.

It's not a big issue if the card number is invalidated after the transaction when it is skimmed.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/27/2014 | 3:50:26 PM
Re: Smart cards won't stop hackers - but they remove the incentive
Thanks, @jagibbons. Sounds like a reasonable option, though I think a better solution would be for the retail industry needs to be pushed to make more of an investment in smart cards and smart POS terminals.
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
1/27/2014 | 9:10:05 PM
Re: Smart cards won't stop hackers - but they remove the incentive
The disposable card numbers are really only for online use. You are correct, though, that the retail industry needs better POS security and protection.
psengupta411
50%
50%
psengupta411,
User Rank: Apprentice
1/24/2014 | 6:21:52 PM
Target Breach: Smartcards
If the perpetratrors had hacked the Target servers, then of course, EMV cards could not have saved the situation. However, a PCI compliant POS terminal with an EPP, would have helped to avoid PIN compromise for EMV cards even if the card numbers were illegally captured. It seems that the obduracy of the US retailers has been the prime cause for the perpetratrors to succeed in this massive onslaught. No wonder, we keep reading about the impending 'death' of retail
pabbott782
50%
50%
pabbott782,
User Rank: Apprentice
1/24/2014 | 7:45:35 PM
The cynical perspective
This is America, and as I understand it, everything is driven by money. This technology reduces fraud/theft, and thereby saves money. Sounds to me like this could justify reduced charges to retailers which should be all it takes to convince them to get on board. Of course I'm ignoring one detail, the bannks will consider the better security to be a benefit and therefore charges will be increased since, as banks have demonstrated on many occasions, the only thing that interests them is more profits. No wonder it's not been adopted yet.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
1/25/2014 | 8:16:46 AM
It all comes down to money
As soon as a breach of the Target scale will be generating so many damage claims and fines that it would even put a big retailer out of business the EMV systems are in place within months. Both the card industry and retailers consider it cheaper to pay the damages and some petty fines in these cases, but otherwise not care if it ruined the lives of thousands of families.

The discussion is a bit misguided if the EMV systems are not as secure as they seem. The card industry and retailers should seek cases like Target as the opportunity for a positiive campaign and design and implement the most secure payment system ever. But I guess Target will be flip flopping on that as well, Target just sucks.
MarkS229
50%
50%
MarkS229,
User Rank: Apprentice
1/27/2014 | 9:21:36 PM
Smartcards are unnecessary. This is the Solution
Since this is the only solution guaranteed to solve the credit card/retailer problem, without causing major system redesigns and disruptions, I'll explain it in detail.

First, the credit card companies give everyone a UserID, which gets put on the credit card, instead of the number.

Next, everyone chooses a keyword, like 'NeimanMarcus' or 'Target' (too soon?).

The POS system connects to the credit card company, as usual but, instead of prompting for a password, it displays a matrix of upper/lowercase alphabets, with a random pattern of 1's and 0's underneath.

The user types the 1's and 0's corresponding to his keyword, which goes to the credit card company for approval. After limit checks, expiry checks etc, the user is approved.

The next time the user makes a purchase, the pattern of 1's and 0's is completely different, so the previously typed code is useless to an attacker. Doesn't matter whether it's malware, network snoopers, or spy cameras, the information is always useless.

For obvious reasons, anything in the retailer's logs is also totally useless.

Now, isn't that easier than redesigning the whole system, adding encryption and buying EMV cards?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/28/2014 | 11:36:56 AM
Re: Smartcards are unnecessary. This is the Solution
Not prepared to conceded that smart cards are unncessary. In fact I was gratified to read in a Dallas business news story that Wal-Mart and Kroger already have checkout systems that work with smart cards that are widely used internationally. Too bad Target customers didn't have that option. I don't suspect too many Wal-Mart or Kroger shoppers do either. 
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
1/28/2014 | 12:04:20 PM
Re: Smartcards are unnecessary. This is the Solution
One problem is that the share of purchases made in person with the card in hand is shrinking, or at least coming even with ecommerce. Maybe one answer will incorporate smartphones -- a two-factor method, something you have (the chipped card) and something you know (a one-time-use code sent to your phone to verify the purchase).

However, let's remember that the card issuers really, really want to end fraud because they're the ones on the hook. Meanwhile, as a customer, what's the worst that happens if someone in Russia buys an Olympic tee shirt with my card? I call the issuer to have it removed. So, customers won't tolerate inconvenience; there's no percentage in it.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Apprentice
1/30/2014 | 11:48:25 PM
Re: Smartcards are unnecessary. This is the Solution
This is why I try to pay with cash whenever possible.  So much easier, so much more secure.  (Indeed, the one time I went shopping at a Target during the affected period, I paid with cash; I'm now VERY glad that I did.)
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/31/2014 | 4:44:47 AM
Re: Smartcards are unnecessary. This is the Solution

Mark, that sounds like a very innovative approach. In fact, a version of that system is in use in Europe for online purchases. For every given card, the cardholder registers a password. As part of the payment process, they're then asked to provide the 1st, 3rd, and 6th (or some other combo randomly chosen by the card provider's system) letters of their password, to verify the purchase.

But can you imagine if this was introduced at POS terminals? I'd expect to see waiting times multiply. It also wouldn't work for anyone with vision problems. Related customer-service calls to card issuers would skyrocket. Unfortunately, I don't see the approach you outline being simple enough to succeed.

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Apprentice
1/30/2014 | 11:45:56 PM
EMV
Another problem with the security of EMV chips is that banks/credit card companies are so delusionally convinced that EMV is imperviously secure that when theft and fraud have occurred, they have given customers who have suffered from ID theft very difficult times, refusing to accept that the fraud occurred without exceptional evidence.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio