
Target Breach: Why Smartcards Won't Stop Hackers

"Chip and PIN" smartcard adoption in the United States is long overdue. But the security improvement wouldn't have stopped Target's BlackPOS malware attackers.

Say what you will about "smart" credit cards or EMV card-security technology: None of it would have prevented the recent theft of shoppers' credit card information from Target and Neiman Marcus. But that doesn't mean that it isn't high time our credit cards sported EMV-compatible microchips.

Cards compatible with the Europay, MasterCard, and Visa (EMV) standard have been widely adopted in about 80 other countries and are easily spotted by the microchip on the face of the card. When the card is used for an in-person purchase, the cardholder inserts it into a point-of-sale (POS) card reader and enters a four-digit PIN, which the chip itself verifies, to authorize the transaction. Typically, after three wrong attempts in a row, the chip locks itself.
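The offline PIN check and try counter described above, modelled as an added illustration (not code from the article or from any card vendor): the chip compares the PIN internally, counts down remaining attempts, resets the counter on success and blocks itself after the third consecutive miss. The `ChipCard` and `terminal_authorize` names and the sample PIN are constructed for this example.

```python
import hmac

PIN_TRY_LIMIT = 3  # "three wrong attempts in a row" lock, as described above


class ChipCard:
    """Toy EMV chip: verifies the PIN offline and enforces a try counter.
    A real chip keeps the PIN inside the secure element; this model stores
    it in the object only so the flow can be run."""

    def __init__(self, pin: str):
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be four digits")
        self._pin = pin
        self.pin_try_counter = PIN_TRY_LIMIT  # attempts remaining
        self.blocked = False

    def verify_pin(self, candidate: str) -> dict:
        """Mimic the chip's reply to a VERIFY: ok/blocked plus tries left."""
        if self.blocked:
            return {"ok": False, "blocked": True, "tries_left": 0}
        # constant-time compare: the chip should not leak how many digits matched
        if hmac.compare_digest(self._pin.encode(), candidate.encode()):
            self.pin_try_counter = PIN_TRY_LIMIT  # a success resets the counter
            return {"ok": True, "blocked": False, "tries_left": PIN_TRY_LIMIT}
        self.pin_try_counter -= 1
        if self.pin_try_counter == 0:
            self.blocked = True  # third consecutive miss locks the chip
        return {"ok": False, "blocked": self.blocked,
                "tries_left": self.pin_try_counter}


def terminal_authorize(card: ChipCard, entered_pins: list) -> str:
    """Terminal side: re-prompt until the chip accepts, blocks, or the
    cardholder gives up. Returns the final outcome shown on the screen."""
    for pin in entered_pins:
        result = card.verify_pin(pin)
        if result["ok"]:
            return "approved"
        if result["blocked"]:
            return "card blocked"
    return "declined"


if __name__ == "__main__":
    card = ChipCard("4821")  # constructed sample PIN
    print(terminal_authorize(card, ["1111", "4821"]))                   # approved
    print(terminal_authorize(ChipCard("4821"), ["0000", "1111", "2222"]))  # card blocked
```

Once blocked, the chip keeps refusing even the correct PIN, which is why a blocked card needs an issuer-side unblock rather than another try at the terminal.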

Chip and PIN EMV isn't perfect, but it has been tied to a decrease in overall levels of fraud once countries stop authorizing payments from an EMV card that's been swiped, says Dan Ingevaldson, CTO of Easy Solutions. Indeed, card-not-present attacks -- via phone or Internet -- comprised the majority of fraud in EMV-using Canada (61%), Germany (70%), and the UK (63%) in 2012.

In the United States, Visa has been pushing merchants to adopt terminals that are compatible with EMV, for example by exempting such merchants from having to prove their PCI compliance. At the same time, however, Visa's PR machine has bent over backwards to try to avoid the impression that it's holding anyone's feet to the fire.

Why the tortured approach? Money is the most likely culprit: US merchants must invest in their own POS terminals, and may only refresh them every five years or more. Furthermore, thanks to a $5.7 billion Dec. 2013 settlement agreement reached after US merchants filed a class-action suit against Visa and MasterCard, merchants now have the right, subject to state laws, to add a surcharge to any credit card. They can either do this on a "card brand" basis -- meaning for all Visa or MasterCard cards -- or else for an individual class of card, such as Visa Signature. (Interestingly, Target was one of many businesses that criticized that settlement amount for being too little, and the future legal protections afforded Visa and MasterCard too great.)

Accordingly, any efforts by Visa or MasterCard to force retailers to adopt EMV-compatible terminals could lead to a merchant backlash, essentially holding the technology requirements hostage unless subsidized by the relevant card brand. Instead, card brands have been pushing "incentives" to drive merchants to adopt EMV. Already, US merchants that process at least 75 percent of their transactions using EMV-compatible terminals are exempted from having to demonstrate PCI compliance.

Liability shifts 
Beginning in Oct. 2015, a "fraud liability shift" will mean that instead of merchants covering one-third of any card-related fraud (and card issuers the rest), merchants will be on the hook for all fraud that results from an EMV-compliant card being used in a non-EMV-compliant POS terminal, The Wall Street Journal recently reported. Conversely, card brands have promised to cover all fraud that results from the use of any card in any EMV-compliant terminal.

In other words: Visa is hoping retailers will adopt EMV-compatible terminals by 2015, although some industry analysts see that schedule as highly optimistic.

Whenever EMV does come into wide use here, it won't be an information security panacea. While questions remain about how Target got hacked -- many suspect a phishing attack -- the card-data breach appears to have resulted from Windows-compatible BlackPOS (a.k.a. Kaptoxa) malware running on payment processing servers and siphoning 11 GB of card data from POS terminals, via FTP, to a server in Russia. Again, EMV wouldn't have blocked the attackers.
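The exfiltration path described above, POS-segment hosts pushing card data out over FTP to an external address, is exactly the kind of traffic a network monitor can flag. The detector below is an added example, not code from the article or from Target; the flow-record layout, the POS subnet (10.50.0.0/16), the internal range and the log lines are all constructed for this illustration.

```python
import ipaddress

POS_NETS = [ipaddress.ip_network("10.50.0.0/16")]   # assumed POS/store segment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate ranges
FTP_CONTROL_PORT = 21  # any POS host opening an FTP control channel outward is suspect

# Constructed flow log: timestamp src dst dst_port proto bytes_out
SAMPLE_FLOWS = """\
2013-12-02T02:14:05Z 10.50.12.7 10.0.3.10 445 tcp 120000
2013-12-02T02:15:11Z 10.50.12.7 198.51.100.23 21 tcp 80000000
2013-12-02T02:16:40Z 10.50.12.9 198.51.100.23 21 tcp 5000
2013-12-02T03:02:09Z 10.0.3.10 10.50.12.7 443 tcp 9000
2013-12-02T03:10:09Z 10.50.12.7 10.0.3.10 21 tcp 700000
2013-12-03T02:10:00Z 10.50.12.9 198.51.100.23 21 tcp 70000000
"""


def _in_any(nets, addr):
    return any(addr in net for net in nets)


def parse_flows(text):
    """Yield one dict per flow record (assumed whitespace-separated layout)."""
    for line in text.splitlines():
        ts, src, dst, port, proto, nbytes = line.split()
        yield {"day": ts[:10], "src": ipaddress.ip_address(src),
               "dst": ipaddress.ip_address(dst), "port": int(port),
               "proto": proto, "bytes": int(nbytes)}


def detect_pos_ftp_exfil(text):
    """Return (day, src, dst, bytes) for every POS host that opened FTP to a
    non-internal address, aggregated per day and sorted. Volume is reported
    but not used as a filter: in passive-mode FTP the bulk data travels on
    an ephemeral port, so the control flow alone may look tiny."""
    totals = {}
    for f in parse_flows(text):
        if f["proto"] != "tcp" or f["port"] != FTP_CONTROL_PORT:
            continue
        if not _in_any(POS_NETS, f["src"]) or _in_any(INTERNAL_NETS, f["dst"]):
            continue  # internal FTP (e.g. to a patch server) is not the pattern here
        key = (f["day"], str(f["src"]), str(f["dst"]))
        totals[key] = totals.get(key, 0) + f["bytes"]
    return sorted((day, src, dst, b) for (day, src, dst), b in totals.items())


if __name__ == "__main__":
    for alert in detect_pos_ftp_exfil(SAMPLE_FLOWS):
        print("POS host FTP to external address:", alert)
```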

EMV-compatible card readers also aren't immune to physical attacks. Reports of related, in-the-wild skimming attacks -- in which thieves insert a chip into the supposedly tamper-proof devices and harvest card data, including PIN codes -- date from at least 2008.

At Black Hat 2012, meanwhile, two MWR Labs researchers demonstrated a "PinPadPwn" attack in which they programmed a smartcard that looked exactly like a real credit card to exploit a weakness in an EMV-compatible terminal they'd purchased on eBay. The weakness, which related to how the terminal processed chip and PIN card data, allowed the researchers not only to take control of the device screen -- for example to post fake "transaction approved" messages -- but also to install malware that recorded all card data and PIN-pad presses. Later, the researchers plugged the smartcard back into the terminal, at which point the malware automatically copied all harvested card data back onto their smartcard, while flashing another "transaction approved" message on the device's screen.

Now the good news
While EMV wouldn't have stopped the Target breach, one bit of good news to come from the Target debacle is that people are now asking -- with some urgency -- why the United States has yet to adopt the technology. As Nick Selby, CEO of StreetCred Software, wrote this week on GovFresh: "There is now mainstream discussion of finally defeating, as a matter of public safety and policy, the Payment Card Industry's stubborn, silly and cynical, decade-long campaign against chip and PIN cards."

This week, Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. But a decade ago, EMV's detractors included none other than Target, which pulled the plug on a related, three-year joint pilot with Visa in 2004. "A review of the program led the leadership team to agree that there were potential operational, financial and marketing benefits," Target chief financial officer John Mulligan told The Journal this week. "However, without broad industry adoption of the technology to ensure a consistent guest experience, there weren't enough benefits at that time to continue the test."

Cue the what-if scenarios had Target only afforded its "guests" EMV credit cards. Instead it shelved the project, the Journal reported, because executives were concerned that it slowed checkout speeds and couldn't be marketed in a suitably appealing manner.

Thank Target for putting the sexy into payment-card security.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

David F. Carr (User Rank: Strategist), 1/24/2014 10:40:33 AM
Exempted from PCI Compliance?
I was thrown by the reference to some rule that allows merchants not to have to demonstrate PCI Compliance if they do enough transactions with PIN and chip cards. Why does that make sense?