Commentary
2/17/2016 11:00 AM
Chet Wisniewski

Today's New Payment Card Security In A Nutshell

Businesses taking their time rolling out EMV card-compatible terminals are putting their data security and financial well-being at risk.

Credit card fraud is a serious issue. According to the 2016 Identity Fraud Study released earlier this month by Javelin Strategy & Research, the number of identity fraud victims in the US rose three percent last year, to 13.1 million consumers, and the total amount stolen was $15 billion. Thieves have stolen more than $112 billion in the past six years.

One way financial institutions are fighting back is by issuing EMV (Europay, Mastercard and Visa) or “chip” cards, which carry an embedded chip to provide a higher degree of fraud protection than older cards that rely only on a magnetic stripe. Every time an EMV card is used for payment, the chip computes a unique, one-time cryptogram for that transaction using a key that never leaves the chip; the cryptogram cannot be used again.

This will not prevent data breaches on the scale we’ve seen over the past two years, but it sharply reduces what a thief can do with the stolen data. If a hacker captures chip transaction data at one specific point of sale, the standard practice of duplicating the card will not work: the cryptogram created in that instance is bound to that transaction and cannot be replayed, and without the chip’s key the thief cannot compute a fresh one. The account number and expiration date are still readable, however, which is why the threat moves toward online, card-not-present fraud, discussed later in this piece.
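
To make concrete why a captured chip transaction is useless to a counterfeiter, here is a small model of the exchange, added as an illustration and not code from the article or from EMVCo. It replaces the real EMV Application Cryptogram (a 3DES-based MAC over transaction data, computed with a per-card key the issuer personalises into the chip) with HMAC-SHA256, and it assumes an issuer host that tracks each card’s Application Transaction Counter (ATC); the PAN, expiry and amounts are constructed test values. It shows a genuine authorization succeeding, a replayed record and a tampered amount both failing, a counterfeit built from the chip’s clear-text data failing for lack of the key, and that the account number itself is still readable.

```python
"""Toy model of the EMV one-time cryptogram and why stolen chip data can't be replayed.

Added illustration, not code from the article or from EMVCo. HMAC-SHA256 stands in
for the real EMV Application Cryptogram (ARQC), which uses a 3DES-based MAC with
per-card keys; the security argument is the same.
"""
import hashlib
import hmac
import secrets


def auth_message(pan: str, expiry: str, amount: int, atc: int, nonce: bytes) -> bytes:
    """Data the cryptogram covers (a simplified stand-in for the fields EMV MACs)."""
    return f"{pan}|{expiry}|{amount}|{atc}|".encode() + nonce


class Chip:
    """Simulates the card's secure element. The key is set once and never read out."""

    def __init__(self, pan: str, expiry: str, card_key: bytes) -> None:
        self.pan = pan
        self.expiry = expiry
        self._key = card_key  # personalised by the issuer; not readable by a terminal
        self.atc = 0          # Application Transaction Counter, increments per use

    def clear_text_record(self) -> dict:
        """What a terminal (or malware on it) can read from the chip unprotected."""
        return {"pan": self.pan, "expiry": self.expiry}

    def generate_cryptogram(self, amount: int, terminal_nonce: bytes) -> dict:
        """Produce a one-time cryptogram bound to this amount, counter and terminal nonce."""
        self.atc += 1
        msg = auth_message(self.pan, self.expiry, amount, self.atc, terminal_nonce)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]  # 8-byte tag, like an ARQC
        return {**self.clear_text_record(), "amount": amount, "atc": self.atc,
                "nonce": terminal_nonce, "cryptogram": mac}


class Issuer:
    """Issuer host: holds every card's key and the last counter it accepted."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def issue(self, pan: str, expiry: str) -> Chip:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Chip(pan, expiry, key)

    def authorize(self, txn: dict) -> bool:
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        # A counter at or below the last accepted one is a replayed (or stale) record.
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return False
        msg = auth_message(txn["pan"], txn["expiry"], txn["amount"], txn["atc"], txn["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False
        self._last_atc[txn["pan"]] = txn["atc"]
        return True


def demo() -> dict:
    """Run a genuine purchase, then three things a thief might do with the captured data."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111", "2512")  # constructed test PAN and YYMM expiry
    results = {}

    txn = card.generate_cryptogram(amount=4999, terminal_nonce=secrets.token_bytes(4))
    results["genuine"] = issuer.authorize(txn)

    # 1. Present the skimmed transaction record a second time.
    results["replayed"] = issuer.authorize(txn)

    # 2. Alter the amount (bumping the counter so the replay check alone doesn't catch it).
    tampered = {**txn, "amount": 1, "atc": txn["atc"] + 1}
    results["tampered_amount"] = issuer.authorize(tampered)

    # 3. Build a counterfeit chip from the clear-text record; the thief has to guess a key.
    clone = Chip(card.pan, card.expiry, secrets.token_bytes(16))
    clone.atc = card.atc
    results["cloned_without_key"] = issuer.authorize(
        clone.generate_cryptogram(4999, secrets.token_bytes(4)))

    # The PAN itself is still there in the clear, which is all online (CNP) fraud needs.
    results["pan_in_clear"] = card.clear_text_record()["pan"]
    return results


if __name__ == "__main__":
    print(demo())
```

The last result is the one to keep in mind for the rest of the article: EMV never hid the account number, it made possession of the number insufficient for a card-present purchase.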

Merchants -- not banks -- now liable for payment card fraud

The primary driver for issuing cards with cryptographic chips is to reduce point-of-sale fraud committed with counterfeit cards built from stolen card numbers. The card networks (MasterCard, Visa, and American Express among them) set an Oct. 1, 2015, deadline for US merchants to install payment terminals able to accept chip card payments. That deadline has passed, and with it came the “liability shift”: for a counterfeit-card transaction, the loss now falls on whichever party has not adopted EMV, so a merchant still running magnetic stripe-only terminals, rather than the card-issuing bank, absorbs the fraud.

Businesses that have not installed EMV-capable terminals risk being held liable for that fraud, but they are not breaking any law and face no regulatory penalty for non-compliance. So the pace at which EMV cards are reaching consumers and being accepted at businesses has been slow.

The PULSE 2015 Debit Issuer Survey found that while 90% of financial institutions had begun issuing EMV debit cards or planned to by the end of 2015, only 25% of US debit cards (about 71 million cards) were expected to be chip-equipped by the end of that year. The share is projected to rise to 73% by the end of 2016 and 96% by the end of 2017, according to CreditCards.com.

Nevertheless, this forced adoption in the US has rekindled the debate over the cards’ efficacy in combating fraud, the finger-pointing over liability, and the resistance of US card issuers to adopting a PIN (“chip and PIN”) rather than sticking with the signature verification method in use since the introduction of credit cards in the 1950s.

A brief history of PIN versus signatures

A standard credit card has your name, expiration date, and PAN (Primary Account Number) embossed on the front and a CVV/CVC (Card Verification Value/Card Verification Code, often called CVV2) printed on the back. The magnetic stripe carries the name, PAN and expiration date as well, but not the printed code; instead it holds a separate, secret verification value (CVV1) that can only be read from the stripe itself.

Early fraudsters only needed the cardholder’s name and PAN to make a bogus purchase over the telephone or through mail order. The CVV in the stripe was added to make it harder to produce a working copy of a card from what is visible on it, and the CVV2 (the printed one) made it harder to use skimmed magnetic stripe data, which does not contain it, to commit CNP (Card Not Present -- Internet and telephone shopping) fraud.
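
The stripe layout the two paragraphs above describe, as an added example that is not part of the original article: a small parser for ISO/IEC 7813 Track 1 and Track 2 data, run over constructed records built around the well-known Visa test PAN 4111111111111111 and a fictitious cardholder. It shows exactly what a skimmer gets (PAN, name, expiry, service code, and the issuer’s discretionary field, which is where the stripe-only CVV1 lives at issuer-defined positions), that the printed CVV2 appears nowhere in it, and how the service code’s first digit announces that a chip is on the card, which is what lets an EMV terminal insist on a dip rather than a swipe. The PCI DSS first-six/last-four masking rule is applied before anything is logged.

```python
"""Parse ISO/IEC 7813 Track 1 / Track 2 magnetic stripe data.

Added illustration, not code from the article. The sample records are constructed
around the well-known Visa test PAN 4111111111111111; no real card data is used.
"""
import re
from dataclasses import dataclass
from typing import Optional

# %B<PAN>^<NAME>^<YYMM><service code><discretionary>?   (max 79 chars)
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)
# ;<PAN>=<YYMM><service code><discretionary>?            (max 40 chars)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")

# Service code, first digit (ISO/IEC 7813): where the card may be used and whether a chip exists.
INTERCHANGE = {
    "1": "international interchange",
    "2": "international interchange, chip present, use it where possible",
    "5": "national interchange only",
    "6": "national interchange only, chip present, use it where possible",
    "7": "no interchange except private agreement",
    "9": "test card",
}
# Third digit: what the card may buy and whether a PIN is required.
SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, prompt for PIN if PIN pad present",
    "7": "goods and services only, prompt for PIN if PIN pad present",
}


@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str            # YYMM
    service_code: str
    discretionary: str     # issuer-defined: PVV, CVV1/CVC1 etc. live in here
    name: Optional[str]    # Track 1 only
    pan_luhn_ok: bool
    chip_expected: bool    # service code says an EMV chip is on the card
    pin_required: bool


def luhn_valid(pan: str) -> bool:
    """Check-digit test a terminal applies before sending a PAN anywhere."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> TrackData:
    raw = raw.strip()
    if raw.startswith("%"):
        m, track, limit = TRACK1_RE.match(raw), 1, 79
    elif raw.startswith(";"):
        m, track, limit = TRACK2_RE.match(raw), 2, 40
    else:
        raise ValueError("not a Track 1 or Track 2 record")
    if m is None or len(raw) > limit:
        raise ValueError(f"malformed Track {track} data")
    sc = m.group("sc")
    return TrackData(
        track=track,
        pan=m.group("pan"),
        expiry=m.group("exp"),
        service_code=sc,
        discretionary=m.group("disc"),
        name=m.group("name") if track == 1 else None,
        pan_luhn_ok=luhn_valid(m.group("pan")),
        chip_expected=sc[0] in ("2", "6"),
        pin_required=sc[2] in ("0", "3", "5"),
    )


def describe(t: TrackData) -> str:
    """One-line summary with the PAN masked, safe to log."""
    return (f"Track {t.track}: PAN {mask_pan(t.pan)} exp {t.expiry[2:]}/{t.expiry[:2]} "
            f"sc {t.service_code} ({INTERCHANGE.get(t.service_code[0], 'reserved')}; "
            f"{SERVICES.get(t.service_code[2], 'reserved')}) "
            f"discretionary={len(t.discretionary)} chars; printed CVV2 not present")


if __name__ == "__main__":
    # Constructed sample records (test PAN, fictitious holder), not captured data.
    for rec in ("%B4111111111111111^DOE/JOHN^2512201000000000000?",
                ";4111111111111111=25121010000000000000?"):
        print(describe(parse_track(rec)))
```

Note that the parser cannot extract the CVV1: its position and encoding inside the discretionary field are set by the issuer, so only the issuer can verify it. That is the whole point of the value, and also why a skimmer who copies the field verbatim onto a blank card defeats it.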

The low price and ubiquity of modern electronics have made both of these security features largely irrelevant, since a reader/writer that copies stripe data onto a blank card costs very little, prompting the card industry to move to the EMV standard in an attempt at reducing card fraud with minimal inconvenience. Both contact “chip” cards and contactless tap-and-pay cards comply with specifications defined by EMV (now maintained by EMVCo).

Implications for the enterprise

So, yes, smart cards are more secure than traditional magnetic stripe-only cards. If you are responsible for information security at your company, your first order of business should be to install point-of-sale terminals that accept both chip and tap-and-pay cards, as well as payments from mobile devices such as smartphones and smartwatches, which use the same Near Field Communication (NFC) technology.

Even with these new terminals installed, you have not eliminated the risk of fraud. For signature transactions, instruct employees to continue to verify customers’ photo ID. You must also be ready for an increase in online fraud: thieves who can no longer use counterfeit physical cards in stores will turn to using stolen card numbers on your e-commerce sites. The Aite Group found that in the United Kingdom, online fraud -- known in the industry as "card not present," or CNP, fraud -- rose 79 percent in the first three years after the country switched to chip cards, and it more than doubled in Australia and Canada.

What will not change is hackers’ resolve to steal financial information, or the fact that they grow more sophisticated and insidious every year. Despite the cost involved in upgrading PoS systems and replacing magnetic stripe cards, the improvement in data security and reduction in liability will be dramatic.


Chester "Chet" Wisniewski is a senior security advisor at Sophos with more than 15 years of experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more ...
Comments
Joe Stanganelli
2/23/2016 | 1:22:55 PM
hampering
Of course, a lot of businesses are purposely being late to fully adopt -- and even slowing down or hampering -- the use of EMV, as Brian Krebs recently reported. Dipping the chip takes longer than swiping the stripe -- and even longer still when you have to ask card users if they have a chip card, remind them to use the chip, and/or instruct them how to use it. That slows down lines and thereby hampers transactions -- leading many retailers, preferring to let consumers learn how to use the chips on someone else's time (and dime), to block off the EMV capabilities and keep having their customers swipe the good ol' stripe.