Target Breach: Why Smartcards Won’t Stop Hackers "Chip and PIN" smartcard adoption in the United States is long overdue. But the security improvement wouldn't have stopped Target's BlackPOS malware attackers.
Say what you will about "smart" credit cards or EMV card-security technology: None of it would have prevented the recent theft of shoppers' credit card information from Target and Neiman Marcus. But that doesn't mean that it isn't high time our credit cards sported EMV-compatible microchips.
Cards compatible with the EuroPay, MasterCard, and Visa (EMV) standard have been widely adopted in about 80 other countries, and are easily spotted by the microchip on the face of the card. When the card is used for in-person purchases, the cardholder must first insert the card into a point-of-sale (POS) card reader and enter a four-digit PIN code -- verified by the chip -- to authorize the transaction. After three wrong attempts in a row, typically, the chip will lock itself.
Chip and PIN EMV isn't perfect, but it has been tied to a decrease in overall levels of fraud, once countries stop authorizing payments from an EMV card that's been swiped, says Dan Ingevaldson, CTO of Easy Solutions. Indeed, card-not-present attacks -- via phone, Internet -- comprised the majority of fraud in EMV-using Canada (61%), Germany (70%), and the UK (63%) in 2012.
In the United States, Visa has been pushing merchants to adopt terminals that are compatible with EMV, for example by exempting merchants from having to prove their PCI compliance. At the same time, however, Visa's PR machine has bent over backwards to try and avoid the impression that it's holding anyone's feet to the fire.
Why the tortured approach? Money is the most likely culprit: US merchants must invest in their own POS terminals, and may only refresh them every five years or more. Furthermore, thanks to a $5.7 billion Dec. 2013 settlement agreement reached after US merchants filed a class suit against Visa and MasterCard, merchants now have the right, subject to state laws, to add a surcharge to any credit card. They can either do this on a "card brand" basis -- meaning for all Visa, or MasterCard cards -- or else for an individual class of card, such as Visa Signature. (Interestingly, Target was one of many businesses that criticized that settlement amount for being too little, and the future legal protections afforded Visa and MasterCard too great.)
Accordingly, any efforts by Visa or MasterCard to force retailers to adopt EMV-compatible terminals could lead to a merchant backlash, essentially holding the technology requirements hostage unless subsidized by the relevant card brand. Instead, card brands have been pushing "incentives" to drive merchants to adopt EMV. Already, US merchants that process at least 75 percent of their transactions using EMV-compatible terminals are exempted from having to demonstrate PCI compliance.
Beginning in Oct. 2015, a "fraud liability shift" will mean that instead of merchants covering one-third of any card-related fraud (and card issuers the rest), merchants will be on the hook for all fraud that results from an EMV-compliant card being used in a non-EMV-compliant POS terminal, The Wall Street Journal recently reported. Conversely, card brands have promised to cover all fraud that results from the use of any card in any EMV-compliant terminal.
In other words: Visa is hoping retailers will adopt EMV-compatible terminals by 2015, although some industry analysts see that schedule as highly optimistic.
Whenever EMV does come into wide use here, it won't be an information security panacea. While questions remain about how Target got hacked -- many suspect a phishing attack -- the card-data breach appears to have resulted from Windows-compatible BlackPOS (a.k.a. Kaptoxa) malware running on payment processing servers, and siphoning 11 GB of card data from POS terminals, via FTP, to a server in Russia. Again, EMV wouldn't have blocked attackers.
EMV-compatible card readers also aren't immune to physical attacks. Reports of related, in-the-wild skimming attacks -- in which thieves insert a chip into the supposedly tamper-proof devices and harvest card data, including PIN codes -- date from at least 2008.
At Black Hat 2012, meanwhile, two MWR Labs researchers demonstrated a "PinPadPwn" attack in which they programmed a smartcard that looked exactly like a real credit card to exploit a weakness in an EMV-compatible terminal they'd purchased off of eBay. The weakness, which related to how the terminal processed chip and PIN card data, allowed the researchers to not only take control of the device screen -- for example to post fake "transaction approved" messages -- but also install malware that recorded all card data and PIN-pad presses. Later, the attackers plugged the smartcard back into the terminal, at which point the malware automatically copied all harvested card data back onto their smartcard, while flashing another "transaction approved" message on the device's screen.
Now the good news
If EMV wouldn't have stopped the Target breach, one bit of good news to come from the Target debacle is that people are now asking -- with some urgency -- why the United States has yet to adopt the technology. As Nick Selby, CEO of StreetCred Software, wrote this week on GovFresh: "There is now mainstream discussion of finally defeating, as a matter of public safety and policy, the Payment Card Industry's stubborn, silly and cynical, decade-long campaign against chip and PIN cards."
This week, Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. But a decade ago, EMV's detractors included none other than Target, which pulled the plug on a related, three-year joint pilot with Visa in 2004. "A review of the program led the leadership team to agree that there were potential operational, financial and marketing benefits," Target chief financial officer John Mulligan told The Journal this week. "However, without broad industry adoption of the technology to ensure a consistent guest experience, there weren't enough benefits at that time to continue the test."
Cue what-if scenarios if only Target had afforded its "guests" EMV credit cards. Instead it shelved the project, the Journal reported, because executives were concerned that it slowed checkout speeds and couldn't be marketed in a suitably appealing manner.
Thank Target for putting the sexy into payment-card security.
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.