Dark Reading is part of the Informa Tech Division of Informa PLC



2/17/2016, 11:00 AM
Chet Wisniewski
Commentary

Today's New Payment Card Security In A Nutshell

Businesses taking their time rolling out EMV card-compatible terminals are putting their data security and financial well-being at risk.

Credit card fraud is a serious issue. According to the 2016 Identity Fraud Study released earlier this month by Javelin Strategy & Research, the number of identity fraud victims increased by three percent (13.1 million consumers) in the US last year, and the total amount stolen was $15 billion. Thieves have stolen more than $112 billion in the past six years.

One way financial institutions are fighting back is by issuing EMV (Europay, Mastercard and Visa) or "chip" cards, which carry an embedded cryptographic chip and so provide a higher degree of fraud protection than cards that rely on the magnetic stripe alone. Every time an EMV card is used for payment, the chip computes a one-time transaction cryptogram over the details of that transaction (including the amount, a random number supplied by the terminal and a counter kept inside the chip), which the issuer verifies and which cannot be used again.

This will not prevent data breaches on the scale we have seen over the past two years, but it does limit what a thief can do with the stolen data. If a hacker captures chip transaction data at one specific point of sale, the standard practice of cloning the card will not work, because the cryptogram created for that transaction cannot be re-used. What the thief still walks away with is the static data (PAN and expiry date), which, as discussed below, feeds card-not-present fraud rather than counterfeit cards.
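To make the replay argument concrete, here is an added toy model of the per-transaction cryptogram. It is not code from the article and not the real EMV algorithm: in EMV the chip holds a card-unique key derived from an issuer master key and builds the Application Cryptogram (ARQC) with 3DES or AES over the transaction data. Here an HMAC-SHA256 over the same kind of fields stands in for that MAC, and the field layout, key, PAN and amounts are all made up for the demo.

```python
"""Toy model of the EMV per-transaction cryptogram and why a captured one fails.

Added illustration, not the article's code and not the real EMV derivation:
HMAC-SHA256 stands in for the 3DES/AES Application Cryptogram, and the PAN,
key and message layout are constructed for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _tx_bytes(pan: str, amount_cents: int, unpredictable_number: bytes, atc: int) -> bytes:
    # The cryptogram is bound to the amount, a random number chosen by the
    # terminal for this one transaction, and the chip's own transaction counter.
    return b"|".join([
        pan.encode(),
        amount_cents.to_bytes(6, "big"),
        unpredictable_number,
        atc.to_bytes(2, "big"),
    ])


@dataclass
class Chip:
    pan: str
    key: bytes        # secret shared only between the chip and its issuer
    atc: int = 0      # Application Transaction Counter, increments on every use

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        self.atc += 1
        mac = hmac.new(self.key,
                       _tx_bytes(self.pan, amount_cents, unpredictable_number, self.atc),
                       hashlib.sha256).digest()
        return self.atc, mac[:8]   # real EMV cryptograms are 8 bytes too


class Issuer:
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}

    def enroll(self, chip: Chip) -> None:
        self.keys[chip.pan] = chip.key
        self.last_atc[chip.pan] = 0

    def authorize(self, pan: str, amount_cents: int, unpredictable_number: bytes,
                  atc: int, arqc: bytes) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = hmac.new(key, _tx_bytes(pan, amount_cents, unpredictable_number, atc),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: bad cryptogram"        # amount or terminal nonce differ
        if atc <= self.last_atc[pan]:
            return "DECLINE: counter already used"  # byte-for-byte replay
        self.last_atc[pan] = atc
        return "APPROVE"


def magstripe_authorize(issuer: Issuer, pan: str) -> str:
    """Stripe data is static: nothing in it changes per transaction, so a copy
    of the stripe is as good as the card. This is the contrast the article draws."""
    return "APPROVE" if pan in issuer.keys else "DECLINE: unknown card"


def pos_transaction(chip: Chip, issuer: Issuer, amount_cents: int):
    """One chip transaction as seen on the wire; returns (result, captured message)."""
    un = os.urandom(4)                       # terminal's unpredictable number
    atc, arqc = chip.generate_arqc(amount_cents, un)
    message = (chip.pan, amount_cents, un, atc, arqc)
    return issuer.authorize(*message), message


def replay_demo() -> tuple[str, str, str, str]:
    """Genuine purchase, then three attempts to reuse what a POS skimmer captured."""
    issuer = Issuer()
    chip = Chip(pan="4111111111111111", key=os.urandom(16))   # made-up test PAN
    issuer.enroll(chip)

    legit, captured = pos_transaction(chip, issuer, 4999)
    pan, amount, un, atc, arqc = captured

    exact_replay = issuer.authorize(pan, amount, un, atc, arqc)        # same message again
    new_amount = issuer.authorize(pan, 99999, un, atc, arqc)           # tampered amount
    new_terminal = issuer.authorize(pan, amount, os.urandom(4), atc, arqc)  # different POS
    return legit, exact_replay, new_amount, new_terminal


if __name__ == "__main__":
    print(replay_demo())
```

The order of the two checks matters: the MAC check rejects anything whose fields were altered (a new amount, a different terminal's random number), and the counter check catches the one case the MAC cannot, a byte-for-byte replay of the original message. Real issuers also keep the counter from running backwards across terminals, which is what the `last_atc` table models.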

Merchants -- not banks -- now liable for payment card fraud

The primary driver for issuing cards with cryptographic chips is to reduce point-of-sale fraud using counterfeit cards made from stolen card data. The card networks, including MasterCard, Visa and American Express, set an Oct. 1, 2015, deadline for US businesses to install payment terminals that accept chip cards. That deadline has passed, so liability for counterfeit-card fraud now falls on whichever party is less EMV-capable: a merchant that swipes a chip card on a stripe-only terminal absorbs a loss the issuer used to carry.

Businesses that have not installed EMV-capable terminals risk being held liable for that fraud, but they are not breaking any laws or facing regulatory penalties for non-compliance, so the pace at which EMV cards are rolling out to consumers and being accepted at businesses has been slow.

The PULSE 2015 Debit Issuer Survey found that while 90% of financial institutions had begun issuing EMV debit cards or would do so by the end of 2015, only 25% of US debit cards (about 71 million cards) would be chip-equipped by the end of that year. The number is expected to rise to 73% by the end of 2016 and 96% by the end of 2017, according to CreditCards.com.

Nevertheless, this forced adoption in the US has rekindled the debate over the cards' efficacy in combating fraud, the finger-pointing over liability, and the resistance of US card issuers to chip-and-PIN in favour of chip-and-signature, a holdover from the signature verification method in use since the introduction of credit cards in the 1950s.

A brief history of PIN versus signatures

A standard credit card has your name, expiration date and PAN (Primary Account Number) embossed on the front and a CVV2/CVC2 (Card Verification Value/Card Verification Code) printed on the back. The magnetic stripe carries the PAN, expiry date and name, but not the printed code; instead it holds a separate secret value (CVV1/CVC1) that exists only on the stripe and can only be read from it.

Early fraudsters needed only the card holder's name and PAN to make a bogus purchase over the telephone or through mail order. The CVV1 in the stripe was added so that a card could not be copied from what is visible on its face alone, and the printed CVV2 made it more difficult to take magnetic stripe data and commit CNP (card not present, as in Internet and telephone shopping) fraud, since the CVV2 is not encoded on the stripe.
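The stripe layout described above is standardised (ISO/IEC 7813 Track 2), so it is easy to show exactly what a skimmer gets and what it does not. The parser below is an added example, not code from the article; the two track strings are constructed for the demo (4111111111111111 is a widely used Luhn-valid test PAN), the discretionary data is made up, and where an issuer places the CVV1 inside that field is issuer-defined and not decoded here. It also includes the one terminal-side check this section implies: the service code tells a terminal whether the card has a chip, so an EMV-capable terminal should not quietly accept a swipe of a chip card.

```python
"""Parse ISO/IEC 7813 Track 2 data to show what a magnetic stripe carries.

Added example, not the article's code. Track strings are constructed;
the CVV2 printed on the card never appears here, which is the point.
"""
from dataclasses import dataclass


@dataclass
class Track2:
    pan: str            # Primary Account Number, 12-19 digits
    expiry_yymm: str    # YYMM
    service_code: str   # 3 digits; first digit 2 or 6 means a chip is present
    discretionary: str  # issuer-defined data, typically PVKI/PVV and CVV1/CVC1

    @property
    def chip_present(self) -> bool:
        return self.service_code[0] in ("2", "6")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit carried by every PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def parse_track2(track: str) -> Track2:
    body = track.strip()
    if body.startswith(";"):           # start sentinel
        body = body[1:]
    if body.endswith("?"):             # end sentinel (LRC, if present, already dropped)
        body = body[:-1]
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed Track 2: bad PAN or missing separator")
    if not luhn_ok(pan):
        raise ValueError("malformed Track 2: PAN fails Luhn check")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed Track 2: expiry/service code missing")
    return Track2(pan=pan, expiry_yymm=rest[:4],
                  service_code=rest[4:7], discretionary=rest[7:])


def swipe_allowed(track: str, terminal_reads_chip: bool) -> bool:
    """A chip-capable terminal should refuse a plain swipe of a card whose
    service code says it has a chip; that card must be dipped. Stripe-only
    cards, or terminals without a chip reader, still take the swipe."""
    t = parse_track2(track)
    return not (t.chip_present and terminal_reads_chip)


# Constructed samples: a chip card (service code 201) and a stripe-only card (101).
CHIP_CARD_TRACK2 = ";4111111111111111=25122011234567890?"
STRIPE_ONLY_TRACK2 = ";4111111111111111=25121011234567890?"

if __name__ == "__main__":
    for sample in (CHIP_CARD_TRACK2, STRIPE_ONLY_TRACK2):
        t = parse_track2(sample)
        print(t, "chip:", t.chip_present, "swipe on EMV terminal:", swipe_allowed(sample, True))
```

Everything a stripe skimmer captures is in that dataclass, and every field is static, which is why a writer costing a few tens of dollars turns it into a working clone. The `swipe_allowed` check is the reason a cloned stripe of a chip card is supposed to be refused at an upgraded terminal; it only helps if the merchant has actually installed one.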

The low price and ubiquity of modern electronics has made both of these features easy to defeat: stripe readers and writers are cheap, so skimmed stripe data can be written straight onto a blank card, and the CVV2 is routinely captured along with the rest of the card data. That prompted the card industry to move forward with the modern EMV standard in an attempt to reduce card fraud with minimal inconvenience. Both "chip" cards and tap-and-pay cards comply with specifications defined by EMV.

Implications for the enterprise

So, yes, chip cards are more secure than traditional magnetic stripe-only cards. If you are responsible for information security at your company, your first order of business should be to install point-of-sale terminals that can accept both chip and tap-and-pay cards, as well as mobile devices such as smartphones and smartwatches that use the same Near Field Communication (NFC) technology.

Even with these new terminals installed, you have not eliminated the risk of fraud. For signature transactions, instruct employees to continue to verify customers' photo ID. You must also be ready for an increase in online fraud as thieves, discouraged by an inability to use counterfeit cards in stores, turn to using stolen card numbers on your e-commerce sites. The Aite Group found that in the United Kingdom, online fraud -- known in the industry as "card not present," or CNP, fraud -- rose 79 percent in the first three years after the country switched to chip cards, and it more than doubled in Australia and Canada.

What will not change is hackers' resolve to steal financial information, or the fact that they grow more sophisticated every year. Despite the cost of upgrading PoS systems and replacing magnetic stripe cards, the improvement in data security and the reduction in liability for counterfeit-card fraud will be dramatic.


Chester "Chet" Wisniewski is a senior security advisor at Sophos with more than 15 years of experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more ... View Full Bio
Comments
Joe Stanganelli (User Rank: Ninja), 2/23/2016, 1:22:55 PM
hampering
Of course, a lot of businesses are purposely being late to fully adopt -- and even slowing down or hampering -- the use of EMV, as Brian Krebs recently reported. Dipping the chip takes longer than swiping the stripe -- and even longer still when you have to ask card users if they have a chip card, remind them to use the chip, and/or instruct them how to use it. That slows down lines and thereby hampers transactions -- leading many retailers, preferring to let consumers learn how to use the chips on someone else's time (and dime), to block off the EMV capabilities and keep having their customers swipe the good ol' stripe.