EMV a positive step, but not the end of fraud as we know it
Every time word gets out about a security breach, the usual response is that the adoption of the EMV chip card in the United States in late 2015 will prevent future occurrences.
Or maybe not.
Before you begin panicking, do note that the EMV chip card will be a huge improvement over the old standby magnetic strips. The United States is at least a decade behind with the magnetic strips – which were junked in Europe because they were too easy to hack.
Think about it: Who checks a customer’s signature to make sure it matches the one on the back of the credit or debit card (if that signature even appears on the card)? And how difficult is it for a checkout staffer to quickly swipe it through a card-copying machine or just copy down your number?
Let’s talk a little about EMV, which stands for Europay, MasterCard and Visa. It’s a joint effort conceived by the three payment conglomerates to ensure that chip-based payment cards are secure and operate across the globe.
EMV is a global standard for the inter-operation of chip cards and chip card-capable point of sale (POS) terminals and automated teller machines (ATMs) for authenticating credit and debit card transactions.
The EMV chip card should be safer, since checkout staff won’t be handling your card. Instead, they’ll simply hand you the point-of-interaction device; the customer will insert the card and verify the payment themselves with their PIN.
Even if an EMV chip card is stolen, the chip number by itself is useless. The PIN also is needed — and can be changed at any time.
In 2011, the UK Cards Association and Financial Fraud Action UK published a card fraud report which concluded that U.K. counterfeit fraud losses fell by more than 63 percent since 2004 thanks to the EMV chip card (also known as “chip and pin”).
Even better – once merchants upgrade to EMV, it’s not difficult to make the jump to point-to-point encryption (P2PE), which establishes a hardware to hardware connection. That’s important because hardware – unlike software – can’t be infected.
Sounds good so far, right?
It’s definitely a step forward, but it isn’t foolproof.
For one thing, hackers and other bad guys never stop looking for an edge. If there’s a weakness to exploit, they’ll eventually find it.
And while in-store fraud may decline, online fraud may increase, according to security experts.
Instead of using stolen credit-card numbers at stores, criminals will intensify such activity online.
“Fraud is much like natural phenomenon, whether that be the flow of water or electricity, in that it moves to the path of least resistance,” Al Pascual, analyst for Javelin Strategy & Research, told www.csoonline.com.
Although websites will require the PIN to complete a transaction, hackers could likely steal that, as well as a card number. Considering how many people have pins of “1234”or “4321” or “1111,” it isn’t a stretch to think hackers will be able to collect PINs.
Meantime, in 2012, a Cambridge University study reported that payments can be compromised if merchants use incorrect terminals that don’t follow best practices guidelines.
Also in 2012, two MWR Labs researchers demonstrated a “PinPadPwn” attack. They programmed a smartcard that looked like a real credit card and exploited a weakness in an EMV-compatible terminal they’d bought off of eBay. The weakness allowed them to take control of the device screen and install malware that tricked the terminal into believing that any PIN was correct.
The point here isn’t to scare you into a state of panic, but to let you know that security is a never-ending battle – a battle that FreedomPay is fighting with our best-in-class platforms, especially in the aforementioned P2PE market. Together with our industry partners we work to provide the most secure commerce platforms in North America.