In the aftermath of the Target financial breach, it seems as if a new instance of credit card fraud has popped up in the news every week. In the past year alone, we've seen major breaches at Michaels, Sally Beauty Supply, Experian, eBay, P.F. Chang's, Goodwill and numerous other major businesses.
It's no secret that credit card fraud is a major problem. The major card companies are attempting to prevent future fraud with a drastic change to how our cards work by next year.
The credit cards currently in our pockets are technologically behind the curve compared with the plastic found in Europe. American cards typically store all their data on the embedded magnetic stripe. An enterprising fraudster merely needs to copy this unencrypted data - usually through the use of a skimmer - and rewrite it to another card with a magnetic stripe, essentially cloning the original card.
European cards, on the other hand, follow the EMV (Europay, Mastercard, Visa) standard and contain an integrated circuit of the same type found in cell-phone SIM cards. In theory, EMV cards offer a safer alternative to magnetic stripes. The data contained within is encrypted, and a four- to six-digit PIN is required at the time of a transaction. While this technology is not foolproof, it is at least somewhat more secure than the magnetic stripe.
Today, if a person's credit card is harvested by a skimmer and then used for fraudulent purchases, the financial liability falls upon the credit card company. That is about to change. According to Dawn Justice, president and CEO of the Idaho Bankers Association, while this switch to EMV cards is not mandatory, it will become a de facto standard by 2015 because of the way the credit card companies will treat future liabilities associated with fraud. New cards will be issued with both an EMV chip and a magnetic stripe for use in older hardware, thus allowing retailers to use their old point-of-sale terminals without any sort of upgrade. However, if a customer's credit card data is compromised, the liability will now fall upon the retailer and not the credit card company.
Technically, retailers are not being forced to upgrade their hardware to accept EMV cards. However, this new shift in liability for the use of magnetic stripe equipment will all but force their hand.
The real question is this: Are these cards as foolproof as the credit card companies would like to believe? Unsurprisingly, the answer is no.
From a security perspective, they are a better alternative than having only a magnetic stripe present, but there are still a number of vulnerabilities that consumers need to be aware of.
First, as mentioned above, new cards will still be issued with a magnetic stripe, which means cards will still be vulnerable. Once the EMV hardware has been universally adopted, this will not be as much of a problem. If a person clones the magnetic stripe but has nowhere to use it, it will do the cloner little good.
EMV point-of-sale terminals will not require you to hand a card to a clerk. But if someone replaced a point-of-sale terminal with a compromised unit that also skimmed the magnetic stripe - a common tactic in the world of credit card fraud - the card could still be cloned.
Furthermore, the EMV chip will not protect the card user from fraud in card-not-present transactions like online shopping. Unless we reach the point where every computer has an embedded smart-card reader, users will still have to enter human-readable data found on the card into a website to make a purchase. That data - card numbers and security codes - can be intercepted by a keylogger or other piece of malware and used for fraudulent online purchases.
Finally, even one of the biggest fundamentals of the EMV system - the PIN - has proved to be less than secure in the past. A 2010 study by Cambridge University researchers revealed that certain implementations of the EMV chip-and-PIN system were vulnerable to what they dubbed a "wedge" attack, which allows an electronic device to essentially "wedge" itself into the transaction and send the "PIN Accepted" command to the terminal, regardless of the PIN entered. This would allow stolen EMV cards to be used without knowledge of the owner's actual PIN. Through a wedge attack, a pickpocket could use "0000," "1234" or any other numerical arrangement and the system would accept it as a valid PIN.
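A wedge leaves a detectable inconsistency: the terminal believes a PIN was accepted while the card itself verified none. The sketch below is an added example, not code from the article or the Cambridge study. It models an issuer-side check that trusts only the card's authenticated record; the field names and the demo key are hypothetical, and HMAC-SHA256 stands in for the card's real cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed demo key. Stands in for the secret a card shares with its issuer.
CARD_KEY = b"constructed-demo-key"


def card_mac(amount_cents: int, card_pin_verified: bool) -> str:
    """MAC over the amount and the card's own record of PIN verification."""
    msg = f"{amount_cents}|{int(card_pin_verified)}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


def authorization(amount_cents, card_pin_verified, terminal_pin_verified):
    """Authorization request as the issuer receives it (hypothetical fields)."""
    return {
        "amount_cents": amount_cents,
        "card_pin_verified": card_pin_verified,          # card's view, under the MAC
        "mac": card_mac(amount_cents, card_pin_verified),
        "terminal_pin_verified": terminal_pin_verified,  # terminal's claim, not under the MAC
    }


def issuer_decision(auth: dict) -> str:
    """Verify the card's MAC first, then compare the two views of the PIN check."""
    expected = card_mac(auth["amount_cents"], auth["card_pin_verified"])
    if not hmac.compare_digest(expected, auth["mac"]):
        return "decline: card data does not match its MAC"
    if auth["terminal_pin_verified"] and not auth["card_pin_verified"]:
        return "decline: terminal reports PIN accepted, card verified no PIN"
    return "approve"


def sample_decisions() -> dict:
    """Run the check over three constructed authorization requests."""
    normal = authorization(2500, True, True)
    mismatch = authorization(2500, False, True)      # the state a wedge leaves behind
    edited = dict(mismatch, card_pin_verified=True)  # flag changed without the key
    return {name: issuer_decision(a) for name, a in
            [("normal", normal), ("mismatch", mismatch), ("edited", edited)]}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {decision}")
```

The third case shows why the card's view has to be covered by the MAC: flipping the flag in transit to hide the mismatch fails verification instead.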
From the consumer's perspective, it is important to recognize what the new cards are, and what they are not. The illusion of security can oftentimes be more dangerous than a lack of security entirely. If consumers have the false idea that their new cards are fraudproof, they might engage in online transactions on shady websites or otherwise not treat their cards with as much security as they would for an older magnetic-stripe card.
The fact is, the EMV upgrade will not prevent credit card fraud - it will simply change the way it is conducted. In-store carding will likely see a decline, much as it has in Europe, so criminals will instead focus more of their efforts online. For business owners who operate both physical and online storefronts, this new technology will merely represent a shifting in fraud-prevention priorities.
Written in collaboration with information security expert Dylan Evans, Reveal's vice president of operations.