About Adam K Levin | Contact | Videos

Here’s How the New Chip-and-PIN Credit Cards Could Be DOAColumnData SecurityBlog



A recent Gallup survey found that 69% of Americans worry “frequently” or “occasionally” about having a credit card compromised by computer hackers. It’s not shocking. Consumers are becoming more educated on the topic, and financial institutions are beginning to do more to combat fraud, including introducing new types of credit cards. One example of the latter is chip-and-PIN technology, which everyone from consumers to the president has hailed for its ability to help prevent fraud. But is it the panacea that it’s been made out to be?

Let’s take a closer look at exactly what this technology entails. Unlike cards that use a magnetic stripe containing a user’s account information, chip-and-PIN credit cards implement an embedded microprocessor that contains the cardholder’s information in a way that renders it invisible even if hackers grab payment data while it is in transit between merchants and banks. The technology also generates unique information that is difficult, but not impossible, to fake. There is a cryptogram that allows banks to see if the data flow has been modified and a counter that registers each sequential time the card is used (sort of like the numbers on a check), so that a would-be fraudster would have to guess the exact historical and dynamic transaction number for the charge to be approved.

Already used in every other G20 country as a more secure payment method, chip-and-PIN cards can be found on the consumer side of a global payment system known as EMV (short for Europay, MasterCard and Visa). The system will be rolled out in the U.S. in 2015, and many of us in the banking and data-security industries believe that it will stanch the flow of money lost to hackers while simultaneously cutting down on credit and debit card fraud.

MasterCard, Visa and American Express have already begun sending out chip cards to their American cardholders. While the technology is expensive—the rollout of chip cards in the U.S. will cost an estimated $8 billion—it’s crucial to point out that this cost may balloon exponentially if the implementation of the new technology is done incorrectly, as a recent spate of fraudulent charges using chip-and-PIN-based technology shows.

This recent trend is one early sign that chip-and-PIN may not be the cure-all many consumers were hoping for, at least during the rollout phase. According to Brian Krebs, during the past week, “at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.”

The curious part about this spate of credit and debit card fraud is that fraudsters used account information pilfered from old-school magnetic stripe cards skimmed in that attack and ran them as EMV purchases in what’s called a “replay” attack. “After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly,” Krebs reported. It sounds confusing but the bottom line is money was stolen.

As with many scams, this particular evolution in the world of hacking for dollars cannot succeed without human error, which is probably the biggest liability in the coming chip card rollout. Krebs spoke with Avivah Litan, a fraud analyst with Gartner Inc. who said, “It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it.” In a similar attack on Canadian banks a few months ago, one bank suffered a large loss because it was not checking the cryptogram and counter data, essential parts of the protocol.

As with all solutions in the realm of data-security, there is no such thing as a sure thing. Whether the hackers banked a false sense of security at the institutional level, knowing that the protocols might be deemed an unnecessary expense, or the recent attacks are merely part of the chip card learning curve, this latest technology is only as good as its implementation.