Chip and PIN, or EMV Cards: Are They The Answer?

In an attempt to combat the epidemic of data breaches, and to save themselves from liability, most of the credit card industry will be moving to the Chip and PIN card, also known as the EMV card, by October of this year.  But will this really have any effect on our personal data security?

The new cards will have embedded microchips in them that will identify them as legitimate, authorized bank cards.  The chip will contain the data that used to be stored in the old magnetic strip.  Every time a consumer makes a purchase, a one-time-only transaction code will be generated and cryptographically signed. Combined with the traditional PIN, the random code is meant to thwart skimmers, or other thieves who collect data from the cards.
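The one-time transaction code described above can be modelled from the card issuer's side, showing why a captured code is useless when it is resent or altered. This is an added example, not code from the original post or from the EMV specification: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `Card`, `Issuer` and `demo` names, the message layout and the sample amounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def transaction_bytes(counter, amount_cents, currency, nonce):
    # Unambiguous encoding of everything the code must cover (assumed layout).
    return f"{counter}|{amount_cents}|{currency}|{nonce.hex()}".encode()


def compute_code(key, counter, amount_cents, currency, nonce):
    # Stand-in for the card's cryptogram: a truncated keyed MAC.
    msg = transaction_bytes(counter, amount_cents, currency, nonce)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: the key never leaves the chip; the counter only goes up."""
    def __init__(self, key):
        self._key = key
        self._counter = 0

    def sign(self, amount_cents, currency, nonce):
        self._counter += 1
        return self._counter, compute_code(
            self._key, self._counter, amount_cents, currency, nonce)


class Issuer:
    """Bank side: recomputes the code and tracks the last counter seen."""
    def __init__(self, key):
        self._key = key
        self._last_counter = 0

    def authorize(self, counter, amount_cents, currency, nonce, code):
        expected = compute_code(self._key, counter, amount_cents, currency, nonce)
        if not hmac.compare_digest(expected, code):
            return "declined: bad code"
        if counter <= self._last_counter:
            return "declined: replayed counter"
        self._last_counter = counter
        return "approved"


def demo():
    key = secrets.token_bytes(32)      # constructed sample key
    card, issuer = Card(key), Issuer(key)
    nonce = secrets.token_bytes(4)     # terminal's unpredictable number
    ctr, code = card.sign(2599, "USD", nonce)
    return [
        issuer.authorize(ctr, 2599, "USD", nonce, code),      # genuine purchase
        issuer.authorize(ctr, 2599, "USD", nonce, code),      # same message resent
        issuer.authorize(ctr + 1, 2599, "USD", nonce, code),  # counter changed
        issuer.authorize(ctr, 99999, "USD", nonce, code),     # amount changed
    ]
```

Both checks live on the issuer side: the code only protects a transaction if the bank actually recomputes it and rejects counters it has already seen.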

Some credit card companies are planning to bypass the PIN piece of the puzzle in favor of a simple signature. This seems to be because they’re concerned that consumers will forget their PIN and be inconvenienced.  Wouldn’t you be more inconvenienced if your card was compromised?  How many times have you had your signature checked or verified after signing a receipt?

If there’s one thing we should have learned by now, it’s that it is always only a matter of time before a new technology is broken.  Ultimately, security is a race between the attackers and the defenders.  Sometimes the attackers are ahead (Hello, 2014), and sometimes the defenders are (Fingers crossed, 2015).

As excited as U.S. banks seem to be getting about the Chip and PIN (or signature) cards, the reality is that the attackers have already beaten it.

In November of 2014, researchers from Newcastle University announced that they had discovered a flaw in the new system that would allow the cards to be used to make fraudulent transactions without ever having been physically used or seen.  Since the Chip and PIN cards have the ability to make contactless transactions to save time, an attacker could carry a mobile phone with a fake PoS terminal and simply pull money from the card through a person’s purse or wallet, without even needing the PIN.  The flaw would allow fake purchases to be made, in any foreign currency, up to 999,999.99.

How about the ‘replay’ attack Brian Krebs unearthed back in October of 2014?  In this case, attackers used card accounts stolen in the Home Depot breach as if they were Chip and PIN accounts, and ran them successfully!

Then there’s the fact that microchips are programmable.  All the way back in August of 2014, researchers demonstrated at Black Hat that the Chip and PIN cards could be programmed to drop malware onto the PoS systems, telling them not to encrypt the transactions and not to forget them.  Then the attackers could swing by with another reprogrammed card, and pull all of that information from the machine.

These are only the flaws that we already know about.  What about the workarounds that haven’t come to light yet?  All Chip and PIN does is give credit cards the ability to not take any kind of responsibility in the event of a breach.  They get to claim that a breach wasn’t their fault.

Realistically, what can be done? In a constant tug-of-war between the attackers and the defenders, the attackers attempt to keep their methods secret, while the defenders have to announce their breakthroughs. It’s probable that we’ll never reach a fully secure state.

So, what can we do?  We can implement the best and most up-to-date security.  We can educate ourselves and the rest of the world, so that we are not just sheep lining up for the slaughter.  We can mitigate the damage by separating data and devices, so that if they’re ever compromised they can’t infect others.

 

For information on how you can prevent your organization from being breached, visit www.miltonsecurity.com or call 714-515-4011.
