The transition to EMV (EuroPay, MasterCard and Visa) credit and debit card transactions in the U.S. has been a bit rocky to say the least. Many retailers, some of whom were already experiencing sticker shock at the cost of upgrading their point-of-sale terminals to support chip-enabled payment cards, are now questioning the benefits of using the technology without requiring two-factor authentication in the form of a PIN. This was one of the primary concerns of security experts in the months leading up to last October’s EMV liability shift, which places the burden of covering the costs associated with a breach back onto retailers who have not implemented the technology.
In June, Home Depot filed a lawsuit against Visa and MasterCard claiming that chip-and-signature provides inadequate protection against the threat of hackers and accuses the companies of colluding to prevent the adoption of chip-and-PIN as part of an effort to protect the higher fees they collect from signature-based transactions. MasterCard told the Wall Street Journal that it leaves the decision on how to verify cardholder identity up to the retailer and the banks who issue the cards.
Dick Mitchell, solutions director for Randstad Technologies, which has been working to help retailers make the transition to EMV, says that while the switch to chip-based cards is in of itself a good first step, the use of both a chip and PIN is needed to make transactions inherently more secure.
“As it’s easy to spoof a signature, the security of the chip can be undercut,” Mitchell says. “Chip-and-PIN cards are more expensive to issue, but if security is the primary aim, chip-and-PIN is the way to go.”
If the legal wrangling wasn’t bad enough, there may be even deeper flaws with the way U.S. retailers have deployed their new EMV-compliant payment terminals. In a presentation at this week’s Black Hat conference in Las Vegas, a pair of researchers from NCR showed how thieves could rewrite the magstripe on the back of a chip card to bypass the new safeguards. The problem, according to the researchers, is that retailers are not encrypting transactions which leave the door wide open to hackers.
However, according to Raj Samani, chief technology officer for Intel Security in Europe, the Middle East and Africa, what the Black Hat presentation shows is not so much that the EMV technology itself is vulnerable but rather the way they’re architected.
“In effect, what they’re showing is the fact that between the PIN entry device and the point-of-sale software is that, first of all, there is absolutely no authentication. There is no way to say, ‘Hey listen, are you the actual device I should be communicating with?’ Second of all, even between the transactions between those devices there is no encryption and so it is showing us, fundamentally, is it is more an issue with regards to the architecture,” Samani explains.
Samani says it is also worth noting that to be able to compromise cards in this way; hackers would still have to construct what is known as a “man-in-the-middle” attack in which the malicious actor would have to insert themselves into communications between the reader and the PoS system. While it has been done in the past, it is not an easy feat to accomplish.
And so long as magstripes exist on payment cards, Mitchell says they will always present a security threat to the industry. “Any chip card has the potential to be more secure than a magstripe,” he says. “I think that chip-and-PIN is better, of course, but so long as the magstripe exists, card data security is at risk.”
Samani says this vulnerability also shows retailers that they can’t expect all of their data security problems to go away by just installing these terminals in their stores and that they have to take steps to ensure that each part of the process is secure.
“It shows us that the bad guys will try to find alternative mechanisms to be able to extract the data they need,” Samani adds. “It’s not just a simple case of saying, ‘Well, now I that I’ve got this point-of-sale EMV-reading capability that’s all that I need.’ In fact, it’s a start with regards to what you need. The reality is criminals are innovating, it is a process and, quite frankly, just going out and saying now that I have purchased product ‘X’ or product ‘Y’ doesn’t necessarily mean it eliminates risk. It certainly reduces risk but it doesn’t eliminate it.”
While some retailers may have had their reputations severely impacted or had their sales slump as the result of a data breach, we’ve haven’t reached the point yet where consumers en masse have flat out refused to do business with a particular store over their cybersecurity posture, however, Samani believes that could eventually happen somewhere down the line.
“I would urge retailers out there to recognize trust as an important commodity in not only gaining customers but also retaining them as well,” he says.
Regardless of whether or not chip-and-PIN is enacted at every U.S. merchant, Samani says criminals will continue to innovate and try to find ways to exploit whatever current generation of security technology might be in place.
“One of the last campaigns we were able to uncover was a ransomware attack that netted the criminals $300 million and what we saw was their reinvestment into new methods of extracting PIN numbers or card data from people,” he adds. “We’ve been using chip-and-PIN (in Europe) for some time now and it doesn’t eliminate the risk because I can still buy credit cards from countries that have chip-and-PIN enabled but it does certainly reduce the risk and it makes it more difficult for criminals to go and do this. We’ve got to start putting a dent in this because the cost of financial fraud is significant globally.”
Joel Griffin is the editor of SecurityInfoWatch.com.