US switch to chip-and-PIN cards not a panacea for fraud
Posted on 11 August 2014.
The massive breach that Target suffered late last year was the proverbial straw that broke the camel's back and made the company decide to move to chip-and-PIN card technology.


But they are not the only ones that decided to replace magnetic-stripe cards with chip-enabled ones. Major payment card issuers announced back in 2012 that they would begin migration to the chip-and-PIN (i.e. EMV) system in the US, and multiple US-based banks and card issuers have announced the move to cards with EMV chip-and-sign technology.

Retailers were initially reluctant to add support for it, but many are now rushing to effect the transition before October 2015, when the major card issuers (AmEx, MasterCard, Visa, Discover) plan to implement a liability shift that will make retailers who haven't deployed EMV technology liable for any and all fraudulent transactions.

While the change is welcome, it is by no means a panacea for payment card fraud. The chip-and-PIN system definitely has its (exploitable) flaws, and only some of them have been addressed, noted Ross Anderson in his presentation at the Black Hat security conference. Anderson is a security engineering professor at the University of Cambridge in the UK who, along with his colleagues, has been testing the security of payment systems for years.

It is also a well-known fact that when the chip-and-PIN system was rolled out in Europe, the fraudsters shifted to making card-not-present transactions, i.e. placing orders online or over the phone with retailers that don't ask for the card's security code and/or don't verify the billing address.

In addition to this, in some cases EMV transactions are not immune to RAM-scraping malware, so we can expect cyber crooks to continue compromising PoS terminals.

Nevertheless, the change is set to happen and, according to Anderson, it will be great to see which system will turn out to be better, chip-and-PIN or chip-and-sign, and whether the EMV system is, indeed, safer than the magnetic-stripe card technology.

He is only worried that the banks will try to shift fraud costs onto the consumer if the fraudulent transaction is authorized with the correct PIN, but hopes that US consumer protection organizations will step in and prevent this turn of events.











Copyright 1998-2015 by Help Net Security.