That Big Security Fix for Credit Cards Won’t Stop Fraud
Tomorrow is the deadline that Visa and MasterCard have set for banks and retailers across the US to roll out a new system for more secure bank cards with microchips embedded in them.
Over the last few years, card issuers have spent between $200 million and $800 million to distribute new debit and credit cards to accountholders, while large retailers like Target, Home Depot and Walmart have spent more than $8 billion to install new card readers capable of reading the chips.
Despite this effort, retailers say the new system is highly flawed because instead of issuing the so-called chip ‘n’ PIN cards that offer two-factor authentication, banks and other card issuers are distributing chip ‘n’ signature cards, which thieves can easily undermine.
“Chip and PIN has been proven to combat fraud dramatically,” says Brian Dodge, executive vice president of the Retail Industry Leaders Association. “But that’s not what American consumers are getting, and thus far banks have gone to great lengths to blur the lines between the two distinctly different transactions.”
Even with PINs, however, the new technology will not eliminate fraud, but will simply shift the type of fraud that occurs.
The Hope of a More Secure System
The new technology—called EMV for Europay, MasterCard and Visa—consists of cards with a microchip that contains data traditionally stored in the card’s magnetic strip. These work with new point-of-sale readers that scan the chip and process payment transactions in a secure manner using encryption.
The chip reduces fraud because it contains a cryptographic key that authenticates the card as a legitimate bank card and also generates a one-time code with each transaction. This means thieves can’t simply take account numbers stolen in a breach and emboss them onto the magnetic strip of a random card, or program them onto the chip of a random chip card, to make fraudulent purchases at stores or unauthorized withdrawals at ATMs.
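To make the mechanism in the paragraph above concrete, here is a small added illustration, written for this article and not code from Visa, MasterCard or the EMV specification: a toy chip card holds a secret key that never leaves it and produces a per-transaction code (a MAC over the account number, a transaction counter, the amount and a terminal nonce), while the issuer holds the same key and checks both the code and the counter. The scenarios at the end show why a captured code cannot be replayed, why a counterfeit card that knows only the account number fails, and why a static magnetic-stripe record offers no such protection. The HMAC-SHA256 construction, the field layout and the 16-digit test account number are assumptions chosen for readability; real EMV cryptograms use issuer-derived session keys and a different message format.

```python
import hashlib
import hmac
import secrets

# Toy per-transaction cryptogram: HMAC-SHA256 over the fields an issuer
# would want bound together, truncated to 8 bytes. This layout is an
# assumption for illustration, not the EMV ARQC definition.
def _cryptogram(key, pan, atc, amount_cents, unpredictable_number):
    msg = f"{pan}|{atc}|{amount_cents}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Card side: secret key plus an Application Transaction Counter (ATC)."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key        # never exported; only cryptograms leave the card
        self.atc = 0

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1           # fresh counter value for every transaction
        return self.atc, _cryptogram(self._key, self.pan, self.atc,
                                     amount_cents, unpredictable_number)


class IssuerHost:
    """Issuer side: knows each card's key and the last ATC it accepted."""

    def __init__(self):
        self.card_keys = {}
        self.last_atc = {}

    def enroll(self, pan):
        key = secrets.token_bytes(16)
        self.card_keys[pan] = key
        self.last_atc[pan] = 0
        return key

    def authorize_chip(self, pan, atc, amount_cents, unpredictable_number, cryptogram):
        key = self.card_keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc[pan]:
            return False        # counter not fresh: a replayed transaction
        expected = _cryptogram(key, pan, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return False        # wrong key or altered amount/nonce
        self.last_atc[pan] = atc
        return True

    def authorize_magstripe(self, pan):
        # Static-data path: nothing distinguishes the genuine card from a
        # copy of its track data, so knowing the PAN is enough.
        return pan in self.card_keys


def run_scenarios():
    """Constructed scenarios; returns which authorizations the issuer accepts."""
    issuer = IssuerHost()
    pan = "4111111111111111"                     # constructed test PAN
    card = ChipCard(pan, issuer.enroll(pan))
    nonce = 0x1A2B3C4D                           # terminal-supplied nonce (constructed)

    # 1. Genuine purchase of $19.99.
    atc, crypt = card.generate_cryptogram(1999, nonce)
    genuine = issuer.authorize_chip(pan, atc, 1999, nonce, crypt)

    # 2. The same captured message submitted again.
    replay = issuer.authorize_chip(pan, atc, 1999, nonce, crypt)

    # 3. Captured cryptogram resubmitted with the amount changed to $99.99.
    tampered = issuer.authorize_chip(pan, atc, 9999, nonce, crypt)

    # 4. Counterfeit chip that knows the PAN and guesses the next counter
    #    but has no copy of the card key.
    fake = ChipCard(pan, secrets.token_bytes(16))
    fake.atc = card.atc
    atc2, crypt2 = fake.generate_cryptogram(1999, nonce)
    counterfeit = issuer.authorize_chip(pan, atc2, 1999, nonce, crypt2)

    # 5. A later genuine purchase still works after the rejected attempts.
    atc3, crypt3 = card.generate_cryptogram(500, nonce + 1)
    genuine_again = issuer.authorize_chip(pan, atc3, 500, nonce + 1, crypt3)

    # 6. Stolen PAN presented over the static magnetic-stripe path.
    stolen_pan_magstripe = issuer.authorize_magstripe(pan)

    return {
        "genuine": genuine,
        "replay": replay,
        "tampered": tampered,
        "counterfeit": counterfeit,
        "genuine_again": genuine_again,
        "stolen_pan_magstripe": stolen_pan_magstripe,
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:22s} accepted={accepted}")
```

The last scenario is the point the rest of the article turns on: the issuer's chip path rejects every reuse of stolen data, but a channel that checks only static data (a magnetic-stripe fallback, or an online form that asks for nothing the card itself computes) accepts the same account number without complaint.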
The dictum to switch to chipped cards in the US came from Visa and MasterCard in response to an increase over the last decade in high-profile breaches involving bank card data. The companies imposed an October 1 deadline to transition to the new technology, after which any business that accepts credit and debit card payments but doesn’t have EMV readers in place could face increased liability for fraudulent transactions conducted with stolen cards or data. The same goes for an issuer who hasn’t distributed secure cards to accountholders. Gas stations received a reprieve and have until 2017 to replace readers at fuel pumps.
The move to EMV technology was prompted by the fact that the cards and readers have been used in the UK and Canada for years to great effect, reducing certain types of fraud by 67 percent, according to the UK Cards Association. But both of these countries use chip ‘n’ PIN cards, which require customers to enter a four-digit PIN when conducting transactions. Many banks and other card issuers in the US, however, are forgoing the PIN and simply requiring cardholders to use a signature for in-store debit and credit card transactions. They can do this because the new EMV readers retailers are installing still have, in addition to a PIN pad, a signature pad and magnetic-strip reader to accommodate customers who haven’t yet migrated to the new chip cards. Out of the estimated 1.2 billion credit and debit cards currently in circulation in the US, only about 200 million are chip cards as of the end of August, according to Randy Vanderhoof, director of the EMV Migration Forum. This leaves the majority of accountholders still using old magnetic-strip-only cards until the rollout is completed next year.
Signature Cards Just Don’t Cut It
The retail industry says the use of signatures with chip cards is less secure because signatures are easy to forge, and card readers don’t make any attempt to authenticate them.
The card industry defends the use of signatures, however, saying the power to combat fraud lies in the chip, not the PIN or the signature. PINs add an extra layer of protection only for cards that are lost or stolen, says Vanderhoof. They’re not needed to protect against counterfeit-card fraud, whereby a hacker steals a lot of card data from a retailer’s network then embosses it onto counterfeit cards to make fraudulent purchases in stores.
But retailers say that fraud from lost or stolen cards is not trivial. “I’ve seen as much as 30 to 35 percent [quoted],” says Mark Horwedel, CEO of the Merchant Advisory Group. “Most of the cost of counterfeit card fraud is eaten by the banks themselves, while the cost of lost and stolen card fraud is divided between merchants and the financial institutions.”
Merchants also say they fear that if thieves find a way to clone or otherwise subvert the chip in EMV cards, there will be nothing to prevent them from using the card data if a PIN isn’t required for transactions. Researchers have already found a vulnerability that would allow an attacker to generate the supposedly secure unique transaction code the chips generate, and retailers say it may only be a matter of time before they can clone the chip as well.
“If you only have one way of stopping the cyber thief, they’re going to put all their energy into getting around that,” says Jason Brewer, spokesman for the Retail Industry Leaders Association. “By not having the PIN, you’re only forcing them to figure out a way to get around the chip. There are already skimmers [devices placed on card readers to sniff data] trying to figure out how to get around the chip. Why not do the two-factor authentication?”
Banks Are Dragging Their Feet
Visa and MasterCard could have resolved this problem by forcing card issuers to use chip ‘n’ PIN only; but they never did.
Why some card issuers have chosen to require only a signature instead of a PIN is up for interpretation. “We can’t speak for all banks but one reason a bank may be issuing signature-preferring cards today is because cardholders are used to signing for most card purchases and adding a PIN would add cost and complexity,” Vanderhoof told WIRED. “This approach allows them to get chip cards in consumers hands quickly and start protecting against counterfeit card fraud, and then they may take the opportunity to introduce PIN-preferring cards later down the line.”
Avivah Litan, an analyst with Gartner Research who specializes in card fraud among other things, says this argument is bogus.
“This argument that [signatures are] more convenient for consumers is … not a legitimate argument if you look at the evidence with the consumer experience in Canada and other countries. The PIN has not been a barrier,” she notes.
Not to mention, Brewer adds, that cardholders are already used to using PINs at ATMs and four-digit passcodes to unlock their mobile phones. If there’s any confusion on the part of cardholders about using the new cards, he notes, it’s due to the fact that card issuers have been poor at communicating how the chip cards are different from old cards. According to a recent survey of 1,000 cardholders, the majority who received new chip cards from their card issuers didn’t know why they had received them. And only about 30 percent were even aware that the US was in the process of migrating to EMV technology.
Instead, Litan suggests there’s another reason why banks in particular want to use signatures with the new cards instead of PINs. “Because if the PIN [and card are] stolen, then that PIN [and card] can be used at the ATM machine, where banks are responsible for the fraud,” she told WIRED. Cards that don’t have a PIN associated with them can’t be used at ATMs, but can be used in stores, where the merchants share liability. “They’re more interested in protecting themselves than they are in helping the retailers out.”
The Problem With Even Chip ‘n’ PIN Cards
But even if card issuers were to require PINs instead of signatures, there’s still another problem with the new chip cards: they won’t stop fraud, they’ll simply shift where it occurs. In the UK, where chip ‘n’ PIN cards have been used since 2003, card-present fraud—transactions done in person with a card—has dropped, since thieves are no longer able to use counterfeit cards with stolen data embossed on them. But fraud involving card-not-present transactions—that is, transactions by phone or online—has increased, according to the UK Payments Administration. Neither a PIN nor a signature is required when customers use their cards online, so simply stealing card numbers is sufficient to use them for fraud.
This is bad news for retailers since they, and not card issuers, take the losses for this kind of fraud. “Merchants are fitting the bill for 75 percent of this costly conversion to EMV,” Horwedel says. “And even though merchants are paying 75 percent of the cost to do this, they aren’t getting any relief from counterfeit fraud expenses.”
Retailers and other businesses can thwart this type of fraud by requiring cardholders to provide the three-digit security code—known as the card verification value or CVV—printed on the back of their card. But thieves can defeat this as well by obtaining the security codes through phishing attacks that trick users into relinquishing the codes or by installing malware on a victim’s computer or on less secure ecommerce sites and recording the security codes as consumers type them into web forms.
“Every market [where EMV has been adopted] has seen an explosion with ecommerce fraud despite the fact that CVVs are used, and it will happen here too,” Horwedel says. “It’s very predictable. In a couple of years you’ll see that the merchants are going to be responsible for more fraud than they’re bearing today because internet fraud is going to explode because we have no real solution to prevent ecommerce fraud.”