New payment technology will make cards harder for data thieves to hack, but the protection features have holes.
As the United States lumbers toward a new credit card technology to thwart data thieves like the ones who struck Target Corp., payment security experts say the new system is far from foolproof.
The chip-based smart cards, already in use in much of the world, make it much harder to produce counterfeit cards. But the cards are less effective against the widespread and growing threat of bogus online transactions that require only account information.
EMV, as the technology is known, changes the game but won’t prevent all fraud.
“It’s not a panacea,” said Paul Tomasofsky, an electronic payments expert who heads Two Sparrows Consulting in Montvale, N.J.
EMV, which stands for Europay/MasterCard/Visa, is a fairly old approach rooted in experiments to deter fraud with microprocessor chips embedded in payment cards in France in the 1980s. It spread throughout Europe and became a global standard.
But because of the sheer size of the fragmented U.S. payments system, and the huge cost to convert, the United States is one of the last countries in the world to make the change.
There’s general agreement that EMV alone would not have prevented the Target breach, in which thieves accessed data from as many as 110 million customer accounts. But EMV would have reduced the value of the information by making it almost impossible to clone the cards.
That’s EMV’s biggest boast, that it prevents counterfeit card fraud. “It does that spectacularly,” said Jeff Hall, a security consultant in the Twin Cities for Overland, Kan.-based FishNet Security.
However, that’s only part of the challenge. Online fraud that doesn’t require the presence of an actual card now accounts for nearly half of all credit card fraud in the United States, according to Fair Isaac Corp., and studies show that adopting EMV drives crooks to this card-not-present fraud.
EMV has a vulnerability
EMV has a weakness at the point of sale. While data in the card’s memory chip is encrypted when the card isn’t in use, the data is momentarily vulnerable when customers pay.
Proponents of EMV say this isn’t a big flaw because the chip spits out a unique, one-time-only security code to encrypt the data for transmission.
But critics say that if thieves compromise the card terminal or the register at just the right point, they can access the data before transmission, circumvent the one-time security code and get access to the information they want. The bulk of online merchants don’t ask for the 3- or 4-digit security code on a card, Hall said.
There are other security concerns. In the U.S. rollout, banks issuing EMV cards are not required to put a personal identification number, or PIN, on either the debit or credit cards. A PIN, which only the cardholder knows, makes transactions more secure.
More important, magnetic stripes aren’t going away. In an effort to ease the conversion, the new EMV cards will still have magnetic stripes so they will work in stores that lack EMV equipment.
But magnetic stripes are easy to copy and clone. Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research, called the existence of magnetic stripes on EMV cards “a very big security threat.”
U.S. companies are grappling with these issues as the country’s gargantuan payments system undergoes the seismic shift from magnetic stripes to chips. Retailers, banks and myriad other payments players face an October 2015 deadline to be ready.
At that point, Visa, MasterCard, American Express and Discover are shifting the liability for fraud that happens in stores from the card-issuing banks to the merchants, unless the merchant is equipped for EMV.