Posted by Kevin on April 20, 2015.
Jeremy King, EMEA director of the PCI Security Standards Council, was talking to senior CISOs from major US finance, retail and pharmaceutical companies. His subject was the EMV chip and PIN bank cards now coming to the US. The massive heists from Target, Home Depot and other US retail giants have made this inevitable, although it won’t happen overnight. Nevertheless, the reality is that mag stripe bank cards just don’t cut it anymore.
The US is late coming to EMV cards. The cause has much to do with the sheer size of the US bank card market, some 12 times the size of the UK market. Because of that size, the migration will take five years to reach something like 85% coverage. As it happens, however, King expects the US to transform from a center for bank card fraud to one of the most secure areas in the world.
That’s because EMV technology doesn’t stand still. UK cards are replaced every three years. King noted that every time he has received a new card, he has received new technology held on that card. The US will benefit from many years of continuous security development and will receive the very latest technology.
That doesn’t mean that EMV cards will solve all US card fraud. The experience from Europe is that they dramatically reduce face-to-face (F2F) fraud but have much less effect on card-not-present fraud. The reason is fairly obvious: for F2F transactions the card’s keys stay inside the chip, which uses them to cryptographically authenticate each transaction, while the transaction is further supported by the second factor of the PIN.
King noted that there are two options for that second factor: a PIN (something you know), or a signature (basically a biometric). The weakness in the PIN is that if both the card and the PIN are stolen together, there is nothing to prevent the criminal from emptying the associated bank account at ATMs. However, exactly the same applies if a signature can be forged. King himself sees little difference in security between the two options, but prefers the PIN because it is very much simpler for the user.
The criminal attacks that breached Target et al simply scraped the unencrypted card data from the POS terminal’s RAM, where the magnetic stripe’s track data sits in the clear before it is encrypted and sent on to the bank. That track data was then exfiltrated, ultimately, to the criminals, who can use it in card-not-present fraud or encode it onto cloned cards.
The difference with EMV technology is that the cryptography starts in the chip on the card itself: the chip holds keys that never leave it and generates a transaction-unique cryptogram for every payment. Currently, some of the routing data (the card number included) still travels unencrypted, although it will be encrypted as PCI’s point-to-point encryption programme, built on SRED-approved terminals, becomes more prevalent. Nevertheless, the same RAM-scraping attack on an EMV transaction will simply not acquire enough data for an easy fraud: what is captured cannot be replayed or used to build a working clone.
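To make concrete what a RAM scraper is looking for, here is an added example (my own code, not from the article and not any named malware) that scans a constructed memory buffer for ISO 7813 Track 2 data: a 13 to 19 digit PAN, the field separator, expiry and service code. The Luhn check is what separates real card numbers from other digit runs, and the first digit of the service code records whether the card also carries a chip. The same logic is what an investigator runs over a memory image to confirm that track data was exposed in the clear; the sample buffer and the public test card numbers in it are constructed for the demo.

```python
import re

# ISO 7813 Track 2 layout: [;]PAN=YYMM SSS discretionary[?]
# PAN is 13-19 digits, '=' is the field separator, SSS is the service code.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf):
    """Scan a byte buffer (process memory dump, packet, log) for Track 2 records."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue                        # most random digit runs fail Luhn
        service_code = m.group(3).decode()
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry": m.group(2).decode(),  # YYMM
            "service_code": service_code,
            # first service-code digit 2 or 6 means the card also carries an EMV chip
            "chip_card": service_code[0] in "26",
        })
    return hits


# Constructed sample "memory" for the demo: two Track 2 records using the public
# Visa and Mastercard test numbers, plus one digit run that fails the Luhn check.
SAMPLE_RAM = (
    b"\x00\x00POS v2.1\x00;4111111111111111=25121011234567890?\x00\x00"
    b"counter 1234567890123=2512101?\x00"
    b";5555555555554444=2603201000000000?\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_RAM):
        print(f"offset {hit['offset']:4d}: {mask_pan(hit['pan'])} exp {hit['expiry']} "
              f"svc {hit['service_code']} chip={hit['chip_card']}")
```

Run as a script it prints the two valid records with the PAN masked; the third digit run is dropped by the Luhn filter. A record whose service code starts with 2 or 6 came from a chip card's stripe, which is exactly the data a terminal should not have accepted on the stripe in an EMV market.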
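Why the scraped data is not enough, as an added illustration (my own code, not from the article, and deliberately not EMV's actual algorithm): a simplified model of the EMV online cryptogram (ARQC). The real scheme derives 3DES or AES session keys from an issuer master key and MACs a fixed list of transaction fields; here an HMAC-SHA256 over PAN, transaction counter, amount and the terminal's unpredictable number stands in for it, and the test PAN and challenge values are constructed. The property it demonstrates holds for the real scheme: the key never leaves the chip, and the counter (ATC) plus the terminal's challenge bind each cryptogram to one transaction, so a full copy of what passed through the terminal can neither be replayed nor used to answer a new terminal's challenge.

```python
import hashlib
import hmac
import os


def cryptogram(key, pan, atc, amount, un):
    """MAC over the transaction data. Stand-in for the EMV ARQC computation."""
    data = f"{pan}|{atc}|{amount}|{un.hex()}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Simplified EMV chip: a card key that never leaves the card and an
    Application Transaction Counter (ATC) that increments on every use."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key          # personalised by the issuer, never exported
        self.atc = 0

    def generate_cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        return {
            "pan": self.pan,              # travels in the clear; this is what a scraper sees
            "atc": self.atc,
            "amount": amount,
            "un": unpredictable_number,   # 4-byte challenge chosen by the terminal
            "cryptogram": cryptogram(self._key, self.pan, self.atc,
                                     amount, unpredictable_number),
        }


class Issuer:
    """Issuer host: holds a copy of every card key and the highest ATC seen per card."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enrol(self, pan):
        key = os.urandom(16)
        self.keys[pan] = key
        self.last_atc[pan] = 0
        return key

    def authorise(self, tx, terminal_un):
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        if tx["un"] != terminal_un:                 # made for a different challenge
            return False
        if tx["atc"] <= self.last_atc[tx["pan"]]:   # counter already used: replay
            return False
        expected = cryptogram(key, tx["pan"], tx["atc"], tx["amount"], tx["un"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False
        self.last_atc[tx["pan"]] = tx["atc"]
        return True


def demo():
    issuer = Issuer()
    pan = "4111111111111111"                  # public Visa test number
    card = ChipCard(pan, issuer.enrol(pan))

    un1 = bytes.fromhex("1a2b3c4d")           # terminal A's challenge (constructed)
    tx1 = card.generate_cryptogram(1999, un1)
    genuine = issuer.authorise(tx1, un1)

    # Attacker scraped tx1 in full from terminal A's memory and sends it again.
    replay_same_terminal = issuer.authorise(dict(tx1), un1)

    # ...and tries it at terminal B, which issues its own challenge.
    un2 = bytes.fromhex("99887766")
    replay_new_terminal = issuer.authorise(dict(tx1), un2)

    # A "cloned" chip without the key cannot answer terminal B's challenge.
    forged = dict(tx1, atc=tx1["atc"] + 1, un=un2, cryptogram=os.urandom(8))
    forged_accepted = issuer.authorise(forged, un2)

    return {
        "genuine": genuine,
        "replay_same_terminal": replay_same_terminal,
        "replay_new_terminal": replay_new_terminal,
        "forged": forged_accepted,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} accepted={accepted}")
```

Only the genuine transaction is authorised. Note what the attacker still walks away with: the PAN and amount in the clear, which is why the next paragraph's card-not-present fraud is unaffected by the chip.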
Where EMV technology doesn’t help is in card-not-present internet fraud. Here all the fraudster requires are the card details together with the three-digit (sometimes four-digit) security code printed on the card; the second factor (the PIN or signature) is not required for the transaction. EMV technology makes it more difficult for criminals to steal the data from the point-of-sale terminal, but not necessarily from the merchant’s database.
This, suggested King, is why compliance with PCI DSS matters so much alongside EMV cards in preventing online fraud. Together, EMV cards (at the point of sale) and improved online security (for the merchant databases) will make the theft of useful bank card details very, very difficult.
But he came with a warning. Improving security doesn’t get rid of criminals – it just sends them elsewhere. In this case he suggested that although fraud activity in Europe has decreased dramatically since the launch of chip and pin cards, it will quite possibly increase again following the introduction of the latest and improved technology in the US. Faced with increasing difficulties in the US, the criminals will simply move somewhere else. It could be the Middle East, Asia, South America or even back to Europe; and those markets should prepare for increased criminal activity following the introduction of EMV to the US.
With greater certainty, however, we can predict that criminal attempts to steal unencrypted card details for use in card not present fraud will almost certainly increase on both sides of the Atlantic. This will likely see a dramatic rise in phishing and spear-phishing attacks – and as we will see next week, spear-phishing is almost impossible to prevent.
see also: Phishing: detection and prevention
Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.