Here in the US, October 1, 2015 was the deadline for US-based banks and retailers to roll out chip-embedded payment terminals that can accept payment cards equipped with chips. Otherwise, they are responsible for credit card fraud.
Designed to make transactions more secure, the so-called EMV (for Europay, MasterCard, and Visa) cards store your data in encrypted form and only transmit a one-time-use token for each transaction. This two-factor authentication method makes it harder for hackers to counterfeit the cards… but not impossible.
Despite the fact that 60% of customers still have old-style credit cards and many merchants aren’t accepting the chip-and-PIN cards yet, cybercriminals are already hard at work hacking the new cards.
Here are some of the hacks on chip-and-PIN cards that have made headlines in recent weeks:
- Back in 2012, crafty cybercriminals in France jury-rigged the chips in stolen credit cards to create an ingenious “man-in-the-middle” attack.
- Researchers in the UK were able to exploit the “contactless transaction” function in the card system developed by VISA, such that a thief carrying a homemade card reader could conduct fraudulent transactions just by getting close to the victim’s wallet or purse. “With just a mobile phone, we created a PoS terminal that could read a card through a wallet,” said the lead researcher.
- Exploiting poor cryptography in ATM machines, researchers have been able to predict the random numbers required by the EMV protocol, and from there “clone” credit and debit cards for future fraudulent transactions.
Banks and payment processors refer to the October 1 deadline as “liability shift.” If you haven’t upgraded to EMV readers and someone pays with a fraudulent chip card, the liability falls on you—not the card issuer. As VISA puts it: “The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card-present counterfeit fraud losses.”
Affected businesses should switch to EMV-ready terminals ASAP in order to eliminate that potentially huge risk. Switching to the new terminals is also a way to offer security and convenience to customers who want to use mobile payment methods like Apple Pay and Google Wallet.
That said, industry experts uniformly expect the transition to EMV in the US to be gradual. Canada, Mexico, much of Europe and other countries have been using EMV technology for up to fifteen years.
Without a holistic, comprehensive approach to information security management, there’s no way most businesses can stay ahead of hackers. Contact Pivot Point Security to talk about your unique situation and how we can help.