US switch to chip-and-PIN cards not a panacea for fraud
The massive breach that Target suffered late last year was the proverbial straw that broke the camel’s back and made the company decide to move to chip-and-PIN card technology.
But they are not the only ones that decided to do switch magnetic-stripe cards with chip-enabled ones. Major payment card issuers have announced back in 2012 that they will begin migration to the chip-and-PIN (i.e. EMV) system in the US, and multiple US-based banks and card issuers have announced the move to cards with EMV chip-and-sign technology.
Retailers were initially reluctant to add support for it, but many are now rushing to effect the transition before October 2015, when the major card issuers (AmEx, MasterCard, Visa, Discover) plan to implement a liability shift that will make retailers who haven’t deployed EMV technology liable for any and all fraudulent transactions.
While the change is welcome, it is by no means a panacea for payment card fraud. The chip-and-PIN system definitely has its (exploitable) flaws, and only some of them have been addressed, Ross Anderson, a security engineering professor at the University of Cambridge in the UK, who along with his colleagues has been testing the security of payment systems for years, noted in his presentation at the Black Hat security conference.
It is also a well known fact that when the chip-and-PIN system was rolled out in Europe, the fraudsters shifted to making card-not-present transactions, i.e. placing orders online or over the phone with retailers that don’t ask for the card’s security code and/or don’t verify the billing address.
In addition to this, in some cases EMV transactions are not immune to RAM-scraping malware, so we can expect cyber crooks to continue compromising PoS terminals.
Nevertheless, the change is set to happen and, according to Anderson, it will be great to see which system will turn out to be better: the chip-and-PIN, or the chip-and sign. Also, if the EMV system is, indeed, safer than the magnetic-stripe card technology.
He is only worried that the banks will try to shift fraud costs onto the consumer if the fraudulent transaction is authorized with the correct PIN, but hopes that US consumer protection organizations will step in and prevent this turn of events.