Electronic payments are how the majority of American consumers pay for their goods and services, and yet they are one of the least secure doors to people’s financial data. In the United States the plastic cards themselves are years behind in security features that are used in over 80 other countries around the world. Ironically, it was the United States that came up with the technology but has been among the slowest to adopt it. The technology I am referring to is EMV, or smart cards.
Today all the information required to access an account is stored on the card unencrypted, with no additional hardened security around it. All you need is the card itself, or the data off the card, which can be captured through a Point of Sale (POS) terminal or a card skimmer. With that information a new card can be counterfeited and used, draining a person’s account and costing retailers and banks billions in fraud each year.
Smart cards are designed to reduce the ability to skim and copy a card. A small chip on the card itself enhances the security around the card’s use. This technology is not new; it has been around for over 10 years. Smart cards open the door to protecting the data in three key areas:
- Card authentication – This makes copying a card virtually impossible. Smart cards use dynamic data at the time of the transaction, meaning the number changes each time the card is used. That number is based on a cryptogram set up by the card issuer, the bank, and verified at each use.
- Cardholder verification – Making sure the card’s user is authorized. This can be done through an online PIN, offline PIN, signature or no verification. The card’s issuer can determine when a user should be authorized.
- Transaction authorization – The card itself can be set up to allow or not allow certain kinds of transactions, such as any amount over XXX$. The transaction could be denied before the fraud occurs.
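A simplified model of the card authentication point above, added here as an illustration and not taken from the original post or the EMV specifications. HMAC-SHA256 stands in for the real cryptogram algorithm, and the `Card` and `Issuer` classes, the field names and the card number are constructed for the example.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, atc, amount, nonce):
    # Stand-in MAC over the transaction data (assumption: HMAC-SHA256, not the EMV algorithm).
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Card:
    """Chip model: the key stays on the chip; only cryptograms leave it."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def pay(self, amount, nonce):
        self._atc += 1  # counter changes on every use, so the cryptogram does too
        return {"pan": self.pan, "atc": self._atc, "amount": amount, "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, self._atc, amount, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return Card(pan, self._keys[pan])

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE: counter already used"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

def demo():
    issuer = Issuer()
    card = issuer.issue("0000111122223333")  # constructed card number
    first = card.pay(2500, secrets.token_hex(4))
    results = [issuer.authorize(first)]            # genuine purchase
    results.append(issuer.authorize(dict(first)))  # captured copy presented again
    results.append(issuer.authorize({**first, "atc": 2, "amount": 99900}))  # copied data, fields altered
    results.append(issuer.authorize(card.pay(1200, secrets.token_hex(4))))  # next genuine purchase
    return results

if __name__ == "__main__":
    print(demo())
```

Data copied from one transaction is declined on reuse, while the genuine chip keeps working because it produces a fresh cryptogram each time.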
Today all of the verifications are done manually by the retailer, or fraud is detected after the transaction is completed. The UK has been using smart card technology for the past 10 years, and from 2008 to 2010 the UK saw a 38% reduction in credit card fraud. In the United States less than 1% of credit card transactions use EMV smart cards, primarily because most retailers are not yet equipped to handle EMV cards, and it is estimated that $5 billion in credit card fraud occurs each year.
Over the next 3 years this will change. In October 2015 Visa and Mastercard are putting forward a liability shift policy under which any retailer that does not have EMV abilities will start to be liable for fraudulent transactions, not the credit card companies. A good motivator to invest in EMV. Of course this transition will take time, education, and adjustment by the end users, but in the long run it’s a big step forward in protecting people’s financial data and in some cases their livelihoods. Identity theft is a growing problem, and the more connected we get as a technological society, the more damage can be done with the same information.
Unfortunately it has to come down to penalty-based policies against retailers and banks to motivate them to do the right thing; the millions of credit cards that have been lost to breaches over the years apparently haven’t been enough to motivate change. Smart cards won’t solve the problem, since criminals will find a way to be criminals, but reducing a billion-dollar problem by 30% or more and bringing awareness down to the consumers is a good improvement.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.