
The Switch to Chip and PIN. Will it change anything?

Chip & PIN, the future of credit cards

Late next year the U.S. will finally catch up to the rest of the world when it comes to credit card transactions.  Customers will no longer sign credit card receipts; instead they will enter a PIN, as they already do for a debit transaction.  The U.S. is the last major market still using the old-fashioned signature system, which is the primary reason why about half of the world’s card fraud happens in the U.S.

What is Chip & PIN?

Basically, we are replacing the signature with a PIN.  Each card carries a microchip holding a secret key, and the cardholder is issued a PIN.  When the card is inserted into the POS terminal, the chip proves the card is genuine by computing a cryptogram for that transaction, and the PIN proves that the person holding the card is the cardholder.  Flaws in the system have been publicly reported since 2010, not to mention how vulnerable four-digit PINs are to social engineering, as discussed in this article.  If most fraud today happens in the U.S., where we don’t yet use this system, is it not logical to expect that once we do, criminal effort will shift to finding flaws in Chip & PIN?  A group of British researchers has released a paper detailing a new vulnerability in Chip & PIN.  According to the paper, “EMV did not cut fraud as its proponents predicted. While using counterfeit and stolen cards did become more difficult, criminals adapted…”  Their conclusion is that Chip & PIN did not reduce fraud overall; it pushed fraud into channels where the chip plays no part, such as card-not-present transactions.

Will this really make our information safer?

Take the Target breach as an example.  That data was compromised by memory-scraping malware installed on the POS terminals, which captured card data from the terminal’s memory in the moment between the swipe and encryption for transmission.  Would a Chip & PIN system have prevented the loss of the information?  It doesn’t appear that way: the malware sat on the terminal, and a chip transaction still passes the card number through that same memory.  What the chip changes is how useful the stolen data is, since a per-transaction cryptogram cannot be replayed to make another purchase the way static magstripe data can.  So the real question is whether the new system, in the event of data loss, prevents the abuse of that information and protects consumers from fraud.
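To make concrete what the chip and the PIN each do, and why data scraped from a chip transaction is less reusable than magstripe data yet still exposes the card number, here is a simplified model added for this post; it is not code from any payment network, terminal vendor, or the original article. It stands in HMAC-SHA256 for EMV’s 3DES key derivation and retail MAC, and the card number, master key, PIN and track-2 string are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

# Constructed sample values for the demo (not real card data or keys).
PAN = "4111111111111111"
MASTER_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
PIN = "4932"
TRACK2 = "4111111111111111=25121011234500000000"  # static magstripe track-2 data


@dataclass(frozen=True)
class AuthRequest:
    """Online authorization message the terminal forwards to the issuer."""
    pan: str
    amount: int                  # cents
    atc: int                     # Application Transaction Counter kept by the chip
    unpredictable_number: bytes  # nonce the terminal picks for this transaction
    cryptogram: bytes            # ARQC computed inside the chip


def compute_cryptogram(master_key, pan, amount, atc, un):
    # Session key diversified by the ATC, then a MAC over the transaction data.
    # Real EMV uses 3DES key derivation and a retail MAC; HMAC-SHA256 stands in.
    session_key = hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()
    data = b"|".join([pan.encode(), str(amount).encode(), atc.to_bytes(2, "big"), un])
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip: a key that never leaves the card, a PIN try counter and the ATC."""

    def __init__(self, pan, master_key, pin):
        self.pan, self._master_key, self._pin = pan, master_key, pin
        self.pin_tries_left, self.atc, self._pin_verified = 3, 0, False

    def verify_pin(self, candidate):
        """Cardholder verification: checked on the chip, locked after 3 failures."""
        if self.pin_tries_left == 0:
            return False
        if hmac.compare_digest(candidate, self._pin):
            self.pin_tries_left, self._pin_verified = 3, True
            return True
        self.pin_tries_left -= 1
        self._pin_verified = False
        return False

    def generate_arqc(self, amount, un):
        """Card authentication: a fresh cryptogram valid for this transaction only."""
        if not self._pin_verified:
            raise PermissionError("PIN not verified for this transaction")
        self.atc += 1
        self._pin_verified = False  # the next purchase needs its own PIN entry
        crypt = compute_cryptogram(self._master_key, self.pan, amount, self.atc, un)
        return AuthRequest(self.pan, amount, self.atc, un, crypt)


class Issuer:
    """Issuer host: recomputes the cryptogram and insists the ATC keeps increasing."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, master_key):
        self._keys[pan], self._last_atc[pan] = master_key, 0

    def authorize_chip(self, req):
        key = self._keys.get(req.pan)
        if key is None:
            return "declined: unknown card"
        expected = compute_cryptogram(key, req.pan, req.amount, req.atc, req.unpredictable_number)
        if not hmac.compare_digest(expected, req.cryptogram):
            return "declined: bad cryptogram"
        if req.atc <= self._last_atc[req.pan]:
            return "declined: replayed counter"
        self._last_atc[req.pan] = req.atc
        return "approved"

    def authorize_magstripe(self, track2):
        """Magstripe: the same static string authorizes every time it is presented."""
        return "approved" if track2.split("=")[0] in self._keys else "declined: unknown card"


def run_scenario():
    """What a POS memory scraper captures from one chip sale, and what it can do with it."""
    card, issuer = ChipCard(PAN, MASTER_KEY, PIN), Issuer()
    issuer.enroll(PAN, MASTER_KEY)
    r = {}
    r["wrong_pin"] = card.verify_pin("0000")
    r["right_pin"] = card.verify_pin(PIN)
    req = card.generate_arqc(1999, os.urandom(4))  # genuine $19.99 purchase
    r["genuine"] = issuer.authorize_chip(req)
    # The scraper captured `req` verbatim from terminal memory; try to reuse it.
    r["replay_same"] = issuer.authorize_chip(req)
    r["replay_new_amount"] = issuer.authorize_chip(replace(req, amount=99900))
    r["replay_new_nonce"] = issuer.authorize_chip(replace(req, unpredictable_number=os.urandom(4)))
    # The same scraper on a magstripe sale gets data that never stops working.
    r["magstripe_replays"] = [issuer.authorize_magstripe(TRACK2) for _ in range(3)]
    # The chip does not hide the card number: it is still in the captured message.
    r["pan_exposed"] = req.pan == PAN
    return r


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:20} {outcome}")
```

Two things the model makes visible: the issuer never sees the card’s key or the PIN, only a cryptogram it can recompute and a counter it can check, so a captured authorization message is worthless for a second purchase; and nothing in the chip protocol stops the same scraper from reading the PAN, which is exactly what card-not-present fraud needs. The replay protection also leans on the terminal choosing a genuinely unpredictable nonce and the issuer actually enforcing the counter check, which is where the researchers’ attacks tend to aim.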

Fraud was not the problem in the Target breach; it was the outcome.  The problem was the lack of comprehensive security policies and programs in the organization, or at the very least a lack of diligence in enforcing them.  That is not unique to Target, to retail, or to any other industry.  If the problem is not fraud but broken security, why are we poised to spend billions as an economy on a solution that doesn’t solve that problem?  Is it really to protect consumers from fraud?

UPDATED: PayPal President’s credit card was stolen and used fraudulently.  “Marcus noted that his credit card had EMV chip technology, a more secure system currently in use in Europe. But that didn’t stop the data from being stolen and used for a “ton of fraudulent” transactions, according to the PayPal chief.” Source: USAToday

What does the Chip & PIN system solve?

The WSJ article announcing the shift says it best: “Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs… So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.”

The new system is not primarily about protecting consumers; it is about protecting the card networks by shifting liability for fraud onto whichever party, merchant or issuing bank, has not upgraded, with the merchants’ costs ultimately reaching the consumer.  There are benefits to the consumer, and it will reduce some fraud: it raises the level of sophistication needed to commit fraud with whatever data is gathered.  That is just it, though.  There are still ways to commit fraud, and we know there are ways to get the data; it’s just a matter of time.

So should we be spending the effort and the capital on this new system while creating a false sense of security?  It should not be touted as the be-all and end-all of credit card fraud prevention.  It is one step toward mitigating the risk.

Where should we start?

As I was writing this, I discovered this article by CSOOnline.  This article takes a very strategic approach to analyzing the situation I am discussing. I strongly suggest reading it.

Companies should stop trying merely to meet compliance requirements and instead focus on comprehensive security.  Many industry compliance standards focus so heavily on privacy that they neglect general security, such as segregating the networks that hold protected data from the rest of the environment.  Organizations must focus on overall security, and the data inside will be protected as a consequence; otherwise, regardless of the protections we put in place at the point of sale, breaches will continue to happen.

Why is it hard to do this?  Because it’s often not visible and it’s expensive.  Consumers don’t see the results of a secure network; they see only the results of an insecure one, or of visible changes at the POS.  This is a difficult position for CISOs and CIOs to compete from, and in the end the consumer loses.