Industry News

EMV hackers show chip-and-PIN no security panacea

The mobile payments revolution is often seen merely as a battle for convenience. But giving consumers an easier way to shop and pay is only one side of the equation. The other is the promise of radically improving the level of security enjoyed by consumers, merchants and financial institutions alike.

Over the past year, several mass security breaches have shown just how vulnerable users of traditional credit and debit cards are to fraud. But this past month, a lesser-known case showed how even the most secure form of physical card – so-called “EMV” or “chip-and-PIN” cards – is not airtight.

As explained in articles by Infosecurity magazine and independent security expert Brian Krebs, the problem involved hundreds of thousands of dollars in unauthorized charges on EMV debit cards issued by banks in North America, and allegedly made by fraudsters in Brazil.

For the banks, the attack was especially worrying because, unlike with traditional cards, they cannot effectively mitigate their liability for fraudulent charges on chip-enabled credit/debit cards via the normal dispute mechanisms of Visa and MasterCard. Instead, they are finding themselves on the hook for the charges.

Ironically, the fraud may have been enabled by the sense of security EMV cards can offer, with one impacted bank “rubber-stamping” transactions with incomplete information. More oddly, the charges were apparently submitted through Visa and MasterCard’s payment networks as chip-enabled transactions – despite the fact that the physical cards involved had never been sent out to customers.

Overall, the “Brazil breach” was made possible by lapses in implementation, rather than any inherent flaw in chip-and-PIN technology.
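The two implementation lapses described above (approving chip-flagged transactions whose authorization data was incomplete, and approving transactions on cards that were never issued) can be expressed as issuer-side checks. The following is an added illustration, not code from this article, from Cellum or from any card scheme: the card registry, the field names and the cryptogram check are constructed for the example, and the HMAC stand-in is not EMV's actual cryptogram algorithm, which a real issuer host verifies with the card's own keys.

```python
"""Issuer-side sanity checks for chip-flagged authorizations (constructed example)."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed per-card issuer records: card status plus a placeholder key used
# to recompute the transaction cryptogram. Real keys never look like this.
CARD_REGISTRY = {
    "4111000000000001": {"status": "active", "key": b"example-key-0001"},
    "4111000000000002": {"status": "not_issued", "key": b"example-key-0002"},
}


@dataclass
class Authorization:
    pan: str                       # card number as presented by the acquirer
    amount: int                    # amount in minor units
    entry_mode: str                # "chip" or "magstripe", as flagged by the terminal
    cryptogram: Optional[str]      # hex cryptogram claimed for the chip transaction
    counter: Optional[int]         # transaction counter claimed from the card


def expected_cryptogram(key: bytes, pan: str, amount: int, counter: int) -> str:
    """Stand-in for the issuer recomputing the card's cryptogram.

    Constructed HMAC over the transaction fields; EMV's real algorithm and key
    derivation are different, but the issuer-side principle is the same: the
    issuer, not the terminal, decides whether the chip data is genuine.
    """
    data = f"{pan}|{amount}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def decide(auth: Authorization, registry=CARD_REGISTRY) -> Tuple[str, str]:
    """Return (decision, reason) for one authorization request."""
    record = registry.get(auth.pan)
    if record is None:
        return "decline", "unknown card"
    # Lapse two from the article: a card that was never sent out cannot
    # legitimately be presented at a terminal.
    if record["status"] != "active":
        return "decline", f"card status {record['status']}"
    if auth.entry_mode == "chip":
        # Lapse one: never rubber-stamp a chip claim that lacks its data.
        if auth.cryptogram is None or auth.counter is None:
            return "decline", "chip-flagged transaction missing cryptogram data"
        want = expected_cryptogram(record["key"], auth.pan, auth.amount, auth.counter)
        if not hmac.compare_digest(want, auth.cryptogram):
            return "decline", "cryptogram verification failed"
        return "approve", "chip data verified"
    # Non-chip requests are handed to the issuer's ordinary fraud rules.
    return "refer", "non-chip transaction routed to fraud rules"


def run_sample() -> list:
    """Decide a few constructed requests that mirror the article's scenarios."""
    good = expected_cryptogram(b"example-key-0001", "4111000000000001", 2500, 7)
    requests = [
        Authorization("4111000000000001", 2500, "chip", good, 7),       # genuine chip data
        Authorization("4111000000000001", 2500, "chip", None, None),    # incomplete chip claim
        Authorization("4111000000000002", 2500, "chip", "0" * 16, 1),   # card never issued
    ]
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for decision, reason in run_sample():
        print(decision, "-", reason)
```

The point of the structure is that an "approve" is only reachable after every check passes; a request that merely carries the chip flag gets no credit for it until the issuer has verified the data behind the flag.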

“Implementation is always critical – even if I have the best standard, if I make mistakes in implementing it there will be problems,” explains Zoltán Ács, director of research and development at Cellum, which was making advances in the area of cryptography even before it began work on mobile payments.

For sure, properly-implemented technology solutions and rigorous anti-fraud processes can make EMV much safer than normal cards. (Ács says that if chip-and-PIN had been used instead of magnetic strips in the point-of-sale terminals at Target, the huge breach suffered by the American retailer might have been avoided.)

Still, even a perfectly-run system of chip-and-PIN is vulnerable, especially in so-called “card-not-present” transactions, when users are not physically present – a use case that is becoming ever more common as the mobile revolution gathers steam. All of which puts a brighter spotlight on the “split secret” mobile payment systems being developed by firms like Cellum, which, if properly implemented, hold the promise of 100% security, 100% of the time.