In light of the Target and Neiman Marcus breaches, many are pointing to EMV “chip and PIN” technology as the silver bullet that could have saved Target and its customers a lot of heartache. However, while EMV is a good step forward for card security, it’s inaccurate to say that EMV would have stopped the Target breach.
The Truth about EMV
- EMV would not have prevented the Target breach from happening.
EMV began as a joint effort by Europay, MasterCard and Visa to replace the mechanism that provides customer-identifiable information (account number, CVV, etc.) to the terminal initiating a transaction. Instead of a magnetic stripe, EMV cards use a smart chip and require the entry of a PIN that only the customer should know (hence the term “chip and PIN”). Once the information has been passed to the terminal, the transaction process remains the same: the account information is loaded into the terminal’s memory, a transaction frame is built to request authorization, and so on.
The malware that affected Target was looking for account information in the memory inside point-of-sale (POS) devices, where it’s unencrypted. Therefore, the criminals would have been able to obtain this information even if it came from chip and PIN cards, since the stolen information was not directly taken off the cards themselves.
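To see why the card interface makes no difference once the data sits in terminal memory, the following audit check (an added example, not from the original article or from any vendor product) scans a buffer such as a process dump or debug log from your own POS software for cleartext Track 2 data and reports only masked hits. The function names and sample buffers are constructed for illustration, and the chip sample assumes the Track 2 Equivalent Data has been rendered as hex text with the `D` separator.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
# An EMV chip hands the terminal the same fields as "Track 2 Equivalent Data",
# where the separator nibble is D instead of '='.
TRACK2 = re.compile(rb";?(\d{13,19})[=D](\d{4})(\d{3})\d*\??")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_track2(buf: bytes):
    """Return (offset, masked PAN, expiry YYMM) for each Luhn-valid hit."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((m.start(1), mask(pan), m.group(2).decode()))
    return hits

# Constructed sample buffers built around the public test PAN 4111111111111111.
SWIPE_BUF = b"\x00\x13hdr;4111111111111111=25121010000012345?\x00pad"  # magstripe read
CHIP_BUF = b"\x00TXN\x024111111111111111D25122010000054321\x03\x00"    # chip read (assumed rendering)
NOISE_BUF = b"order=1234567890123456=2512101 ref"                      # fails Luhn

if __name__ == "__main__":
    for name, buf in [("swipe", SWIPE_BUF), ("chip", CHIP_BUF), ("noise", NOISE_BUF)]:
        print(name, find_cleartext_track2(buf))
```

Both the swipe and the chip buffer produce a finding, which is the point of the paragraph above: any hit means account data is present unencrypted in the scanned region.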
- There are still weak points in the EMV system that will be exploited in fraud attacks.
In a “card present” fraud attack, a criminal steals information from a card that was physically swiped on a POS terminal to complete a transaction. EMV does make it harder for criminals to clone a card, since the technology used to create the microprocessors in the chip on EMV cards is much more difficult to duplicate than the relatively simple information stored on a card’s magnetic stripe.
But the EMV standard must be implemented to successfully prevent fraudulent card-present transactions. In the U.S., it won’t be mandatory for most merchants to adopt the EMV system until October 2015. This means not only that many U.S. customers are still vulnerable to “card present” fraud attacks, but also that foreign customers using EMV cards in the country are at risk, since most POS devices in the U.S. still don’t have the necessary technology to accept payments through EMV card chips, and most merchants still just use the magnetic stripe of the EMV card instead. This leaves even EMV cards vulnerable to subsequent attacks if the criminals decide to monetize stolen card information via online transactions or clone the card for use in a non-EMV country.
Even nations where EMV is becoming standardized are not immune to “card present” fraud. In Colombia, where EMV cards were meant to be mandatory by the end of 2013, local police are actually reporting a 25% increase in card cloning complaints from 2012 to 2013. Many merchants still simply swipe the magnetic stripe of the card when processing a transaction instead of using EMV-compliant technology, rendering the EMV cards in those transactions just as vulnerable to cloning as the insecure cards they were meant to replace.
- Two-thirds of credit card fraud attacks involve card-not-present transactions, which EMV provides no additional protection against.
If you have an EMV card, and the merchant uses a POS terminal that reads the chip in the EMV card for the transaction, you are much more secure than if you were just using a card with a magnetic stripe in the same situation. Unfortunately, that only describes the circumstances of about one-third of the fraud involving credit and debit cards. Two-thirds of the fraud involving cards happens when no card is presented at all, for example when buying on the internet or via telephone. There is no place to enter a PIN when buying online, and no way to read the chip the card contains. In the case of the Target or Neiman Marcus breaches, information that was stolen from a chip and PIN card could still be used online to make fraudulent purchases. While EMV will change the structure of breaches and related fraud, it will not stop them. To cite just one example of how EMV changes fraud perpetration patterns, France saw online card-not-present fraud quadruple in the four years following its implementation of an EMV-compliant system, even as chip and PIN technology was simultaneously reducing fraud that involved the physical presence of the card.
Stopping “card not present” fraud with Detect Monitoring Service
Easy Solutions provides monitoring of black markets for credential harvesters and traffickers in stolen credit and debit card information as part of Detect Monitoring Service (DMS), a comprehensive, cloud-based anti-fraud monitoring solution. This gives organizations prompt notice when breaches caused by compromised POS terminals occur, allowing them to quickly prevent fraudulent transactions with stolen cards and control losses before money leaves user accounts.
For more information, visit http://www.easysol.net/newweb/Products/detect_monitoring_service