Chip and PIN technology more secure, but not completely invulnerable
Chip and PIN technology offers substantial security improvements in the face of the growing insecurity of older magnetic stripe-based card systems. However, the preventative security of the new system is not infallible.
Chip and PIN bank card systems refer to the computer chip embedded in a smartcard, and the personal identification number (PIN) that the customer must supply to authenticate transactions. This generic term applies to any smart card technology based on the Europay, MasterCard and VISA (EMV) global standard. In South Africa, chip and PIN technology has a surprisingly long history, pioneered in the early 1990s, arguably pre-dating popular uptake in much of the rest of the world. The EMV standard has been employed particularly successfully in Europe, and is now set to become the new standard in the United States, as growing incidences of ‘card skimming’ and card cloning fraud, which exploited weaknesses in the old magnetic-stripe card systems, have propelled uptake of the chip and PIN system.
While the two-factor authentication process of chip and PIN bank card systems is secure against the card-skimming criminal techniques that targeted magnetic-stripe cards, there are still vulnerabilities in the system which should be considered and guarded against.
Mechanical and magnetic stripe card systems are vulnerable to data theft.
Before integrated circuit (IC) cards and PINs, financial transactions by card required magnetic stripes or mechanical imprints to read and record account data. That data was then authenticated by a signature. The verification of ownership of the account rested largely on matching up the presented signature with the signature on the back of the card. Offline mechanical card readers required telephoning the card issuer in order to verify large transactions. Magnetic stripe technology allowed for the card issuer to be contacted electronically. In both cases, the fundamental flaw of the system was a lack of, or weakness in the authentication of the transaction. Worse, the magnetic stripe itself was particularly vulnerable to data-theft. That meant that such cards could be easily cloned.
Illegal technology developed to allow magnetic cards to be ‘skimmed’, which involved surreptitiously swiping the card through another read-capable device to effectively steal the account data attached to the card. One major weakness of early electronic magnetic scanners was that they were necessarily fixed at a central point of communication, for instance, at a telephone plug point at the front desk of a hotel or restaurant. This meant that cards commonly left the sight of their owners during authentication. Even wireless-capable mobile card readers do not protect against card skimming, however. The proliferation and improvement of skimming technologies has reached a point where card skimming can occur in the presence of the owner, without their knowledge. The fundamental problem is that stealing the data remains easy, as does exploiting that data, because of a lack of stringent authentication methodologies.
Chip and PIN card systems are more secure against data theft
Chip-based cards are far harder to clone. First, the data on a chip can be heavily encrypted, requiring substantial capabilities on the part of the criminal to decrypt. Second, cloning the card requires cloning the chip, which is significantly more difficult than cloning a magnetic-stripe card. The introduction of chips is only a part of the EMV system. These cards operate in conjunction with point of sale (POS) terminals and automated teller machines (ATMs), which require a PIN for authenticating credit and debit card transactions. That PIN renders stolen cards effectively useless without knowledge of the code.
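The difference between the two card types comes down to what a thief actually obtains. With a magnetic stripe, the stored data is the credential, so a copy of it is as good as the original; with a chip, the secret stays inside the card and each transaction is authenticated with a fresh, counter-bound code. The following Python model is an added illustration, not code from the article or from the EMV specifications: it replaces EMV's real application cryptogram with a plain HMAC over the amount, a terminal nonce and a transaction counter, and the account number and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# --- Magnetic stripe: the stored data IS the credential --------------------
# Constructed sample track data; not a real account number.
STRIPE_TRACK = b"4111111111111111=2512101"


def stripe_authorise(issuer_record: bytes, presented_track: bytes) -> bool:
    """Issuer-side check for a swipe: the presented data only has to match."""
    return hmac.compare_digest(issuer_record, presented_track)


# --- Chip: the credential is a key that never leaves the card --------------
class ChipCard:
    """Simplified card (hypothetical): signs each transaction with a key the
    terminal never sees, and increments a transaction counter (ATC) each time."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self.atc = 0

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        self.atc += 1
        msg = self.atc.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + terminal_nonce
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer-side verification: recompute the code with its copy of the card
    key and refuse any counter value it has already accepted."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self.last_atc = 0

    def authorise(self, amount_cents: int, terminal_nonce: bytes, atc: int, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:  # replayed or stale transaction counter
            return False
        msg = atc.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + terminal_nonce
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True


def demo() -> dict:
    """Runs the four cases the text contrasts and reports which were accepted."""
    results = {}

    # 1. A byte-for-byte copy of the stripe is indistinguishable from the original.
    copied_track = bytes(STRIPE_TRACK)
    results["stripe_copy_accepted"] = stripe_authorise(STRIPE_TRACK, copied_track)

    key = secrets.token_bytes(16)  # constructed card key shared by card and issuer
    card, issuer = ChipCard(key), Issuer(key)

    # 2. A genuine chip transaction: terminal supplies a nonce, card signs it.
    nonce = secrets.token_bytes(4)
    atc, crypt = card.cryptogram(1999, nonce)
    results["chip_genuine_accepted"] = issuer.authorise(1999, nonce, atc, crypt)

    # 3. The same exchange, recorded and submitted again verbatim.
    results["chip_replay_accepted"] = issuer.authorise(1999, nonce, atc, crypt)

    # 4. The recorded code submitted for a new transaction with a fresh nonce.
    new_nonce = secrets.token_bytes(4)
    results["chip_reuse_accepted"] = issuer.authorise(1999, new_nonce, atc + 1, crypt)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'ACCEPTED' if accepted else 'rejected'}")
```

Only the copied stripe and the genuine chip transaction are accepted; the replayed and reused chip codes are rejected by the counter check and the keyed code respectively. Real EMV cards additionally tie the cryptogram to more transaction fields and use issuer-derived symmetric keys, but the property shown here is the same one the article relies on: reading the card's output does not yield a reusable credential.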
Chip and PIN is more secure, but not infallibly so.
Chip and PIN technology mitigates the security flaws of magnetic stripe cards, particularly at cash tills. However, the EMV system is not immune from potential fraud. Specifically, card-not-present (CNP) transactions, such as internet or phone-based transactions are increasingly targeted. Global uptake of chip and PIN technology will plausibly lead to an increase in the targeting of internet-based transactions in particular.
Software solutions for online transactions that involve interaction with the card-issuing bank or network’s web site, such as Verified by Visa and MasterCard’s SecureCode, are efforts to protect against the targeting of digital transactions. Chip and PIN systems are able to leverage multi-step and multi-factor authentication to mitigate the risk of criminals exploiting compromised user data. Such systems send single-use, uniquely generated PINs to the card holder via, for instance, a mobile phone when they are attempting to make a transaction. Another multi-factor or multi-step authentication approach involves additional hardware in the form of a keypad and screen with which the user can produce a one-time password as part of a multi-factor authentication process.
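What makes the single-use PIN described above useful against compromised card data is the server-side handling: the code must be unpredictable, short-lived, accepted exactly once, and not brute-forceable through unlimited guesses. The following Python service is an added example, not code from any bank, card network or the Verified by Visa / SecureCode programmes; the class name, the two-minute lifetime, the three-attempt limit and the server secret are all assumptions chosen for illustration, and delivery of the code to the card holder's phone is outside its scope.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6            # assumed code length
CODE_TTL_SECONDS = 120     # assumed lifetime of an issued code
MAX_ATTEMPTS = 3           # assumed guess budget per transaction


class OneTimePinService:
    """Hypothetical issuer-side component that issues and verifies single-use
    transaction PINs. Codes are stored only as keyed hashes so a leaked table
    does not reveal live codes."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock                 # injectable for deterministic tests
        self._pending = {}                  # txn_id -> [code_mac, expires_at, attempts_left]

    def _mac(self, txn_id: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{txn_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, txn_id: str) -> str:
        """Create a fresh code for a transaction. Re-issuing replaces any older code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[txn_id] = [self._mac(txn_id, code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the out-of-band channel, never to the web session

    def verify(self, txn_id: str, code: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:                   # unknown, consumed or locked transaction
            return False
        code_mac, expires_at, _ = entry
        if self._clock() > expires_at:      # expired: discard, caller must re-issue
            del self._pending[txn_id]
            return False
        if not hmac.compare_digest(code_mac, self._mac(txn_id, code)):
            entry[2] -= 1                   # wrong guess: spend one attempt
            if entry[2] <= 0:
                del self._pending[txn_id]   # budget exhausted: lock this transaction
            return False
        del self._pending[txn_id]           # correct: consume so it works exactly once
        return True


def demo() -> dict:
    """Exercises the failure modes a practitioner cares about, on a fake clock."""
    now = [1_000_000.0]
    svc = OneTimePinService(b"constructed-server-secret", clock=lambda: now[0])
    out = {}

    code = svc.issue("txn-1")
    wrong = "000000" if code != "000000" else "000001"
    out["wrong_code"] = svc.verify("txn-1", wrong)
    out["right_code"] = svc.verify("txn-1", code)
    out["replayed_code"] = svc.verify("txn-1", code)   # same code a second time

    code2 = svc.issue("txn-2")
    now[0] += CODE_TTL_SECONDS + 1                      # let it expire
    out["expired_code"] = svc.verify("txn-2", code2)

    code3 = svc.issue("txn-3")
    wrong3 = "999999" if code3 != "999999" else "999998"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("txn-3", wrong3)                     # exhaust the guess budget
    out["correct_after_lockout"] = svc.verify("txn-3", code3)
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first correct, in-time submission is accepted; a replayed code, an expired code and the correct code after the guess budget is spent are all rejected, which is the behaviour that stops a criminal holding stolen card details from completing a card-not-present transaction without the second factor. Binding the code to the transaction identifier also prevents a code issued for one purchase from authorising another.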
Chip and PIN is becoming more prevalent globally.
The US has been slow to embrace EMV. While Europe and other parts of the world have been using chip and PIN systems since, in some cases, the 1990s, the security threat to magnetic-stripe card systems in the US was not sufficient to warrant upgrading the existing systems. Increasing attention from fraudsters has, however, changed that view. The recent large-scale theft of credit card data from retailers including Target and Neiman Marcus, which resulted in a Senate Judiciary Committee hearing, has given added impetus to fraud prevention measures, including the microchip-embedded dual-authentication systems.
MasterCard and Visa have roadmaps for a US-wide changeover to chip and PIN cards, aimed at October 2015. That roadmap entails the installation of chip and PIN compatible card readers by retailers and the issuing of chip-equipped cards by banks. It appears that the October 2015 deadline is not absolute, but there is certainly new momentum behind the changeover. Legislation that will hold merchants liable for any fraudulent charges arising out of the misuse of magnetic-stripe cards is now gaining momentum in the US, and will serve to compel the quicker embracing of chip and PIN technology.
While chip and PIN systems are not infallibly secure, they offer a significant improvement over previous physical systems, both because their complexity hinders data theft and cloning, and because of their capability for sophisticated authentication. Such authentication technology and methodology is of particular importance given the prevalence of online transactions.
Gara, T., ‘October 2015: The End of the Swipe-and-Sign Credit Card’, Corporate Intelligence Blog – The Wall Street Journal, 6 February 2014. Available at: http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/