Many of you may be wondering why credit card companies have been sending out new credit cards that contain a small chip in them. Are they more secure? Can’t “hackers” just counterfeit these cards as well? Why do some credit card readers accept the magnetic strip and others require the card to be inserted?
These “chips”, commonly referred to as EMV (Europay, MasterCard, and VISA – the companies responsible for the standard), encrypt the transaction as well as generate a one-time use code for each purchase. On the contrary, using the traditional magnetic strip, a static code is generated and exchanged with a merchant in a credit card transaction. This enables an attacker to create a physical copy of the credit card after intercepting this code. While EMV cards are not a show stopper for credit card fraud, it has been proven in Europe to result in a significant reduction.
Security Magazine reports that “According to a new report from Barclays, 47% of the world’s credit card fraud happens in the United States, even though Americans only account for 24% of the total credit card volume.” In the United States, the preferred method for hackers operating in this arena is to remotely install malware onto a credit card terminal (at the register) to capture and transmit credit card numbers. Once the number is stolen, it is often sold online to the highest bidder. When you think about why this is a preferred method, it is simple: Minimize risk. This is a common theme among security professionals but is shared with criminals as well. This is similar to credit card skimmers commonly found at gas pumps and ATMs; however, there is significantly less risk of being caught in the act remotely. Some of the countries these attackers reside in may also have lax punishments, if any, for crimes such as these.
As we transition to using EMV cards in the United States, you will notice that sometimes a credit card terminal will permit you to swipe even with your EMV enabled card. This is because merchants are slowly transitioning to new terminals and incur a cost in doing so of up to $1,000 per terminal. Another security feature that is an industry best practice is the concept of “two factor”. The “chip and pin” system is based on something you have (the chip in the card) and something you know (the pin). This is extremely common in Europe, but in the United States, chip and signature has become the norm. There are many benefits to moving to this “new” type of card, originally developed in 1993-1994. Hopefully, people will focus less on the additional few seconds that the card sits in the processing terminal and more on the importance of switching to this more secure technology.
Chippewa Security 