Tag Archives: cryptogram

card

Chip Cards Will Cut Cyber Fraud — for Now

Visa has released data showing adoption of Visa chip cards by U.S. banks and merchants is gathering steam.

But the capacity for Europay-Mastercard-Visa (EMV) chip cards to swiftly and drastically reduce payment card fraud in the U.S. is by no means assured.

Just look north to Canada, where EMV cards have been in wide use since 2011. Criminals have simply shifted fraudulent use of payment card accounts to online purchases—where the physical card does not come into play. Security and banking experts expect a similar pattern to play out in the U.S., where banks and merchants are under an October 2015 deadline, imposed by Visa and MasterCard, for adopting EMV systems.

Free resource: Putting effective data risk management within reach

Heeding that deadline, major retail chains and big banks are driving up adoption numbers in the U.S. However, thousands of small and mid-sized businesses continue to remain on the fence.

SMBs slower to switch

SMBs are methodically assessing the risk vs. reward of racing to adopt EMV, Brian Engle tells ThirdCertainty. Engle is executive director of the newly founded Retail Cyber Intelligence Sharing Center, or R-CISC.

Brian Engle, Retail Cyber Intelligence Sharing Center executive director
Brian Engle, Retail Cyber Intelligence Sharing Center executive director

 

Company decision-makers are doing their due diligence, factoring in the potential for fraud, the cost of implementing EMV technology and the risk of chargebacks, he says.

“From a transactional volume perspective, some are going to accept risks and move at a rate that’s more appropriate for the size of their organization,” Engle says.

There’s no question the U.S. is in EMV saturation mode. As of the end of 2015, Visa tells us:

  • The volume of chip transactions in the U.S. increased from $12.1 billion in November to $15.8 billion in December, a 30% pop.
  • Seven out of 10 Americans now have at least one chip card in their wallet.
  • 93% of consumers are aware that the transition to EMV is happening.

Cryptogram makes things more complicated

Unlike magnetic-stripe cards, EMV cards are more difficult to counterfeit because the chip contains a cryptogram. When the card is inserted into the point of sale (POS) terminal—vs. being swiped—the cryptogram creates a token that’s unique to each transaction, and all the information is encrypted as it’s transmitted to the terminal and the bank.

This process actually takes a few seconds, during which the consumer must leave her card inserted in the POS terminal. U.S consumers are in the process of modifying their behavior at the checkout stand. Patience for a few seconds is required. Those precious seconds of inconvenient waiting represent an investment in tighter security.

But not as tight as when you use a chip card in Canada or Europe. That’s because EMV cards not only generate a one-time authorization token, they are also designed to require the user to enter a PIN as a second factor of authentication. However, PIN compliance was not part of the October 2015 deadline. Thus, most EMV in-store transactions in the U.S. still require only a signature, which, of course, any impostor can forge.

Criminals, on the other hand, won’t be able to hack into store networks and steal any useful transactions data, at least not any in which chip cards were used.

“Even if you steal the information, it becomes very difficult to use it. You’d get a long string of letters and numbers that can’t do anything,” explains Ben Knieff, senior analyst for retail banking at Aite Group, an independent research and advisory firm that specializes in financial services.

Criminals reportedly were able to breach Wendy’s customer magnetic strip payment card data, recently. That data breach was disclosed after numerous stolen card numbers were subsequently used at other merchants, and the trail led back to Wendy’s.

This kind of credit card fraud is exactly why U.S. financial institutions are migrating from the magnetic-stripe cards to new technology that uses a much more secure chip.

Aite Group estimates that EMV will significantly reduce U.S. counterfeit card fraud—from an estimated peak of $3.61 billion in 2015 to $1.77 billion in 2018.

Scott Schober, Berkeley Varitronics Systems Inc. president and CEO
Scott Schober, Berkeley Varitronics Systems Inc. president and CEO

 

Even so, the technology is not foolproof because bad actors can use other tricks. “The EMV technology is still hackable,” says Scott Schober, president and CEO of Berkeley Varitronics Systems Inc., which specializes in wireless threat detection. “However, hackers are going to go after the simple hack.”

Identity theft experts anticipate that fraudsters will simply shift their attention to merchants that use mobile payments—or don’t use a physical POS terminal at all.

“For bad actors, when one avenue dries up, they will look for other ways,” says Numaan Huq, a Canada-based senior threat researcher with Trend Micro’s Forward-Looking Threat Research Team.

Some transactions safer than others

In Canada, where point-to-point encryption is now standard for retailers, Huq says he feels very safe when using a credit card in stores. But at places like hotels? Not so much.

That’s because hotels collect credit card information for reservations, and, when that system is hacked, all the data is compromised. The same goes for various service providers, like medical offices.

“Bad actors will find new avenues, and I expect, over time, the fraud levels (in the U.S.) will go up again,” Huq says.

That’s what happened in Canada, the U.K. and other countries that have adopted EMV. Canada, for example, saw a 54% decline in counterfeit cards and 133% jump in “card-not-present” (CNP) fraud between 2008 and 2013, according to Aite Group research.

“In the past, most of the tools hackers used were extremely crude,” Schober says. “But advances in technology are making it much easier to compromise people online.”

Aite estimates that CNP fraud in the U.S. will grow from $2.9 billion to $6.4 billion, as hackers shift their tactics.

But, Knieff says, criminals have one thing going against them—online credit card fraud is not a scalable “business.” Criminals can’t buy 40 TVs from Amazon.com, for example.

“Application fraud—using stolen or synthetic identities to open new accounts … becomes much more attractive,” he says. “Yes, CNP will increase, but it will not increase geometrically because it’s hard to scale.”

Many organizations may not even be ready to focus on securing their online systems. Engle, of R-CISC, uses a hockey analogy, saying retailers are “trying to skate to where the puck is going.” That is, at the moment they’re still trying to figure out the transition to EMV.

SMBs particularly vulnerable

In the meantime, smaller businesses face an increased risk.

“The fraudsters will utilize POS malware until they can’t, and those smaller retailers are going to continue to be in their cross-hairs,” he says. “The ability to affect small retailers at a high rate is very profitable for them.”

Attacks on large retailers take a lot more time and resources, Huq says.

“A small mom-and-pop shop is a no-brainer to hit,” he says, adding that mobile payments, especially, are a concern because of proliferation of malware, particularly for Android systems.

“It’s easy to use for small businesses because it costs less,” he says. “But in the future, I think this will be a new way for bad actors to steal credit card data.”

This post was written by Rodika Tollefson.

‘Safer’ Credit Cards Already Vulnerable

A recent Gallup survey found that 69% of Americans worry “frequently” or “occasionally” about having a credit card compromised by computer hackers. It’s not shocking. Consumers are becoming more educated on the topic, and financial institutions are beginning to do more to combat fraud, including introducing new types of credit cards. One example of the latter is chip-and-PIN technology, which everyone from consumers to the president has hailed for its ability to help prevent fraud. But is it the panacea that it’s been made out to be?

Let’s take a closer look at exactly what this technology entails. Unlike cards that use a magnetic stripe containing a user’s account information, chip cards implement an embedded microprocessor that contains the cardholder’s information in a way that renders it invisible even if hackers grab payment data while it is in transit between merchants and banks. The technology also generates unique information that is difficult to fake. There is a cryptogram that allows banks to see if the data flow has been modified and a counter that registers each sequential time the card is used (sort of like the numbers on a check), so that a would-be fraudster would have to guess the exact historical and dynamic transaction number for a charge to be approved.

Already used in every other G20 country as a more secure payment method, chip-and-PIN cards can be found on the consumer side of a global payment system known as EMV (short for Europay, MasterCard and Visa). The system will be rolled out in the U.S. in 2015, and many of us in the banking and data-security industries believe that it will stanch the flow of money lost to hackers while simultaneously cutting down on credit- and debit-card fraud.

MasterCard, Visa and American Express have already begun sending out chip cards to their American cardholders. The technology is expensive—the rollout of chip cards in the U.S. will cost an estimated $8 billion—and this cost may balloon exponentially if the implementation of the new technology is done incorrectly, as a recent spate of fraudulent charges using chip-and-PIN-based technology shows.

This recent trend is one early sign that chip-and-PIN may not be the cure-all many consumers were hoping for, at least during the rollout phase. According to Brian Krebs, during the past week, “at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit- and debit-card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.”

The curious part about this spate of credit- and debit-card fraud is that fraudsters used account information pilfered from old-school magnetic stripe cards skimmed in that attack and ran them as EMV purchases in what’s called a “replay” attack. “After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly,” Krebs reported. It sounds confusing, but the bottom line is money was stolen.

As with many scams, this particular evolution in the world of hacking for dollars cannot succeed without human error, which is probably the biggest liability in the coming chip card rollout. Krebs spoke with Avivah Litan, a fraud analyst with Gartner, who said, “It appears with these attacks that the crooks aren’t breaking the EMV protocol but taking advantage of bad implementations of it.” In a similar attack on Canadian banks a few months ago, one bank suffered a large loss because it was not checking the cryptogram and counter data, essential parts of the protocol.

As with all solutions in the realm of data-security, there is no such thing as a sure thing. Whether the hackers banked a false sense of security at the institutional level, knowing that the protocols might be deemed an unnecessary expense, or the recent attacks are merely part of the chip card learning curve, this latest technology is only as good as its implementation.

So, despite the best efforts of those in the financial services industry, the truth is I can’t blame anyone for worrying a bit about credit card fraud. The good news is that in almost all cases, the consumers aren’t responsible when they’ve been hit with fraud. The banks take care of it (though it can be trickier with debit cards, because money has actually left your account). These days, though, the reality is that you are your own first line of defense against fraudulent charges. That means pulling your credit reports at least once each year at AnnualCreditReport.com, monitoring your credit scores regularly for any sudden and unexplained changes (you can do that for free using free online tools, including those at Credit.com), keeping a close eye on your bank and credit card accounts daily and signing up for transactional monitoring programs offered by your financial institutions.

Solution for Biggest Cyber Risk Is Emerging

As the demand for cyber insurance has skyrocketed, so, too, has the cost. One broker estimates that sales in 2014 will double from the $1 billion premium collected in 2013. Much of the increase in demand and cost has been a result of the widely publicized hacks of the point-of-sale systems at large retailers, and the primary emphasis of most cyber policies is to address liability arising from such events.

New payment technologies, however, will change the need for this type of cyber insurance. American Express recently announced a token service; Apple incorporated ApplePay into its new iPhones; and a group of retailers, the Merchant Customer Exchange, is working on the release of a new payment technology, as well. These technologies, although different in detail, eliminate the need for merchants to collect unencrypted payment card information from customers, significantly reducing the risk created by point-of-sale malware.

These technologies work by generating tokens or cryptograms for use at the point of sale. Financial institutions are able to determine whether the tokens or cryptograms are associated with a customer’s account, even though it is virtually impossible for a third party possessing the token or cryptogram alone to identify the account. The specifics of the technologies vary, but the result is that the merchant does not need access to the customer’s unencrypted account information, and any data obtained through the point-of-sale malware becomes virtually worthless.

As these payment technologies become prevalent in the U.S., the need for cyber insurance protecting retailers against point-of-sale malware should plunge.

There still will be a need for coverages protecting against other cyber risks, including other forms of malware and security breaches as well as against business interruptions arising from cyber events. However, the need and demand for cyber insurance covering privacy breaches should be reduced and the pressure on much of the current cyber insurance market removed.

This article first appeared on the Privacy and Information Security Law Blog.