Tag Archives: EMV

card

Chip Cards Will Cut Cyber Fraud — for Now

Visa has released data showing adoption of Visa chip cards by U.S. banks and merchants is gathering steam.

But the capacity for Europay-Mastercard-Visa (EMV) chip cards to swiftly and drastically reduce payment card fraud in the U.S. is by no means assured.

Just look north to Canada, where EMV cards have been in wide use since 2011. Criminals have simply shifted fraudulent use of payment card accounts to online purchases—where the physical card does not come into play. Security and banking experts expect a similar pattern to play out in the U.S., where banks and merchants are under an October 2015 deadline, imposed by Visa and MasterCard, for adopting EMV systems.

Free resource: Putting effective data risk management within reach

Heeding that deadline, major retail chains and big banks are driving up adoption numbers in the U.S. However, thousands of small and mid-sized businesses continue to remain on the fence.

SMBs slower to switch

SMBs are methodically assessing the risk vs. reward of racing to adopt EMV, Brian Engle tells ThirdCertainty. Engle is executive director of the newly founded Retail Cyber Intelligence Sharing Center, or R-CISC.

Brian Engle, Retail Cyber Intelligence Sharing Center executive director
Brian Engle, Retail Cyber Intelligence Sharing Center executive director

 

Company decision-makers are doing their due diligence, factoring in the potential for fraud, the cost of implementing EMV technology and the risk of chargebacks, he says.

“From a transactional volume perspective, some are going to accept risks and move at a rate that’s more appropriate for the size of their organization,” Engle says.

There’s no question the U.S. is in EMV saturation mode. As of the end of 2015, Visa tells us:

  • The volume of chip transactions in the U.S. increased from $12.1 billion in November to $15.8 billion in December, a 30% pop.
  • Seven out of 10 Americans now have at least one chip card in their wallet.
  • 93% of consumers are aware that the transition to EMV is happening.

Cryptogram makes things more complicated

Unlike magnetic-stripe cards, EMV cards are more difficult to counterfeit because the chip contains a cryptogram. When the card is inserted into the point of sale (POS) terminal—vs. being swiped—the cryptogram creates a token that’s unique to each transaction, and all the information is encrypted as it’s transmitted to the terminal and the bank.

This process actually takes a few seconds, during which the consumer must leave her card inserted in the POS terminal. U.S consumers are in the process of modifying their behavior at the checkout stand. Patience for a few seconds is required. Those precious seconds of inconvenient waiting represent an investment in tighter security.

But not as tight as when you use a chip card in Canada or Europe. That’s because EMV cards not only generate a one-time authorization token, they are also designed to require the user to enter a PIN as a second factor of authentication. However, PIN compliance was not part of the October 2015 deadline. Thus, most EMV in-store transactions in the U.S. still require only a signature, which, of course, any impostor can forge.

Criminals, on the other hand, won’t be able to hack into store networks and steal any useful transactions data, at least not any in which chip cards were used.

“Even if you steal the information, it becomes very difficult to use it. You’d get a long string of letters and numbers that can’t do anything,” explains Ben Knieff, senior analyst for retail banking at Aite Group, an independent research and advisory firm that specializes in financial services.

Criminals reportedly were able to breach Wendy’s customer magnetic strip payment card data, recently. That data breach was disclosed after numerous stolen card numbers were subsequently used at other merchants, and the trail led back to Wendy’s.

This kind of credit card fraud is exactly why U.S. financial institutions are migrating from the magnetic-stripe cards to new technology that uses a much more secure chip.

Aite Group estimates that EMV will significantly reduce U.S. counterfeit card fraud—from an estimated peak of $3.61 billion in 2015 to $1.77 billion in 2018.

Scott Schober, Berkeley Varitronics Systems Inc. president and CEO
Scott Schober, Berkeley Varitronics Systems Inc. president and CEO

 

Even so, the technology is not foolproof because bad actors can use other tricks. “The EMV technology is still hackable,” says Scott Schober, president and CEO of Berkeley Varitronics Systems Inc., which specializes in wireless threat detection. “However, hackers are going to go after the simple hack.”

Identity theft experts anticipate that fraudsters will simply shift their attention to merchants that use mobile payments—or don’t use a physical POS terminal at all.

“For bad actors, when one avenue dries up, they will look for other ways,” says Numaan Huq, a Canada-based senior threat researcher with Trend Micro’s Forward-Looking Threat Research Team.

Some transactions safer than others

In Canada, where point-to-point encryption is now standard for retailers, Huq says he feels very safe when using a credit card in stores. But at places like hotels? Not so much.

That’s because hotels collect credit card information for reservations, and, when that system is hacked, all the data is compromised. The same goes for various service providers, like medical offices.

“Bad actors will find new avenues, and I expect, over time, the fraud levels (in the U.S.) will go up again,” Huq says.

That’s what happened in Canada, the U.K. and other countries that have adopted EMV. Canada, for example, saw a 54% decline in counterfeit cards and 133% jump in “card-not-present” (CNP) fraud between 2008 and 2013, according to Aite Group research.

“In the past, most of the tools hackers used were extremely crude,” Schober says. “But advances in technology are making it much easier to compromise people online.”

Aite estimates that CNP fraud in the U.S. will grow from $2.9 billion to $6.4 billion, as hackers shift their tactics.

But, Knieff says, criminals have one thing going against them—online credit card fraud is not a scalable “business.” Criminals can’t buy 40 TVs from Amazon.com, for example.

“Application fraud—using stolen or synthetic identities to open new accounts … becomes much more attractive,” he says. “Yes, CNP will increase, but it will not increase geometrically because it’s hard to scale.”

Many organizations may not even be ready to focus on securing their online systems. Engle, of R-CISC, uses a hockey analogy, saying retailers are “trying to skate to where the puck is going.” That is, at the moment they’re still trying to figure out the transition to EMV.

SMBs particularly vulnerable

In the meantime, smaller businesses face an increased risk.

“The fraudsters will utilize POS malware until they can’t, and those smaller retailers are going to continue to be in their cross-hairs,” he says. “The ability to affect small retailers at a high rate is very profitable for them.”

Attacks on large retailers take a lot more time and resources, Huq says.

“A small mom-and-pop shop is a no-brainer to hit,” he says, adding that mobile payments, especially, are a concern because of proliferation of malware, particularly for Android systems.

“It’s easy to use for small businesses because it costs less,” he says. “But in the future, I think this will be a new way for bad actors to steal credit card data.”

This post was written by Rodika Tollefson.

The State of Cyber Insurance

Cyber attacks are escalating in their frequency and intensity and pose a growing threat to the business community as well as the national security of countries. High-profile cyber incidents in 2014 reflected the expanding spectrum of cyber threats, from point-of-sale (POS) breaches against customer accounts to targeted denial-of-service (DoS) attacks meant to disable a company’s network. Businesses in ever-greater numbers sought financial protection through insurance, buying coverage for losses from data breaches and business outages.

Boost in Cyber Insurance Demand Drives Insurers’ Response

Healthcare facilities, universities and schools continue to be on cybercriminals’ radar, but attacks in the hospitality and gaming, power and utilities and other sectors reveal that no organization is immune to a cyber attack or failure of technology.

Healthcare and education clients had the highest cyber insurance take-up rates in 2014, followed by hospitality and gaming and services. Universities and schools present attractive targets because they house a vast array of personal information of students, parents, employees, alumni and others: Social Security numbers, healthcare information, financial data and research papers can all be compromised.

The broader scope of hacktivists contributed to the increase in cyber insurance purchases in 2014. Sectors that again showed notable year-over-year increases in the number of clients purchasing cyber coverage included hospitality and gaming and education. Other areas that stood out in 2014 included the power and utilities sector, with more clients buying standalone cyber coverage. Power and utilities companies frequently cite the risks and vulnerabilities associated with the use of supervisory control and data acquisition networks — which control remote equipment — and the cost of regulatory investigations as driving factors behind their cyber coverage purchases.

The reasons for purchasing cyber coverage vary from board mandates seeking to protect corporate reputations to companies looking to mitigate potential revenue loss from cyber-induced interruptions of operations. Insurers responded to this demand by offering broader cyber insurance coverage in 2014, including coverage for contingent business interruption and cyber-induced bodily injury and property damages. They also expanded availability of loss-control services, including risk-assessment tools, breach counseling and event response assistance.

Cyber Limits Rise

Companies with revenues of more than $1 billion have increased their cyber insurance limits worldwide by 42% on average since 2012, according to Marsh Global Analytics estimates. Over the same time period, healthcare companies have bought 178% more cyber insurance, and power and utilities firms have expanded their coverage by 98%.

Rising spending on cyber insurance

Source: Marsh Global Analytics. Percentage increase in spending by companies with more than $1 billion in revenues on cyber-risk insurance from 2012 through 2014.

Cyber Rates and Coverage

Increases in the frequency and severity of losses and near-constant headlines about attacks and outages kept cyber insurance premiums generally volatile in 2014. Average rate increases at renewal for both primary layers and total programs were lower in the fourth quarter than in the first. The increased loss activity prompted pricing challenges for some insureds, particularly retailers, where renewal rates rose 5% on average and as much as 10% for some clients.

Market capacity also varied according to industry. Most industries were able to secure cyber coverage with aggregate limits in excess of $200 million, while the most targeted industries, like retailers and financial institutions, faced a challenging market.

Insureds also face heightened due diligence from underwriters seeking to drill down beyond simple reviews of the company’s general information security policies. For example, insureds in the retail sector are being asked about their deployment of encryption and EMV (credit card) technology. And all insureds are now routinely asked whether they have formal incident response plans in place that outline procedures for protecting data and vendor networks and, more importantly, if such plans have been tested.

A Growing Concern

In 2015, managing cyber risk is clearly a top priority for organizations. For example, business interruption (BI) drew a lot of attention in 2014, a trend likely to continue throughout 2015. While BI has historically been thought of as the effect of a critical system going down for an extended period, technology failures and cyber attacks can create far-reaching outages affecting secondary systems, clients and even vendors. Such events can also lead to higher recovery costs, which are becoming a concern for boards of directors and senior management.

There is also concern stemming from the expansion of regulation and litigation. Regulators were active in policing cyber risks in 2014, and oversight is likely to expand significantly in coming years. With cyber risk seen as a critical issue on both sides of the aisle in Washington, D.C., companies will face regulatory challenges in 2015 and beyond.

Sectors that have already seen significant regulatory activity — for example, healthcare, financial services and education — will likely face more stringent regulations and larger fines. All industries should pay attention to existing and impending regulations, tighten controls and prepare to present and defend their compliance regime. Civil litigation in the wake of a breach or disclosure of a cyber event also escalated in 2014, with class actions at times following the disclosure of a breach by mere hours.

As demand for cyber insurance grows, remember that risk transfer is only part of the solution. Enhanced information sharing between industry and government is another step toward having a comprehensive risk-mitigation strategy. Insurers and brokers are expanding the availability of loss-prevention and risk-mitigation services such as risk-assessment tools, breach preparation counseling and breach response assistance. The expanded roster of services and enhanced coverage can provide additional value from policies, usually without a specific added premium.

‘Safer’ Credit Cards Already Vulnerable

A recent Gallup survey found that 69% of Americans worry “frequently” or “occasionally” about having a credit card compromised by computer hackers. It’s not shocking. Consumers are becoming more educated on the topic, and financial institutions are beginning to do more to combat fraud, including introducing new types of credit cards. One example of the latter is chip-and-PIN technology, which everyone from consumers to the president has hailed for its ability to help prevent fraud. But is it the panacea that it’s been made out to be?

Let’s take a closer look at exactly what this technology entails. Unlike cards that use a magnetic stripe containing a user’s account information, chip cards implement an embedded microprocessor that contains the cardholder’s information in a way that renders it invisible even if hackers grab payment data while it is in transit between merchants and banks. The technology also generates unique information that is difficult to fake. There is a cryptogram that allows banks to see if the data flow has been modified and a counter that registers each sequential time the card is used (sort of like the numbers on a check), so that a would-be fraudster would have to guess the exact historical and dynamic transaction number for a charge to be approved.

Already used in every other G20 country as a more secure payment method, chip-and-PIN cards can be found on the consumer side of a global payment system known as EMV (short for Europay, MasterCard and Visa). The system will be rolled out in the U.S. in 2015, and many of us in the banking and data-security industries believe that it will stanch the flow of money lost to hackers while simultaneously cutting down on credit- and debit-card fraud.

MasterCard, Visa and American Express have already begun sending out chip cards to their American cardholders. The technology is expensive—the rollout of chip cards in the U.S. will cost an estimated $8 billion—and this cost may balloon exponentially if the implementation of the new technology is done incorrectly, as a recent spate of fraudulent charges using chip-and-PIN-based technology shows.

This recent trend is one early sign that chip-and-PIN may not be the cure-all many consumers were hoping for, at least during the rollout phase. According to Brian Krebs, during the past week, “at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit- and debit-card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.”

The curious part about this spate of credit- and debit-card fraud is that fraudsters used account information pilfered from old-school magnetic stripe cards skimmed in that attack and ran them as EMV purchases in what’s called a “replay” attack. “After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly,” Krebs reported. It sounds confusing, but the bottom line is money was stolen.

As with many scams, this particular evolution in the world of hacking for dollars cannot succeed without human error, which is probably the biggest liability in the coming chip card rollout. Krebs spoke with Avivah Litan, a fraud analyst with Gartner, who said, “It appears with these attacks that the crooks aren’t breaking the EMV protocol but taking advantage of bad implementations of it.” In a similar attack on Canadian banks a few months ago, one bank suffered a large loss because it was not checking the cryptogram and counter data, essential parts of the protocol.

As with all solutions in the realm of data-security, there is no such thing as a sure thing. Whether the hackers banked a false sense of security at the institutional level, knowing that the protocols might be deemed an unnecessary expense, or the recent attacks are merely part of the chip card learning curve, this latest technology is only as good as its implementation.

So, despite the best efforts of those in the financial services industry, the truth is I can’t blame anyone for worrying a bit about credit card fraud. The good news is that in almost all cases, the consumers aren’t responsible when they’ve been hit with fraud. The banks take care of it (though it can be trickier with debit cards, because money has actually left your account). These days, though, the reality is that you are your own first line of defense against fraudulent charges. That means pulling your credit reports at least once each year at AnnualCreditReport.com, monitoring your credit scores regularly for any sudden and unexplained changes (you can do that for free using free online tools, including those at Credit.com), keeping a close eye on your bank and credit card accounts daily and signing up for transactional monitoring programs offered by your financial institutions.