EMV is Not a Solution
Last month we wrote about the way credit card fraud has evolved in Europe since the introduction of EMV, or chip and PIN, cards. The consensus was that while chip and PIN reduced fraud in some areas, it seems to have caused a spike in others. That outcome isn't unexpected: fraudsters aren't going anywhere, so it makes sense that they refocus their attacks rather than give up in the face of new technology.
In the past few years, however, Ross Anderson and his colleagues at Cambridge have done serious research into the weaknesses of chip and PIN, and it turns out the protocol has a technical problem serious enough that their 2010 paper was titled, simply, "Chip and PIN is Broken".
In that 2010 paper, Anderson and his co-authors described their discovery of how easy it is to pay with a chip and PIN card without knowing the PIN at all. According to Anderson:
“The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say ‘Verified by PIN’.”
This works for online transactions as well as offline ones. Even when the merchant's terminal sends the transaction to the bank for authorization in real time, it is approved: the terminal reports that the PIN was verified, and the issuer does not check that report against the card's own record, which shows that no PIN verification ever took place.
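The exchange Anderson describes, as an added example that is not part of the original post or of the Cambridge group's own code: a simplified Python simulation of the terminal, the attacker's wedge device sitting between terminal and card, and the card. Only the VERIFY command uses the real EMV encoding (CLA 00, INS 20, P2 80, a format-2 plaintext PIN block); the GENERATE AC step, the one-byte issuer data and the flag layout inside it are assumptions made to keep the example short. The wedge answers VERIFY with 9000 ("PIN OK") without ever forwarding it, so the terminal records "PIN verified" while the card, which never saw a VERIFY, records that no PIN was checked. The issuer-side consistency check at the end is one of the defences the paper discusses: compare the terminal's claim against the card's own record.

```python
"""Simulation of the Cambridge 'no-PIN' attack on EMV offline PIN verification.

Constructed example, not the paper's code. Three parties exchange simplified
APDU-like messages: a terminal, the attacker's wedge between terminal and card,
and the card. Only VERIFY uses real EMV encoding; the GENERATE AC exchange and
the issuer data layout are simplified assumptions.
"""

VERIFY_HDR = b"\x00\x20\x00\x80"   # CLA INS P1 P2: VERIFY, plaintext PIN
GEN_AC_HDR = b"\x80\xAE\x80\x00"   # GENERATE AC requesting an ARQC (simplified)
SW_OK = b"\x90\x00"


def build_verify_apdu(pin: str) -> bytes:
    """Encode VERIFY with an EMV format-2 PIN block: '2', length nibble, digits, F padding."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    block = bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))
    return VERIFY_HDR + bytes([len(block)]) + block


class Card:
    """The chip: verifies PINs it actually receives and remembers whether it did."""

    def __init__(self, pin: str, tries: int = 3):
        self._pin = pin
        self.tries_left = tries
        self.pin_verified = False   # card's own record, later reported to the issuer

    def process(self, apdu: bytes) -> bytes:
        if apdu.startswith(VERIFY_HDR):
            if self.tries_left == 0:
                return b"\x69\x83"                       # PIN blocked
            block = apdu[5:5 + apdu[4]].hex().upper()
            digits = block[2:2 + int(block[1], 16)]
            if digits == self._pin:
                self.pin_verified = True
                return SW_OK
            self.tries_left -= 1
            return b"\x63" + bytes([0xC0 | self.tries_left])   # 63Cx: x tries remain
        if apdu.startswith(GEN_AC_HDR):
            # Issuer application data, assumed layout: bit 0 = offline PIN verification performed
            iad = bytes([0x01 if self.pin_verified else 0x00])
            return iad + SW_OK
        return b"\x6D\x00"                               # instruction not supported


class Wedge:
    """Attacker's device between terminal and card: answers VERIFY itself, relays the rest."""

    def __init__(self, card: Card):
        self.card = card

    def __call__(self, apdu: bytes) -> bytes:
        if apdu.startswith(VERIFY_HDR):
            return SW_OK          # tell the terminal the PIN was fine; the card never sees it
        return self.card.process(apdu)


def run_transaction(link, pin_entered: str) -> dict:
    """Terminal side. `link` delivers an APDU to whatever is in the card slot."""
    if link(build_verify_apdu(pin_entered)) != SW_OK:
        return {"terminal_approved": False, "reason": "PIN rejected"}
    resp = link(GEN_AC_HDR + b"\x00")
    if resp[-2:] != SW_OK:
        return {"terminal_approved": False, "reason": "cryptogram failed"}
    # Offline: the terminal approves right here. Online: this record goes to the issuer.
    return {"terminal_approved": True, "cvmr_pin_verified": True, "card_iad": resp[:-2]}


def issuer_authorize(auth_request: dict, check_consistency: bool) -> str:
    """Issuer side. The defence is to compare the terminal's claim with the card's record."""
    if not auth_request["terminal_approved"]:
        return "DECLINE"
    card_verified_pin = bool(auth_request["card_iad"][0] & 0x01)
    if check_consistency and auth_request["cvmr_pin_verified"] and not card_verified_pin:
        return "DECLINE: terminal reports PIN verified but card performed no PIN verification"
    return "APPROVE"


def genuine_transaction(pin_entered: str, true_pin: str = "1234") -> dict:
    return run_transaction(Card(true_pin).process, pin_entered)


def wedge_transaction(pin_entered: str = "0000", true_pin: str = "1234") -> dict:
    return run_transaction(Wedge(Card(true_pin)), pin_entered)


if __name__ == "__main__":
    stolen = wedge_transaction("0000")
    print("terminal approved:", stolen["terminal_approved"])        # the receipt says Verified by PIN
    print("issuer, no check:  ", issuer_authorize(stolen, False))
    print("issuer, with check:", issuer_authorize(stolen, True))
```

Running the script shows the three outcomes side by side: a genuine card rejects a wrong PIN, the wedged transaction with PIN 0000 is approved by the terminal and by an issuer that trusts the terminal's report, and the same transaction is declined once the issuer compares that report with the card's own data.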
There have also been problems with the liability shift that came with chip and PIN. Anyone who has had a mag-stripe card stolen knows that, while it is a pain to deal with, the process is simple: call the bank, report the fraudulent charges, end of story. With chip and PIN, liability for fraud shifts toward the cardholder. In Europe, many victims were blamed for not being careful enough with their PIN, even though, as the attack above shows, a receipt reading "Verified by PIN" is not proof that the PIN was ever entered. Chip and PIN isn't bulletproof, and when banks bear little of the cost of fraud they have less incentive to go out of their way to secure the system.
Let’s be clear—EMV cards are more secure than magnetic stripe cards, no contest. It’s an important step for the US to take, but we—merchants, payment processors, banks and cardholders alike—shouldn’t see EMV as an all-encompassing solution.
Payment security is a marathon, not a sprint.