The card industry has been battling the instance of payment card fraud ever since the first credit and debit cards were issued years ago. From the 1960's to around 2003 the magnetic stripe on the back of the card was the means by which card information was exchanged with the networks to effect a transaction. Over the years, criminals learned that the magnetic stripe was easily compromised and so the industry sought a more secure solution. Enter EMV (Europay, MasterCard and Visa, also known as chip and pin) technology. Is EMV the secure solution it is claimed to be? Don't bet your bank balance on it!
The move to smart cards came late to the United States. After years of debating the merits and cost of the changeover, the technology has finally been adopted nationwide. And with the new rules that recently took effect shifting liability for card fraud to a merchant, the roll-out to an all EMV landscape has accelerated rapidly. The public is now being sold on a campaign of how smart card technology is about to make their cards and their money more secure. Not so fast. As other countries have discovered, chip and pin technology can be compromised in several ways. In order to see what we in the US need to be aware of to protect our card base against new types of fraud we need only look at how other countries have faired in their initial roll-out period.
When chip and pin card technology was first introduced in the United Kingdom around 2003, fraud at merchant locations initially did decline. But at the same time online fraud went up! So no big gain right there. And then a curious thing happened. Although counterfeit card fraud declined in the first months of introduction, shortly it too shot up. How could that be? Weren't the chip and pin cards harder to counterfeit? It seems that very quickly the bad guys figured out that they didn't need to counterfeit the chip and pin card itself. They figured out they could simply alter the new chip and pin merchant card readers, steal the card details, and then easily create an old-fashioned counterfeit magnetic stripe card that was still accepted almost everywhere. The transition period had left a big hole in security! So how did the crooks hack the equipment?
The initial means to cheat the new card reading devices took two forms. The first was sort of an old fashioned smash and grab scenario. The criminal would physically alter the device by drilling in and wiring the electronics to steal and divert the card data when a card was inserted. Then he would collude or trick a merchant into installing the compromised unit in their store. Crude, but effective.
The second form was a bit more clever. Criminals intercepted shipments of new terminals coming from Asian manufacturing centers at a transit-point warehouse. There they would install a tiny cell phone that would later text card and pin details from a reader device destined for unsuspecting merchant locations in the UK and the Netherlands. These terminals came in to the merchant's store new-in-the-box so there was no reason to suspect they were altered. When this ruse was finally discovered it was so embarassing that the banks declined to prosecute the crooks. But wait... there's more!
One of the main benefits claimed of smart cards is that if they are lost or stolen, without the PIN they cannot be exploited. Once again, clever crooks found a way around that so-called protection. Around 2010 an electronic device was developed to use in-between a stolen card and a legitimate card reader. The device would act as a man-in-the-middle, and alter the transaction messages between the card and the network. In doing so it would trick the network into accepting the card transaction - no PIN required! Very simply the transaction message was fraudulently delivered as a signature verified transaction, by-passing the need for the PIN. And there's more bad news on this particular gaffe. A tiny SIM card with all the necessary progamming has been developed that can be inserted into a legitimate device and replace the larger devices that first appeared, making this particular hack more accessible and harder to spot. Let's call it a slim-shim-sim.
EMV card readers are clearly the weak link in the security chain. Our fourth and final security flaw takes advantage of the technology of the device itself. The latest scam on an unsuspecting public relies first on simple programming techniques and a little bit on human nature. Re-programmed smart card readers have been discovered in several countries throughout Europe. The crooked device is programmed to display the legitimate transaction on screen, while passing a substantially larger transaction to the network. Think you just spent $100? You may be shocked when you see the transaction was for $3000! And here is where human nature comes in. These re-programmed units are appearing in some very unsavory locations, such as strip clubs! These places are a little shady to begin with. And many times male patrons are there without their wives knowing. So the poor sucker may may be reluctant to dispute a transaction that could cause havoc at home, and can be explained by the establishment as "that's what it costs!" CurrenScene will simply say "no comment" on this one.
The lesson for banks, merchants and consumers here in the United States is one we learn again and again. As soon as the good guys come up with a more secure technology the bad guys find a way around it. Does that mean we shouldn't keep trying? Not at all. It means that we must always remain vigilant. Merchants must protect the integrity of the equipment they are using. Banks must take steps to monitor transactions and detect fraud where possible. And we as consumers must keep an eye on our cards and our accounts at all times. Time will tell if EMV is the final security solution in a continuing battle or just the next stop along the way.