Consumers and merchants in the U.S. are gearing up for the upcoming changeover from magnetic strip-based payment cards to Europay, MasterCard and Visa (EMV) or chip and PIN. The chip and PIN, which is widely used in Europe, is believed to be more superior to a swiped magnetic card. Though this can be true for several reasons, it doesn't totally eradicate fraud in the payment system.
The EMV standard is accepted around the world. In Europe, it has been the de facto payment card system for the past decade. Otherwise known as chip and PIN, the cards contain a combination of customer PIN and information. These are securely stored on an integrated circuit. Information is authenticated in ATMs and payment terminals.
In order for the EMV system to be adopted in the US, the credit card companies plan to change liability by October 2015. Parties which haven't deployed the system beyond this date will be held liable on the event of a fraudulent transaction.
Security engineering professor at Cambridge University and cryptography expert Ross Anderson says that the EMV specification face both regulatory and security issues. Recently, his team at Cambridge discovered that several EMV-capable ATMs and payment terminals produce random numbers in a manner that can be easily predicted. This would allow anyone who has temporary access to the card to make educated guesses of the authentication codes and use these codes in future transactions. A compromised POS terminal can also produce authentication codes when a card is inserted in it. These codes can be used when authorizing more rogue transactions.
"We've been using EMV in the U.K. for 11 years and have a lot of experience understanding how these things break," said Anderson. "When this started, we thought we knew what the shortcuts were and what fraud would be, but reality was quite different."
Enterprise defense architect Lucas Zaichkowsky of AccessData agreed with Anderson's statement. "People think that if we switch to EMV, these breaches will go away, but that's not true," said Zaichowsky.
In an EMV transaction, the credit card number and its expiration date can be generated in a compromised POS terminal. Many places only require these two details to place an order since there's no need to get the three-digit security code or confirm the billing address.
With this in mind, cybercriminals will always have the reason to compromise POS terminals in the midst of widespread EMV deployment. Security experts are recommending merchants to adopt an end to end encryption for card-present payments.
