CHIP CARDS: WILL THEY PREVENT FRAUD?

EMV cards (named for Europay, MasterCard, and Visa, the three companies that originally developed the specifications for the technology) represent a significant improvement over magnetic strip cards, but they still have fraud-related vulnerabilities. This session will explore how the cards work, why they are an improvement over magnetic strip cards that are still being used, the current state of the implementation of the use of EMV cards, and common scams connected to the cards.

STEVEN WEISMAN, J.D.
Professor
Bentley University

Steve Weisman is a lawyer, college professor at Bentley University, author, and one of the country's leading experts in cybersecurity, identity theft, and scams. He writes the blog Scamicide where he provides daily updated information about the latest scams and identity theft. He is the author of nine books including his latest book, Identity Theft Alert. His book The Truth About Avoiding Scams was chosen by Smart Money Magazine as one of the ten best money books of Weisman is also a columnist for USA Today and Bankrate.com as well as a weekly commentator on cybersecurity, scams and identity theft for WGGB, the Springfield, Massachusetts ABC affiliate, and regular commentator on New England Cable News and NewsMax.

Association of Certified Fraud Examiners, Certified Fraud Examiner, CFE, ACFE, and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, republished, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

2016

How Did We Get Here?

The technology that enabled magnetic strip credit cards was first developed in the 1960s, but was not widely used in credit cards until 1980, when MasterCard and Visa adopted the technology for their credit cards. The account number for the particular card and other personal information was stored on a magnetic strip on the back of the credit card and provided for a quick consumer transaction when the card was swiped through credit card processing equipment at various merchants.

Unfortunately, this advance in technology was met by advances in the technology used by criminals, who were able either to install skimmer devices over the merchant's card readers and steal the credit card information, or to install software in the merchant's processing equipment that enabled the hackers to steal information from vast numbers of credit cards. This stolen credit card information was then sold by the hackers to other criminals on what has come to be referred to as the Dark Web, that part of the Internet where cybercriminals communicate and do business.

Fighting sophisticated criminal technology of the 2000s with security technology of the 1960s was not much of a fight, as was exemplified by the 2013 hacking of Target, when, using credentials stolen through social engineering phishing to access the credit card processing network of hackers stole account information for 40 million debit and credit cards using magnetic strip technology. This major data breach, followed by many more, hastened the move to computer chip credit cards, a technology used in much of the world since the 1990s and now used uniformly in other countries.

What Is the EMV Card?

EMV stands for Europay, MasterCard, and Visa. EMVCo is the company formed by these credit card companies to manage EMV standards for EMV chips and tokenization. EMV cards are more secure than magnetic strip cards because the computer chip generates a unique, random token for each transaction, so that skimming a card processor to steal the processing information for a particular transaction would be useless. Nor would hacking the data processing network provide information usable to a criminal, for the same reason. EMV card use by consumers takes a few extra seconds at the point of sale (POS) terminal, as the consumer inserts their EMV card into the card processor and waits for the transaction to be completed.

Rules Encouraging Migration to EMV

It is important to note that the regulations encouraging the use of EMV technology were created by the banks and credit card companies that process credit card payments. These companies do not have the authority to mandate the switch from magnetic strip technology to EMV technology or to enforce it with fines or other penalties. Rather, the inducement for companies to switch to EMV technology came from a shift in the liability for credit card fraud. Previously, if a credit card number was fraudulently used, the banks would refund the cost to the merchant. However, after October 1, 2015, the liability for misused credit cards passes to either the credit card companies, if they did not issue EMV cards, or the merchant, if they did not upgrade their card processing equipment to EMV terminals. The liability shift applies only to fraud occurring at the POS when counterfeit or
stolen credit cards are used, and it does not apply when the merchant's network has a data breach. Some medium to small businesses have been slower to switch to EMV cards, as they have weighed the risk of loss from fraudulent credit card use against the cost to them of switching to the new technology. The deadline for ATMs and gas station pumps to switch to EMV processing to avoid liability is October 1,

Transition to EMV Usage

Presently, approximately 70 percent of American credit card holders have EMV cards, while fewer than 37 percent of retailers have adopted the technology, according to surveys by Creditcards.com and the Strawhecker Group. [2] Some major retailers, most notably Walmart and Target, were early converts to EMV technology. Merchants that sell popular, expensive items that are easy to resell, such as electronics and jewelry, are always big targets of credit card fraud and should be the most concerned about complying with the EMV rules.

While many companies have been dragging their feet on updating their credit card processing equipment, others are still waiting for the credit card companies to certify their new card processing equipment. Certification through the bank for each credit card network used by the merchant is required before the EMV processing equipment can be made operational.

[1] lp.verifone.com/media/ /emv_key_dates_chart_ pdf
[2] and preview/tsg%20ereport%20- %20EMV%20Aftermath%20PREVIEW.pdf

Meanwhile, it can be expected that as more businesses in the United States shift to using EMV cards, credit card fraud will migrate to online purchases, often referred to as card-not-present (CNP) purchases, as occurred in the United Kingdom, Canada, Australia, and other countries when they started using EMV cards. This is because the EMV card and its internal chip provide no security advantages for online purchases, where the card number and the security number on the back of the card are all that is required to make a purchase. [3]

Weakness of American EMV Usage

The key weakness in the implementation of EMV technology in the United States is that the regulations encouraging its usage do not require the use of a PIN, as is required elsewhere throughout the world. Instead, most American credit card issuers only require the EMV card to be combined with a signature rather than a PIN, and a signature is relatively easy to counterfeit and is often ignored by clerks at the point of sale. While the retail industry has generally encouraged EMV cards with PINs, often referred to as chip-and-pin technology, the card issuers take the position that an EMV card with a signature used for verification is sufficient to protect the security of the credit card transaction.

The additional cost of incorporating PIN technology into EMV card processing equipment, and concerns about adding the time needed to process a PIN to the already longer processing time of the EMV card, contribute to the resistance of the American credit card industry to chip-and-pin technology. Meanwhile, many merchants rarely compare signatures or require
secondary identification when processing a signature verification credit card transaction, leading to the possibility of greater card fraud with stolen EMV cards. Also, as American companies transition to the EMV card, the credit card companies issue credit cards with both the magnetic stripe and the EMV technology, so that transactions being processed at companies still using the magnetic stripe are just as vulnerable to credit card fraud as they were before the new technology was introduced.

In 2014, President Obama issued an executive order requiring that chip-and-pin technology be used for credit card transactions done by federal executive departments and agencies. [4] The Federal Reserve has indicated that chip-and-pin cards are 700 percent more secure than chip-and-signature cards. [5]

On October 8, 2015, the FBI issued a public service announcement in which it noted that EMV cards with PINs offered increased security over EMV cards that only used signatures for verification. Additionally, the FBI announcement warned that the EMV chip will not likely stop stolen or counterfeit cards from being used for online or telephone purchases, where the card is not physically seen by the merchant and where the EMV chip is not used to transmit transaction data.

Research and consulting company the Aite Group has predicted that online credit card fraud will increase from approximately $3.3 billion in 2015 to $6.6 billion by Additionally, in 2015 nine state attorneys general sent a letter to the banks and credit card networks urging the adoption of the more secure chip-and-pin technology rather than the chip-and-signature technology presently being implemented. [8]

In a speech delivered at a Federal Reserve Bank of Kansas City conference, Federal Reserve Governor Jerome Powell said, "new approaches to authentication increasingly offer greater assurance and protection. Given the current technologies that we have at our disposal, we should assess the continued use of signatures as a means of authenticating card transactions." [9]

ltistateletter.pdf

Vulnerabilities of EMV Technology

No technology is foolproof. Never underestimate the power of a fool or the technological savvy of cybercriminals. Although EMV technology would seem to be perfect, no technology is perfect either in its design or its implementation, and EMV technology has been shown to be vulnerable, although certainly nowhere near as vulnerable as magnetic strip technology.

One of the attacks already used against EMV cards is called a replay attack. In 2014, it was reported that
some American banks had losses from fraudulent credit card use in Brazil using credit card numbers compromised in American company data breaches, including many from the Home Depot data breach of What was most interesting about the fraudulent use of these cards is that they were processed as EMV transactions even though the credit cards used in the fraud were old-style magnetic stripe cards and not EMV cards.

It was hypothesized that criminals in control of POS terminals were able to steal data from legitimate EMV transactions and then use that data to put through sales using the information from stolen magnetic strip cards. The EMV transaction data made it appear that the sale was an EMV transaction by copying the one-time security code created for the previous, legitimate use of the EMV card. This scam takes advantage of the fact that, during the prolonged period of banks adapting to processing the new EMV cards, many banks are not yet effectively checking the security codes used for the transactions and merely note a transaction coming in with a security code without having a protocol for confirming its accuracy.

As noted by Krebs On Security, there are several checks that banks can use to validate the authenticity of chip card transactions. The chip stores encrypted data about the cardholder account as well as a cryptogram that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal counter mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or another fraud to the bank that issued the card. Thus, what appears to have happened in these instances of Brazilian card fraud was that the banks had not adopted the protocols necessary to confirm that
the security codes or cryptograms being reported were valid. [10]

Meanwhile, enterprising cybercriminals have developed software programs to enable other, less computer-knowledgeable criminals to perform this scam. This software is sold on the Dark Web, where criminals converse as well as buy and sell such malware. In this case, the malware is sold along with a list of American financial institutions that have not yet fully implemented proper protocols for validating EMV transactions. According to Gartner, Inc. fraud analyst Avivah Litan, "the reason I think they bother to fake EMV transactions is that they know the EMV card issuing banks relax their fraud controls on them and don't have it implemented properly, and therefore they do not properly check the dynamic EMV data." [11]

Researchers from France's Ecole Normale Superieure and the Centre Microelectronique de Provence have described a technique used in 2011 by which criminals stole EMV cards and managed to take the chip from the stolen card and attach it to a counterfeit card containing a counterfeit chip that would be used to accept any PIN entry. The stolen chip enables the transaction to appear legitimate to the processing equipment while the second card provides a usable PIN. [12]

[10] krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-cardcharges/
[11] krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-cardcharges/
[12] eprint.iacr.org/2015/963.pdf

According to other researchers at the Computer University of Cambridge:

Again and again, customers have complained of fraud and been told by the banks that as EMV is secure, they must be mistaken or lying when they dispute card transactions. Again and again, the banks have turned out to be wrong. One vulnerability after another has been discovered and exploited by criminals and it has mostly been left to independent security researchers to find out what's happening and publicize it.

In this paper, we report the shocking fact that many ATMs and point-of-sale terminals have seriously defective random number generators. These are often just counters, and in fact the EMV specification encourages this by requiring only that four successive values of a terminal's unpredictable number have to be different for it to pass testing. The result is that a crook with transient access to a payment card (such as the programmer of a terminal in a Mafia-owned shop) can harvest authentication codes which enable a clone of the card to be used in ATMs and elsewhere.

We now also disclose that the pre-play attack is not limited to terminals with defective random number generators. Because of the lack of end-to-end transaction authentication, it is possible to modify a transaction made with a precomputed authentication code en route from the terminal to the acquiring bank to edit the unpredictable number to the value that was used in the precomputation. This means that as well as inserting a man-in-the-middle device between the payment card and the terminal, an attacker could insert one between the
terminal and the acquirer. It also means that malware in the terminal can attack the EMV protocol even if the protocol itself is implemented in a tamper-resistant module that the malware cannot penetrate. [13]

Improvements to EMV Technology

Although an immediate change to the use of a PIN for authentication would be a distinct improvement over the present American signature verification, the use of biometrics, such as fingerprints for authentication, is something that is already well established and should be considered for incorporation into EMV cards for increased security over PINs. Additionally, the EMV protocol itself should be redesigned to prevent man-in-the-middle attacks as described earlier.

EMVcardswiththepre-playattack.pdf
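
As an added illustration (not taken from the paper or from any bank's systems), the following sketch shows the issuer-side checks that the replay passage above says some banks were skipping, namely validating the cryptogram and the transaction counter, together with a test for the counter-like unpredictable numbers the Cambridge researchers describe. The truncated HMAC used as the cryptogram, the 20-step counter tolerance, and every name and sample value are assumptions made for the example; it is not the EMV algorithm.

```python
import hashlib
import hmac

MAX_ATC_GAP = 20  # assumed issuer policy: larger jumps go to manual review

def make_cryptogram(card_key, atc, amount_cents, un):
    """Stand-in for the chip's cryptogram: truncated HMAC-SHA256, not the EMV algorithm."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + un
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class IssuerValidator:
    """Checks the dynamic chip data on each authorization instead of just noting it."""

    def __init__(self, card_keys):
        self.card_keys = card_keys  # PAN -> per-card secret shared with the chip
        self.last_atc = {}          # PAN -> highest transaction counter accepted

    def check(self, pan, atc, amount_cents, un, cryptogram):
        key = self.card_keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = make_cryptogram(key, atc, amount_cents, un)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"  # data altered or code copied
        last = self.last_atc.get(pan, 0)
        if atc <= last:
            return "DECLINE: counter reused"       # same one-time code seen before
        self.last_atc[pan] = atc
        if atc - last > MAX_ATC_GAP:
            return "REVIEW: counter skipped ahead"
        return "APPROVE"

def un_looks_like_counter(uns):
    """Flag a terminal whose 4-byte unpredictable numbers advance by a fixed step."""
    vals = [int.from_bytes(u, "big") for u in uns]
    steps = {(b - a) % 2**32 for a, b in zip(vals, vals[1:])}
    return len(vals) >= 4 and len(steps) == 1

if __name__ == "__main__":
    # Constructed sample data: the PAN, key and transaction values are made up.
    issuer = IssuerValidator({"4000000000000002": b"demo-card-key"})
    un = bytes.fromhex("a1b2c3d4")
    code = make_cryptogram(b"demo-card-key", 7, 2599, un)
    print(issuer.check("4000000000000002", 7, 2599, un, code))   # genuine sale
    print(issuer.check("4000000000000002", 7, 2599, un, code))   # same data replayed
    print(issuer.check("4000000000000002", 8, 99900, un, code))  # code copied onto a new sale
```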