High-profile credit card hacks, such as the one at Target last holiday season and more recently at Home Depot, highlight the security failings in the classic one-step, card-present payment systems.
Plus, we all know that the signature on the magnetic swipe cards are pretty pointless. I can’t remember a time when a sales clerk ever looked at my barely legible, laundry-faded scribble in the U.S.
What should be a kind of quasi two-step authentication of card-present and unique signature isn’t two-step authentication at all. It’s just a leaky one-step, card-present system.
The logical answer to the problem is to introduce more secure systems, right? Two-step authentication, via chip-and-pin, makes sense.
Unfortunately, the problem with that, though, is that fraudsters have gotten a handle on that one too, according to a recent BBC report.
What is chip-and-pin
Chip-and-pin EMV, or Europay, MasterCard and Visa, is the de facto standard in Europe. It replaced the magnetic-stripe card there about 10 years ago. That magnetic-stripe technology was developed by IBM way back in 1969, by the way.
A printed circuit in the chip-and-pin card along with the ATM-like pin makes the card more secure than just a stripe because, theoretically, for one thing, only the user knows the second-step pin.
So it should be very difficult to steal from the card, unless of course you can capture the data at the point-of-sale — which is indeed how skimming thefts work.
Skimming fraud is on the horizon
Recently, a BBC reporter named Jonathan Gibson went undercover in the UK to investigate credit card fraud. What he found was startling.
Gibson found that a gang of criminals had loaded their own software onto authentic point-of-sale terminals. That software captured customer data and sent it to the bandits, who then used it to clone cards and raid accounts via ATMs in other countries.
It’s a form of skimming, the capturing of card data using physical readers.
Skimming techniques used in the past have included the unwieldy capturing of card data with a physical device mimicking the actual card slot, and getting the pin with an often-obvious camera.
What’s clever about this new method, discovered by the BBC, is it’s pretty elegant.
How chip-and-pin works
Essentially, unlike in the U.S., the European-issued card remains with the card owner at all times.
In a restaurant, say, the staff will bring a wireless terminal to the table, rather than take the card to a fixed terminal outside of the customer’s vision. The customer enters the ATM-like pin at the table, and the card data, along with the pin, is processed electronically.
The system is theoretically more secure than a simple magnetic swipe because, for one thing, the card never leaves the customer’s paws, and only the customer knows the pin.
In the U.S., generally, a less expensive chip-and-signature card will be implemented soon, rather than the more secure chip-and-pin technology.
Gibson’s discovered fraud
In the chip-and-pin fraud that Gibson discovered, the gang recruits sales assistants and restaurant workers to collude.
The portable, wireless terminal used is identical to the legitimate terminal because it is indeed a legitimate terminal — it just has different software loaded.
It’s so authentic-looking that even a restaurant receipt on the bogus machine can be customized with the restaurant’s name. That air of legitimacy is one way the customer doesn't discover the fraud until he’s long gone from the scene of the crime.
The fraud ring then takes the data and fabricates cloned cards to use in overseas ATM machines.
Gibson, during the sting, found his cash-loaded test cards were emptied in the Philippines.
VeriFone, the maker of the machine that the thieves used in the BBC sting, has denied that its machines are tampered with, according to the BBC.
Gibson says that the particular gang he came across operated its scams in Europe and Canada.
As we await delivery of our chip-and-signature cards here in the states, I’m going to speculate that it won’t be long before you can add the U.S. to that list.
This article is published as part of the IDG Contributor Network. Want to Join?