Just what we don't need… "anarchy" during the holiday shopping season. But a top payment executive at Walmart claimed that is what could happen due to the timing of regulations forcing merchants to have chip-and-pin credit card payment terminals.
U.S. banks replaced hundreds of millions of credit and debit cards that rely on magnetic strips, which store data, with new cards that contain a small gold EMV microchip. The new cards are considered by many to be much more secure, even though the cards have been hacked through man-in-the-middle attacks. French scientists also discovered how criminals altered stolen credit cards that were supposed to be protected by a security chip and a PIN code the crooks didn't know.
Even the FBI issued a public service announcement warning that "an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction."
October 1 was the deadline for retailers to have purchased chip-and-pin payment terminals. Merchants that failed to meet the deadline will be liable for financial losses due to card fraud. Banks which failed to issue the new cards could be liable as long as a merchant has updated the payment terminal to accept such cards.
During a panel discussion at Money20/20, a conference which is focused on payments and financial services innovation, Walmart payments executive John Drechny expressed his unhappiness with the timing of the credit card industry's transition to chip-enabled credit cards. Black Friday will be here before you know it, but this year shoppers will have the option to pay with older credit cards and newer "chip-and-pin" credit cards. Drechny said, "We're forcing anarchy" on the payments world.
He said Walmart has cut down the time a customer needs to check out with a chip card to one second, compared to 12 seconds a year ago. Yet he doubts smaller chains that just made the Oct. 1 switch-over will be as fast, and that could lead to longer checkout wait times during the holiday shopping season.
Security via biometric authentication
Due to skimmers, online fraud, and even our habit of choosing horribly insecure passwords, many experts believe the key to better security is found in biometrics. Many new products and services unveiled at Money20/20 included different flavors of biometric authentication. Take the voice e-Signature solution as an example; Enacomm and VoiceVault launched voice e-Signatures to enable the "implementation of legally binding transaction authorization applications," meaning your voice replaces the need for your signature. Your voiceprint verifies your identity and can be stored for up to 10 years in case it is needed, such as for court proceedings.
The e-Signature service was lauded as "a key for higher security and fraud protection today," and it might be. However, researchers recently warned how easily voice hackers can steal your voiceprint, use a morpher and then trick authentication systems.
At the Money20/20 session Biometric Identity & Its Applications in Financial Services & Payments, industry experts discussed the ancient spoofing method of gummy bear hacks and methods to prevent attacks via multifactor authentication and tokenization.
"Spoofing is not scalable, but biometric security on mobile devices is." Regarding multifactor authentication, FindBiometrics reported that Daon CEO Connor White said, "A fingerprint is just a piece of a human. It's not the whole human. So if you're worried about the risk, yes, the most important part is that you have to have the phone. And if I have the phone, and I have the fingerprint, and I'm doing the gummy bear correctly and, and, and… Then yes. If I'm worried that there is such a risk, then that's a concern. Authenticate a human. Add in the face, ask them to speak a phrase, randomize the phrase so it can't be recorded."
White added, "Biometrics is not about fingerprint, or face or voice or iris or… you know, earlobe. It's about all of that. And you can bring all of that together. Today, on your phone, you have GPS location, you have secure keys, crypto, you have – every smartphone I know of – you have face and voice, and you have fingerprint on most of the next generation phones. In Japan you have iris. So there's a lot more we can do around a human being."
Bob Reany, Group Head & SVP of Identity Solutions at MasterCard, said bad guys use fraud as their business "because they can simply send an email to militarized places and get 700 million passwords and credentials and sell them on the dark web." That's something MasterCard is trying to stop. "And the fact that you can take a gummy bear and make a fingerprint and stick it on an iPhone – and you have to steal his phone, break into his house, ping his location, have the same behavioral analysis that he does, then okay you win. But it really defeats the [purpose]."
MasterCard's new program to allow payments with 'any' smart device
Speaking of MasterCard…
A plethora of new products and services were announced at Money20/20. MasterCard's newest program will "turn any consumer gadget, accessory or wearable into a payment device." It might be "fun" to watch this unfold, considering that about 127 devices are added to the Internet each second and that vulnerabilities in IoT devices arrive in a seemingly endless stream. Yet this new program "will bring MasterCard payments to a wide array of consumer products across the automotive, fashion, technology, wearables, and yet to be imagined categories."