Is EMV an Expensive Security Misstep for the Payments Industry?

Dec 8, 2014 10:04:28 AM

There is no disagreement that the current mag-stripe technology used in the USA and other countries outside of the EU is antiquated and lends itself to fraud. The data is easily copied using various methods from manual card data copying and shoulder surfing, to database compromise and POS terminal malware.  Cards can be reproduced with off-the-shelf plastic blanks and a simple machine you can buy on the Internet.

Card fraud worldwide is on track to grow by approximately 19% over 2013. In one recent article, the author noted that the US accounted for 51% of credit card fraud by dollars lost, reaching about $7.1B in 2014, with other estimates reaching as high as $8.6B and growing to $10B in 2015. Magnetic stripe card fraud is an epidemic for several reasons.

  1. Most of the developed world is marching towards being a cashless society, so credit and debit cards are being used more extensively each year.
  2. Card-data breaches have exposed hundreds of millions of cards that can be readily purchased given that you know where to go, which fraudsters do.
  3. Mag stripe cards are easy to replicate, and fraud with them is easy to execute.
  4. Ultimately, there is little risk to the fraudsters for being arrested so long as they exploit card holders across international boundaries (especially between countries without extradition treaties).

With all of this going on, the payment card brands and the issuing banks had to do something, so they came up with the EMV standard, which has been rolled out in the EU and is mandated for rollout in the US by October 2015. EMV stands for Europay, MasterCard, and Visa, and it has successfully reduced fraud in the EU, so it obviously has merits. EMV cards replace the magnetic stripe with a microchip, like those used in smartcards, that has hardware and cryptographic defenses to protect it from alteration. The chip makes the cards significantly harder (though not impossible) and more costly to replicate. To aid in user validation, the chip uses a PIN that replaces the security (CCV/CVV) code printed on the back of most magnetic stripe cards (American Express has the code on the front). The transition cost for retailers is estimated at about $8.6B.

Despite all the safeguards in place, EMV cards are not 100% secure (but then again, what is?). There is still fraud against individuals using those cards. This can happen in several ways.

  1. Theft of Card & Extortion of PIN, Shoulder Surfing – Same as theft of a debit card. It is rare, and has a small overall market impact, but had to be mentioned.
  2. ATM Skimming – More significant, but still a small portion of overall market impact.
  3. Credit Card Database Compromise – This happens if the PIN is held with the card data, which is against best practices that are similar to current magnetic card regulations.
  4. Point of Sale (POS) – This is when terminal malware captures data in memory or in transit to the card authorizer. This is the same as theft of a debit card, which I will explain further below.
  5. Any Card-Not-Present Transaction – This is the same as theft of a debit card, which I will explain further below.

Let’s get into some details. As I mentioned before, card duplication is very difficult due to the microchip. Using captured data to create a card to use at a register is also thwarted unless the chip can be compromised, because the chip produces a unique transaction number that is recorded at the terminal for each use. Reusing the transaction number in a POS terminal will result in failure. Given that, you may ask, “How can POS malware be successful?” It can be successful because it captures the card account information and, if used, the user’s PIN. With those two pieces of information, a fraudster can use the EMV card in an online card-not-present transaction just like a regular magnetic stripe card. Then, using a drop-off address, a merchandise mule, or a sacrificial middleman to receive the goods, they can collect on the theft. This also explains Item 5 on the list above.

With current estimates, it will cost retailers and the payments industry somewhere around $8.6B, mostly paid by the retailers and then passed on to the consumers, to upgrade the card reading and processing infrastructure in the US to accept the EMV cards. This cost is approximately equal to the card fraud in the US for 2014. Since it does not reduce card fraud to zero there is a 2-4 year return on investment for the retailers. The larger the retailer the more fraud they will likely experience, so their return on investment will come more quickly. However, the proliferation of EMV cards is also expected to shift card fraud more heavily to online transactions. This negates the benefits of the chip and PIN architecture because there is no card present.

It took a page to make the wind-up and the pitch, but there you have it. EMV does reduce at-the-store fraud, but it cannot reduce online transaction fraud. “But what will??” you ask. I thought that you might, so I have a suggestion.

If the cards moved to a one-time password (OTP) instead of, or to use with, a fixed PIN, the problems that we currently face are solved. The problem with both EMV and magnetic stripe transactions is the static user input of the CVV or PIN. They are required for card-not-present transactions, but because PINs and CVV codes don’t change, once a fraudster has captured them it’s game over for that card. This was somewhat addressed with the chip-generated transaction ID for terminal transactions, but that falls short because the user has no access to it so it does not come into play for an online/card-not-present transaction.

An OTP is a password generated at each use for that single use and verified between the front-end system (card) and a corresponding back-end system (authorizer) by using the same algorithm and a shared secret to generate the same code independently. The shared secret is a seed (starting) value for the algorithm so both systems begin the password generation with the same value, and thus the passwords are synchronized between the card and the authorizer.  In this case, the seed value could be a PIN provided by the card owner at time of card registration. The cool thing is the user PIN is never exposed in any payments system and if the card number is deemed as possibly compromised, it really isn’t an issue because the thief still doesn’t have the next transaction password. If desired, the card owner or the authorizer can change the PIN and restart the algorithm as an additional precaution.

For magnetic stripe cards this system would require a change to add the OTP functionality to the back-end and the update of cards with a microchip and a display. The LCD would output a randomly changing code just like OTP tokens used for remote application and web login.  These types of cards already exist in multiple form factors and are in use in some areas. The POS terminals would only require software upgrades and not hardware because all cards would be treated similarly to a current debit card transaction, which requires a PIN.  Though the card data could still be maintained in the stripe, the addition of a variable user input that is synchronized with the back end authorizing system negates any risk of fraud if the card number is compromised. I have more details on that process later in the post.

For EMV cards, the OTP could be a display of a portion of the transaction ID that the chip generates. The card would need a small LCD on it to show the least significant 4+ digits; the user could then input those numbers and their PIN into the POS terminal. The back-end authorizer would validate that input against the transaction ID it generated and the known PIN, like a current debit transaction, using a similar algorithm and seed value. The seed value for starting the OTP generation could initially be a unique embedded chip ID or it could be a user-defined value.

With these additional controls in place, the card cannot be used in a fraudulent card copy from data theft in any manner. It is also not susceptible to card-not-present transactions because possession of the card for the random password is required. Even stealthy, in-person card theft is stopped because the validation mechanism requires the card owner's secret PIN. The only attack that will work is physical theft with extortion for the PIN. If that happens, the card owner has larger problems at that moment and (s)he can report the card stolen as soon as (s)he is out of danger. This seems like a significantly better option for reducing payment card fraud and avoiding the unintended consequence of shifting more fraud from in-store to online.

Ultimately, this sort of system would cost less for retailers still on magnetic stripe cards because they wouldn’t have to rip and replace all of their POS terminal hardware. Because it’s pretty clear that that ship has already sailed and EMV terminals will be deployed, the card industry should seriously look at these OTP suggestions as an EMV 2.0. The one piece of hardware that service organizations like restaurants would have to invest in is wireless POS terminals: the transaction would need to take place at the consumer’s table because the card owner would need to be present for it.

The last general hurdle is the conversation about the card form factor being more expensive and the card issuers not wanting to take on that expense. There is probably not a significant difference in cost increase between an EMV card and an OTP card, and even if there were, at the scale they would be produced the replacement cost would be so low that the cost savings in reduced fraud would more than cover it. I for one would be willing to pay the $1-$3 it might cost to replace the card if I broke it to have the higher/highest level of assurance that my credit accounts were not going to be compromised. The card issuers should be more than happy to pay the cost of replacement every three to five years when the battery dies or for normal wear and tear if the system stops issued-card

 


Written by David Monahan

David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse audit and compliance and risk and privacy experience such as providing strategic and tactical leadership to develop, architect, and deploy assurance controls; delivering process and policy documentation and training; and working on educational and technical solutions.
