Email
Password
Remember meForgot password?
    Log in with Twitter

article imageOp-Ed: EMV vulnerabilities for IT professionals

By Jacki Viles     Nov 15, 2014 in Technology
Atlanta - 2015 has a few payment processing milestones that merchants will need to address. If you are an IT project manager working in retail management and haven’t been defining projects for new hardware and software; you are way late my friends.
In an effort to accelerate the adoption of EMV (“chip and pin” or “smart chip”) technology in the US, Visa and MasterCard has instituted a deadline for merchants to be capable of accepting the new smart cards with the EMV chip by October 15th 2015. If a merchant cannot read the new technology at the point of sale and the transaction is fraudulent, there will now be a liability shift where the merchant may be responsible for the fraudulent charges.
The EMV chip is an extra level of security to protect the issuing bank and the customer. Think of it as a very small app on your credit card or mobile wallet that starts up when it is enabled at a point of sale. It has no resemblance to the old fashioned magnetic stripe track data that Americans are used to.
These chips are very smart. Depending on the bank who issues the card it can have plenty of functionality. For example this card will, if coded, be able to authorize transactions and allow offline transactions of a certain amount. Depending on the setup you may or may not be asked for a PIN as an extra level of security. Expect transactions to take a bit longer as your card will be ‘"talking" to the point of sale or pin pad and then authenticating itself to a payment processor.
Over the past 10 years in Europe, financial institutions found that as their smart card technology began to saturate the customer base, there was a tremendous fall off in the amount of "in person" point of sale fraud. However, there was a significant increase in the "cardholder not present" or E Commerce transactions.
I think we can all agree that we don’t need another Target or Home Depot style breach. And this move will clearly help prevent credit card cloning fraud. But I can’t help waiting for the other shoe to drop.
When this technology was created there were no smartphones with the type of technology we rely on today. The amount of personal data that is stored on mobile phones today is as scary as the amount of applications available to steal them. And people today seem to be more distracted than ever.
EMV card readers and software development kits are very easy to get your hands on. You can literally download the contents of a mobile phone, chip data and all. Especially with NFC (Near Field Communication) enabled. Let’s not kid ourselves. The hacker organizations today are a lot better funded than they ever had been. And they have had years of experience with the rest of the global EMV market.
In 2011 there were rumbles in the financial software community about "pre-play" attacks on chip and PIN technology. The premise is that the UN or ‘unpredictable number’ that EMV relies on for the secure transaction identifier isn’t so unpredictable after all! If a hacker can predict the number series it is absolutely possible that a smart card can be cloned. Cambridge University reported that the random number generators that were used at the point of sale level were easily numerated.
As early as August of this year at Black Hat 2014, the digital security conference in Las Vegas, the Cambridge University team presented their findings once again on ‘lazy random number generators’ and various PIN and signature vulnerabilities.
It isn’t too crazy to think that there are more bad guys testing vulnerabilities than there are good guys.
As new smart cards start showing up in customer’s hands next year, I know two things for sure. Customers need to pay more attention to their credit card bills and IT professionals need to be even more diligent about their data.
This opinion article was written by an independent writer. The opinions and views expressed herein are those of the author and are not necessarily intended to reflect those of DigitalJournal.com
More about EMV, Smart chips, Credit card fraud
More news from
Latest News
Top News