In the wake of the recent payment-system attacks on the US retailers Target, Neiman Marcus and Michaels, awareness of card fraud in the US, and of how its security measures compare to those in the rest of the world, is at an all-time high. Unlike the US, countries around the world started introducing chip-based bank cards built on the EMV standards over ten years ago to fight card cloning, and chip and PIN has long been the de facto payment method in Europe.
Firstly, let’s start with the card. Magnetic stripe card fraud is not new, because it is relatively easy. The data on a magnetic stripe card can be skimmed by a reader and then copied onto a blank card in a matter of minutes. The copies can then be used to make purchases in retail stores, in ATMs (see the 2013 $45 Million Heist), or with Internet retailers.
Non-US markets migrated away from swipe-and-sign some years ago, the driving factor being rising fraud. In each country the effort was driven by an association of banks, so it was relatively easy to coordinate. The more complex set of players in the US financial market has made the business case for a switchover harder to establish until now.
The difference between a chip card transaction and a magnetic stripe transaction is how the ‘secret’ information is stored and shared. A magnetic stripe card has no way of keeping its ‘secret’, so cloning is always possible. With a chip card, the ‘secret’, in the case of a PIN (Personal Identification Number), can be stored on the card itself and not only in the back-end database. When entering a PIN, the user therefore confirms both that the card belongs to them and that the card is real, not copied or counterfeit. However, securing the front door with a chip while leaving the back door open, in this case by keeping the magnetic stripe, still leaves room for card skimming in combination with card-not-present transactions.
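As an added illustration (not from the original post, and not NXP’s or EMV’s actual protocol), the following Python script models that difference in miniature: a stripe offers only static data, which the issuer can do no more than check for existence, while a chip holds a per-card key and answers each fresh terminal challenge with a keyed cryptogram, so a recorded exchange cannot be replayed and a copy that lacks the key cannot answer a new challenge. The cryptogram format, the `Issuer` class, the `ChipCard`/`MagstripeCard` classes and the key values are the example’s own simplifications.

```python
import hashlib
import hmac
import secrets

# Constructed test values (not real card data). The per-card key exists in
# exactly two places, inside the chip and at the issuer, and is never written
# to the magnetic stripe.
PAN = "4111111111111111"
CARD_KEY = hashlib.sha256(b"constructed demo card key").digest()
ISSUER_KEYS = {PAN: CARD_KEY}


class MagstripeCard:
    """A stripe holds only static data, so reading it yields a perfect copy."""

    def __init__(self, pan: str) -> None:
        self.pan = pan

    def read_track(self) -> str:
        return self.pan


class ChipCard:
    """The chip keeps the key and only ever answers with a cryptogram."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key  # not readable through the card interface

    def generate_cryptogram(self, nonce: bytes, amount_cents: int) -> bytes:
        msg = self.pan.encode() + nonce + amount_cents.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Back end that authorises transactions and remembers used challenges."""

    def __init__(self) -> None:
        self._seen = set()

    def authorise_stripe(self, track: str) -> bool:
        # Nothing on a stripe proves the plastic is genuine: the issuer can
        # only check that the PAN exists.
        return track in ISSUER_KEYS

    def authorise_chip(self, pan: str, nonce: bytes, amount_cents: int, cryptogram: bytes) -> bool:
        key = ISSUER_KEYS.get(pan)
        if key is None or (pan, nonce) in self._seen:
            return False  # unknown card, or a replayed exchange
        msg = pan.encode() + nonce + amount_cents.to_bytes(8, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong or missing key: this is not the real chip
        self._seen.add((pan, nonce))
        return True


def demo() -> dict:
    issuer = Issuer()
    amount = 1999  # $19.99 in cents

    # Stripe world: a copy of the static data is as good as the original.
    copied_track = MagstripeCard(PAN).read_track()
    clone_accepted = issuer.authorise_stripe(MagstripeCard(copied_track).read_track())

    # Chip world: the terminal challenges the card with a fresh unpredictable
    # number and the chip answers with a keyed cryptogram over it.
    genuine = ChipCard(PAN, CARD_KEY)
    nonce = secrets.token_bytes(4)
    cryptogram = genuine.generate_cryptogram(nonce, amount)
    genuine_accepted = issuer.authorise_chip(PAN, nonce, amount, cryptogram)

    # Recording that exchange does not help: replaying it is rejected...
    replay_accepted = issuer.authorise_chip(PAN, nonce, amount, cryptogram)

    # ...and a counterfeit chip that knows the PAN but not the key cannot
    # answer a new challenge.
    counterfeit = ChipCard(PAN, hashlib.sha256(b"wrong key").digest())
    nonce2 = secrets.token_bytes(4)
    counterfeit_accepted = issuer.authorise_chip(
        PAN, nonce2, amount, counterfeit.generate_cryptogram(nonce2, amount)
    )

    return {
        "stripe_clone_accepted": clone_accepted,
        "genuine_chip_accepted": genuine_accepted,
        "replay_accepted": replay_accepted,
        "counterfeit_chip_accepted": counterfeit_accepted,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the script makes is the one in the paragraph above: what the terminal sees from a chip (a cryptogram tied to a one-time challenge) is useless to copy, whereas what it sees from a stripe is the whole secret. The post’s closing caveat also applies here: as long as the same card still carries a stripe, the stripe path remains the weak one.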
In the Target case, the readers were attacked using malicious software that was uploaded into the system rather than into an individual store. The malware copied credit-card numbers from the point-of-sale machines’ RAM in the instant after a card is swiped and before the numbers are encrypted.
One way to combat this is an embedded secure element integrated into the point-of-sale (POS) equipment. An embedded secure element can encrypt the critical account information directly, before passing the encrypted data on to the POS host processor and finally to the back-end system. Such an implementation is highly efficient and prevents malware attacks on host POS systems, providing an additional effective preventative measure. Even the weaknesses in POS terminals and ATMs found by the University of Cambridge study in the UK in 2012 can be addressed with such approaches.
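To make the difference between the two reader designs concrete, here is an added example in Python (not NXP’s code, and not anything from the Target investigation). It models a POS host’s memory buffer under a legacy plaintext reader and under a secure-element reader, then runs over both buffers the kind of PAN scan a defender would use on a memory image or crash dump. The secure element’s hardware cipher is replaced by a constructed HMAC-SHA256 keystream so the script runs on the standard library alone; `PosHost`, `SecureElementReader`, `PlaintextReader`, `find_pans` and the key and track values are the example’s own.

```python
import hashlib
import hmac
import re

# Constructed shared key. In real equipment it is injected into the secure
# element and the back-end HSM; the host processor never holds it.
SE_KEY = hashlib.sha256(b"constructed demo key for secure element and back end").digest()
NONCE_LEN = 8
TAG_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the secure element's hardware cipher: an HMAC-SHA256
    counter-mode keystream XORed over the data. Same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_pans(buffer: bytes) -> list:
    """What a scan of host memory can pull out: digit runs of PAN length that
    pass Luhn. A scraper and a defender's forensic sweep look for the same thing."""
    return [m.group().decode() for m in PAN_RE.finditer(buffer) if luhn_ok(m.group().decode())]


class PlaintextReader:
    """Legacy design: the read head hands the host raw track data; the host
    encrypts later, so plaintext sits in host RAM first."""

    def read(self, track: str) -> bytes:
        return track.encode()


class SecureElementReader:
    """Secure-element design: key and plaintext never leave the element."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._counter = 0  # per-transaction nonce source

    def read(self, track: str) -> bytes:
        self._counter += 1
        nonce = self._counter.to_bytes(NONCE_LEN, "big")
        ciphertext = keystream_xor(self._key, nonce, track.encode())
        tag = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ciphertext + tag


class PosHost:
    """Models host RAM: whatever the reader returns lands in this buffer."""

    def __init__(self, reader) -> None:
        self.reader = reader
        self.memory = bytearray()

    def swipe(self, track: str) -> bytes:
        payload = self.reader.read(track)
        self.memory += payload + b"\n"  # one record per transaction
        return payload


def backend_open(key: bytes, payload: bytes) -> str:
    """Back end (the other key holder) checks the tag, then decrypts."""
    nonce, ciphertext, tag = payload[:NONCE_LEN], payload[NONCE_LEN:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("payload modified in transit")
    return keystream_xor(key, nonce, ciphertext).decode()


# Constructed track data: two Luhn-valid test numbers and one 16-digit run
# that is not a PAN, to show the scan filtering false positives.
TRACKS = ["4111111111111111", "5500000000000004", "1234567812345678"]


def demo() -> dict:
    legacy = PosHost(PlaintextReader())
    for t in TRACKS:
        legacy.swipe(t)

    hardened = PosHost(SecureElementReader(SE_KEY))
    payloads = [hardened.swipe(t) for t in TRACKS]

    return {
        "legacy_host_memory_pans": find_pans(bytes(legacy.memory)),
        "hardened_host_memory_pans": find_pans(bytes(hardened.memory)),
        "backend_recovers": [backend_open(SE_KEY, p) for p in payloads],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things are worth noticing in the output. With the legacy reader the host buffer yields the two real card numbers, which is exactly the window the RAM-scraping malware described above exploits; with the secure-element reader the same scan finds nothing, yet the back end, which shares the key, still recovers every track. The same `find_pans` routine is also a practical check for a deployment: run it over a memory dump or log file from a terminal and anything it returns is card data that should not have been there in the clear.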
At NXP we understand how information is communicated, and we provide security on both the reader side and the chip side, whether the chip sits in a card or in a mobile phone. The results are already noticeable in China, where smartphones are already being used for secure public transport payments, and in Korea, where pre-loaded amounts of money are used for payments in convenience stores, providing an extra layer of security.
End-to-end encryption is the only way to approach security. Improper storage of customer data and failure to encrypt customer account data at the back-end can lead to disaster. This was the case with the Sony PlayStation hack in 2011, where improperly stored data allowed the personal information of millions of users to be lifted in an instant.
Securing access to back-end applications requires a combination of hardware and software solutions. Most networks have put in place software to detect fraud by recognizing unusual patterns. While these are important measures, they sometimes provide a false sense of security, as patterns may only be discovered months later, after data has already been compromised. By combining them with hardware measures, further steps can be taken to protect access to the network and, subsequently, to its databases. Storing the data in encrypted or encoded form also creates another hurdle to collecting and using it.
Security is not only about secure protocols but also about secure implementations, which is where security certifications like EMV play a crucial role. What is clear is that focusing on only one aspect of security is not the solution; the solution is building strategic defenses at all levels.
Individuals also need to have a stake, by at least controlling their card data. In all of the cases mentioned, the number of individuals whose data was exposed runs into the tens of millions: 70 million at Sony and 110 million at Target.
In September of last year, we announced that NXP has now shipped over two billion SmartMX secure microcontroller chips to the chip-enabled payment and government identity markets, demonstrating the trust institutions and governments globally place in NXP to provide convenient and secure interactions.
NXP is now securing transactions on over one third of all chip-based payment cards in circulation, making it by far the largest provider of EMV-based chip solutions. Our SmartMX products are also the core component in a wide variety of digital identity schemes and are deployed in close to 100 countries implementing government electronic ID programs. Used in many sovereign electronic documents such as ePassports, citizen cards, national ID cards, driving licenses, social security cards and health cards, SmartMX-based solutions protect citizens from identity theft and reduce fraud via the products’ world-class security features.
Stay tuned as next we’ll take a technical deep-dive into how EMV technology will reduce fraud in the US payment system.