In October 2015, US financial institutions implemented the EMV Liability Shift, which transfers the liability to the merchants in certain cases unless they replace their payment processing systems to chip-enabled cards. The move was a strategy designed to mitigate point-of-sale (PoS) fraud by using EMV Chip-and-PIN cards, which was deemed to be more secure than traditional cards that relied on a magnetic stripe.
EMV, the current global standard for cards, stands for Europay, MasterCard, and Visa, representing the three companies that established the payment technology. For security, EMV cards are equipped with a chip that stores a cryptogram that allows banks to determine if the card or transaction has been modified. It also stores a counter that gets incremented with each transaction. These measures ensure that there are no duplicate or skipped counter values—signs of possible fraudulent activity.
EMV cards are already widely used in Europe, Canada, Mexico, South America, and Asia. According to UK credit card statistics, losses related to card-not-present in fraud dramatically increased in volume. The numbers show that criminals are using stolen credit card data for online purchases as opposed to manufacturing and using counterfeit cards.
On the surface, the move to EMV technology seems to have helped boost the security of card transactions. However, EMV does have its share of security challenges. Prior to its implementation, researchers have suggested that the technology may inadvertently open the door to increased cybercrime. While the data embedded on a chip uses a level of encryption that makes a chip extremely difficult to counterfeit, it is not impossible. This is true even with a card that is physically stolen or manufactured with information swiped from data breaches, as seen in the Target hack.
Previously, it was outlined that because EMV’s payment method stores the data on the chip rather than on a magnetic stripe, it is virtually impossible to duplicate and create fake EMV cards. Despite these features, however, the EMV payment standard still has its weaknesses. The following are some security challenges that EMV faces:
Implementation – the adoption rate for chip-and-PIN was projected to be slow even before it was implemented. Unfortunately, most banks in the US have given out EMV cards to their clients but don’t require PINs during transactions; instead, they still use signatures—as the card industry insists that the power to combat fraud lies in the chip, not the PIN or the signature. PINs add an extra layer of protection only for lost or stolen cards, and are useless for defending against counterfeit-card fraud. In this case, an attacker could steal card data from a retailer’s network then etch it onto counterfeit cards to conduct fraudulent purchases in stores.
Technology vulnerability - in the recent Black Hat 2016 Conference, engineers demonstrated how EMV cards are just as easy to clone as their mag-stripe predecessors. In the live demo, researchers used a simple chip-and-PIN hack to withdraw up to $50,000USD in cash from an ATM in America in just under 15 minutes. The hack only required two processes to execute an attack. First, a small device called Shimmer is added to a PoS machine that allowed a man-in-the-middle (MiTM) attack against an ATM. The device can sit between the victim’s chip and the ATM's card reader, recording the data on the chip, including the PIN, as the ATM reads it. It then transmits the data to the attackers. The attackers only need a smartphone to download the stolen data and recreate the victim’s card in the ATM, commanding it to eject cash continuously.
Online threats – PoS malware popped into the limelight with the Target hack and other similar high-profile attacks. Researchers from the University of Cambridge showed that cybercriminals could cheaply construct special devices that intercept and modify communications between EMV credit cards and PoS terminals, fooling the latter into accepting fake successful PIN verifications. Another attack method observed is the EMV ‘replay’ attack, which victimized a Canadian bank that had incorrectly implemented their EMV transaction handling code and wasn’t checking either the cryptogram of the counter values. Cybercriminals spoofed EMV transaction requests to this bank and got the fraudulent charges approved.
Better Payment Security, But Needs Beefing up
There are still ways to address EMV security issues. Some of these challenges can be addressed by the use of strong encryption in the payment process, and allowing firmware updates that are signed only by the vendor. For consumers, it is recommended that they be wary of any unusual prompts and to avoid re-entering their PIN number. App-based payment systems like Apple Pay and Android Pay are also recommended since they often utilize better security.
Ultimately, no security technology is impervious to compromise. However, the EMV liability shift and the ensuing implementation of more secure card technology is still a significant step towards the improvement of payment technology. However, both merchants and consumers need to be aware of the security gaps in current US EMV technology.
Defending Against Payment Card Fraud
Since most attacks target mostly retail and hospitality industries, it is critical for merchants to take preventive measures. Here are some best practices that companies and their customers can do to protect against payment card fraud:
Secure PoS devices and networks
Comply with Payment Card Industry (PCI) security guidelines
Strengthen anti-malware security
Deploy patches accordingly
Customers must also take some steps to ensure that their accounts are not at risk:
Regularly check bank and credit statements. Reviewing transactions can help you monitor and spot fraudulent transactions.
Make sure all operating systems across all devices are up-to-date
Install security software on devices used for online transactions