Smart-chip cards safer, but hardly foolproof


About this series

We live in a consumer society, conducting dozens of transactions each week, if not each day. Five years from now, thanks to smartphones, the way those transactions happen may be radically different. Starting yesterday and running through Wednesday, Atlanta Journal-Constitution cyber-security reporter Sean Sposito decodes the dizzying array of emerging technologies and the hidden workings of the banking system to show you what that future may look like. Think: merchant-controlled payment networks, credit and debit cards with computer chips embedded, verification via tokenization, even crypto-currencies. Buckle up, it’s going to be quite a ride.

Target may have lost our data, but it gave us some new vocabulary words: “EMV card,” or, perhaps, “smart-chip card.”

In urgent conversations around dinner tables and in the halls of Congress, two points have gained almost universal acceptance:

No. 1: Collectively, merchants, banks and the payment networks must do more to safeguard our identities.

No. 2: Chip-embedded cards, widely used nearly everywhere outside the U.S., are the quickest way to do that.

But wait, there’s a crucial No. 3: EMV is only a partial answer, designed to protect banks much more than us consumers.

“What EMV does is it authenticates the card,” said Philip Andreae, who helped create the standard in the early ’90s while working in Europe. Andreae now is a director of marketing for French card-maker Oberthur, which sells the technology to American banks and credit unions. He lives in Atlanta.

In short, he said, it tells the merchant, the payment network and the issuing bank that “the rightful person is holding the card.”

That’s good for all concerned. If someone is standing at the checkout counter using your card, you would certainly rather that it be you.

But you’re not the one who’s going to actually take the loss if it’s some crook who’s stolen your card or counterfeited it. Today, the merchant and the bank are the losers. And although fraud is at historic lows (only 6 cents of every $100 spent, about half what it was 20 years ago) the losses still come to more than $11 billion a year worldwide.

Chip cards make it harder, if not impossible, for criminals to create bogus cards by placing your personal information, which they’ve stolen, on a piece of plastic. So EMV definitely cuts down on fraud that takes place at brick-and-mortar stores.

That’s great, but …

It does nothing to actually protect your personal information. Even though you might have to enter a four-digit PIN to complete a transaction, that 16-digit code embossed on the front of your card will still pass through merchants’ systems just as it does today.

“Chip cards don’t protect your data any better,” said Rick Dakin, the chief executive, co-founder and chief security strategist of cyber security auditor Coalfire Systems.

Crooks will still be able to exploit merchants that don’t safeguard their payment terminals or that store some of your information in their systems. Once the thieves have got your name, card number and address, they’ll still be able to buy stuff online.

The standard is called EMV for its founders: Europay, MasterCard and Visa.

Eighty countries already are in some stage of moving toward it and away from the “mag stripe” cards Americans use today. Some of them have already seen fraud shift from the counter to the Internet.

A majority of cards in those countries contain both a magnetic stripe and a chip, but in-store terminals are programmed to alert employees that they should be used as chip cards, said David Abouchar, the senior director of corporate development at payments security and compliance company ControlScan. That should foil thieves with counterfeit cards bearing only a stripe.

When chip cards hit the mainstream in the U.S., that will be the case here, as well.

Visa and MasterCard are pushing it hard. They’ve said that all merchants, except gasoline retailers, that do not have the equipment to accept EMV cards by October 2015 will become liable for any fraudulent chip card transactions made on their terminals.

How it works

Bank of America, Wells Fargo and other card issuers already offer EMV to customers who frequently travel overseas.

There are two flavors: chip-and-PIN and chip-and-signature. The biggest change you’ll probably notice is that you’ll plug your card into a slot in the terminal rather than swiping it.

But behind the scenes there’s a world of difference. Unlike mag stripe cards, which transmit your personal identifying information in plain text, EMV cards generate a special, one-time signature that the terminal authenticates.

The beauty is that the signature is different every time, in a precise way that the authenticating computer is primed to expect. A thief could steal that electronic signature, but it would be useless for making future purchases.

You might think of it this way: Your friends recognize you from day to day although some details change, such as your hair or clothes. If you looked absolutely identical every time they saw you, they would find it suspicious.
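The one-time signature described above, sketched as an added example that is not from the article or the EMV specification. It is a simplified model: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `ChipCard` and `Issuer` classes, the per-card counter, the terminal nonce and the issuer-side check are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _message(counter: int, amount_cents: int, nonce: bytes) -> bytes:
    # Everything the signature covers: counter, amount, terminal's random value.
    return counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Simplified chip: the secret key never leaves it, only signatures do."""
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0  # goes up by one on every purchase

    def sign(self, amount_cents: int, nonce: bytes):
        self.counter += 1
        return self.counter, _mac(self._key, _message(self.counter, amount_cents, nonce))

class Issuer:
    """Authenticating side: knows the card key and the last counter it accepted."""
    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0

    def authorize(self, counter, amount_cents, nonce, signature) -> str:
        expected = _mac(self._key, _message(counter, amount_cents, nonce))
        if not hmac.compare_digest(expected, signature):
            return "declined: bad signature"
        if counter <= self.last_counter:
            return "declined: replayed signature"
        self.last_counter = counter
        return "approved"

def demo():
    key = secrets.token_bytes(16)  # constructed sample key, shared at issuance
    card, issuer = ChipCard(key), Issuer(key)
    nonce = secrets.token_bytes(4)
    counter, sig = card.sign(2599, nonce)
    results = [issuer.authorize(counter, 2599, nonce, sig)]      # genuine purchase
    results.append(issuer.authorize(counter, 2599, nonce, sig))  # exact replay
    # Captured signature presented as if it were the card's next purchase.
    results.append(issuer.authorize(counter + 1, 2599, secrets.token_bytes(4), sig))
    counter2, sig2 = card.sign(2599, secrets.token_bytes(4))     # card's real next purchase
    results.append(issuer.authorize(counter2, 2599, secrets.token_bytes(4), sig2)
                   if False else issuer.authorize(counter2, 2599, b"\x00" * 4, sig2))
    return results, sig != sig2

if __name__ == "__main__":
    print(demo())
```

The last call in `demo()` also shows that a genuine signature fails when the terminal's random value does not match the one that was signed.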

In that regard, EMV does represent a big improvement over our current authentication process. Today’s system relies on analytics: comparing what you’re attempting to buy today with what you’ve bought and where you’ve shopped in the past.

The reason the U.S. is so late in switching to EMV, experts say, is that we've got many more banks and credit unions (more than 13,000 of them) and many more merchants. Each of them will have to spend money to convert to the new technology.

EMV cards cost as much as $3 apiece; mag stripe cards cost as little as 25 cents. And the new payment terminals merchants must install to fully convert to EMV can cost them a bundle, especially for big box retailers that have to upgrade both their terminals and their point of sale software.

Beyond EMV

Already, Visa and MasterCard are working together, at the behest of the country’s biggest banks, to shore up EMV’s flaws.

Last month they said they are dedicated to adopting tokenization and point-to-point encryption — the former is especially good at curbing online fraud. With tokenization, your card number is never transmitted at all to the merchant. In its place, the merchant receives a numerical token, a random string of numbers generated by the card issuer or another service provider for that single transaction.

Tokens can also be issued with limits on where and for how long they can be used, according to congressional testimony by Ellen Richey, Visa’s chief legal officer.
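A minimal sketch of the tokenization flow described above, added here as an illustration and not taken from Visa, MasterCard or any card network's code. The `TokenVault` class, its method names, the merchant identifiers and the card number are constructed for the example; the limits it enforces are the ones the article names (single transaction, where, and for how long).

```python
import secrets

class TokenVault:
    """Run by the issuer or token service; merchants only ever see tokens."""
    def __init__(self):
        self._records = {}

    def issue(self, card_number: str, merchant_id: str, ttl_seconds: int, now: float) -> str:
        # Random digits, so the token reveals nothing about the card number.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        while token in self._records:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._records[token] = {
            "card": card_number,
            "merchant": merchant_id,      # where the token may be used
            "expires": now + ttl_seconds, # how long it may be used
            "used": False,                # single transaction only
        }
        return token

    def redeem(self, token: str, merchant_id: str, now: float):
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        if rec["used"]:
            return None, "token already used"
        if rec["merchant"] != merchant_id:
            return None, "wrong merchant"
        if now > rec["expires"]:
            return None, "token expired"
        rec["used"] = True
        return rec["card"], "ok"

def demo_tokens():
    card = "4111111111111111"  # constructed sample number, not a real account
    vault = TokenVault()
    token = vault.issue(card, "store-A", ttl_seconds=300, now=1000)
    outcomes = {
        "stolen, tried elsewhere": vault.redeem(token, "store-B", now=1010),
        "intended purchase": vault.redeem(token, "store-A", now=1010),
        "second use": vault.redeem(token, "store-A", now=1020),
    }
    late = vault.issue(card, "store-A", ttl_seconds=300, now=1000)
    outcomes["after expiry"] = vault.redeem(late, "store-A", now=1301)
    return token, outcomes

if __name__ == "__main__":
    print(demo_tokens())
```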

“It’s not about just the economics of preventing fraud … it’s about protecting the security of people’s information by devaluing it so that criminals will no longer be able to use it,” she told The Atlanta Journal-Constitution.

Another way to solve for fraud is encryption, which can scramble your 16-digit card number at the point of sale using a mathematical code.

“We can do that. The technology is within our reach to do that,” Richey said, referring to tokenization, encryption and EMV.

For Jordan Kummer, a 24-year-old student studying TV production at SCAD Atlanta, all this new technology doesn’t amount to much.

He’s been the victim of five separate card breaches. (Somehow, though, he was unscathed by the recent snafus at Target and Neiman Marcus.)

Kummer only keeps a bank card. Each time it’s compromised, he just visits his bank in Midtown and waits for about a week for a new card.

He’s got it down to a rhythm: Order a new card and sign up for a credit monitoring service.

“It’s a fact of life on the Internet, you give someone your information, and there is a chance that it’s going to be breached,” Kummer says.

“Anyone who says otherwise is basically lying.”