Americans have spent much of 2016 lamenting the addition of chips into their credit and debit cards. In exchange for the extra few moments consumers spend checking out, however, they are promised enhanced security to protect their accounts.
But a new discovery unveiled Wednesday by professional hackers at the Black Hat USA summit in Las Vegas called into question the supposed ironclad security of the new chips, which are referred to as EMV technology.
Retailers and banks began replacing regular magnetic stripe card readers with EMV last October after credit card companies like Visa and Mastercard threatened to hold them responsible for false charges made on cards during magnetic stripe transactions. The mandate came amid high-profile breaches of retailers like Home Depot and Target.
In spite of industry assurances that EMV guarantees more security, computer security experts at the payment technology company NCR unveiled a basic, albeit glaring, security flaw.
According to CNNMoney, which first reported the discovery, when a consumer swipes the magnetic stripe of a card with a chip in it, the magnetic reader is programmed to alert the payment machine. The machine then prompts the consumer to insert their card into the chip reader instead. But according to NCR, hackers can rewrite the code of the magnetic stripe so the card appears to be chipless.
As CNNMoney noted, “This allows them to keep counterfeiting — just like they did before the nationwide switch to chip cards.”
The reason for this security hole, according to the experts, is that retailers are not encrypting their transactions. “There’s a common misperception EMV solves everything. It doesn’t,” said Patrick Watson, one of NCR’s researchers.
Indeed, retailers grumbled at the roughly $25 billion they were forced to spend upgrading their machines to comply with Visa and Mastercard’s demands for chip readers. In fact, according to MarketWatch, in March retailers in California filed a federal lawsuit claiming the banking industry was attempting to shift the costs of identity theft onto retailers. Identity theft is a pervasive problem in America, where in 2016, as much as $15 billion has already been stolen from consumers, according to the Insurance Information Institute.
Part of the problem with the new EMV readers is that retailers aren’t encrypting transactions conducted on their new machines. But much of the blame belongs to the companies that make the EMV readers.
The two main manufacturers, Ingenico and Verifone, said their products come with point-to-point encryption options but noted retailers must turn them on.
But as CNNMoney pointed out:
“[P]ayment terminal makers keep producing machines that don’t have the encryption by default. And vendors who sell and install these machines at shops don’t simply flip the switch and turn on encryption. Retailers have to pay extra for basic security.”
Currently, retailers focus their attention on protecting their computer systems. “But that leaves the actual conversation between your credit card and the machine in plain text, readable to any hacker who breaks into the system,” CNNMoney explained.
Randy Vanderhoof, director of the U.S. Payments Forum, admitted, “If the data on the magnetic stripe is altered it might fool the terminal.” But he added that the system would “reject the transaction” on the backend.
Vanderhoof’s reassurances are questionable considering the new finding is only the latest to question the efficacy of chip technology. Security experts have continually poked holes in it, and even the European version of the technology, referred to as Chip-n-Pin and regarded as superior to its American counterpart, has deeply rooted flaws.
In March, prior to the NCR researchers’ discovery of the latest security shortcoming, “two small Florida stores filed a lawsuit seeking class action status, saying their bill for fraudulent transactions has increased perhaps 20-fold since the October deadline and the EMV delay — playing out in smaller stores across the country — is costing them big money,” MarketWatch reported.
In fact, as of March, the majority of retailers who had purchased the new card readers had yet to actually employ the technology, opting to stay with the magnetic stripe reader instead. Though five million EMV readers had been purchased, only one million were in use.
As credit card security efforts continue to fall short, CNNMoney reported the experts from NCR “advised shops to ‘encrypt everything’ in a transaction. They also said consumers should pay with special apps on their phones and watches whenever the high tech option is available.”