Chip-and-PIN is often touted as the solution to the vulnerabilities of swiping magnetic stripes at the point of sale. Though the system is already common outside of North America, its roll-out in the United States has been rocky, and many doubt that EMV will eradicate fraud. The system also has vulnerabilities of its own.
Problems at POS
Of course, encryption and tokenization as part of a layered security strategy might protect merchants from losing sensitive customer data from their own databases, but that doesn't stop POS fraud. In fact, the U.S. implementation of EMV cards is less secure than the global standard, since many issuers have opted to use chip-and-signature verification instead of chip-and-PIN, WIRED reported.
Chip-and-signature's two-factor authentication method isn't as secure as using a PIN. Unfortunately, many merchants fail to verify signatures, so chip-and-sig might as well be just chip. It seems as if banks implementing chip-and-signature do so more to reduce the consumer irritation of learning a new system.
Or, as WIRED noted in an interview with Gartner Research Analyst Avivah Litan, issuing banks using chip-and-PIN can be liable for fraud at their ATMs if both the card and PIN are stolen. Chip-and-signature cards can't be used at an ATM, but can be used at merchants.
"Because if the PIN [and card are] stolen, then that PIN [and card] can be used at the ATM machine, where banks are responsible for the fraud," Litan explained in an interview with the source. "They're more interested in protecting themselves than they are in helping the retailers out."
Regardless of the reason for using signatures instead of PIN, the chip only makes "cloning" a card more difficult, and chip-and-PIN systems can only prevent card-present fraud.
Scammers will always resort to the path of least resistance. Once cloning a card becomes sufficiently difficult, thieves will start looking to the next security hole. So, they have turned increasingly to fraud over e-commerce channels.
EMV is not resistant to card-not-present (CNP) fraud, a practice in which scammers use stolen card data to make transactions online or over the phone. ACI Worldwide reported that CNP fraud attempts have jumped 30 percent worldwide in just the past year. This is likely due to the increased difficulty in counterfeiting smart cards.
Merchants looking to curb CNP fraud can use tools like 3D Secure, which adds an extra authentication layer to online transactions. The 3D Secure model, so named because it authenticates a purchase over three domains, routes users going through the checkout process to a secure page owned by the issuer, where they input a separate password.
After the issuer validates the transaction with the merchant, the purchase goes through. This way, merchants can ensure that purchases are legitimate, and don't have to worry about keeping another piece of sensitive customer data on file. Without 3D Secure, it's harder to determine the identity of purchasers and ensure that a transaction is genuine.
Breaking the unbreakable chip
Even accepting the CNP fraud loopholes of EMV cards, security researchers and law enforcement have identified security vulnerabilities within the system. Ars Technica reported on a fraud ring that used stolen chip-and-PIN credit cards to steal €600,000 in Belgium in 2011.
According to the source, an engineer was able to alter the smart card's authentication process with the addition of a second chip that allowed a PIN request to accept any input. This way, the thieves did not need to know the stolen card's PIN. The source said that EMVCo has fixed the holes in the card system that led to the hacks, but it's difficult to know whether a similar counterfeiting attack is still possible.
The attack may have been incredibly sophisticated, as Ars Technica noted, but Cambridge University researchers independently devised a similar method of hacking chip-and-PIN around the same time.
Chips combat card copying
EMV does have some benefits for merchants. Namely, EMV-based cards make the barriers to card counterfeiting so high that most scammers won't attempt it. It's an improvement on magnetic stripe payment technology, which is more than four decades old.
But it is not a cure-all. EMV only protects against certain kinds of malfeasance, so merchants need to stay up to date with the latest security technologies, such as tokenization and 3D Secure, and stay aware of the constantly shifting payment card security landscape in order to best protect their business.