Unconventional Wisdom on EMV

Posted on November 24th, 2014 by Dan Rampe

EMV

Two Javelin Analysts Argue EMV Will Not Shift Cybercriminals’ M.O.s From P.O.S. to Online

Everybody knows that when EMV becomes the American standard next October, beaten cybercriminals will drop Point of Sale theft like a hot rock and take to the hills or try their collective hands at online fraud and thievery. P.O.S. crime goes down, online crime goes up. Everybody knows that, right? Wrong.

Two Javelin Strategy & Research analysts, Nick Holland, retail payments practice lead, and Al Pascual, fraud and security practice lead, just don’t buy into the conventional wisdom. In his piece on digitaltransactions.net, John Stewart explains the analysts’ reasons for bucking convention. The following has been excerpted from his piece and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Sticking a pin in the balloon

“The balloon-squeezing mythology [squeeze a balloon at one end and it expands at the other] needed to be revisited with a fresh set of eyes. Does this idea that EMV forces fraud to other areas still hold water? We had our doubts.”

They’re heeere (Think the classic line from Poltergeist)

The “missing” factor, argue[d] Holland and Pascual…is the explosive growth of e-commerce. In other words, rapidly rising volume in this channel has already attracted plenty of fraudsters in recent years, a trend that will only continue with or without EMV in physical stores. “They’re already there,” [said] Holland. “They already leapt online years ago.”

Half of all transaction fraud online

To buttress their point, Holland and Pascual point to current e-commerce fraud statistics. In the United States, online traffic accounts for just 8.5% of all electronic-transaction volume, yet nearly half of all transaction fraud occurs online.

Multitasking

Fraudsters, in their nefarious way, tend to be multitaskers, attacking all forms of payments in all channels opportunistically. EMV has proven itself effective in other countries against counterfeit-card fraud at the point of sale. But to Holland and Pascual, the idea that criminals confine themselves to just that form of fraud, and then move on to card-not-present crime only when frustrated by EMV, is naïve.

e-Commerce fraud soaring

[e-Commerce] fraud in the United States is due to soar, even if the move to EMV will have little to do with it. If volume drives fraud, and if, as predicted by Javelin, online volume grows to more than 10% of all e-payments within three years, then card-not-present fraud can only grow much worse. “Card-not-present fraud is already very big and will get bigger,” warns Holland.

Same-day delivery delivers fraud

Exacerbating this problem, he says, is the nascent trend toward same-day or even faster delivery. While this trend promises greater convenience for consumers, it opens new opportunities for fraudsters with stolen payment credentials, Holland warns.

“Increasingly, you’ve got this situation where you’re shopping locally but accessing inventory globally,” he notes. “[There’re] clearly avenues of fraud there, particularly when you’re getting the goods within hours. Certainly, the time between instigating payment and the delivery of the goods is short and rapidly truncating. The fraud-mitigation response needs to be tailored to that.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.


The EMV Cards That Never Were

Posted on October 29th, 2014 by Dan Rampe

EMV

U.S. Banks Received Tens of Thousands of Dollars Charged on EMV Cards — Despite Not Having Sent Customers Chip-Enabled Cards!

During World War II, British intelligence used a real dead body to create a fictitious Royal Marine Major William Martin. The body was dropped in the sea by a submarine and washed ashore on a Spanish beach where it was hoped it would fall into the hands of German intelligence. Attached to the body was a briefcase containing letters falsely stating that an Allied attack would be launched against Sardinia and Greece rather than Sicily, where the invasion took place.

Operation Mincemeat, the macabre name given to the highly successful ruse which may have saved thousands of Allied lives, was turned into a book and movie titled The Man Who Never Was. Now, Brian Krebs on his blog, KrebsonSecurity.com, relates the story of the EMV cards that never were and the very real fraudulent credit and debit card transactions that could cost financial institutions in the USA and Canada tens of thousands of dollars. The following has been excerpted from Krebs’ blog and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Card data compromised as part of Home Depot breach

[At] least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

[All the charges were] submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards [hadn’t] begun sending customers chip-enabled cards.

Charges difficult to dispute

Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

Replay attacks

According to [one bank Krebs spoke with], MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Bad EMV implementation at Canadian bank

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it.
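The issuer-side checks the Canadian bank skipped, as an added illustration (not code from Krebs’ post or from any bank’s system): a toy authorization host that rejects chip-flagged transactions for PANs that were never issued chip cards, requires and verifies the cryptogram, and tracks each card’s application transaction counter (ATC) so a captured transaction cannot be presented a second time. HMAC-SHA256 stands in for the EMV MAC, and the PANs, key, amounts and merchant names are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed per-card key. A real issuer derives a card-unique key from an
# issuer master key inside an HSM, and the ARQC is a DES/AES MAC defined by the
# EMV specification; HMAC-SHA256 stands in for that MAC here (an assumption).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4111111111111111"            # constructed test PAN, issued as a chip card
STOLEN_PAN = "5555444433332222"     # constructed PAN: mag-stripe only, never chip


def cryptogram(card_key: bytes, txn: dict) -> str:
    """MAC over the fields the card signs. Note what is NOT covered: the
    merchant and acquirer, which is why a counter check is still needed."""
    msg = f"{txn['pan']}|{txn['atc']:04x}|{txn['amount']:012d}|{txn['un']:08x}"
    return hmac.new(card_key, msg.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class IssuerHost:
    chip_keys: dict                                  # PAN -> card key
    last_atc: dict = field(default_factory=dict)     # PAN -> highest ATC seen

    def authorize_unchecked(self, txn: dict) -> str:
        """The misconfigured issuer from the post: anything flagged as a chip
        transaction is approved, cryptogram present or not."""
        return "APPROVED"

    def authorize(self, txn: dict) -> str:
        """Issuer-side checks that defeat the pseudo-chip replay described above."""
        key = self.chip_keys.get(txn["pan"])
        if key is None:
            return "DECLINED: no chip card issued for this PAN"
        if not txn.get("arqc"):
            return "DECLINED: chip transaction without cryptogram"
        if not hmac.compare_digest(txn["arqc"], cryptogram(key, txn)):
            return "DECLINED: cryptogram mismatch"
        # The ATC is a per-card counter; a genuine card never reuses a value,
        # so a captured transaction presented again fails here even though its
        # cryptogram is valid.
        if txn["atc"] <= self.last_atc.get(txn["pan"], -1):
            return "DECLINED: ATC not increasing (replay)"
        self.last_atc[txn["pan"]] = txn["atc"]
        return "APPROVED"


def card_transaction(pan: str, atc: int, amount: int, un: int, merchant: str) -> dict:
    """What a genuine chip card would produce for one purchase."""
    txn = {"pan": pan, "atc": atc, "amount": amount, "un": un, "merchant": merchant}
    txn["arqc"] = cryptogram(CARD_KEY, txn)
    return txn


def run_scenarios() -> dict:
    """Returns {scenario: (strict issuer verdict, unchecked issuer verdict)}."""
    host = IssuerHost(chip_keys={PAN: CARD_KEY})
    genuine = card_transaction(PAN, 0x0042, 2500, 0x1A2B3C4D, "STORE-US")
    # Captured copy of the genuine transaction, merchant/acquirer swapped in
    # transit; the cryptogram still verifies because it never covered them.
    replayed = dict(genuine, merchant="MOBILE-POS-BR")
    # Same capture with the amount doubled: the MAC no longer matches.
    doubled = dict(replayed, amount=5000)
    # Stolen mag-stripe data submitted as if it came from a chip card.
    pseudo_chip = {"pan": STOLEN_PAN, "atc": 1, "amount": 1200, "un": 7,
                   "merchant": "MOBILE-POS-BR", "arqc": "deadbeefdeadbeef"}
    no_arqc = dict(genuine, atc=0x0043, arqc="")
    scenarios = [("genuine", genuine), ("replay", replayed), ("doubled", doubled),
                 ("pseudo_chip", pseudo_chip), ("no_cryptogram", no_arqc)]
    return {name: (host.authorize(t), host.authorize_unchecked(t))
            for name, t in scenarios}


if __name__ == "__main__":
    for name, (strict, loose) in run_scenarios().items():
        print(f"{name:14s} strict={strict:45s} unchecked={loose}")
```

The unchecked host approves all five submissions; the strict host approves only the genuine one, and the replay is caught by the counter rather than by the cryptogram.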

Cybercriminals kept doubling down

[It] appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Important to set up EMV properly

[Litan observes] “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters.”

Chips Ahoy! It’s in the Cards.

Posted on June 19th, 2014 by Dan Rampe

EMV

By the end of 2015, microchips will be embedded in most U.S. credit cards as issuers go full-speed ahead to EMV standard

EMV chips are on the horizon. By the end of 2015, they’ll be in the hands of the majority of Americans. The Aite Group, an independent research and advisory firm that focuses on business, technology and regulatory issues, projects that 70 percent of all U.S. credit cards, and roughly 41 percent of debit cards (1.1 billion total) will be EMV-enabled by the end of 2015.

As reported by Jaikumar Vijayan, who covers data security and privacy issues; security legislation and regulations; online, mobile and wireless security and more for Computerworld, 18 of the top 40 credit and debit card issuers, including 7 of the top 10 banks, are going ahead with EMV implementation plans.

The Aite Group’s research director, Julie Conroy, observes that “A majority of Americans will have EMV cards in their wallets by the end of 2015.”

While replacing striped credit and debit cards with new EMV credit and debit cards on the surface appears straightforward, there’s a lot more to it. In his story on computerworld.com, Vijayan looks at the factors and actors involved in implementing the new technology. The following has been edited to fit our format. You may find the full article by clicking on this link.

Americans will simply sign

[Unlike] many other countries where EMV cardholders are required to enter a Personal Identification Number (PIN) for in-person transactions, just a signature will be required in the U.S.

In fact, 13 of the 18 banks reviewed by Aite plan to issue EMV cards that require only a signature. Just one bank currently plans to issue EMV cards with a PIN requirement, while four have not decided what route to take, Conroy said.

Implementation timeline

Visa and MasterCard currently require U.S. retailers to implement technology for supporting EMV transactions no later than October 2015. However, they do not require card issuers or merchants to require PINs.

After the October 2015 deadline, merchants that do not have EMV infrastructure in place will face greater liability exposure in the event of a data breach.

The price of EMV

The move to EMV is expected to cost U.S. retailers and banks several billion dollars. An estimated 13 million point-of-sale systems around the country have to be upgraded or replaced to support EMV transactions.

Conroy expects that big banks will spend around $1.30 for each EMV card while smaller banks could pay between $3 and $5 per card. Banks and financial companies will also need to replace or upgrade ATM machines to support EMV.

To PIN or not to PIN

Some retail groups have expressed concern over the lack of a PIN requirement. The National Retail Federation, for instance, argues that the true security benefits of EMV technology can only be realized with a PIN. They have noted that while a signature-based EMV card will help address some kinds of fraud, such as that involving cloned cards, it can’t stop crooks using card-not-present tactics in online or phone transactions.

Not everybody’s onboard

The NRF suggests that instead of spending billions on the current U.S. EMV plan, credit card companies require other approaches, such as end-to-end encryption of card data or a PIN requirement for all transactions.

Migration is well underway

“Aite’s projections provide another important data point that the migration from magnetic stripe to chip technology is well underway,” said Ellen Richey, Visa’s chief enterprise risk officer.

“By the end of next year, chip cards should be very real for consumers, and when widely adopted will have a dramatic impact on counterfeit fraud rates,” she said in an email.

You Know the EMV Chip That’s Supposed to Make It Nearly Impossible to Fraudulently Use Credit/Debit Cards — Guess What? There Are Flaws.

Posted on June 11th, 2014 by Dan Rampe

EMV

If you like movies, you likely already heard the classic movie tagline for the sequel to Jaws, “Just when you thought it was safe to go back in the water…” (Incidentally a great tagline for a lousy movie.)

In any case, with a little massaging, the line works for flaws discovered in the EMV chip protocol for credit and debit cards, i.e., “Just when you thought the EMV chip was the solution to most credit and debit card fraud…”

In his piece on darkreading.com, Matthew Schwartz, InformationWeek information security reporter, writes about the flaws that Cambridge University computer security researchers warned about at the IEEE Symposium on Privacy and Security in San Jose, California. The following has been edited to fit our format. You will find the complete article by clicking this link.

[The Cambridge researchers] detailed two major problems with the EuroPay, MasterCard, and Visa (EMV) standard now used to secure more than 1.6 billion cards worldwide.

[The problems came to light after a] British bank, HSBC, refused to refund a series of transactions to a customer [Mr. Gambin] based in Malta…. During related disputed-transaction negotiations, HSBC shared detailed ATM log data with Gambin, which included the date, time, as well as an “unpredictable number” (UN), or “nonce,” generated by the ATM to validate the transactions.

Reviewing the unpredictable number, however, the researchers found that it was, in fact, often predictable. “Some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce [which] exposes them to a ‘pre-play’ attack. [This] is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and…can be carried out even if it is impossible to clone a card physically.”

In some cases, obtaining a legitimate ATM nonce on which to base an attack would also be easy. According to the researchers, for example, the UN is printed on all receipts generated in Italy.
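An added example (not the Cambridge researchers’ test method or any vendor’s code): a terminal-side UN generator drawn from the OS CSPRNG, beside a simple audit that flags the kinds of weak nonces described above (counters, timestamps, values whose bits barely change) in the sequence a terminal logged. The sample log sequences and the heuristics are constructed for illustration.

```python
import secrets


def generate_un() -> int:
    """Terminal side: a 32-bit unpredictable number from the OS CSPRNG, not a
    counter, clock or home-grown generator."""
    return secrets.randbits(32)


def audit_un_sequence(uns: list) -> list:
    """Heuristic checks (assumed here, not the researchers' method) over the
    UNs one terminal emitted in chronological order. Returns the findings;
    an empty list means nothing obviously predictable was spotted."""
    findings = []
    if len(set(uns)) < len(uns):
        findings.append("repeated values")
    diffs = [b - a for a, b in zip(uns, uns[1:])]
    if diffs and len(set(diffs)) == 1:
        findings.append(f"fixed stride {diffs[0]}: counter")
    elif diffs and all(d > 0 for d in diffs):
        findings.append("strictly increasing: counter or timestamp")
    # Bits that hold the same value in every UN carry no entropy at all.
    or_all, and_all = 0, 0xFFFFFFFF
    for u in uns:
        or_all |= u
        and_all &= u
    varying = bin((or_all & ~and_all) & 0xFFFFFFFF).count("1")
    if varying < 16:
        findings.append(f"only {varying} of 32 bits vary")
    return findings


# Constructed log extracts: what three different terminal implementations
# might emit as the UN for eight consecutive transactions.
SAMPLE_LOGS = {
    "counter":   [0x00001000 + i for i in range(8)],
    "timestamp": [1402000000 + s for s in (0, 37, 101, 190, 244, 305, 377, 460)],
    "csprng":    [0x8F3A1C77, 0x2B9E6D01, 0xD4507AE2, 0x6C13B9F5,
                  0xA7E28C4B, 0x1958F3D6, 0xF06B2A19, 0x43C7E58D],
}


def audit_terminal_logs(logs: dict = None) -> dict:
    """Run the audit over each terminal's UN sequence."""
    logs = SAMPLE_LOGS if logs is None else logs
    return {name: audit_un_sequence(seq) for name, seq in logs.items()}


if __name__ == "__main__":
    for name, findings in audit_terminal_logs().items():
        print(f"{name:10s} {findings or 'no predictability findings'}")
    print("fresh UN:", f"{generate_un():08x}")
```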

Digging further, the researchers also spotted a deeper flaw in the protocol that attackers could use to compromise transactions, even when an ATM generated a cryptographically strong random number. That flaw is due to the ability of attackers to intercept the unpredictable number via a man-in-the-middle attack and replace it with a different pre-computed one, which would likely pass muster with the authorizing bank. Such an attack could be executed via malware installed on POS devices, even if those devices include tamper-resistant EMV modules.

To date, some of the random-number-generator flaws spotted by the researchers have now been patched. But the EMV alliance has yet to address the deeper flaw in the protocol itself. [Researchers said,] “The banks appear to have ignored this, perhaps reasoning that it is difficult to scale up an attack that involves access to specific physical cards and also the installation of malware or wiretaps on specific terminals. We disagree. The Target compromise shows that criminals can deploy malware on merchant terminals widely and exploit it to earn serious money.”

The researchers added that they know of at least one “likely case” of a related skimming attack in the wild, and warned that “the spread of ATM and POS malware is making it ever more of a threat.”

[A] liability shift — scheduled to begin in October 2015, although not until October 2017 for gas station terminals — by Visa seeks to drive more EMV uptake. “The liability shift encourages chip transactions because any chip-on-chip transaction — i.e., a chip card read by a chip terminal — provides dynamic authentication data, which helps to better protect all parties,” Visa explained.

According to the new research, however, that dynamic authentication system is vulnerable to spoofing. Any related liability, however, would rest with the consumer, unless he or she can prove that attackers subverted the EMV security system.

In their paper, the researchers expressed frustration at the EMV alliance failing to address the flaws they exposed more than one year after receiving related security disclosures. “We are now publishing the results of our research so that customers whose claims for refund have been wrongly denied have the evidence to pursue them, and so that the crypto, security, and bank regulation communities can learn [related] lessons.” [The researchers have] also called on banking regulators in the United States and abroad to use their muscle to force merchants, banks, and vendors to put related fixes in place.

[The] researchers called on the payment card industry to take responsibility for keeping the EMV system secure. “Again and again, customers have complained of fraud and been told by the banks that as EMV is secure; they must be mistaken or lying when they dispute card transactions. Again and again, the banks have turned out to be wrong.”

California Senate Takes Up Mandating the Use of EMV Chip Cards Beginning April 1, 2016. Electronic Transaction Association Opposes It.

Posted on May 21st, 2014 by Dan Rampe

California Senate

California’s Senate is taking up a bill, SB 135. According to the legislative counsel’s digest (sans some of the legalese), “This bill would require retailers, starting April 1, 2016, except as specified[1] [who] accept a payment card… to provide a means of processing [payment card] transactions involving payment cards equipped with embedded microchips or any other technology that is more secure than microchip technology for card-present fraud prevention.”

[1] No exceptions were specified. We were left scratching our heads trying to figure out what that meant. Didn’t help. Well, it did sort of. We had an itch.

“The bill would also require specified contracts entered into between a financial institution and a payment card network… to include a provision requiring that a new or replacement payment card issued to a cardholder with a California mailing address have an embedded microchip or any other technology that is more secure than microchip technology for …fraud prevention.”

That’s the gist of the bill. If you want the grist, here’s a link.

An email from the Electronic Transactions Association (ETA), the global trade association that represents more than 500 payments and technology companies, calls on Californians to block the bill.

The ETA’s reasoning, according to its email, is that the legislation would “stifle free market innovation. Passing a single state technology standard will open the floodgate to additional state responses and create an expensive, unsafe, and inefficient myriad of technology standards.”

Behind the Plastic Curve. Half of U.S. Retailers to Miss October 2015 Deadline for Upgrading Credit and Debit Card Payment Systems.

Posted on April 21st, 2014 by Dan Rampe

EMV

Credit card networks set an October 2015 deadline for U.S. merchants to upgrade their payment systems to the chip-based smart card standard, EMV. The “E” of EMV stands for Europay and the “M” and “V” stand for MasterCard and Visa, the companies that first backed the technology.

Chips in EMV cards, rather than the magnetic stripes on most US credit and debit cards, make it harder to copy account numbers and security codes. And because EMV cards create a unique code for each transaction, they are more difficult to hack or counterfeit.

Since just about everybody agrees EMV cards are an improvement over the cards used in the United States today, what is the problem with converting to them?

That’s what Olga Kharif and Bianca Vazquez Toness explored in their piece on businessweek.com. (Following is an excerpt from that piece that has been edited to fit our format.)

One reason for the delay is the upgrade’s high cost—$500 to $1,000 per payment terminal, according to researcher Javelin Strategy & Research, a division of Greenwich Associates. Retailers are also concerned that the switch will slow checkout times and that it remains unclear how the EMV software will work with debit cards. “It is not a question of just turning it on,” says Margaret Chabris, a spokeswoman for 7-Eleven. “EMV specifications are still being finalized.”

Still, some big retailers, including Wal-Mart Stores, Kroger and Target, have pushed ahead with the upgrade. Wal-Mart started updating its payment terminals in U.S. stores eight years ago. The company says it has progressed slowly because of a lack of industry support, despite the clear benefits. “We saw the fact that it was being implemented in the U.K. and many other countries around the globe; we saw the fraud decrease once this solution was implemented,” says Mike Cook, assistant treasurer at Wal-Mart.

All of Wal-Mart’s 4,838 U.S. stores (including Sam’s Clubs) have the chip-based hardware in place. Of those, 1,000 have turned it on. By year end, Wal-Mart says, the new payment terminals will be running in all of the company’s U.S. locations. “We want to activate early if there are any problems or bugs to be worked out,” Cook says.

For terminals to provide added security, customers must have chip-enabled cards. “Part of the reason we haven’t pushed faster is there’re just no cards out there for acceptance,” Cook says. Today, with about 1 billion cards in use in the U.S., just 20 million chip cards have been issued, according to Smart Card Alliance. Only 20 percent to 30 percent of U.S. card holders will have the new cards by the deadline, says Nick Holland, an analyst at Javelin.

The new cards can cost up to $2 each, compared with pennies for the magnetic-stripe models. “We’ve got 10 million cards in inventory out in the field,” says Mark Putman, a senior vice president for First Data, which offers prepaid card services. “At $2, we are probably looking at a $20 million investment, which I am going to defer for as long as possible.”

Retailers are willing to do their part to improve security, the National Retail Federation says, but banks and card companies also have a responsibility to update their systems. That includes making and issuing chip-enabled cards.

The price for not complying could be high. Credit card companies have said most retailers and banks will be liable for some fraudulent in-store transactions if they don’t have the new system. Even so, “merchants aren’t crazy about this migration to EMV, and many of them are fighting it tooth and nail,” says Julie Conroy, an analyst at Aite Group.
