Credit card

The Security Theater of Chip Cards

About 3 years ago in 2015, chip based credit cards were rolled out in the US. However, the amount of fraud has not decreased in the US. Why is this happening and what can be done? Read on to see…

Feature Image / License / https://informedmag.com/

Credit Card Chips Fail to Halt Fraud

The US has been a late adopter of security chips in credit cards. The EU has had them for over a decade. Yet the differences between our banking systems produce disparate behavior regarding credit card fraud. Cory Doctorow talks about how it was largely a sham implementation.

Security Theater

Through the years there has been an increase in the perceived security of things but often not a substantial concrete change to increase security. Bruce Schneier coined the term “security theater” to describe this phenomenon. In effect this is the presumption of increasing security without the actual results of higher security. The TSA and airport screening in the US is often used as an example of security theater.

In the US we can look back on 3 years since the initial implementation and judge how it has performed. The results are not what you would expect. Meaning – instead of a reduction in credit card fraud we have seen an increase! There are many factors for this we will explore.

don't hack me bro

Gemini Advisory Report

Fortune reported on a a report released from Gemini Advisory detailing the study. Among the key findings:

  • 60 million US payment cards have been compromised in the past 12 months.
  • 45.8 million or 75% are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
  • 90% of the CP compromised US payment cards were EMV enabled.
  • The US leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
  • Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.
  • An imminent shift from card-present to card-not-present fraud is already evident with a 14% increase in payment cards stolen through e-commerce breaches in the past 12 months.

Gemini Advisory reports that 60 million US payment cards have been compromised in the past 12 months.

Yet other countries who have implemented the chip cards have experienced a reduction in credit card fraud. Why is that? The chip sends an encrypted connection between the card and the merchant point of sale terminal. However, security is only as good as its weakest link. Just like with email security the biggest leaks are not MITM but attacking the end point. Here the end point is the POS terminal. Most of the fraud is conducted via either hacking into the POS or installing a skimmer to capture card details.

US Leads the World in Credit Card Fraud

Point of sale terminal
Image / License

The US is the most targeted country for credit card fraud even after implementing security chips in cards.

90% of the CP compromised US payment cards were EMV enabled.

There are 2 primary reasons for why this is the case.

  1. The US uses chip + signature instead of chip + PIN like in Europe
  2. US merchants still accept magnetic stripe cards

Small and medium businesses are the low hanging fruit for attackers. They are more apt to use magnetic stripes and have less budget for security precautions or even detection.

No Silver Bullet

There isn’t a simple fix to this. At a glance you might think forcing US merchants to use chip + PIN (like the EU) would add security; however, credit cards are processed differently in the US than the EU. The key reason why this will not work is because in the US chip credit cards are treated with the same fraud liability as a debit card – which is the say much less liability protection  for consumers. Since the financial institution bears less a burden of these exploits the consume has an uphill walk. Banks won’t change this liability if they can prevent it.

There is no silver bullet – only incremental improvements and evolution

A placebo effect exists with the perceived ease and security of a chip card to get people to spend more. This is another example of security theater. Because of our different banking framework, once the EU migrated to chip cards it left the US as the main player late to the party. That leaves the US to get hit with the low hanging fruit – the easy wins.

NFC and Online Purchases

Other considerations include NFC. Does it even matter if we secure the transmission even more if end point e.g. the POS terminal is so easily breached? How about online purchases? You don’t need a chip to be read for that. Your waiter at the restaurant could surreptitiously take a picture of your credit card info and make online purchases as you. Taking it to the next level – it is easy to generate a fake credit card and write the information to the magnetic stripe. 

When you identify yourself with a credit card there is supposed to be some kind of authentication to verify you are who you say you are. But merchants don’t want to see photo ID for each credit card paying customer. Even so a forgery could likely pass since the scale of the usage is so high.

Multi Factor Authentication

One idea is to implement 2FA on credit card purchases. It could be something you have (the credit card) plus something you know (the PIN or passcode). Assuming our liability laws were reformed this would be a good step in the right direction. Another method could be sending a text confirming each purchase. That way you authenticate with something you have (credit card) plus a code or text on your phone.

Security Through Obscurity

There is no easy way out. What we do now is little better than security through obscurity. Merely obfuscating verifying information or adding a bureaucratic hurdle to jump over isn’t good security. A holistic approach to securing our weakest links in a systematic manner can obviate the side show of security theater we indulge ourselves in.

Thanks for reading!

 


If you liked this post then you might also like: The Prisoners Dilemma of Defect Disclosure

Did you find this helpful? Please subscribe!

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.