A comment to an article by Rob Waugh for WeLiveSecurity - Dozens of car washes leak card details in U.S. money-laundering scam – makes an interesting point about the vulnerability of the traditional credit/debit card format.

“I am incredulous that the magnetic strip is not extinct yet. How is it that we have left 1970s technology at the nexus of our personal financial integrity?”

Unfortunately, it’s not that unusual for antique technology to survive well past its best-by date, security-wise: dare I mention the much-maligned but still all-too-present static password? But he’s right in that the main advantages of the magnetic stripe (magstripe) card – the ease of reading and writing data from and to a magnetic stripe and the low cost of the necessary hardware – are also a major disadvantage. All things being equal, it’s as easy for a criminal to capture data and duplicate media as it is for a legitimate financial (or other) service provider. The US is the last G-20 country to move to EMV (chip) technology, though providers are leaning towards chip & signature rather than the chip & PIN generally preferred in Europe.

Chip & PIN is usually considered safer because while a signature can be forged, banks usually limit the number of attempts to enter a PIN. So while there’s certainly over-use of certain PINs (e.g. 1234) comparable to the over-use of ‘password’ or ‘123456’ as passwords, the opportunity to guess a PIN is severely restricted. (I wrote a paper a couple of years ago on PIN selection strategies for an EICAR conference, as well as an article for Virus Bulletin, and am presenting a related discussion at CFET in July.) However, it does seem that for the moment providers in the US are focusing on chip and signature rather than chip and PIN.
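To make the attempt-limit point concrete, here is an added illustration (not code from the original post): a constructed PIN popularity table, a function giving the chance of a correct guess within a fixed budget, and an issuer-side verifier that locks the card after a few wrong entries. `SAMPLE_PIN_DIST`, the function names and the 3-attempt limit are assumptions for the example, not figures from the article.

```python
"""Added example (not from the original post): why an attempt limit bounds
guessing exposure even when PIN choice is skewed towards popular values.

SAMPLE_PIN_DIST is CONSTRUCTED for illustration and is not real data.
PinVerifier mirrors the control the post describes: the issuer counts
wrong entries and blocks the card after a small number of them.
"""

# Constructed, hypothetical popularity (probability mass) of a few PINs.
# Whatever mass is left is spread uniformly over every other 4-digit PIN.
SAMPLE_PIN_DIST = {"1234": 0.10, "1111": 0.06, "0000": 0.02, "1212": 0.01}


def guess_success_probability(dist, attempts, pin_space=10_000):
    """Chance of hitting the PIN within `attempts` guesses when the most
    popular PINs are tried first; an empty dist models uniform choice."""
    known = sorted(dist.values(), reverse=True)
    leftover_each = (1.0 - sum(known)) / (pin_space - len(known))
    ranked = known + [leftover_each] * (pin_space - len(known))
    return round(sum(ranked[:attempts]), 6)


class PinVerifier:
    """Issuer-side PIN check with a retry counter.  A correct PIN resets
    the counter; reaching the limit blocks the card until it is reset
    out of band, so further candidates are refused unevaluated."""

    def __init__(self, correct_pin, max_attempts=3):
        self._pin = correct_pin
        self.max_attempts = max_attempts
        self.failed = 0
        self.blocked = False

    def verify(self, candidate):
        if self.blocked:
            return False
        if candidate == self._pin:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.blocked = True
        return False


def simulate_guessing(correct_pin, attempts, verifier_limit=3):
    """Try the constructed PINs in popularity order against a verifier;
    returns True only if the PIN is accepted before the card is blocked."""
    v = PinVerifier(correct_pin, verifier_limit)
    order = sorted(SAMPLE_PIN_DIST, key=SAMPLE_PIN_DIST.get, reverse=True)
    return any(v.verify(p) for p in order[:attempts])
```

With the constructed table, three attempts cap exposure at the top-three mass (0.18) however many guesses the attacker is prepared to make, while with no limit the same guessing reaches certainty.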

Some financial providers in the US have actually introduced chip and PIN cards, though they’re largely of interest to international travellers who may have encountered difficulties in regions where chip & PIN is predominant (to the extent that the days of the magnetic stripe are probably numbered). US POS (Point Of Sale) terminals tend not to be PIN-aware, whereas in Europe a PIN is almost always required, where the card is capable of recognizing it.

For that reason, in the US (in my limited experience, living in Europe) a chip & PIN card (even from a US provider) is almost invariably effectively used as a chip & signature card. Where a signature can be used as a second authentication factor, that is: at most ATMs in the US, a chip & PIN card is – like a magstripe card – essentially single factor (i.e. something you have) because they don’t require you to enter something you know (i.e. your PIN).

Conversely (and somewhat unexpectedly, perhaps, to British readers), the 2010 Equality Act apparently mandates that chip & signature cards be available to people in the UK who can’t use or remember a PIN but can write their signature, though signature can’t be used at all terminals (self-service checkout facilities, for instance). I don’t know how common it is for the use of a chip & sig card to be needed in the UK, or what impact it has on card crime statistics, if any. Or indeed, how many are signature-preferred rather than signature-only. (A signature-preferred card is one that has PIN functionality so that it can be used where signature isn’t accepted.)

As it happens, I was asked recently about this rather relevant study*: it concerns the perceptions of users in various regions of their susceptibility to fraud, and ranked the US as fourth in the world in terms of card fraud experienced. Specifically, I was asked whether I’d expect to see card fraud in the US decline as criminals switch to targeting other regions. I don’t think I have enough information on where the US is going with EMV to speculate overmuch, but I’d expect to see some continuing decline in the US as they switch. Probably not as dramatically as happened in Europe and the UK, where the impact on fraud with lost/stolen cards and card-present fraud, even counterfeit fraud, has been considerable. For one thing, US migration to EMV, even in the incarnation currently proposed, doesn’t really leave much in the way of tempting alternatives. And as Lysa Myers explained comprehensively recently, the proposed migration is in several respects less than ideal. Specifically, she said:

“Ideally:

  • A chip is used alone, without also having a magnetic stripe
  • The correct PIN must be entered within a very limited number of attempts
  • A signature must never be accepted in lieu of a PIN
  • Additional measures must be taken to secure card-not-present purchases

In the US, what is being proposed is:

  • A chip and magnetic stripe will both be present
  • A signature may be used in lieu of entering a PIN
  • Additional measures will not be mandated”

Not that there haven’t been issues with EMV chip & PIN: I discussed one as far back as 2010 (more links on that issue here) and there are more recent papers by Ross Anderson in the UK, who has been looking at the EMV protocol for a long time, here and here. Perhaps that last one is the most worrying to consumers, as it suggests that “the EMV protocol – the dominant card payment system worldwide – does not produce adequate evidence for resolving disputes.” It does propose measures for improving security, but mitigation and cost-cutting tend to be uneasy bedfellows.

* According to the report, approximately 300 respondents were questioned from each of the included countries from the Americas (defined by Aite Group LLC in this instance as Brazil, Canada, Mexico and the US), EMEA and Asia-Pacific.

David Harley
ESET Senior Research Fellow