Are Chipped Credit Cards Bad for Consumers?

Credit card fraud is rampant. So U.S. banks will soon be getting serious about upgrading credit cards to incorporate the “chip and PIN” EMV security system that most of the developed world has been using for over ten years. But is it a raw deal for consumers? Read on for the full story…

Who Benefits From Chip and Pin Credit Cards?

My family and I visited Canada recently, and even the smallest Mom & Pop stores in rural areas have EMV-enabled credit card terminals. Just insert your chipped card into the terminal, enter the PIN, and off you go. A few merchants were flummoxed by my American mag-stripe Visa card, and didn’t even have a pen handy for the old-school “swipe and sign” method of payment.
But consumers in the USA will soon be getting new Visa, MasterCard, American Express and Discover cards with embedded microchips, and merchants will have to upgrade their point-of-sale systems by October 2015, or face greater liability for fraudulent transactions. These “chip and PIN” or EMV cards are supposed to reduce credit card fraud, but do they really?
Preventing card fraud is a good thing, in theory. But researchers at the UK’s Cambridge University warn that EMV has not reduced fraud in countries that have implemented it. Instead, they say, banks have used EMV to shift liability for fraud losses onto consumers.
Additionally, the researchers say, point-of-sale terminal makers have implemented EMV in a flawed fashion that makes it easier for criminals to make fraudulent ATM withdrawals even though the card never leaves the cardholder’s possession. The same things could happen to U.S. cardholders, they warn.
EMV is often called “chip and PIN” technology. When a card is inserted into an ATM or point-of-sale terminal, the terminal communicates with the chip on the card and produces a theoretically “unpredictable” number that is transmitted with the transaction data to the transaction processing service, a middleman clearinghouse that completes the transaction with the cardholder’s bank. That “unpredictable” number is supposed to authenticate the transaction; no one should be able to mimic it.
But the researchers found that the number is sometimes predictable, because terminal makers don’t always use “strongly randomized seeds” to generate the number. Instead, “Some EMV implementers have merely used counters, timestamps or home-grown algorithms” to supply the random number, they said. “This exposes them to a ‘pre-play’ attack, which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and [which] can be carried out even if it is impossible to clone a card physically.”

Weaknesses in the EMV System

“Since the introduction of EMV, the banks have operated a ‘liability shift’ as they describe it, which means that when a transaction is disputed, then if a PIN was used the customer is held liable, while if no PIN was used the transaction is charged back to the merchant. Disputed transactions where the bank’s records show a PIN was used are seen by the banks not as frauds AGAINST the customer but as attempted frauds BY the customer…”

In other words, a fraudster who has had brief physical access to your card can read enough data off of it to generate bogus transaction data that will be accepted by your bank as iron-clad proof that you really did authorize the transaction. No refund for you, consumer!
Digging deeper into the EMV protocol, the researchers found a flaw that enables a scammer to intercept even a properly randomized authentication number and replace it with a bogus one that could result in a transfer of funds to the scammer. The interception can be done by malware embedded in a point-of-sale terminal.
Banks have dismissed this fraud possibility, blindly claiming that POS systems are too difficult for hackers to infiltrate. But that’s exactly what happened just a few months ago to Target Corp., with millions of terminals in its stores being infected with malware and 40 million customers’ data being stolen.
The researchers expressed frustration with the EMV Alliance and banks, saying in their research paper: “We are now publishing the results of our research so that customers whose claims for refund have been wrongly denied have the evidence to pursue them, and so that the crypto, security, and bank regulation communities can learn [related] lessons.”
Banks and merchants alike have a vested interest in reducing credit card fraud, but determined criminals will always find a way to sneak past the latest defenses. Shifting the blame to consumers isn’t the answer. That’s why the Cambridge researchers are calling on banking regulators in the United States and abroad to use their muscle to force merchants, banks, and vendors to put related fixes in place.
If you think you have been a victim of EMV card fraud, the researchers recommend that you immediately request logs of the transaction details from the terminal operator and the card acquirer (bank). The unpredictable numbers that each entity recorded should match; if they don’t, you have proof that EMV did not work and you deserve a refund.
The researchers note that log data is supposed to be preserved indefinitely, but many logs are routinely destroyed after 90 to 180 days, even if a transaction is under dispute. So if you suspect your EMV card was used fraudulently, don’t delay in requesting those logs.
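The log comparison recommended above, together with a check for the weak-generator patterns the researchers describe (counters, timestamps), as an added example that is not from the original article or the research paper. The log layout, transaction ids and values are constructed, and treating the unpredictable number as a 32-bit hex string is an assumption about how the logs present it.

```python
from collections import Counter

# Constructed sample records, not real logs: (transaction id, unpredictable number in hex).
TERMINAL_LOG = [("t1", "0013A7F1"), ("t2", "0013A7F2"), ("t3", "0013A7F3"),
                ("t4", "0013A7F4"), ("t5", "0013A7F5")]
ACQUIRER_LOG = [("t1", "0013A7F1"), ("t2", "0013A7F2"), ("t3", "9C41D02E"),
                ("t4", "0013A7F4")]


def reconcile(terminal, acquirer):
    """Return {txn: finding} where the two parties' records disagree."""
    term, acq = dict(terminal), dict(acquirer)
    findings = {}
    for txn in sorted(term.keys() | acq.keys()):
        if txn not in acq:
            findings[txn] = "missing from acquirer log"
        elif txn not in term:
            findings[txn] = "missing from terminal log"
        elif term[txn].upper() != acq[txn].upper():
            findings[txn] = f"mismatch: terminal={term[txn]} acquirer={acq[txn]}"
    return findings


def looks_predictable(uns, small_step=2**16):
    """Heuristic for counter- or clock-derived numbers in one terminal's history.

    Well-seeded random 32-bit values almost never repeat, share a step size,
    or stay within a small distance of each other.
    """
    values = [int(u, 16) for u in uns]
    if len(values) < 3:
        return False  # too few samples to judge
    if len(set(values)) < len(values):
        return True  # repeated value
    steps = [(b - a) % 2**32 for a, b in zip(values, values[1:])]
    top_count = Counter(steps).most_common(1)[0][1]
    if top_count >= 2 and top_count * 2 >= len(steps):
        return True  # one step size dominates: counter-like
    return all(step < small_step for step in steps)  # slowly rising: clock-like


if __name__ == "__main__":
    for txn, finding in reconcile(TERMINAL_LOG, ACQUIRER_LOG).items():
        print(txn, finding)
    print("terminal UNs predictable:",
          looks_predictable([un for _, un in TERMINAL_LOG]))
```

A mismatch or a missing record is the discrepancy the article says to look for; a predictable sequence from one terminal is the implementation weakness behind the pre-play attack.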
Your thoughts on this topic are welcome. Post your comment or question below…


Comments

  1. I have gone to using cash exclusively when out and about. Guess what? It is still accepted.

  2. Here in South Africa we have been using chip and pin cards for a long while now. Very few problems reported, except the usual one of cards given to other people to use (friends and family) with the concomitant fall out and disputes.
    As for CNP (Card not Present) transactions, VISA enforces the validate with PIN which is sent to either your cell phone or email. As good as having your card present.
    Lastly, being kept informed by the bank for every card transaction via SMS speeds up resolution of suspected fraudulent transactions.
    I don’t see the inherent risk of chip and pin as Bob explains it.

  3. luv cash, I can only lose it once, they can only spend it once. Don’t use any electronic payments -- don’t have any problems.

  4. Andrew Hardie says:

    For online purchases in the UK there is an additional level of security using a password that is transmitted to the card issuer rather than to the retailer. I understand that this system is also available in the USA, e.g. American Express Safe Key.

  5. Guess it’s time to go back to cash. Can’t “hack” that….unless they pick my pocket. I think it might be worth the risk.

  6. I am in Canada in the Toronto area. As you know we have had the chip cards for several years. No issues at all. Had plenty of issues with the mag stripe only cards over the years, including someone trying to get another card for my account. The bank caught that one thankfully. What concerns me more at this time is gas stations and other points of sale are implementing “TAP AND GO” method which works with the chip cards as well. I am not confident about the security of tap and go. I will not even use the reader at the pump. I insert my card into the card reader INSIDE the station in front of the human agent. My bank strongly believes these cards are superior to the old mag stripe cards. Of course if you use the mag stripe instead of the chip they are no better. Very few businesses still rely on the mag stripe only. Backward compatibility or backward insecurity? I suspect that stripe will not be on my next card…chip only.

  7. Bob, thank you for the article and additional resources in the links. The way I see it, it comes down to retailers not fully understanding the dangers that are out there today, and not willing to take (or pay for) the proper steps to secure their business. The last year in cybercrime appears to be the year of the POS systems breach. In my experience, cybercriminals tend to be a bit lazy – they do not like to work hard at cracking or attacking a system. But once they discover a vulnerability, they’ll keep “milking” it for all it’s worth.
    You may find this report by US CERT interesting, as it points to some simple vulnerabilities in the POS system that can be avoided without too much effort – quite simply, DON’T use remote desktop connections to manage your POS system:
    https://www.us-cert.gov/ncas/alerts/TA14-212A

  8. It’s easy to stop credit card fraud, just use cash!!! It’s the safest way to trade, unfortunately young people have cards to buy things which they don’t have the money to buy with, they just don’t know the value of money and that is why they get into debt.

  9. Another Canuck calling in. I love these new cards and the ability to just tap the card on the reader. It’s faster than counting change.

  10. EMV is a good way to make the customer liable. At my hospital (UK) one of the staff, while at work, was charged for a transaction he did not carry out. The bank refused to budge and actually accused him of lying because it was “such a secure system” etc etc, but had to back down when he (the Dr) threatened to sue them saying that he would bring in evidence from the hospital in the form of documentation in notes and patient and other doctors’ witness statements. Not surprisingly, the bank quickly apologised and refunded the money!

  11. Banks learning a lesson??? Consider the “billions” lost to fraud by the banks refusing to make merchants ask for ID that matched the credit card. Every person that ever got robbed cost the bank money and who ultimately pays for this huge blunder on the banks’ part? Rather than going through all these expensive flawed fraud prevention fiascos, just ask for a damn ID!!!

  12. , the researchers found a flaw that enables a scammer to intercept even a properly randomized authentication number and replace it with a bogus one that could result in a transfer of funds to the scammer instead of the cardholder.
    The word merchant should be used not “cardholder” in the phrase above.
    EDITOR’S NOTE: Corrected, thanks.

Copyright © 2005 - Bob Rankin - All Rights Reserved