AFP Fraudwatch: Just How Safe are Chip Cards?

  • By Andrew Deichler
  • Published: 11/3/2014
With President Obama mandating that all government-issued payment cards be chip-and-PIN-enabled beginning in 2015, and some U.S. banks and retailers accelerating their EMV migration plans in light of recent breaches, a debate has arisen over whether migrating to chip and PIN or to chip and signature makes the most sense. The PIN obviously adds another layer of security, but does it really matter?

Many experts argue that the chip, not the PIN, is what really matters. But a recent fraud trend that exploits chip cards as a whole should serve as a cautionary tale to both banks and retailers as the rollout picks up steam.

During a session at the recent NACHA Payments Innovation Alliance Meeting in New York, a representative of a major retailer voiced his frustration over chip and signature. “The PIN is highly effective at preventing fraud,” he said. “It’s been proven time and time again to work, and we need to remember that we need a multilayer approach to securing transactions. The fact that we are considering going to EMV, and we won’t be doing 100-percent PIN at the same time, is a mistake. It’s something that I think, when we look back on it, we’re going to regret.”

However, other experts argue that the PIN is not a crucial component for securing card transactions. Earlier this year, AFP Fraudwatch spoke with a payments analyst for a credit card company who stressed that the PIN only addresses lost-and-stolen card fraud. “Chip technology addresses counterfeit fraud and that’s the largest type of card fraud,” she said. “There’s nothing that PIN adds, besides eliminating that ‘pickpocket’ threat. Lost-and-stolen card fraud has been low and steady and nowhere near the risk that counterfeit fraud presents.”

Further complicating the gradual chip card rollout has been a string of fraudulent transactions originating in Brazil that have totaled hundreds of thousands of dollars. The charges target card accounts compromised in the Home Depot breach and other retail hacks. They were submitted through Visa's and MasterCard's networks flagged as chip (EMV) transactions, yet the banks that issued the cards had not yet begun to roll out chip cards at all.

The attackers likely used what is known as a "replay" attack: they took control of a payment terminal, captured the authorization traffic from a genuine EMV card transaction passing through it, and then reused that message with manipulated data fields. Keeping the chip-transaction indicators intact while substituting stolen card data into the transaction stream let them present mag-stripe data from the breaches as if it had come from a chip.

But why would fraudsters do this instead of simply cloning mag-stripe cards from the already-stolen data? Similar "EMV-spoofing" attacks (also emanating from Brazil) hit Canada several months ago. One Canadian bank suffered a substantial loss because it had gotten lax on security. Every chip transaction carries a "cryptogram," a value the card computes over the transaction details with a card-specific key, which lets the issuing bank verify that the transaction came from a genuine card and was not altered in any way; the chip also maintains an internal transaction counter that should only ever increase, so a copied or replayed transaction stands out. The bank wasn't checking either of these; it was just authorizing the transactions.
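The following is an added example, not code from AFP, Gartner, Visa or MasterCard, that models the two issuer-side checks just described and the replay attack outlined earlier. It stands in an HMAC-SHA256 for the real EMV application cryptogram (which is a 3DES/AES CBC-MAC under an ATC-derived session key) so that it runs self-contained; the class names, PANs, keys and amounts are all constructed for illustration. It runs the same three messages, a genuine chip transaction, an unchanged replay of it, and a replay with a breached mag-stripe PAN swapped in, against a "lax" issuer that approves anything flagged as a chip transaction and a "strict" issuer that verifies the cryptogram and counter.

```python
"""Issuer-side cryptogram and counter checks versus the EMV "replay" fraud.

Added example; not AFP's, Gartner's or any card network's code. HMAC-SHA256 is
an assumed stand-in for the 3DES/AES-based EMV ARQC. All PANs, keys and
amounts are constructed test data.
"""
import hashlib
import hmac
from dataclasses import dataclass

CHIP = "05"       # POS entry mode value for a chip (ICC) read
MAGSTRIPE = "90"  # POS entry mode value for a magnetic-stripe read


@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    currency: str
    unpredictable_number: str  # terminal-supplied nonce
    pos_entry_mode: str
    atc: int = 0               # Application Transaction Counter reported by the card
    cryptogram: str = ""       # the ARQC in real EMV


def mac_fields(req: AuthRequest) -> bytes:
    """Fields the card signs; including the PAN binds a cryptogram to one card."""
    return f"{req.pan}|{req.amount_cents}|{req.currency}|{req.unpredictable_number}|{req.atc}".encode()


class ChipCard:
    """Minimal chip card: a per-card key and a counter that only goes up."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_arqc(self, amount_cents: int, currency: str, unpredictable_number: str) -> AuthRequest:
        self.atc += 1
        req = AuthRequest(self.pan, amount_cents, currency, unpredictable_number, CHIP, self.atc)
        req.cryptogram = hmac.new(self.key, mac_fields(req), hashlib.sha256).hexdigest()
        return req


class Issuer:
    """Issuer host. strict=False models a bank that 'was just authorizing' chip-flagged traffic."""

    def __init__(self, chip_keys: dict[str, bytes], strict: bool):
        self.chip_keys = chip_keys          # PAN -> card key, for cards actually issued as chip
        self.strict = strict
        self.last_atc: dict[str, int] = {}  # highest counter seen per PAN

    def authorize(self, req: AuthRequest) -> tuple[bool, str]:
        if req.pos_entry_mode != CHIP or not self.strict:
            return True, "approved without cryptogram verification"
        key = self.chip_keys.get(req.pan)
        if key is None:
            return False, "chip transaction for a PAN that has no chip card issued"
        expected = hmac.new(key, mac_fields(req), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req.cryptogram):
            return False, "cryptogram does not verify"
        if req.atc <= self.last_atc.get(req.pan, 0):
            return False, "counter did not increase (replay)"
        self.last_atc[req.pan] = req.atc
        return True, "approved"


def run_scenario(strict: bool) -> dict[str, bool]:
    """Run the genuine, replayed and PAN-swapped messages against one issuer configuration."""
    chip_card = ChipCard("4111111111110001", b"card-key-0001")  # constructed card
    stolen_pan = "4111111111119999"  # constructed breached mag-stripe PAN; no chip card issued for it
    issuer = Issuer({chip_card.pan: chip_card.key}, strict=strict)

    genuine = chip_card.generate_arqc(4999, "840", "A1B2C3D4")
    results = {"genuine": issuer.authorize(genuine)[0]}

    # Attack 1: resubmit the captured message unchanged.
    results["replay"] = issuer.authorize(genuine)[0]

    # Attack 2: keep the chip flag, counter and cryptogram; swap in the stolen PAN and a larger amount.
    spoofed = AuthRequest(stolen_pan, 250000, "840", genuine.unpredictable_number,
                          CHIP, genuine.atc, genuine.cryptogram)
    results["spoofed_pan"] = issuer.authorize(spoofed)[0]
    return results


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lax", run_scenario(strict))
```

With `strict=False` all three messages are approved, which is the Canadian bank's situation. With `strict=True` the unchanged replay fails on the counter (its cryptogram still verifies, since nothing was altered), and the PAN-swapped message fails before the cryptogram is even checked because the issuer has no chip key for that account. Had the stolen PAN belonged to a real chip card, the cryptogram check would reject it instead, because the PAN is part of the signed fields.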

“The bad guys knew that if they encoded these as EMV transactions, the banks would loosen other fraud detection controls,” Avivah Litan, fraud analyst with Gartner, told cybersecurity blogger Brian Krebs. “It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it.”

Litan sees a lot of confusion as banks roll out EMV, which could lead to serious problems. “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly,” she said. “They won’t expect the point-of-sale codes to be manipulated by fraudsters. That’s the irony: we think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It’s not that easy.”

These fraud incidents put banks in a predicament. Banks bear all fraud costs arising from fraudulent use of their customers' chip-enabled cards, including fraudulent charges merely disguised as chip transactions, Krebs noted. With the EMV liability shift coming in October 2015, banks could be paying out a lot of money on fraudulent charges if retailers adopt EMV terminals en masse and this type of fraud continues.

Fraud & Cyber Sessions at the 2014 AFP Annual Conference

This week's AFP Annual Conference features multiple sessions on payments fraud and cybersecurity that will provide treasury and finance professionals with insights into how to better protect their organizations.

MONDAY

CTC Breakfast: A Road Map to Cybersecurity
8:00am – 9:30am
General Keith Alexander, former chief of the Central Security Service and head of USCYBERCOM, examines the vulnerability of critical infrastructure; the dependence of the economy on the Internet's smooth functioning; the imperative for the private sector to assume its share of responsibility for protecting its infrastructure; and what is likely to be the next strategic challenge in cybersecurity.

Effective Fraud Mitigation Tools for Corporates
8:30am – 9:30am
Payments fraud experts present a snapshot of the current state of payments fraud, highlighting findings from the Federal Reserve’s 2014 Payments Fraud Survey, fraud-related results of the 2013 Federal Reserve Payments Study, and the 2014 AFP Payments Fraud and Control Survey. This includes prevalent fraud schemes that target corporate accounts, accounts payable and accounts receivable.

Cyber Insurance: What Is It? Am I Covered?
1:30pm – 2:45pm
In this session, industry experts who have experienced breach events and understand the costs incurred as a result provide tips on breach preparedness, incident response, legal obligations and risk transfer mechanisms to provide balance sheet protection.

TUESDAY

Managing Corporate Account Takeover Risk
10:30am – 11:45am
The online account takeover attack is considered one of the biggest threats to businesses. In this attack, cybercriminals obtain access to financial accounts and conduct fraudulent transfers. Learn what options can be instituted within your organization to keep your financial information safe.

Certification Luncheon: What Risks Lie Ahead for Corporate Business
12:30pm – 1:30pm
Serving as FBI director during a critical time in our nation’s history, Robert S. Mueller was a key influencer in shaping our nation’s intelligence operations for decades to come. Mueller shares his critical insights on national security, cybersecurity, global risk and the issues of most concern to corporate business.

Data and Network Security: More Than a Privacy Issue
2:00pm – 3:00pm
This session discusses "advanced" risks associated with the data and technologies used to carry out mainstream business functions. Get an update on how the card brands address these exposures and what the cyber insurance markets think about it.

WEDNESDAY

Securing E-Commerce Transactions in an EMV World
9:45am – 10:45am
This session provides an update on EMV deployment in the United States. Data from countries that have already migrated to EMV cards show fraud moving to online channels. The discussion explains why this happens and how online merchants should prepare for this threat.

Copyright © 2018 Association for Financial Professionals, Inc.
All rights reserved.