Tag Archives: credit card

EMV Chip cards: Overview

When you shop at a store with a credit card it is typically done by swiping your card to conduct the transaction. The swiping action allows the credit card terminal to read your credit card number off of a magnetic strip on the back of the card. The downside to the magnetic strip technology is that it is very easy and cheap for the bad guys to reproduce. A common way for the bad actor to get your credit card number is to use a skimmer, a small device that goes over the normal reading mechanism, to steal the data. Once this is done, they can then create a new card with the same information and then attempt to use it at a store.

What is an EMV Card?
In an effort to reduce card present fraud, cards are making the switch to EMV (Europay, MasterCard, Visa) cards. EMV cards use a smart chip, rather than the magnetic stripe, to provide the information needed to complete the transaction. Unlike the old magnetic cards that you swipe, the EMV cards are “dipped” by inserting the chip side of the card into the card reader. The card stays in the device for a few seconds until the transaction is complete. One of the features of the chip is that it sends a unique token for use with each transaction making it harder for a malicious user to replicate the data, even if it is retrieved.

The EMV cards are also much more costly to create, which adds to the complexity for a theif creating fraudulent cards.

Two Options: Chip + Pin and Chip + Signature
There are two ways that EMV cards are used. The first way is called Chip and Pin. In this scenario, a user has a numeric pin that has to be input when using the card in person. This is very similar to how a debit card works today. The requirement of the pin helps protect the card from being replicated by a bad actor, or used by someone that may have stolen the actual card from you. Of course this can be a tricky scenario when you have multiple credit cards when trying to remember the pin for each card.

The other way is called Chip and Sign. In this scenario, the card owner doesn’t have a pin, but rather is required to sign for the transaction. This is very similar to how most credit cards still work today. This is actually much easier to bypass because you may be forging just a signature, not trying to come up with a pin number.

Reduces Risk for Card Present Transactions
I mentioned earlier, this only adds security to the Card Present scenario. This doesn’t change anything for the Card Not Present (shopping online) scenario. Also, know that it will be a while before we see chip only cards. For the time being the newer cards will have both a chip and the magnetic stripe. This is because it is going to be a while before every vendor makes the switch to EMV. Keeping the magnetic stripe also reduces the security a bit since there will still be a lot of places that won’t upgrade and will still use the magnetic stripe.

For Consumers
The biggest change is that you will use your card by “dipping” it, rather than swiping for in person transactions. The goal is to reduce your card being replicated by a bad actor and having funds racked up on your account. Most credit cards are zero liability so this may or may not be very noticeable to most consumers. Hopefully it will at least cut down some of the card present fraud that happens. Only time will tell.

For Businesses
The liability is changing with the push for EMV cards. If you are not following the recommended approaches, such as requiring EMV vs. the magnetic stripe, you may find yourself liable for any fraudulent charges. Make sure that you are validating the cards and the card holder when accepting credit cards to help reduce your liability. Update to accepting the EMV chip data vs the magnetic stripe.

Final Thoughts
This won’t solve all of the problems, but it is a step in the right direction. The United States is one of the last countries to adopt the chip technology. Many of the credit cards will be chip and sign, but you may get a few that are chip and pin.

Remember, no matter what technologies get added to protect our credit cards, it is still your responsibility to monitor your statements and report any fraudulent charges. it is part of the responsibility of having a credit card.

What Happens When All SSNs are Breached

Visit any news site or social media outlet and you are bound to see news of some new company getting breached. It is a lot of what we talk about these days. Whether it is passwords, credit card information, health information or social security numbers, if it is breached it is headline news. With the exception of those trying to scam the system and get a quick payday, it is getting to the point where most people outside of the information security industry just write it off and don’t give it much thought.

There is a difference between social security numbers or health information that distinguish them from passwords or credit card numbers. They are much harder to replace. Taking a quick look at passwords we can see that it is easy to change them. If my password gets breached, I create a new one. It is usually a simple process that takes very little time. This is especially true if using different passwords for different sites. Credit cards are also fairly simple to replace and come with zero liability. If my card gets breached and there are fraudulent charges I just report them and they are removed. The bank sends me a new credit card and if I am doing regular monitoring of my statements the biggest hassle is changing the credit card that is stored on the different sites.

With social security numbers it is much more difficult to replace them. While they were not meant to be used as identifiers in all of these systems, they unfortunately are. Countless numbers of sites store your social security number increasing the risk to it. Getting a new number can be very difficult, not just the process of getting the new number but also updating everyplace that has it.

What happens if all of the social security numbers get breached? With under 400 million people in the united states how long will it take with all of these breaches for all numbers to have been breached? I know, we could just create all of the numbers that fit the format of xxx-xx-xxxx, but I am talking number with other identifying information. If all of the numbers get breached, what do we do next? Is it still worth spending so much money trying to protect them in our systems? We can’t get people to encrypt them now, will they continue to do it when they are all in the public domain? Do we finally start moving to a new identifier, albeit probably too late? Maybe it is just a money ticket for identity monitoring and credit monitoring companies. Will the duty to protect this information be removed when it is public domain? As we have seen with other breaches, once something is in public domain, no matter how it got there, it is fair game. It raises an interesting situation when a finite set of data is at risk. Do you know what your company is doing to protect this type of information? Better yet, as a consumer, do you have any concern about your SSN being stolen? Chances are very good it is already out there somewhere.