See my recent article in The Hill:
Payments technology must keep improving to stay ahead of fraudsters
By Eric O’Neill
On Wednesday, the House Small Business Committee will hold a hearing on the Europay, MasterCard, Visa (EMV) chip payment system, which offers a more secure way to process credit card transactions. But while the new technology is a big improvement, it does not signal an end to credit card fraud. The FBI recently issued a bulletin warning consumers to remain vigilant, despite the new technology.
If you’re unfamiliar with the technology, EMV credit cards include a small microchip that encrypts your card information when you use it at a specially equipped payment kiosk. If the kiosk is appropriately configured, it cannot access the real credit card number, only an encrypted version of it, which prevents a virus, for example, from pilfering the number during the transaction.
However, an FBI press release includes a succinct summary of any effort to prevent fraud: “no one technology eliminates fraud and cybercriminals will continue to look for opportunities to steal payment information.” In the case of the EMV technology, this is true for several reasons:
First, because many retailers haven’t upgraded their point-of-sale infrastructure, the cards currently still include a magnetic strip that is more vulnerable to theft. Second, the technology doesn’t necessarily stop thieves from using the information printed on the face of the card for online purchases where only the number is used. Third, as in Europe, thieves can turn to identity theft to work around EMV technology.
The EMV cards are a major improvement, and demonstrate the industry’s dynamic approach to combating fraud. But the FBI’s warning reminds us that a more holistic approach is required to deter thieves.
Preventing fraud isn’t like building a bridge, a one-time task that lives on for decades with minimal maintenance. It’s a never-ending battle, requiring active and constant vigilance.
Criminals, especially Chinese and Russian hackers, are executing increasingly sophisticated efforts that have confounded law enforcement and require a more proactive security approach.
If you introduce technology that makes cards more resistant to fraud for in-person purchases, criminals will increase targeting of online purchases where additional technology is needed to secure payments. If you secure the payments process, hackers will target unsecure data, as seen in the massive Target breach, as well as millions of lost card numbers at Home Depot. In both cases, viruses on the computers that process in-store credit card purchases scooped up to 70 million names, mailing addresses, email addresses and phone numbers – everything a spy would need to steal an identity. For these reasons, researchers are actively seeking to improve the security of the technology and reduce the chinks in the payment process armor.
Though some are touting chip and PIN as a panacea, the credit card of the future likely will contain a cryptographic “token” rather than a four-digit PIN. A complex token solves a few flaws in chip and PIN technology, namely that thieves can crack a four-digit PIN, steal it by “shoulder surfing” in the checkout line, or use social engineering to trick a consumer into handing the number over to someone they think they should trust.
On the process side, financial institutions have made great strides to examine “big data,” collected over a vast number of purchases, to identify purchase patterns specific to individuals that may indicate fraud. When a consumer departs from their typical pattern – purchases in Europe for those who do not travel or sudden gasoline purchases by someone who doesn’t own a car – a fraud alert can respond rapidly to the theft and prevent a snowball effect of further fraudulent transactions.
Credit card fraud costs the economy billions of dollars every year. Although banks and other institutions shoulder the lion’s share of the risk, consumers face potentially devastating legal and administrative challenges in recovering from fraudulent transactions and stolen identities.
Policymakers must realize that staying ahead of thieves is an ongoing process. EMV is great technology, but as the FBI warned: “no one technology eliminates fraud.”
O’Neill is a former FBI counterintelligence operative and a cyber security consultant at The Georgetown Group.