New security flaw in credit card chip system revealed
LAS VEGAS (CNNMoney) — Computer researchers claim to have found yet another flaw in the upgrade to the chip-based credit cards in the United States.
The chip on these credit cards have been praised for making them nearly impossible to counterfeit. While the cards also contain a magnetic strip, that strip is supposed to tell the payment machine to use the chip.
But there’s a relatively easy way to knock down that safeguard.
Computer security researchers at the payment technology company NCR demonstrated how credit card thieves can rewrite the magnetic stripe code to make it appear like a chipless card again. This allows them to keep counterfeiting — just like they did before the nationwide switch to chip cards.
They presented their findings at the Black Hat computer security conference on Wednesday.
This claim of a glaring hole in EMV, the chip-based system, is possible because of the way many retailers are upgrading their payment machines: They’re not encrypting the transaction.
“There’s a common misperception EMV solves everything. It doesn’t,” Patrick Watson, one of the researchers, told CNNMoney.
On Thursday, a banking and retail industry group that monitors the EMV system cast doubt on the theory.
“If the data on the magnetic stripe is altered it might fool the terminal,” said U.S. Payments Forum director Randy Vanderhoof. But on the back end, the system would “reject the transaction.”
But the discovery of this possible flaw bolsters the retail industry’s complaints against the upgrade, which was forced upon shops by banks.
The National Retail Federation has long complained about the upgrade, which is estimated to cost American retailers $25 billion.
This latest research shows that retailers could spend millions of dollars upgrading to EMV and still not protect their customers from a massive credit card theft like the Target and Home Depot hacks two years ago.
Adding to the problem, payment terminal makers keep producing machines that don’t have the encryption by default.
And vendors who sell and install these machines at shops don’t simply flip the switch and turn on encryption. Retailers have to pay extra for basic security.
The major machine makers, Verifone and Ingenico, both asserted they offer point-to-point encryption on retailer’s machines — but it’s up to retailers and their partners to turn it on.
Currently, retailers focus on protecting the computer network that support their payment system. But that leaves the actual conversation between your credit card and the machine in plain text, readable to any hacker who breaks into the system.
It’s a mistake, said Mike Weber, vice president at the IT auditing firm Coalfire.
“They’re assuming the environment is okay,” he said. It’s not.
During their presentation, the NCR researchers advised shops to “encrypt everything” in a transaction. They also said consumers should pay with special apps on their phones and watches whenever the high tech option is available.