The Target breach will encourage the US to adopt EMV, but it’s not a magic bullet. However, the breach may have wider implications for the future of retail transactions than EMV adoption.
The fun end-of-year card fraud story was, of course, the infamous Target breach, an epic-scale hack that obtained millions of card details.
Nov. 27-Dec. 15: A data hack at U.S. Target stores exposes as many as 40 million credit- and debit-card customers to potential fraud.
[From Target’s Data-Breach Timeline – Corporate Intelligence – WSJ]
The scale of the hack is unusual, but it is also noteworthy because of the mechanism employed. If media reports are accurate, then it appears that the retailer’s systems were thoroughly penetrated.
The thieves breached the point-of-sale system (POS) and stole customer magstripe data, including names, credit or debit card numbers, expiration dates and everything else needed to make counterfeit cards.
[From Target Admits Massive Credit Card Breach; 40 Million Affected | Threat Level | Wired.com]
Everything else needed to make counterfeit magnetic stripe cards, to be more specific. But we’ll come back to this later on. One notable feature of the breach was that the POS system was compromised so thoroughly that all of the data that the POS handles, including the PINs, was stolen. In the case of the PINs, however, this is unlikely to help the thieves terribly much, because the PIN block is encrypted in the PIN pad under a key the POS software never sees.
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
[From Target Data Security Media Update #4 | Target Corporate]
In an odd way, I found the reports of what had happened to the card details after they had been stolen as fascinating as the attack itself, because these reports tell us a lot about the shape and nature of the underground market for card details. Brian Krebs has a series of wonderful stories about the breach over at his “Krebs on Security” blog, which I urge you to read, and which has astonishingly interesting observations on that market. Why, for example, is there a discrepancy in the cost of domestic and international cards?
Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.
[From Krebs on Security]
I guess it might be that international cards have chips on them, but that fraud systems have been told to allow stripe transactions only in the US. Personally, I would prefer my issuers to disallow stripe (and online) transactions for all of my cards unless I specifically tell them otherwise. My Barclays debit card, to give an obvious example, has a stripe on it and is embossed 1950s style. I would prefer it to have neither. But back to the story. Issuing banks have responded in different ways. Some have placed limits on compromised card activity, some have invited customers to ask for new cards if they are worried, and so on and so forth.
Many banks are taking more of a wait-and-see approach, asking customers to monitor their accounts, and using the banks’ fraud analytics software to monitor transactions for signs of foul play, but not rushing to close accounts and reissue cards.
[From Target Breach Raises Questions About Security, Account Limits and EMV – American Banker Article]
Sales at Target stores are supposedly down slightly but I don’t know enough about the figures to know whether this is due to the breach or not. What our clients are more interested in, I’m sure, is looking at what will be the longer term impact of the Target breach. Gartner analyst Avivah Litan, who I always pay attention to, puts it simply:
it’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system.
[From What can we learn from the Target Breach]
I’m sure everyone agrees that this is the way forward. When Avivah says “smart cards” she means payment cards that use the EMV (“Europay-MasterCard-Visa”) standard that is used almost everywhere else in the world. So let’s look at how exactly EMV might have helped. In an EMV scheme, it doesn’t matter if you capture all of the card details that are sent unencrypted from the card to the terminal. That is because you cannot use those details to create either a counterfeit magnetic stripe card (because the iCVV given up by the chip is not the same as the CVV encoded on the magnetic stripe, so an issuer whose host recomputes the check value for a swiped transaction will decline the clone) or a clone chip card (because you do not have access to the secret keys inside the chip, which are used to create the cryptograms passed in the transaction, and those cryptograms are bound to a transaction counter so they cannot be replayed). What’s more, you shouldn’t be able to use those details in a CNP transaction either, because they do not include the CVV2 printed on the back of the card. However, some retailers (and it is up to them, because it is at their own risk) do accept cards for online payments without checking the CVV2 or even, in some cases, the AVS. If you were able to capture the unencrypted PIN (PIN encryption is not mandatory in EMV, since a plaintext PIN can be verified offline by the chip itself) it still wouldn’t help you unless you could steal the physical card as well.
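As an added example (not from the original post, and not the card schemes’ actual algorithms), here is a small model of the two properties just described: the chip gives up an iCVV derived with a substituted service code of 999 rather than the stripe’s CVV, so chip data written onto a stripe fails the issuer’s check value verification; and the transaction cryptogram is a MAC under a key that never leaves the chip, bound to the application transaction counter (ATC), so a captured cryptogram can be neither replayed nor reused for a different amount. The PAN, keys, amounts and unpredictable numbers are constructed for the demo; HMAC-SHA256 stands in for the DES-based derivations the real schemes use so that the code runs with the standard library only.

```python
import hashlib
import hmac

# Constructed demo values: not a real account, not real keys.
PAN = "4111111111111111"
EXPIRY = "2512"            # YYMM
SERVICE_CODE = "201"       # stripe service code: chip present, normal authorisation
CVK = b"issuer card verification key (demo)"        # issuer-wide key for CVV/iCVV/CVV2
ICC_MASTER_KEY = b"per-card chip master key (demo)"  # held only by the chip and the issuer


def verification_value(pan, expiry, service_code):
    """Three-digit check value over PAN + expiry + service code.
    The real CVV algorithm is DES based; HMAC-SHA256 stands in here, but the
    inputs and the decimalisation (digits first, then a-f mapped to 0-5)
    follow the same pattern."""
    msg = (pan + expiry + service_code).encode()
    digest = hmac.new(CVK, msg, hashlib.sha256).hexdigest()
    digits = "".join(c for c in digest if c.isdigit())
    letters = "".join(str(ord(c) - ord("a")) for c in digest if c.isalpha())
    return (digits + letters)[:3]


def stripe_cvv(pan, expiry, service_code):
    return verification_value(pan, expiry, service_code)


def chip_icvv(pan, expiry):
    # iCVV: service code 999 is substituted before derivation, so the value in
    # the chip's Track 2 Equivalent Data never matches the stripe's CVV.
    return verification_value(pan, expiry, "999")


def cvv2(pan, expiry):
    # CVV2 printed on the signature panel: derived with service code 000.
    # It appears in neither the stripe data nor the chip data.
    return verification_value(pan, expiry, "000")


def track2(pan, expiry, service_code, check_value):
    """Simplified Track 2 layout: PAN, separator, expiry, service code, check value."""
    return f"{pan}={expiry}{service_code}{check_value}"


def issuer_authorise_swipe(track2_data):
    """Issuer host check for a swiped transaction: recompute the CVV from the
    presented PAN, expiry and service code and compare it with the check value
    carried in the discretionary data."""
    pan, rest = track2_data.split("=")
    expiry, service_code, presented = rest[:4], rest[4:7], rest[7:10]
    return hmac.compare_digest(presented, stripe_cvv(pan, expiry, service_code))


def session_key(atc):
    # Per-transaction key derived from the chip's master key and the ATC.
    return hmac.new(ICC_MASTER_KEY, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def application_cryptogram(atc, amount_minor, unpredictable_number):
    """ARQC-style MAC over the transaction data; only chip and issuer hold the key."""
    data = f"{amount_minor:012d}{unpredictable_number:08x}{atc:04x}".encode()
    return hmac.new(session_key(atc), data, hashlib.sha256).hexdigest()[:16]


class IssuerHost:
    """Online chip authorisation: verify the cryptogram and insist the ATC moves forward."""

    def __init__(self):
        self.last_atc = 0

    def authorise_chip(self, atc, amount_minor, unpredictable_number, arqc):
        if atc <= self.last_atc:
            return False            # replayed or out-of-order transaction
        expected = application_cryptogram(atc, amount_minor, unpredictable_number)
        if not hmac.compare_digest(arqc, expected):
            return False            # wrong key, or transaction data altered
        self.last_atc = atc
        return True


def demo():
    """What a Target-style capture of the chip-to-terminal data buys an attacker."""
    genuine = track2(PAN, EXPIRY, SERVICE_CODE, stripe_cvv(PAN, EXPIRY, SERVICE_CODE))
    # Chip Track 2 Equivalent Data (carrying the iCVV) re-encoded onto a stripe.
    cloned = track2(PAN, EXPIRY, SERVICE_CODE, chip_icvv(PAN, EXPIRY))
    host = IssuerHost()
    captured = application_cryptogram(1, 1999, 0xC0FFEE01)   # sniffed from a real purchase
    first = host.authorise_chip(1, 1999, 0xC0FFEE01, captured)
    replay = host.authorise_chip(1, 1999, 0xC0FFEE01, captured)
    reused = host.authorise_chip(2, 50000, 0x0BADF00D, captured)
    return {
        "genuine_swipe": issuer_authorise_swipe(genuine),
        "cloned_chip_data_swipe": issuer_authorise_swipe(cloned),
        "first_chip_txn": first,
        "replayed_cryptogram": replay,
        "reused_cryptogram": reused,
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters on the issuer side is the one in `issuer_authorise_swipe`: a host that accepts any syntactically valid Track 2 without recomputing the check value for the entry mode throws away the iCVV protection, which is exactly the gap that makes stripe fallback worth disallowing.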
So what does this all mean?
Well, the Target hack has given us the opportunity to look again at how EMV might help and, just as importantly, how it might not help. Since it looks as if the US Senate might be discussing the subject in the future, I thought it might be friendly and helpful for CHYP USA to provide some background for US lawmakers…
Three US senators have proposed to the Senate Banking Committee that they hold hearings on the issue of customer data security following the Target data breach. They specifically seek to address the adoption of EMV in the hearings.
[From US Senators seeking to publicise the EMV debate in US following Target breach | The Bankwatch]
The most important point is that EMV isn’t a magic bullet to fix card fraud and it would be a mistake to try and formulate an industry business case based on that alone. However, if you look at the costs across all of the stakeholders, it seems to me that on balance it still makes sense for the US to proceed with its EMV migration, even though everything that has been said about alternative payment technologies is simultaneously true.
Yes, EMV was designed for the offline world of 1994 even though mobile phones and the Internet already existed.
Yes, it is entirely possible to start designing a second-generation “son of EMV” that comes off the drawing board in a world of ubiquitous, pervasive interconnection and industry-wide initiatives in identity and authentication.
Yes, I don’t doubt for a moment that it is possible to make such a son-of-EMV even more secure than EMV is today and, what’s more, make it work in online environments.
Having said all that, we are where we are. Most non-cash payments at retail point of sale are card, and will stay card across the next replacement cycle. Since all of the bits and pieces that banks need to buy, retailers need to buy, processors need to buy etc. are readily available, along with the expertise needed to make them work cost-effectively, it’s the easiest choice. US cards will then work fine overseas, overseas cards will then work fine in the US, and without the pantomime of signing for transactions.
If we want to look at how EMV will change the fraud situation in the US, then the obvious place to look is France. France has had chip cards longer than any other country and it resembles the US in an important way: it has an inefficient payment system that still uses checks. So now that we have had many years to observe the dynamics around the transition to smart cards in retail purchases, what have we learned? Well, here are the basic facts (“French card fraud continues upward trend”):
- Card present fraud at retail point-of-sale is about two basis points (2bp).
- Card not present fraud on the Internet is about 299bp (ie, two orders of magnitude worse).
- Mail-order/telephone order fraud is about 338bp.
Here in the UK the criminals have responded to the adoption of EMV in two ways: by inventing ever-more elaborate scams to get hold of cards and PINs and by stepping up their efforts on the internet. Right now, they are doing rather well, as fraud is up again this year. This is why I stress that EMV is not a magic bullet and it will not eliminate fraud.
So what we see in the UK and France is exactly what we would expect to see given what we know about EMV. It leads to a major reduction in card-present (CP) fraud, partly because you cannot counterfeit the chips used in the smart cards and partly because of the off-line PIN verification. It does nothing to help with card-not-present (CNP) fraud and it does nothing to help with mail-order/telephone order (MOTO) fraud. It could, but it doesn’t.
Most banks in Europe decided not to use EMV as the basis for their 3-D Secure (3DS) authentication, so although there are ways to use EMV cards to combat both CNP and MOTO fraud, they are not used. I can give you a UK example. My bank is Barclays and they sent me a little calculator-like device called a “PIN sentry” several years ago. This implements a standard for using the card’s offline PIN to generate one-off numbers for authentication (the MasterCard CAP and Visa DPA protocols). In fact, since both of my sons bank at Barclays as well, we have more than one of these devices lying around the house. When I want to log into online banking, I take my debit card and pick up any one of the PIN sentries, insert the card and punch in my PIN. The device displays a one-off number and I type this in to the Barclays web site to log in. It’s easy and I like it.
But if I were to use my debit card to buy something online (which is hypothetical, since I would never do this) then I would have to remember a 3DS password. It would be much easier to use the PIN sentry again. The PIN sentry is a simple and cheap device because all of the cryptography is inside the EMV chip. I did suggest doing this inside a standardised identity framework a few years ago (we called this “4D Secure”, but it never took off!). So, for various reasons, EMV cards were not used to attack online fraud and now, given the trajectory of mobile transactions, never will be. I say this because it seems obvious that the mobile phone will become the authentication device for transactions across all channels. In the future I will be using my mobile to pay in Waitrose and on John Lewis’ web site, and as a consumer I won’t know or care that the protocols used at a mundane POS and at a virtual POS are different.
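As an added example (not the author’s, and not Barclays’ or the schemes’ actual CAP/DPA implementation), here is a simplified model of the login flow described above: the chip computes a cryptogram over its transaction counter under a key that only the chip and the issuer hold, the reader decimalises it into a one-off code that also carries the low digits of the counter, and the issuer resynchronises by searching a small window of counter values beyond the last one it saw. The key and counter values are constructed; HMAC-SHA256 stands in for the EMV cryptogram, and the issuer bitmap that real CAP uses to select bits is replaced by plain digit truncation. It also shows why the stolen PAN and PIN from a POS compromise do not help here: without the chip’s key there is no code to type.

```python
import hashlib
import hmac

# Constructed demo key: in reality it never leaves the chip; the issuer holds a copy.
CARD_KEY = b"per-card chip key (demo)"
ATC_WINDOW = 20        # how far beyond the last seen counter the issuer will search


def cryptogram(key, atc):
    """Stand-in for the chip's cryptogram over the ATC (HMAC-SHA256 rather than
    the DES-based EMV algorithm), returned as an integer for decimalisation."""
    mac = hmac.new(key, atc.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def one_time_code(key, atc):
    """What the reader displays: three low digits of the ATC (so the issuer can
    resync) followed by five digits taken from the cryptogram."""
    return f"{atc % 1000:03d}{cryptogram(key, atc) % 100000:05d}"


class Card:
    """The chip: the ATC increments on every use, in the reader or at a POS."""

    def __init__(self, key, atc=0):
        self.key, self.atc = key, atc

    def generate(self):
        self.atc += 1
        return one_time_code(self.key, self.atc)

    def pos_purchase(self):
        self.atc += 1          # an ordinary purchase consumes a counter value too


class IssuerAuth:
    """Issuer side: recompute the code for each plausible counter value."""

    def __init__(self, key, last_atc=0):
        self.key, self.last_atc = key, last_atc

    def verify(self, code):
        if len(code) != 8 or not code.isdigit():
            return False
        atc_low = int(code[:3])
        for atc in range(self.last_atc + 1, self.last_atc + 1 + ATC_WINDOW):
            if atc % 1000 != atc_low:
                continue
            if hmac.compare_digest(code, one_time_code(self.key, atc)):
                self.last_atc = atc   # counter only moves forward, so no replay
                return True
        return False


def demo():
    card = Card(CARD_KEY, atc=5)                  # card and issuer start in sync
    bank = IssuerAuth(CARD_KEY, last_atc=5)
    first = card.generate()
    ok_first = bank.verify(first)
    ok_replay = bank.verify(first)                # same code typed again
    card.pos_purchase()                           # counter skips ahead unseen by the bank
    ok_after_gap = bank.verify(card.generate())   # still accepted via the window
    ok_stale = bank.verify(one_time_code(CARD_KEY, 3))   # an old counter value
    # Stolen PAN and PIN but no chip key: the attacker has to guess the key.
    forged = bank.verify(one_time_code(b"guessed key", card.atc + 1))
    return {"first": ok_first, "replay": ok_replay, "after_gap": ok_after_gap,
            "stale": ok_stale, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The window size is the practical knob: too small and a card used heavily at the POS between logins drifts out of sync, too large and the low-digit prefix stops uniquely identifying a counter value, which is why the prefix and the window have to be chosen together.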
One more point.
I see that there has been a traditional American response to the breach.
Just days after acknowledging a massive hack of customer credit card data, Target is facing at least two dozen lawsuits. And more could be on the way.
[From Lawsuits piling up on Target over hack – Dec. 23, 2013]
I suspect that there may well be another consequence of the Target breach, once the costs reach a few billion or so. Since class action lawyers are more effective agents of change than consultants or, indeed, the US Senators are, this might be the tipping point for a major change in the use of new retail transaction technologies in the US. Yes, it will provide a kick to implement EMV and transfer liability back to the card issuers, but it may also provide a kick to reduce the dependence on “traditional” card products entirely. Note that the Target hack included the theft of Target’s own Red decoupled debit card details. These are of no use to the criminals because they can only be used in Target. They are, to use the jargon, “tokens”. They point the way forward: the major international payments schemes are involved in a huge effort to move to tokenisation for mobile and online transactions. But the payment schemes will not be the only organisations to have noticed this dynamic as the consequences of the breach unfold. Indeed, observers are already (correctly, in my opinion) noting that retailers will be exploring other possibilities too.
Retailers have a unique opportunity to lower payment liability by shifting consumers to card and mobile ACH decoupled debit.
[From The Target Breach: what it means to card and mobile ACH payment: | The Competitor’s Code]
I wonder if this may be the long-term legacy of the breach? If the issuers don’t get their act together and accelerate EMV deployment, then the retailers will be tempted to move away from the traditional card schemes altogether and use their own tokens, either via their decoupled debit cards or via their own apps (using HCE/BLE so that standard terminal estate can be used) to both reduce that payment liability and reduce costs.