It’s the latest weapon to combat identity theft in the U.S., but according to the FBI, chip card technology is vulnerable, and a transaction security expert added that the new cards won’t do much to stop billions of dollars of credit card fraud over the next few years.
“With technology advances and the significant increase in data breaches and identity theft from computer intrusions, we continue to see significant increases in credit card theft/fraud,” a representative from the FBI’s Criminal Investigative Division Financial Crime Section told The Washington Times. “The new EMV chip cards were designed to help curtail credit card fraud; however, there are still vulnerabilities with these cards.”
EMV (which stands for Europay, Mastercard, Visa) cards store user data on integrated circuits, or chips, that must be physically inserted into a special reader in order to be accessed.
The integrated circuits, which are nearly impossible to duplicate, provide a layer of security that far surpasses the magnetic-stripe technology that has been in use on credit cards since the 1960s.
Many U.S. businesses have begun switching to the new technology, which has been employed widely in Europe for a decade.
But Al Pascual, director of fraud and security at customer transaction consultant Javelin Strategy and Research, said that until the EMV technology is fully implemented in the U.S., credit card fraud and identity theft will continue to plague American commercial and financial institutions.
“The fraud doesn’t necessarily go away lickety-split,” Mr. Pascual said. “Sometimes it changes, but either way, we’re in for a bit of a ride until about 2018-19,” when full implementation is expected.
U.S. chip cards are vulnerable because they also employ magnetic stripes so that businesses that have not yet made the transition to EMV technology can still access users’ credit data.
Thieves can easily exploit magnetic-stripe security weaknesses to counterfeit credit cards by using someone else’s personal information. They also can acquire account information by installing tiny card scanners inside card-swiping devices.
To prevent such a breach, credit card issuers eventually will have to provide EMV cards that have no stripe or stripe-scanning capabilities.
It’s a challenging transition that Mr. Pascual said is long overdue.
Besides the challenge of updating to the more secure EMV technology, merchants and consumers alike will have to get accustomed to dealing with roughly double the amount of transaction time when using chip cards, something which is sure to add more stress and complaints at checkout this holiday season.
European markets switched to EMV technology about 10 years ago, and consumers there foot the bill for fraud. Before last month, U.S. banks that issued credit cards were responsible for paying for fraud.
“The U.S. is one of the very last markets to go to EMV,” Mr. Pascual said. “We’re on a short list with Papua New Guinea and Mongolia. You start to consider that. Where does that leave criminals to go?”
Some experts say they anticipate an increase in Internet fraud because of the new EMV cards, which are driving criminals to seek out easier fraud opportunities online. However, Mr. Pascual said the new cards have nothing to do with growing e-commerce fraud, which resulted in a $10 billion loss for U.S. businesses in 2014.
Financial institutions had been required to pay for credit and debit card fraud until Oct. 1. Now whoever has the oldest technology when the fraud occurs — the bank or the merchant — determines who covers the cost for the crime.
Meanwhile, e-commerce fraud in coming years is projected to surge by 90 percent over 2014’s mark.
“It’s going to grow to $19 billion by 2018, but it was already on that trajectory,” Mr. Pascual said. “It had nothing to do with EMV. Criminals are very good in that space [e-commerce]. They hide behind a whole lot of legitimate transaction volume.”
For example, card-not-present (CNP) fraud is growing briskly, thanks to the Internet. Such fraud is committed without the physical card in hand. Account information can be gleaned via an online data breach, a card scanner or by someone briefly in possession of a card such as a salesperson. CNP purchases can be made with that information online, on an order form or over the phone.
Complicating efforts to fight online fraud is the fact that growing numbers of hackers and fraudsters are operating overseas. U.S.-based operatives called “runners” do the legwork for their foreign counterparts, such as buying gift cards using counterfeit credit cards.
“Cybercrime can victimize millions of users and originate anywhere in the world, so international cooperation is crucial,” the FBI representative said. “It is an understatement to say that maintaining order in a borderless, virtual world poses substantial challenges for law enforcement organizations limited by national, political and legal boundaries. We face conflicting laws, different priorities and diverse criminal justice systems while combating cybercrime.”
Personal information gleaned from data breaches can be used to open fraudulent credit card accounts. Mr. Pascual said that’s what happened in Britain after it switched to EMV technology 10 years ago.
“We saw an increase in application fraud and account takeovers, because when the criminals couldn’t counterfeit the cards anymore, they started applying for the cards, or they started taking over existing accounts and had [EMV] cards mailed to them,” he said.
Because a consumer’s financial and personal information places them at greater risk for fraud, credit card companies have been testing and implementing biometrics-based transactions.
MasterCard tried a cellphone payment experiment dubbed selfie-pay. A facial recognition app requires users to blink before taking a picture of themselves to prove their identity and complete a transaction through their cellphone.
Apple offers its users Apple Pay, which uses a thumbprint scan to conduct a transaction.
Both VISA and MasterCard announced late last year they will employ more secure transaction technology through 3D Secure 2.0, which will replace an older version of the software that required static passwords through Verified by VISA and MasterCard SecureCode. Since those knowledge-based security measures are less secure, 3D Secure 2.0 will issue authentication codes to a user’s cellphone, which can be used to conduct more secure CNP purchases online.
Proximity payment verification, Mr. Pascual explained, also has been used to authenticate transactions. In this case, a card issuer will use geolocation software to determine the location of the user’s cellphone relative to the location of the computer that’s being used to shop online. Obviously, this poses a challenge if the user, for whatever reason, does not have their cellphone.
With biometrics technology, besides facial and thumbprint scans, a user’s voice can also authenticate a transaction. Critics, however, point out that biometrics software renders algorithms that may be intercepted and duplicated.
Mr. Pascual acknowledges such challenges in the ongoing battles to secure computer-based transactions. “There is no 100 percent security and no 100 percent segregation,” he said. “Even in most businesses that attempt to keep this sensitive information from being transmitted across the web, they’re in some way connected.”