Chip-and-PIN Systems in the United States: Too Late, or Just in Time?

Target, Neiman Marcus, Sears, and Goodwill.

Four retailers you’d never expect to be lumped together in the same category, each providing wares and services to wildly different members of the general population, and none of whom would have ever expected to have the credit card details of their customers covertly tracked, hacked, and stolen right off the POS systems we’ve all learned to trust a little too much in the time since they’ve become the primary way we pay for goods and services across the United States.

Photo: Johan Swanepoel / Shutterstock

At this year’s Defcon 22 hacker conference held in Las Vegas, Nevada, POS scams were the talk of the town, dominating the conversation held between top security researchers, industry analysts, and many of the same members who were a part of the team dedicated to investigating the Target breach back when it was first acknowledged by the big-box company in December of last year.

Hugely lucrative and relatively simple to pull off, this fresh style of attack has become all the rage as hackers continue to scrape the bottom of the billion-buck-lined barrel for new and inventive ways to manipulate the financial system to their will on command. All four of the aforementioned retailers were hit by their own specific flavor of malware designed specifically to exploit the machines they employed at their stores. The only reason any of it was profitable in the first place is due to the inherent weaknesses of what’s become known as the “swipe-and-sign” method of cashier-to-customer credit card verification.

Because current cards only use a magnetic strip and a signature to approve their authenticity, the entire process from the first swipe to the final charge can be spoofed by hackers who have access to card printers, duping machines, and good old fashioned pickpocketing skills right off the street.

Those who are experienced know exactly where they can get away with charging the most to a card without an ID before someone even notices it’s gone, and can often make huge purchases shooting up into tens of thousands of dollars by the time the target realizes something’s amiss.

Credit card companies have had to compensate for this problem by installing blocks on the backend, which are designed to automatically shut a card down if too many purchases are made in a short amount of time, or if something large is bought out of state or far enough away from where most of the transactions on a person’s statement have happened in the past few months.
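The two backend rules described above, sketched as an added example (not code from the original article or from any card issuer). The thresholds, field names, and sample purchases are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# All thresholds below are illustrative assumptions, not real issuer values.
VELOCITY_WINDOW = timedelta(minutes=10)  # "a short amount of time"
VELOCITY_MAX = 3                         # purchases allowed inside the window
LARGE_AMOUNT = 500.00                    # "something large"
HOME_LOOKBACK = timedelta(days=90)       # "the past few months"

@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float
    state: str  # US state where the card was presented

def home_state(history, now):
    """State where most purchases happened within the lookback period."""
    recent = [t.state for t in history if now - t.ts <= HOME_LOOKBACK]
    return Counter(recent).most_common(1)[0][0] if recent else None

def block_reasons(history, txn):
    """Return the rules a new purchase trips; an empty list means approve."""
    reasons = []
    in_window = [t for t in history
                 if timedelta(0) <= txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(in_window) + 1 > VELOCITY_MAX:
        reasons.append("velocity")
    home = home_state(history, txn.ts)
    if home and txn.state != home and txn.amount >= LARGE_AMOUNT:
        reasons.append("large_out_of_state")
    return reasons

def replay(txns):
    """Feed purchases in time order; stop at the first one that is blocked."""
    history = []
    for txn in sorted(txns, key=lambda t: t.ts):
        reasons = block_reasons(history, txn)
        if reasons:
            return txn, reasons
        history.append(txn)
    return None, []

# Constructed sample: routine Ohio spending, then a rapid burst of purchases.
T0 = datetime(2014, 8, 1, 12, 0)
SAMPLE = (
    [Txn(T0 - timedelta(days=d), 40.0, "OH") for d in (60, 45, 30, 14, 7, 2)]
    + [Txn(T0 + timedelta(minutes=m), 90.0, "OH") for m in (0, 2, 4, 6)]
)
```

Replaying the sample approves the routine purchases and the first three of the burst, then blocks the fourth on the velocity rule. A small out-of-state purchase passes, while a large one trips the second rule.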

This is where chip-and-PIN cards come in. First introduced in the United Kingdom back in 2004, the system has proven itself as a strong, secure way to prevent most types of card fraud which have become increasingly popular in the States. The idea works by attaching an RFID-enabled chip to every card that’s distributed within the country, which only activates when a user enters their personalized PIN number into the same machine they’re standing at during the time the transaction is open and active.

“It’s very difficult if not impossible to clone the (chip and PIN) card,” says Andi Coleman, a member of the Accredited Standards Committee X9, which determines standards for the financial industry in the U.S. “If you steal the card out of someone’s wallet, you have to know the PIN in order to be able to use the card in a transaction.”

This effectively nullifies any attempts a crime ring might make on their personal details online, and almost entirely prevents them from being able to make illicit purchases in person unless some very specific requirements are met beforehand.

Target plans to release chip-and-PIN enabled REDCards in mid-2014, Photo: Target

However, if what we’ve seen in the UK is any indication of what we can expect in the States, the account protection method isn’t the be-all and end-all solution, though it is a leap in the right direction.

For example, if a person hands over their PIN number either through duress (muggings, robberies, etc.), or by leaving the code written down somewhere that the criminals have access to, attackers could then run to the nearest retailer and rack up the charges before the victim has an opportunity to report their card lost or stolen.

European hackers have also found a variety of inventive ways to circumvent the system since it was first implemented in the region over a decade ago, and while advancements have certainly been made in the time since the technology was implemented that could potentially increase its overall security, some analysts believe it’s only a matter of time before those methods are phased out in favor of even more advanced–albeit expensive–card machines that can’t be accessed by anyone from outside the physical shop where the cashier itself is located.

Barring those exigent circumstances though, the concept has proven itself as a promising method for protecting the average consumer’s financial information both on the web and in the real world, and would effectively stop POS scams in their tracks if implemented on a nationwide scale.

Analysts in the UK have reported a noticeable drop in credit card fraud in the country in the years since chip-and-PIN cards were introduced, from around $350 million in 2004 alone, to a “mere” $160 million only four years later.

If you’ve ever signed a credit card receipt and wondered if anyone actually reads those things to be sure you’re really who you say you are, well, you aren’t alone. American consumers have been raised to believe that the swipe-and-sign method is the safest way that most of us can get around the tedious, at-times inconvenient method of whipping out a debit card that may not have as much cash attached to it as we need to afford another 12 pack of Pampers, but that’s where chip-and-PIN proves the established industry wrong.

That said, the cost of implementing these security measures across the country will be downright staggering. New machines for every major retailer, along with every boutique shop, bodega, and corner store down the street. And who’s going to foot that bill? The credit card companies, small business owners…the banks?

Then there are the replacement costs of every card in America, which in itself is a massive undertaking. Every address with a registered user must be checked and double-checked, so that whoever receives the new card on the other end is a verified owner and not someone who just happened to get the mail of someone who lived in their apartment three years ago. Plus, where a regular card may cost somewhere in the neighborhood of $2 in materials and shipping costs, chip-and-PIN cards can run anywhere from $15 up to $30 just to get everything programmed and set just right before someone starts making purchases right out of the gate.

Of course, the major savings will come in the long run, both for the financial institutions and the customers they represent. Due to what’s known as a “liability shift”, credit card companies and their insurers will no longer be responsible for fraudulent charges to a user’s account. Instead, that money will be the responsibility of the client, due to the fact that the only way it could have been pulled out of their pocket is if they were somehow irresponsible enough to tell someone the PIN number associated with the card, or wrote it down on a Post-It note that was shoved inside the wallet they lost the same day.

“(Chip and PIN’s) main attraction to banks is the ‘liability shift,’ which is precluded in the U.S. by Regulation E,” writes Ross Anderson, a professor of security engineering at the University of Cambridge, in an e-mail. “This shift means that disputed transactions will be blamed on the customer if a PIN was used and the merchant otherwise. Thus, in theory, the bank would never again be liable. In practice it has not worked. You can’t have a secure system if one party guards it and another party pays the cost of failure.”

But with Target still feeling the sting of their BlackPOS-based breach (some estimates put the total cost at over $350 million and counting), it’s clear what the alternative tab might end up looking like if a viable solution isn’t found sometime soon.

Even with all those roadblocks laid on the path toward true credit card security, both Visa and Mastercard have pledged to fully phase out the swipe-and-sign method by 2015 in America, and hope that with the largest hurdle cleared, the rest of the straggling countries caught in the past (Australia, New Zealand, and Canada, just to name a few) will catch on to the craze and make the effort at all levels of government to update their own approaches accordingly.

As the POS malware market continues to surge forward with newer, more advanced versions popping up every day (read our latest piece on the Backoff variant here, which makes BlackPOS look like child’s play in comparison), retailers, banks, and customers will all need to work together to prevent these types of problems from snowballing out of control in the future.

Chip-and-PIN may not be infallible, but for now it’s the best shot we’ve got to stem the growing tide of threats that are lying dormant on the machines we’ve blindly trusted with the bulk of our personal and financial information every time we need to pick up another roll of paper towels from down at Target, Sears, or even just the local mini-mart.