New Chip-and-Pin Cards Have Shocking Security Flaw

By Steve Anderson August 11, 2016

Remember the furor over chip-and-PIN cards? How these were so much safer than magnetic strip cards and how we'd all be so much better off once we put them to use? The hype seems to have run just a little farther than the average user might like, as word from NCR says that the chip-and-pin card may have a new security flaw that could render these less safe than previously thought.

Since chip cards still use a magnetic strip, but one that tells the system to turn to the chip instead, the strip is the focus of the flaw. Credit card hackers can change the nature of the magnetic strip, making it seem like a card without a chip altogether, and allowing hackers to gain access to the credit card as if the chip were never there to begin with.

For chip cards, this is a disaster. Already, retailers were complaining about the expensive new infrastructure required to handle chip card systems, along with the delays involved in actually using the cards. The last thing anyone needed to hear was security issues. What's more, vendors are noting that the problem lies at the retailer level, as retailers aren't encrypting transactions made with chip cards.  That burden is being put on the retailer, and word from the National Retail Federation is that just the upgrade to chip cards already costs around $25 billion. Worse, the chip card infrastructure sold to the retailers doesn't have encryption as a default feature, so that's another expense going to the retailer, who's already under fire from online and mobile shopping.

Some new developments are making attacks on such cards even easier. So-called “shimmers,” devices that record transaction data, are being covertly inserted into ATMs and the like by hackers, who can then take that transaction data and put it to use for their own ends. This latest tactic joins others being tested or operating in the field at last report; as far back as 2011, Aperture Labs and Inverse Path were running briefings about harvesting PINs from EMV.

There were already difficulties with getting retailers to switch over to Europay / Mastercard / Visa (EMV) standards, exemplified by the chip-and-PIN system, thanks to the sheer expense and difficulty involved. Now, revelations that the system isn't all that safe unless a whole new set of expenses are taken on may well doom this change before it fully starts, liability shifts aside. If retailers start rebelling against this, they may well consider eschewing cards altogether in favor of a growing array of mobile payment options instead.

That opens up some significant opportunities to cut banks and cards out of the market, and may well end up doing a lot more damage than anyone suspected. This won't be an easily fixed mess, but it's clear that strong tactics are called for in the face of significant potential losses.

Edited by Alicia Young

Contributing Writer

Related Articles

Pai Makes His Case for Title II Repeal

By: Paula Bernier    11/21/2017

FCC Chairman Ajit Pai today made clear his plans to repeal Title II net neutrality rules. The commission is expected to pass his proposal at its Dec. …

Read More

Mist Applies AI to Improve Wi-Fi

By: Paula Bernier    11/9/2017

Mist has created an AI-driven wireless platform that puts the user and his or mobile device at the heart of the wireless network. Combining machine le…

Read More

International Tech Innovation Growing, Says Consumer Technology Association

By: Doug Mohney    11/8/2017

The Consumer Technology Association (CTA) is best known for the world's largest trade event, but the organization's reach is growing far beyond the CE…

Read More

Broadcom Makes Unsolicited $130B Bid for Qualcomm

By: Paula Bernier    11/6/2017

In what could result in the biggest tech deal in history, semiconductor company Broadcom has made an offer to buy Qualcomm for a whopping $130 billion…

Read More

How Google's 'Moonshot' Could Benefit Industrial Markets

By: Kayla Matthews    10/30/2017

The term "moonshot" encapsulates the spirit of technological achievement: an accomplishment so ambitious, so improbable, that it's equivalent to sendi…

Read More