New Chip-and-Pin Cards Have Shocking Security Flaw

By Steve Anderson August 11, 2016

Remember the furor over chip-and-PIN cards? How these were so much safer than magnetic strip cards and how we'd all be so much better off once we put them to use? The hype seems to have run just a little farther than the average user might like, as word from NCR says that the chip-and-pin card may have a new security flaw that could render these less safe than previously thought.

Since chip cards still use a magnetic strip, but one that tells the system to turn to the chip instead, the strip is the focus of the flaw. Credit card hackers can change the nature of the magnetic strip, making it seem like a card without a chip altogether, and allowing hackers to gain access to the credit card as if the chip were never there to begin with.

For chip cards, this is a disaster. Already, retailers were complaining about the expensive new infrastructure required to handle chip card systems, along with the delays involved in actually using the cards. The last thing anyone needed to hear was security issues. What's more, vendors are noting that the problem lies at the retailer level, as retailers aren't encrypting transactions made with chip cards.  That burden is being put on the retailer, and word from the National Retail Federation is that just the upgrade to chip cards already costs around $25 billion. Worse, the chip card infrastructure sold to the retailers doesn't have encryption as a default feature, so that's another expense going to the retailer, who's already under fire from online and mobile shopping.

Some new developments are making attacks on such cards even easier. So-called “shimmers,” devices that record transaction data, are being covertly inserted into ATMs and the like by hackers, who can then take that transaction data and put it to use for their own ends. This latest tactic joins others being tested or operating in the field at last report; as far back as 2011, Aperture Labs and Inverse Path were running briefings about harvesting PINs from EMV.

There were already difficulties with getting retailers to switch over to Europay / Mastercard / Visa (EMV) standards, exemplified by the chip-and-PIN system, thanks to the sheer expense and difficulty involved. Now, revelations that the system isn't all that safe unless a whole new set of expenses are taken on may well doom this change before it fully starts, liability shifts aside. If retailers start rebelling against this, they may well consider eschewing cards altogether in favor of a growing array of mobile payment options instead.

That opens up some significant opportunities to cut banks and cards out of the market, and may well end up doing a lot more damage than anyone suspected. This won't be an easily fixed mess, but it's clear that strong tactics are called for in the face of significant potential losses.




Edited by Alicia Young

Contributing Writer

SHARE THIS ARTICLE
Related Articles

6 Challenges of 5G, and the 9 Pillars of Assurance Strategy

By: Special Guest    9/17/2018

To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…

Read More

Putting the Flow into Workflow, Paessler and Briefery Help Businesses Operate Better

By: Cynthia S. Artin    9/14/2018

The digital transformation of business is generating a lot of value, through more automation, more intelligence, and ultimately more efficiency.

Read More

From Mainframe to Open Frameworks, Linux Foundation Fuels Up with Rocket Software

By: Special Guest    9/6/2018

Last week, at the Open Source Summit, hosted by The Linux Foundation, the Open Mainframe Project gave birth to Zowe, introduced a new open source soft…

Read More

Unified Office Takes a Trip to the Dentist Office

By: Cynthia S. Artin    9/6/2018

Not many of us love going to see the dentist, and one company working across unified voice, productivity and even IoT systems is out to make the exper…

Read More

AIOps Outfit Moogsoft Launches Observe

By: Paula Bernier    8/30/2018

Moogsoft Observe advances the capabilities of AIOps to help IT teams better manage their services and applications in the face of a massive proliferat…

Read More