Although the EMV system is touted to provide cardholders exemplary security against fraud, by all but eliminating the possibility for card cloning by thieves, it has demonstrated alarming security weaknesses in other areas. Increasingly becoming a global standard, “EMV” stands for: “Euro Pay, MasterCard and Visa” and represents the three companies’ conjoined efforts to “ensure security and global interoperability so that Visa and MasterCard cards can continue to be accepted everywhere,” described in a recent article in the India Times.
It appears that EMV is particularly vulnerable at this point of sale, where a swindler can install an information-snatching device called a “skimmer” to collect people’s private information, transaction by transaction.
Another article appearing on the website Dark Reading, chief security engineer for secure design consultants Inverse Path, Andrea Barisani, says the many flaws apparent in chip-and-PIN technology are easily exploited.
The legacy transaction processing monitors that the chip-and-PIN systems are designed for transmit the password or PIN consumers enter when making a purchase in plain text. That makes the information easy pickings for scammers using skimmers.
“EMV is broken,” Barisani says. “In order to fix the problem, they will have to change the standard and break compatibility with older cards.”
Three different types of cards are supported by EMV: the older, more familiar cards with the magnetic strip across the back, the microchip-embedded cards that are currently in circulation, and the latest incarnation of more secure microchip-embedded cards. However, as published on Dark Reading, Barisani cautions that skimmers can “force transactions to use the least secure transaction method,” and then help itself to the unprotected info.
In May of this year there was an eye-opening reminder of how point-of-sale terminals have long provided an appealing opportunity for credit card crooks to abscond with the details of unwitting consumers. Michael’s, a national chain of craft stores, reported a security breech involving over 70 of their POS terminals had been tempered with by thieves in stores, spanning the country. These compromised terminals may have put many customers’ credit and debit card information into the hands of hackers.
It is practically impossible for card users or store employees to notice which method the terminal used to process specific transactions, especially because the corresponding code printed on receipts are not reliable- as they can be falsely generated by a skimmer.
Again, Barisani to Dark Reading, “It has really taken ages to move away from the magstrip. So if the EMV problems are not fixed in the initial implementation, then the security issues are going to be around for a long time.”