Written by 
How exactly does switching to the “chip and PIN” system used everywhere else in the world (except North Korea, I’m told) stop the kind of thing that’s been going on at Target?
In our corner of the transactions treehouse there is only one topic of conversation. The Target breach and the population-scale violation of the US payment system that means that tens of millions of people have had their card details whisked away to the stripe souks of the hacking underworld where they are even now being bought and sold across the global village by global villains.
The retailer confirmed Thursday that the massive data breach, which occurred between November 27 and December 15, resulted in attackers gaining “unauthorized access” to customers’ names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. That information is all that criminals would need to make fraudulent transactions online or create working, counterfeit cards in the names of customers.
[From Target Confirms Hackers Stole 40 Million Credit Cards – InformationWeek]
I’ve seen this being reported (puzzlingly) as a failure of PCI-DSS, because under the stringent conditions that it sets out, retailers are not supposed to store (for example) CVVs. But as I understand it, this data was obtained by accessing “storage”. The malfeasants in the middle had wangled their malware into Target’s POS system so the stripe data was spirited away as it was read.
Target is assuring customers that they won’t be held liable for any fraudulent purchases made in their names as a result of the snafu. It’s also offering a year of free credit monitoring and identity theft protection to “all Target guests who shopped our U.S. stores,” which I’m guessing is, well, pretty much everyone in the U.S., except maybe like Mitt Romney.
[From Target data breach grows: 70 million customers’ personal information stolen.]
Oh, wait…
A high-end Dallas-based retailer is the latest victim of a credit card security breach.
[From Credit Card Breach At Dallas-Based Neiman Marcus « CBS Dallas / Fort Worth]
They’ve probably got Mitt’s card as well then. It’s a working assumption, as far as I can see, that to all intents and purposes, all US card details are compromised. Especially as news stories quoting credible experts — saying that more as yet unnamed retailers have been comprised — continue to circulate. Seriously. All US card details are compromised. Chip and PIN to the rescue! But wait…
But security and merchant-acquiring executives caution that EMV cards and compatible point-of-sale terminals alone would not have prevented a Target-style breach.
[From EMV Chip Cards Don’t Provide Data-Breach Immunity, Security Execs Warn]
That’s not quite right. You can read all of the data from a magnetic stripe and use it to create a counterfeit magnetic stripe card. You can read all of the data from an EMV chip but you cannot use it to create a clone EMV card. When EMV cards were first introduced, you could read all of the data from an EMV chip and use it to create a counterfeit magnetic stripe but you cannot do this (at least the UK) any more because the issuers started to use a chip ICVV that is different from the CVV on the magnetic stripe that is glued to EMV cards for legacy purposes. So if you wangle your malware into POS terminals, an EMV environment does prevent a “Target-style” breach.
The malware will harvest data, but that data cannot be used to make transactions: you cannot make a clone EMV card because you don’t have the security keys that never leave the chip, you cannot make a counterfeit magnetic stripe card because you don’t have the CVV and you cannot use the card details online at your favourite porn/guns/soda merchant because you don’t have the CVV2 from the back of the card.
The reality of the proposed EMV implementation in the US is that the card networks and issuers are calling for chip+signature, dual mag stripe and chip cards and a whole host of other nonsense. Plus, EMV doesn’t solve a darn thing for CNP transactions. EMV is an important technology in a holistic solution (along with point-to-point encryption, tokenization for online transactions, etc.) to protect merchants and banks from the kind of “data theft” that we’ve seen Target. But EMV is not a “silver bullet” and merchant’s concerns about how it is to be implemented and who bears the cost are quite valid. Hopefully reasonable solutions will prevail.
I couldn’t care less about card security (this may be hyperbole), I want a card that works wherever I am. Bickering over security of a partially compatible chip and pin/sig card deployment is what infosec does- ignore the customer. Stuff like this is why “they” hate us (for many different definitions of “they”), and they should.
Done properly, EMV could make customers happier, and maybe sneak a little improved security in. That’s the missing part of the conversation.
Big problems for Americans traveling abroad. In the UK most major retailers don’t accept the mag cards