July 1, 2014
EMV: Silver Bullet or Red Herring?
In the wake of the major retail breaches late last year, the card brands (and a few of the larger issuing banks) dumped huge amounts of money into PR campaigns that positioned EMV as the solution to our card-data security troubles. Now, those of you who follow our blog closely will remember that we very quickly spoke out and warned that this is not true and that EMV wouldn’t have stopped the recent breaches.
Yet, for some reason, the issuing banks and card brands continue to promote EMV as a cure-all. Why? Probably because it will allow them to shift billions of dollars in liability for fraudulent charges off of their books and onto merchants. Now, EMV is not totally without merit, but as we told you back then, the claims we’re being sold seem seriously exaggerated.
The University of Cambridge recently released a study on EMV security that suggests the cards are not as foolproof and secure as we’ve been promised. Researchers found a pair of vulnerabilities related to the “nonce,” a 32-digit security code that the card passes to the POS or ATM to prove it’s a valid card. In the simplest sense, hackers figured out how to fake that code or how to determine exactly what the code would be at some future date, allowing them to use a cloned card with a “real” nonce code. They were also able to process transactions without entering the correct PIN.
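The weakness described above comes down to a terminal generating a nonce that is not actually unpredictable. The following audit script is an added example, not code from this blog, from the Cambridge researchers, or from any terminal vendor: it takes a sample of nonces collected from a single terminal and runs coarse checks for the kinds of predictability a tester would want to rule out before trusting the device. It assumes the nonce is a 32-bit integer and uses constructed sample data; the thresholds are illustrative.

```python
"""Audit a sample of terminal-generated nonces ("unpredictable numbers")
for obvious predictability. Constructed example for illustration; the
sample values and thresholds are assumptions, not real terminal data."""

import random
from collections import Counter

MASK32 = 0xFFFFFFFF  # assumption: the nonce is a 32-bit value


def counter_like(nonces, max_step=256):
    """True if consecutive nonces advance by one fixed small step, i.e. the
    generator is a counter and every future value can be read off the last one."""
    if len(nonces) < 3:
        return False
    steps = {(b - a) & MASK32 for a, b in zip(nonces, nonces[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= max_step


def repeated_values(nonces):
    """Return the set of nonce values that occur more than once in the sample.
    A nonce that repeats can be replayed by whoever recorded it."""
    return {n for n, c in Counter(nonces).items() if c > 1}


def stuck_bits(nonces):
    """Return a 32-bit mask of the bit positions that never change across the
    sample. Bits that are always 0 or always 1 contribute no unpredictability."""
    if not nonces:
        return 0
    always_one = MASK32
    always_zero = MASK32
    for n in nonces:
        always_one &= n
        always_zero &= ~n & MASK32
    return always_one | always_zero


def audit_nonces(nonces, max_stuck_bits=8):
    """Run all checks and return a list of human-readable findings.
    An empty list means none of these coarse checks fired; it is not a proof
    of randomness, so collect a few hundred samples before drawing conclusions."""
    findings = []
    if counter_like(nonces):
        findings.append("counter-like: consecutive values differ by a fixed small step")
    dup = repeated_values(nonces)
    if dup:
        findings.append(f"repeated values: {len(dup)} nonce(s) seen more than once")
    stuck = bin(stuck_bits(nonces)).count("1")
    if stuck >= max_stuck_bits:
        findings.append(f"stuck bits: {stuck} of 32 bits never change")
    return findings


# Constructed sample: a terminal whose "unpredictable number" is a counter
# stepping by 4 and never touching its upper 16 bits.
COUNTER_SAMPLE = [0x0000F000 + 4 * i for i in range(20)]


def random_sample(count=20, seed=20140701):
    """Constructed sample: a seeded PRNG standing in for a healthy generator.
    (A real audit would use captured nonces; the seed only makes the demo repeatable.)"""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    for label, sample in (("counter terminal", COUNTER_SAMPLE),
                          ("healthy terminal", random_sample())):
        print(label, "->", audit_nonces(sample) or ["no findings"])
```

Run against the counter sample the audit reports both the fixed step and sixteen bits that never move, which is exactly the condition under which a future nonce can be predicted; the seeded sample produces no findings. These checks are deliberately simple so they can be run on a handful of captured values during terminal acceptance testing; a proper assessment would add standard statistical randomness tests over a much larger sample.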
Keep in mind that this research came out of the U.K., where EMV has been the standard for the last decade; so by the time the U.S. version hits next year, this will likely have been patched. But it’s not the actual vulnerability that scared us about this report. What was truly frightening was the reaction from the banks:
“We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit,” the report reads.
Yes, you read that right. Consumers are going to their bank to report fraudulent use of their cards and are being told that either they’re wrong or else they must be part of the scam! Can you imagine?
This is the danger of marketing a silver bullet. Those of us who actually understand security recognize that there’s no such thing as a silver bullet, but the average person might just buy it. They might genuinely start to believe that EMV is invincible and that it will stop all card fraud dead in its tracks. They might believe it so much that it becomes the proverbial red herring – the distraction that draws people away from the real solution.
If merchants begin to rely so much on EMV that they fail to implement point-to-point encryption (P2PE), tokenization, and the other security technologies that actually help stop breaches, then we’re really in trouble.
Does EMV play a small part in an effective overall security strategy? Yes; it will likely reduce instances of card-present fraud because it makes it much more difficult (though not impossible) to use duplicated cards. Will it stop breaches like the ones we’ve been plagued with recently? Absolutely not.
Be smart out there, don’t believe everything you’re told, and feel free to contact us at firstname.lastname@example.org if you have any questions.