Tomorrow is the deadline that Visa and MasterCard have set for banks and retailers across the US to roll out a new system for more secure bank cards with microchips embedded in them.
Over the last few years, card issuers have spent between $200 million and $800 million to distribute new debit and credit cards to accountholders, while large retailers like Target, Home Depot and Walmart have spent more than $8 billion to install new card readers capable of reading the chips.
Despite this effort, retailers say the new system is highly flawed because instead of issuing the so-called chip ‘n’ PIN cards that offer two-factor authentication, banks and other card issuers are distributing chip ‘n’ signature cards, which thieves can easily undermine.
“Chip and PIN has been proven to combat fraud dramatically,” says Brian Dodge, executive vice president of the Retail Industry Leaders Association. “But that’s not what American consumers are getting, and thus far banks have gone to great lengths to blur the lines between the two distinctly different transactions.”
Even with PINs, however, the new technology will not eliminate fraud, but will simply shift the type of fraud that occurs.
The Hope of a More Secure System
The new technology—called EMV for Europay, MasterCard and Visa—consists of cards with a microchip that contains data traditionally stored in the card’s magnetic strip. These work with new point-of-sale readers that scan the chip and process payment transactions in a secure manner using encryption.
The chip reduces fraud because it contains a cryptographic key that authenticates the card as a legitimate bank card and also generates a one-time code with each transaction. This means thieves can’t simply take account numbers stolen in a breach and emboss them onto the magnetic strip of a random card, or program them onto the chip of a random chip card, to make fraudulent purchases at stores or unauthorized withdrawals at ATMs.
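The difference between static stripe data and a per-transaction code can be shown with a simplified model. This is an added example, not code from the article or from the EMV specification: it uses HMAC-SHA256 in place of EMV's actual cryptogram algorithm, and the names `ChipCard`, `Issuer`, `authorize` and the card number are hypothetical.

```python
import hashlib
import hmac
import os

def _message(pan, counter, amount_cents, nonce):
    # Everything the one-time code must be bound to.
    return f"{pan}|{counter}|{amount_cents}|{nonce.hex()}".encode()

class ChipCard:
    """Hypothetical chip model: the key stays on the chip, the counter only rises."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0
    def sign(self, amount_cents, nonce):
        self._counter += 1
        msg = _message(self.pan, self._counter, amount_cents, nonce)
        code = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"pan": self.pan, "counter": self._counter,
                "amount": amount_cents, "nonce": nonce, "code": code}

class Issuer:
    """Hypothetical issuer: knows each card's key and the last counter it accepted."""
    def __init__(self):
        self._keys, self._last = {}, {}
    def enroll(self, pan):
        self._keys[pan], self._last[pan] = os.urandom(32), 0
        return ChipCard(pan, self._keys[pan])
    def authorize(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        msg = _message(tx["pan"], tx["counter"], tx["amount"], tx["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: bad code"          # account number alone is not enough
        if tx["counter"] <= self._last[tx["pan"]]:
            return "declined: replayed code"     # a captured code cannot be reused
        self._last[tx["pan"]] = tx["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    pan = "4000000000000002"                      # constructed sample number
    card = issuer.enroll(pan)
    tx = card.sign(1250, os.urandom(4))
    genuine, replay = issuer.authorize(tx), issuer.authorize(tx)
    clone = ChipCard(pan, os.urandom(32))         # stolen number, no card key
    return genuine, replay, issuer.authorize(clone.sign(1250, os.urandom(4)))
```
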
After unveiling its new credit-card reader at Apple’s Worldwide Developer Conference in San Francisco earlier this month, Square tested this newfangled contraption at a Blue Bottle coffee shop in Mint Plaza, just down the street.
The reader doesn’t accept ordinary credit cards. It takes a newer breed of card equipped with an EMV chip for greater security, and it accepts Apple Pay, that much-hyped means of making card payments via the iPhone or the fledgling Apple Watch. With so many Apple faithful descending on the nearby Moscone Center for WWDC—the centerpiece of Apple’s year—Blue Bottle provided an unusually ripe proving ground for the new reader and the larger push towards Apple Pay and other “contactless” payments systems.
According to Jesse Dorogusker, who oversaw the creation of the new reader as Square’s head of hardware, the tests revealed some “weird” behavior among those paying for some mighty good coffee with their personal Apple gadgets. Some people touched their wrists to the reader with their Apple Watches facing up, before realizing that the Watch doesn’t send a payment unless it’s facing down. “I’ve seen it,” Dorogusker says, shrugging his shoulders. “The new ritual is something we have to fine tune.” And sometimes, when they positioned their phones and Watches in the correct way and a payment went through flawlessly, they weren’t quite sure that it had. By the time they looked at their phone or watch display, he says, the notification saying they had paid successfully was already gone. “You have to adapt to the experience being too fast.”
The Blue Bottle trial run was hardly a widespread test—Square kept its reader in the shop for only a week—and it may say more about the Apple Watch than Apple Pay. But it provides a nice metaphor for contactless mobile payments as a whole. Apple Pay and its ilk will take some getting used to. As Dorogusker says: “Changing buyer behavior is hard.”
In fact, many question whether such services are any more desirable than physical credit and debit cards in the first place. “So few people use Apple Pay, and merchant availability isn’t necessarily the reason,” says Sucharita Mulpuru-Kodali, an analyst with Boston-based research firm Forrester. “It’s just not that much easier.”
New travel and trade rules between the US and Cuba are to take effect on Friday, US officials say.
Measures include allowing US citizens to use credit cards in Cuba and for US businesses to export some technologies.
Americans will be able to take home up to $100 (£66) in alcohol and tobacco from Cuba. Correspondents say it means the US ban on Cuban cigars is over.
The move implements last month’s agreement to re-establish ties severed since 1961.
Although the latest moves put a large dent in the US trade embargo against Cuba, only Congress can lift it completely.
Earlier this week, US officials said Cuba had completed the release of 53 political prisoners agreed as part of the historic deal.
Policies ‘out of date’
“Today’s announcement takes us one step closer to replacing out-of-date policies that were not working and puts in place a policy that helps promote political and economic freedom for the Cuban people,” said US Treasury Secretary Jacob Lew in a statement.
White House press secretary Josh Earnest said the changes would “immediately enable the American people to provide more resources to empower the Cuban population to become less dependent upon the state-driven economy”.
While ordinary tourism is still banned, the new regulations will allow US citizens to travel to Cuba for any of a dozen specific reasons without first obtaining a special licence from the government.
US credit and debit cards can be used there and there will be no more limits on how much money US citizens can spend in Cuba each day.
According to a Gallup poll, Americans worry more about getting hacked than they do about any other crime:
69 percent of Americans worry about their credit cards being hacked and 62 percent worry about the theft of data from their computers — far higher than the share who report worrying about more grievous crimes such as burglary and murder.
Americans’ fears aren’t wholly unfounded. There have been a number of large-scale attacks in recent years, compromising millions of users’ data. The chart below shows how many millions of users have been affected by the biggest data breaches on record:
This is the first Gallup poll to ask about hacking worries, and thus the firm has no historical data to show when or how quickly it came to dominate Americans’ fears. But these statistics do reflect the increase in cybercrime and decline in other crimes in recent years. As the rate of violent crime has gradually decreased over the past 20 years, security breaches among businesses have gone up.
85 percent of households earning above $75,000 a year reported worrying about a credit card hack, as opposed to only 50 percent of households earning under $30,000 a year. Hacking typically worries people from higher income groups more because they are likelier to have access to credit cards and cloud computing.
Stolen credit card data sells heavily on underground markets, as do the malware and tools thieves need to steal the data themselves.
Malware is malicious, bad software. It’s the code that cyber-criminals use to steal credit card numbers and bank accounts. As we all saw with that hack against Target, cyber-criminals are getting really good at using malware.
They’re getting so good they’ve built a thriving underground where credit cards go on sale before the rest of us even knew a mega-breach happened.
On a recent day, at a crowded Starbucks in downtown San Francisco, Tom Pageler powers up his laptop and takes me online shopping — with a twist. We go to the anonymous Tor network, to a website that requires a login and whose name he didn’t want to reveal.
Pageler doesn’t want to tip off anyone, because being a trusted user on a criminal website takes work. It’s a lot like eBay; you’ve got to visit, buy and sell regularly and get rated and reviewed by your peers.
“When they transact with you, no one’s getting arrested, no one’s getting burned,” Pageler says. “So every time you make a transaction on the underground, you’re just building your street cred.”
Today, credit cards are on super sale. Pageler says that means a big breach just happened.
Strangely, platinum credit cards on the site are selling for less money than gold cards. Apparently people in the underground don’t just look at credit limits. They do analytics to see, according to the data, what banks have the weakest security.
“For them, they’ll know based on bank ID number which bank it is, and where they’re getting the best return on fraud,” he says.
Pageler is not actually a cyber-criminal. He’s a former Secret Service agent who studied them and is now in the private sector, at DocuSign. Today he’s showing me how a low-level operator would work this site. Say I wanted to launch an attack. Without any specialized coding skills, I could buy the package of services I need: a list of 10,000, customized by age, gender, region; that goes for just $79. To make sure the emails work, there’s a “cleaning price” of $48, Pageler says.
Criminals using fake credit cards, made with data stolen from Target, are already being arrested
The FBI has issued a warning to US shops telling them to beef up defences against cyber-thieves.
The agency included its warning in a confidential report to large retailers that was obtained by Reuters.
In particular, said the FBI, shops need to look for the type of malware used to steal millions of credit card details from shoppers at retailer Target.
The FBI said it had seen about 20 cases in the last year where data was stolen using the same type of malicious code.
That code has been inserted on to credit and debit card swiping-machines, cash registers and other point-of-sale (POS) equipment.
“We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it,” read the FBI report.
The low cost of the virus code, its wide availability on underground markets and the potential for profit if POS equipment was compromised made it very attractive to thieves, said the agency. One copy of the type of software used to grab data at tills was on sale for only $6,000 (£3,600), said the FBI report.
The report was sent out as more details emerge about the extent of the security breach at US retailing giant Target.
Reports suggest that the attackers who planted malware on Target tills were scooping up card data for 19 days during the busy Christmas season. The thieves are believed to have got away with complete details for 40 million cards and stolen personal data on about 70 million customers.
The attack is believed to have been one of the biggest retail cyber-attacks in history.
Recent arrests suggest the data stolen from Target is already being used to create counterfeit cards. In mid-January two people were arrested at the Texas-Mexico border with 96 fake cards later identified as being from the huge cache stolen from Target.
A cryptographic chip embedded onto a British debit card. America is nearly alone in still relying on magnetic stripes to authenticate purchases.
The credit and debit card data breaches at Target and Neiman Marcus compromised at least 70 million American consumers, and analysts say even more of us are at risk. That’s because the technology we use to swipe for our purchases — magnetic stripes on the backs of cards — isn’t hard for a skilled fraudster to hack.
“It’s totally unprotected and it’s static, so it’s the same data that’s read every single time. It’s just about the worst security that you can put into a payment system,” says Avivah Litan, a security analyst for Gartner, a firm retailers hire to assess their cybersecurity gaps.
Sophisticated cyberthieves got consumer data during the holiday season breaches by injecting a virus into Target’s card payment terminals. From there, the bad guys systematically captured the information found on every card swiped, from Thanksgiving through just before Christmas.
“We’ve seen hacks as big as this before, in fact we’ve seen bigger, but what we haven’t seen before is something this sophisticated and well organized,” Litan says. The data from the cards was turned around and sold on an underground market, where thieves can recreate credit cards using the stolen data and use them to make fraudulent purchases, she says.
Industry leaders know magnetic stripes are outdated and easily exploitable. The rest of the world moved on to a more secure, harder-to-hack payment system based on chip-enabled cards — chip and PIN. Chip-enabled cards are more secure because the data on the chip is hidden behind encryption. So even if criminals intercept what’s on it, they can’t re-use it.
“It’s standardized all over the world and used all over the world, except in the U.S. and perhaps one country in Africa,” Litan says.
“Basically my American credit card is like a second-class citizen here,” Shapiro says. “I can’t use the self-checkout line at the supermarket, I can’t use the automated machine in the subway system or the post office. Some merchants charge me an extra charge just because of my American credit card.”
Shapiro’s new British pal, Ben Thompson, explains how he pays for purchases without swiping — or signing.
After thieves hijacked credit and debit card data belonging to 40 million Target shoppers, many blamed the retail giant for putting them at risk of identity theft.
But some experts are also pointing to a less visible culprit: the credit card industry. Card issuers might not have been able to prevent the recent data breach at Target, but if they had upgraded to more secure technology, they could have deterred thieves from using that stolen information to make counterfeit credit cards.
U.S. banks rely on credit cards with magnetic strips, which can be easily reproduced by thieves, while European banks have issued millions of more modern “smart cards” that are embedded with computer chips. Smart cards encrypt transaction information, require thieves to know the cardholder’s PIN, and can generate one-time-only passwords.
Smart cards would not eliminate credit card fraud entirely. The technology can stop criminals from using stolen credit cards in checkout lines, but it would not prevent thieves from using cards online, where people type their credit card numbers to make purchases.
But if U.S. banks issued smart cards, “you would stamp out counterfeit cards,” said David Robertson, publisher of The Nilson Report, a credit card industry trade publication.
“Anyone can make a counterfeit magnetic strip card, but a chip is far different,” Robertson said. “You’re not going to have crooks making chips.”
The credit card industry plans to transition to smart cards, but the deadline for retailers to accept them or be held liable for fraudulent transactions is still nearly two years away. Some say that card issuers should have switched sooner, given that smart cards have been around for about two decades and credit card breaches have been happening for years.