To hear them tell it, it’s the most secure thing outside of Fort Knox. We don’t have to worry about our credit card information being stolen once we have one of these. That’s the new, reformatted, updated-chip credit cards that are supposed to be in place by October of this year. But are they as secure as they are made out to be? How are they different from the cards we have now with the magnetic strip on the back? Will hackers and other crooks still be able to steal their information?
Many of us have already received new cards in the mail from one or more of our credit card issuers. They look almost the same except for the square chip on the upper left corner. Otherwise the card is no different. It still has the magnetic strip on the back and it still has the place for our signature.
Most of the new cards are EMV, which stands for Europay Mastercard and Visa, also called “chip and pin.” It’s the same system used in many European countries and is supposed to catch us up with the rest of the world. They will work with the new terminals that are supposed to be in place in businesses by October. The way they are used is somewhat different from the magnetic strip cards we have now. With the magnetic strip card, we slide the card in a slot on the side of the card machine. With “chip and pin,” we insert the card into a slot at the bottom of the card processing machine where it stays until we have entered a PIN and a bank completes the rest of the process.
The cards won’t work without a pin entered except for online sales. More about that in a minute. With internet sales, everything is the same process as now.
The other kind of card is the RFID chip card. Those work similarly to the way the EZ-Pass and I-Pass chips work. They are read by a card reader up to six inches away. In fact, they don’t even have to come out of a wallet or purse; the card reader can read them as someone stands at the checkout in a store. Trouble is, so can a crook with an RFID reader that he or she can buy on the internet for under $100. Reportedly, there are also Smartphone apps that will clone a card. Supposedly these cards are safe because every time one is used, it generates a separate authentication code for that transaction, so stealing the card information would only allow one transaction on that card for the crook. Is it that foolproof? Well, not really.
That is the technology that Apple Pay and the like uses. It makes it incredibly easy to buy something. Just wave the card in the vicinity of the reader, and presto, you’ve made the purchase. Of course, that involves a different card reader than the EMV, the other system. So new readers in stores would need to accommodate both systems in order to accept both.
One hang-up is changeover costs. Consensus by the lending institutions is that this is an $8.5 billion bill spread out to retailers. Every business, big and small, will have to buy or rent new card processing machines. That’s just an inconvenience for the Targets, Walmarts, and Home Depots. But for Jayne and Susan’s Deli and Joe and Jim’s Gas Station, it could be a financial killer. They are already operating on the edge of insolvency. Small retailers are worried. One interview I watched with a small art supply store owner warned that she may have to stop accepting credit cards and deal in cash only because of the increase in costs for the new system. Not accepting credit cards is something that will certainly affect their profitability, too.
This changeover isn’t all about our, consumers’, safety and security. One of the reasons Visa, Mastercard, American Express and Discover are so gung ho for these cards is that they can pass “fraudulent transactions” back to the retailer who accepted the card. Now the banks have to eat the fraud. But after October, if a retailer doesn’t install the new equipment and accepts a fraudulent card, when the real card customer disputes the charge, the retailer eats it. The banks are in heaven.
Everything will not be all better even if every brick and mortar retailer adopts this new system. Wired Magazine wrote in 2014 “Internet transactions aren’t made any safer by having a chip on your card, and in the UK, and elsewhere, criminals were able to make up much of what they lost [after the switch to EMV in that country] by doubling down on fraudulent web transactions.” One report from Newstex Financial Accounting blogs quoted the CEO of Smartmetric as saying that even after EMV cards came to the UK, fraud was not eliminated. Rather the reduction in fraud was only 50 percent.
In addition, look at the back of the new card. That magnetic strip is still there. It still has all the same information embedded as before and that strip will still be usable until all the old cards are replaced.
ABC News has already come up with a way that crooks can get around the new system. They reported a comment by Brian Krebs of Credit.com, “The curious part about this spate of credit and debit card fraud is that the fraudsters used account information pilfered from old-school magnetic strip cards skimmed in [the Home Depot] attack and used them as EMV purchases in what’s called a ‘replay’ attack. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.” No, I don’t understand how that works, either, but professional hacker crooks do. And you can bet that right at this moment they have most likely found ways to steal the information on the new credit cards and are lurking in the shadows waiting to pounce.
Plus, there’s human error. So much personal data are stored by various companies and governmental agencies that all hackers have to do in order to get enough personal information to effectively steal the financial life of someone is to hack into the databases of one or more of the companies or governmental agencies. No more evidence is required than the US government’s employee database that was compromised this month. The Washington Post warned on June 16 that it may affect these people for the rest of their lives because the data is stored, just waiting to be used.
Are the new cards as secure as they are made out to be? No. Can they be compromised? Yes because criminals are always on the lookout for ways to accomplish their nefarious goals. Will it be more difficult for hackers and crooks to steal information? Marginally, but they are always alert for every opportunity. The warnings are in unison to watch your credit report. Cash is always good. And to keep your RFID card from being read, wrap it in aluminum foil.
By Robert L. Cain