Our society has surely embraced the convenience of credit and debit cards over cash, but the widespread use of credit card technologies may put us at risk of fraud, identity theft and loss of privacy.
Last fall in Britain, a Cambridge University computer science student wrote a thesis exposing vulnerabilities of an embedded credit card security technology widely adopted in Europe.
The adopted EMV (Europay, Mastercard, Visa) standard is a government-backed standard that uses chip-and-PIN technology. A chip in the credit card has the card's PIN number encoded into it. During a transaction, the cardholder types in the matching PIN and the transaction proceeds.
The student, Omar Choudary, invented a device called the Smart Card Detective. A credit card is first inserted into it, then the card is inserted into a merchant's chip-and-PIN reader. The Smart Card Detective electronically intercepts communication between the reader and the chip, and the card can then be used without knowing the valid PIN number.
Mr. Choudary published information concerning this vulnerability—and details of the device he built—on a University of Cambridge website. In response, the UK Cards Association, with a membership that includes “major credit, debit, and charge card issuers,” sent a letter to the college asking that the research “be removed from public access immediately,” as, among other things, it may “undermine public confidence” in the widely implemented payment card system.
Cambridge Professor Ross Anderson sent a rebuttal letter addressing the concerns, saying that public confidence in the system would be restored when “banks are frank and honest in admitting its weaknesses...and diligent in effecting the necessary remedies.”
The banks and merchants have obviously invested billions in this technology, backed by a push from the UK government. In addition to the financial risks, Professor Anderson outlined other motives in an email interview published on Bankrate.com.
“(Chip and PIN's) main attraction to banks is the 'liability shift' … This shift means that disputed transactions will be blamed on the customer if a PIN was used, and the merchant otherwise. Thus, in theory, the bank would never again be liable,” Mr. Anderson is quoted as saying.
There is a push to implement the technology in the United States, partly to address vulnerabilities in the existing magnetic stripe technology, such as “ATM skimming,” where false readers are cleverly attached to ATMs to steal the stripe's data.
Wal-Mart's director of payment services Jamie Henry, in May of last year, said at a Smart Card Alliance meeting: “It’s time for Chip-and-PIN in the U.S. Let’s get a roadmap and move it forward here in the United States.
“As far as we are concerned, signature is a waste of time. It has to be PIN or nothing.”
RFID technology, widely adopted in the U.S. and found in driver's licenses, credit and debit cards, passports and government IDs, is itself vulnerable to easily acquired proximity scanners. In late 2008, University of Virginia student Karsten Nohl and his colleagues exposed RFID vulnerabilities, pointing out that chip designers were “operating under the assumption that their world was apart from such scrutiny.”
Continuing, Mr. Nohl took a further jab at RFID security. “Please note that we have not compromised the security of credit cards, as some of the articles suggest. From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise.”
With convenience technology comes exposure, unlike anything we've dealt with before.
I don't know about you, but the use of cash is sounding more practical, and safe.