Data breaches at Target, Neiman Marcus and other retail chains left many of us nervous about using our debit and credit cards. Data for 40 million credit cards was stolen from Target's point-of-sale machines in 2013, and another 1.1 million from Neiman Marcus.
What is being done to protect cardholders at checkout -- and what can we do in the meantime to protect ourselves? We asked Slava Gomzin, security and payments technologist at Hewlett-Packard and author of "Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions," published by Wiley in February.
Q: The Target debacle set off a debate about debit cards vs. credit cards. Which is safer in that kind of breach?
A: In theory, a debit card is safer than a credit card because it offers two-part identification. In information security, this is called two-factor authentication. You have to swipe your card then key in your PIN number, which makes it twice as hard for a hacker to replicate and use your card. The problem is most debit cards are dual-purpose, so they can be used as a debit card but processed by the credit card network.
If you have a debit card, you know some places prompt you to enter a PIN number, but in others you just swipe the card without entering the PIN. The cardholder data on the magnetic stripe can be processed without the two-part identification. So hackers can still steal the data from the [point-of-sale] machine, make fake cards and use them.
Q: Will the migration to chip cards protect us from hackers?
A: EMV technology brings some protection. You insert a chip-and-PIN card instead of swiping, then key in your PIN number. So there's that two-factor authentication. There is also an immediate dynamic offline authentication that magnetic stripe cards don't have. The original purpose behind EMV was to fight credit card fraud at point of sale. Chip cards protect the cardholder much better there than magnetic stripe cards.
Q: We're getting mostly chip-and-signature cards in the U.S. Is the two-step process of signing as effective as keying in a number?
A: From the POS perspective, it's the same as chip-and-PIN. It's just less secure from the merchant's perspective. Some people think there's some validation of the signature when you sign on the terminal, but there is no validation. You can put anything instead of your signature. Nobody's validating it.
Q: Could those breaches at Target and Neiman Marcus have been avoided if chip cards were used instead of magnetic-stripe cards?
A: Not necessarily, because EMV was not designed to secure the cardholder's data after the point of sale. With the breaches at Target and Neiman Marcus, cardholder data was stolen after it was entered into the system. It was stolen from the memory of POS machines. At that point, it doesn't matter if it was entered through the magnetic stripe. When someone steals cardholder data through an EMV card, dynamic indication was used so you cannot just replicate the cards and use it for another transaction. The bottom line is that EMV is more secure than magnetic stripe, but it's not really designed to secure the data.
Q: Chip technology has been around for 10 years. Is it still hack-proof?
A: EMV is not new technology. It did significantly reduce the amount of fraud for brick-and-mortar merchants in Europe, but the fraud there moved online. A big problem with EMV is it doesn't provide security to online transactions. When you go to a website to pay for something with an EMV card, you still need to enter the account number and date exactly the same way you do with a magnetic stripe card.
Q: By the time we make the transition to EMV, will hackers have figured a way around it?
A: Hackers are not super smart. They look for the easy way to steal card data. It's much more difficult to steal EMV data than magnetic stripe, so hackers moved to the U.S. The U.S. is the easiest place to steal card data today.
After the transition to EMV, they will try to find new ways to attack the systems. At conferences in recent years, white-hat hackers demonstrated that EMV is vulnerable to attack. Hackers will adapt to the new technology the same way they adapted to PCI after it was introduced seven years ago.
Q: PCI rules -- short for Payment Card Industry Data Security Standard -- were set up in 2004 to protect us from this kind of fraud. Do the recent breaches mean that system failed?
A: PCI reduced the amount of breaches significantly for a couple years and then hackers learned how to avoid it because there were so many holes in PCI -- especially in stores. PCI rules allowed data to be processed in the RAM of point-of-sale machines, then transmitted over the local networks. Hackers learned this quickly and after a couple years, the amount of breaches started to grow. By the end of last year, it was growing exponentially.
Q: You compared the PCI-compliant merchant environment to "a poorly designed nuclear reactor ready for a meltdown."
A: [Laughs.] Of course, it was a good idea to introduce PCI, but PCI is suitable for big payment processors like banks and data centers. It's not suitable at all for the store environment. I think it was a mistake originally to introduce PCI to merchants. Instead of investing a lot of money into PCI compliance, they should have invested in point-to-point encryption and forget about the breaches.
Q: In your book, you advocate for an overhaul of the security system at point of sale. How likely is that to happen?
A: There are technologies today that would solve the problem. Point-to-point encryption is one. It protects the cardholder data from the moment of the card entry ... The problem is that it requires significant investment in [research and development] and hardware. So instead of investing in that, merchants were forced to follow these PCI rules that are not so effective at protecting the cardholder. It's not something we can't stop, but I don't think we are moving in the right direction.
Q: Merchants are already investing a lot in EMV technology in the U.S. If they resist an expensive security overhaul, will we see more Target-style breaches?
A: Even if merchants decided to make a full transition to EMV tomorrow, it would take several years for a full transition and it still doesn't protect online transactions. So we will see more breaches, at least in the near future.
Q: As cardholders, where are we most vulnerable -- in stores or online?
A: Both are vulnerable. As long as there are magnetic stripe cards being used, we're far more vulnerable in stores than we would be with chip cards. Online, there are payment systems in place that introduce some security. Instead of just entering your cards every time, you can use PayPal or Amazon Payments, for example. Both technologies are much safer than entering your credit card number.
Q: I've always wondered if I'm more or less vulnerable using PayPal.
A: If you have a choice on the Web, always select PayPal because it stores your cards' information on special servers in a secure environment. PayPal and Amazon Payments are also PCI compliant, by the way, but PCI compliance works there because both have big data centers with IT professionals and security experts. When you key in your credit card online or use it at a store, you simply don't know what will happen to the number after the transaction.
Q: Some issuers offer virtual credit card numbers you can register for before an online purchase. The numbers expire after 24 hours. Is that an effective way to protect your information?
A: Yes, it offers some protection, but you still have to enter your credit card number to generate this temporary number, so you still expose your data online. The second issue is that it's not a very practical solution because it takes time and consumers don't like to take that extra step. It's definitely much safer than just using your credit card.
Q: So hackers grab our information as we're inputting the credit card number?
A: With an online transaction, they can attack through a plug-in on your browser, something stored in your machine or on the retailer's website. There are a lot of ways to attack online transactions.
Q: Is it similar to the way hackers stole cardholder information at Target and Neiman Marcus?
A: No, the attack vectors are completely different for brick-and-mortar transactions. I can't tell for sure what they did at Target and Neiman Marcus because they don't disclose this information. Based on what we know, I assume it was done by RAM-scraping, where software is installed on point-of-sale machines to scan the memory and look for credit card numbers. It's relatively simple. It collects this data and sends it to the command center, a virtual data center installed somewhere in a different country.
Q: What can we do to protect ourselves while security measures are put in place?
A: It's still very dangerous. I would recommend reducing the risk of losing everything at once. Instead of using one credit card with a $10,000 limit, create two or three card accounts with lower limits. That way, if someone steals your card, they can't steal all your money. Same for debit cards. If you have just one bank account, hackers can withdraw all the money from your account. You'll probably get your money back because the banks have insurance from credit card companies but it will take several days. So I recommend opening a few accounts and using several different cards.
Q: Is that what you do?
A: Yes. To me, it's still much more convenient to use credit cards than to pay with cash, but we can pay a lot for this convenience.