March 22, 2016

Playing Security Whack-A-Mole: Why Chips Won’t End Credit Card Fraud

Credit card chips are designed to thwart attacks. But thieves are too savvy to be held off for long.

Preventing fraud can sometimes seem like a game of whack-a-mole. A solution comes along to tamp down one form of theft, and another avenue of attack springs up. Such may be the case with chip credit cards that facilitate more secure point-of-sale transactions.

Cards with embedded chips have been used in retail settings in Europe and Canada for over a decade, where they have been employed in tandem with personal identification numbers (PINs) to successfully lower the rates of in-person fraud. But thieves found another way, and these regions have seen a dramatic increase in phone and digital fraud over the same time period.

In the U.S., MasterCard and Visa began requiring banks and retailers to support chip cards in October 2015. According to Wired, card issuers have spent between $200 million and $800 million to distribute new debit and credit cards to account holders, and large retailers have spent more than $8 billion to install new card readers.

Each card’s microchip contains a cryptographic key to authenticate the card and generates a one-time code for each transaction. This technology eliminates the threat of digital bandits taking account numbers stolen in a data breach and encoding them onto the magnetic stripe of a counterfeit card. It’s an added level of security that could have neutralized notable thefts of consumer credit card data from retail outlets like The Home Depot and Target, or at least reduced the incentive for this type of crime.
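A simplified model of the one-time code described above, as an added example that is not from the original article. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, field names and card number are constructed for illustration. It shows the issuer rejecting both a replayed transaction record and one whose counter was changed without the card's key.

```python
import hashlib
import hmac
import os
import struct

def cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    # One-time code: a MAC over the transaction counter, amount and terminal nonce.
    msg = struct.pack(">HQ", atc, amount_cents) + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._atc = pan, key, 0
    def authorize(self, amount_cents: int, nonce: bytes) -> dict:
        self._atc += 1  # counter advances on every transaction, so codes never repeat
        code = cryptogram(self._key, self._atc, amount_cents, nonce)
        return {"pan": self.pan, "atc": self._atc, "amount": amount_cents,
                "nonce": nonce, "code": code}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}
    def enroll(self, pan: str) -> ChipCard:
        key = os.urandom(32)  # the key lives in the chip and at the issuer only
        self._keys[pan], self._last_atc[pan] = key, 0
        return ChipCard(pan, key)
    def verify(self, req: dict) -> str:
        key = self._keys.get(req["pan"])
        if key is None:
            return "unknown card"
        expected = cryptogram(key, req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["code"]):
            return "bad code"  # any field changed without the card's key
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "replayed"  # valid code, but its counter was already used
        self._last_atc[req["pan"]] = req["atc"]
        return "approved"

def demo() -> list:
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed card number
    first = card.authorize(2599, os.urandom(4))
    replay = dict(first)                           # record copied in a breach
    bumped = {**first, "atc": first["atc"] + 1}    # counter edited, old code kept
    return [issuer.verify(first), issuer.verify(replay), issuer.verify(bumped),
            issuer.verify(card.authorize(500, os.urandom(4)))]

if __name__ == "__main__":
    print(demo())
```

A magnetic stripe, by contrast, presents the same static data on every swipe, so the issuer has nothing comparable to check.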

While chip cards are an advance in network security solutions, U.S. card issuers could have made it even tougher on thieves if they had also required PINs to be used at the point of sale. This is the standard in Europe and Canada. U.S. card issuers may have eschewed this chip-and-PIN model for customer convenience, but in doing so sacrificed an added layer of network security that they may come to regret.

In the U.K., chip-and-PIN cards have reduced incidents of in-person card fraud because thieves can no longer use counterfeit cards with stolen data embossed on them. In-person card fraud declined from nearly 40 percent of all card fraud in 2001 to 10 percent in 2012, according to the U.K. Payments Administration. However, that progress has come with an increase in fraud online or via phone, which jumped from 22 percent to 62 percent during the same period. In other words, chip-and-PIN can’t prevent fraud in the digital world.

Thieves Can Work Around Chips

Thieves are determined and sophisticated enough to turn to new methods of digital theft when their original method of choice is closed off. The Wired report also contains an ominous warning about chip cards. Researchers have found a way for attackers to generate the unique transaction code enabled by chip cards. Someday hackers might be able to clone chips. In that case, chip-and-PIN might have to be required to diminish this threat.

Looking at the big picture, retailers and businesses that accept credit and debit card payments must remain vigilant in the fight against card fraud because this threat may never be eliminated. Those responsible for point-of-sale network security solutions can’t rely on chip cards to stop this threat, and any reduction in point-of-sale fraud is likely to spur an increase in online theft.
