Your new smart card’s dirty little secret: It won’t stop hackers
If you haven’t yet received a new credit card, the kind with a computer chip visibly embedded in it, you soon will. Card issuers are quickly distributing them to curb credit card fraud.
The little integrated circuit on the front, whose cryptographic capability (the chip proves itself to the terminal afresh on every transaction) makes it nearly impossible to copy or forge the card, is a welcome improvement. Since this redesign of the traditional credit card comes in the wake of massive data breaches at Target and Home Depot, you might think it will prevent breaches like those.
“The information is encrypted on the chip of the card itself,” acknowledges Brandon Benson, a security expert on data breaches. I caught up with him after his presentation at the recent Shmoocon 2015 hackers’ conference, in which he described how criminals use malicious software to break into retailers’ computers. He explained to me how the information on a carefully encrypted card becomes surprisingly vulnerable once it leaves the card: “When you present the card at a chip-enabled reader, the reader will read the credit card number of the card into clear text and then send that to the POS [point-of-sale terminal] to be processed.”
In other words, even when you shop with the latest, chip-laden credit card, the retailer’s point-of-sale system still receives and processes your card number in readable form, leaving it as vulnerable as in the past to theft from the merchant’s computers.
How can that be?
Isn’t encrypting the data on the card supposed to foil card thieves? Technically, yes. And doing so should, in fact, prevent a thief from using or duplicating the card itself.
But the aspect of credit card theft that it won’t thwart is someone stealing your card number by downloading it from a merchant’s computer after having exploited a security flaw in the surrounding information systems. “The Target and Home Depot breaches have to do with an infrastructure vulnerability,” says Benson, Senior Security Analyst at SecurityMetrics, who has consulted with industry on numerous data breaches. “Hackers are getting into their systems and into their environment to be able to steal credit card data.”
Granted, should such a card-number theft occur, a smart card does offer somewhat more protection than an old-style credit card. “It may reduce the fraud that happens on the card, or the replication on the card, in the post-breach,” Benson says, because a criminal who steals a number associated with a chip-enabled card can’t just walk into a brick-and-mortar store and use that number.
But such a criminal can still use that stolen number to shop online at many websites or run up charges on your account in a variety of other ways–such as over the phone–that don’t require a physical card to be present. “I think the attack vector for fraudulent cards will change,” Benson says. “So I may still be able to commit fraud. But I won’t be able to commit fraud in a brick-and-mortar store.”
Given this surprising loophole in smart card security, I urge you not to drop your guard after your new smart card arrives. Follow the advice I gave in my recent report on why major data breaches won’t be stopping anytime soon, which includes regularly monitoring your credit card and financial statements for unauthorized transactions.
What about mobile payments?
Smart credit cards remain saddled with this vulnerability, but newer, cardless forms of mobile payment such as Apple Pay are not, according to Benson: “In Apple Pay’s scenario…each transaction has a different token and that token does not equate to your credit card number. So I can’t take that token and use it on an e-commerce site to buy something else, or use it to clone a credit card.”
In other words, when you make a purchase with Apple Pay, the information about your transaction that’s stored in the merchant’s computer may still be vulnerable to theft, but the payment data a criminal might steal would be useless for running up additional charges, because the merchant never sees your real card number. Neither smart credit cards nor new mobile payment systems like Apple Pay, however, will prevent criminals from stealing other customer information, such as e-mail addresses and phone numbers, that a merchant might store but not adequately protect.
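To make the distinction between the two sections above concrete, here is a toy model added for this page; it is not code from the article, from SecurityMetrics, from the card networks or from Apple. It models a chip that authenticates each transaction with a per-transaction MAC but hands its account number to the reader in clear, a memory scraper that pulls Luhn-valid numbers out of what the POS application holds, and a tokenized wallet whose token the issuer refuses to honour outside its device channel. It is not the EMV or Apple Pay protocol: the HMAC cryptogram, the message layout, the token vault, the channel restriction and the test number 4111111111111111 are all assumptions and constructed values.

```python
import base64
import hashlib
import hmac
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn check: the filter POS memory scrapers use to pick PANs out of RAM."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def luhn_complete(prefix15: str) -> str:
    """Append the check digit that makes a 15-digit prefix Luhn-valid."""
    return next(prefix15 + d for d in "0123456789" if luhn_ok(prefix15 + d))

def scrape_memory(blob: str) -> list:
    """What memory-scraping malware does to a POS process: grep Luhn-valid 16-digit runs."""
    return [m for m in re.findall(r"(?<!\d)\d{16}(?!\d)", blob) if luhn_ok(m)]

def cryptogram(key: bytes, number: str, amount: int, nonce: str, atc: int) -> str:
    """Per-transaction MAC (an assumed stand-in for the chip's application cryptogram)."""
    data = f"{number}|{amount}|{nonce}|{atc}".encode()
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()[:16]

class Chip:
    """Card chip or wallet secure element: the key never leaves it, the number does."""
    def __init__(self, number: str, key: bytes):
        self.number, self._key, self.atc = number, key, 0

    def pay(self, amount: int, terminal_nonce: str) -> str:
        self.atc += 1  # application transaction counter, never reused
        ac = cryptogram(self._key, self.number, amount, terminal_nonce, self.atc)
        # This is what the reader hands the POS application: the number is in clear.
        return f"PAN={self.number};AMT={amount};UN={terminal_nonce};ATC={self.atc};AC={ac}"

class Issuer:
    def __init__(self):
        self._keys = {}      # account number -> chip key
        self._last_atc = {}  # account number -> highest counter accepted (replay defence)
        self._vault = {}     # token -> real PAN; tokens are usable only from their device

    def issue_chip(self, number: str) -> Chip:
        self._keys[number] = secrets.token_bytes(16)
        self._last_atc[number] = 0
        return Chip(number, self._keys[number])

    def issue_token(self, pan: str) -> Chip:
        """Provision a wallet: a PAN-shaped token with its own key instead of the real PAN."""
        token = luhn_complete("9" + "".join(secrets.choice("0123456789") for _ in range(14)))
        self._vault[token] = pan
        return self.issue_chip(token)

    def authorize_chip(self, pos_message: str, terminal_nonce: str) -> str:
        f = dict(kv.split("=", 1) for kv in pos_message.split(";"))
        key = self._keys[f["PAN"]]
        expected = cryptogram(key, f["PAN"], int(f["AMT"]), f["UN"], int(f["ATC"]))
        if not hmac.compare_digest(expected, f["AC"]):
            return "declined: bad cryptogram"
        if f["UN"] != terminal_nonce:
            return "declined: cryptogram belongs to another transaction"
        if int(f["ATC"]) <= self._last_atc[f["PAN"]]:
            return "declined: replayed counter"
        self._last_atc[f["PAN"]] = int(f["ATC"])
        return "approved"

    def authorize_card_not_present(self, number: str) -> str:
        """E-commerce or phone order: a bare number, no chip, no cryptogram."""
        if number in self._vault:
            return "declined: token restricted to its device channel"
        if number in self._keys:
            return "approved"  # the fraud path: a stolen real PAN still works here
        return "declined: unknown account"

def demo() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"  # constructed Luhn-valid test number, not a real account
    chip, nonce = issuer.issue_chip(pan), secrets.token_hex(4)
    msg = chip.pay(2599, nonce)
    r = {"genuine": issuer.authorize_chip(msg, nonce)}
    # Replaying the captured POS message fails: fresh nonce, then the stale counter.
    r["replay_new_nonce"] = issuer.authorize_chip(msg, secrets.token_hex(4))
    r["replay_same_nonce"] = issuer.authorize_chip(msg, nonce)
    # ...but the PAN sat in POS memory in clear and is usable card-not-present.
    r["scraped_from_chip_msg"] = scrape_memory(msg)
    r["cnp_with_stolen_pan"] = issuer.authorize_card_not_present(pan)
    # Tokenized wallet: the scraper only ever sees the token.
    wallet, wnonce = issuer.issue_token(pan), secrets.token_hex(4)
    wmsg = wallet.pay(999, wnonce)
    r["wallet_genuine"] = issuer.authorize_chip(wmsg, wnonce)
    token = scrape_memory(wmsg)[0]
    r["scraped_token_is_pan"] = token == pan
    r["cnp_with_stolen_token"] = issuer.authorize_card_not_present(token)
    return r
```

Running `demo()` shows the three points the article makes: the captured chip transaction cannot be replayed in a store (the terminal's nonce and the card's counter both change), yet the scraper recovers the real PAN from the POS message and a card-not-present request with it is approved; the same scrape of a wallet transaction yields only the token, which the issuer declines outside its device channel.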
The fact that major data breaches have struck merchants repeatedly over the past year is evidence, Benson says, that it may well be years before consumers can rest assured that their personal information is secure in the hands of retailers. “We’re seeing the same malware being used to steal data or the same attack methodology being used to implement malware into merchant environments…Until we can get tools in place to recognize the breaches and the security infrastructure in place at merchants, they [the breaches] will continue to happen.”