Your new smart card’s dirty little secret: It won’t stop hackers

If you haven’t yet received a new credit card, the kind with a computer chip visibly embedded in it, you soon will. Card issuers are quickly distributing them to curb credit card fraud.

The little integrated circuit on the front, whose encryption capability makes it nearly impossible to copy or forge the card, is a welcome improvement. Since this redesign of the traditional credit card comes in the wake of massive data breaches at Target and Home Depot, you might think it will prevent breaches like those.

It won’t.

“The information is encrypted on the chip of the card itself,” acknowledges Brandon Benson, a security expert on data breaches. I caught up with him after his presentation at the recent Shmoocon 2015 hackers’ conference, in which he described how criminals use malicious software to break into retailers’ computers. He explained to me how the information on a carefully encrypted card becomes surprisingly vulnerable once it leaves the card: “When you present the card at a chip-enabled reader, the reader will read the credit card number of the card into clear text and then send that to the POS [point-of-sale terminal] to be processed.”

In other words, even when you shop with the latest, chip-laden credit card, retailers’ computers will still store your card number in easily readable form, leaving it as vulnerable as in the past to criminal theft.

How can that be?

Isn’t encrypting the data on the card supposed to foil card thieves? Technically, yes. And doing so should, in fact, prevent a thief from using or duplicating the card itself.

But the aspect of credit card theft that it won’t thwart is someone stealing your card number by downloading it from a merchant’s computer after having exploited a security flaw in the surrounding information systems. “The Target and Home Depot breaches have to do with an infrastructure vulnerability,” says Benson, Senior Security Analyst at SecurityMetrics, who has consulted with industry on numerous data breaches. “Hackers are getting into their systems and into their environment to be able to steal credit card data.”

Granted, should such a card-number theft occur, a smart card does offer somewhat more protection than an old-style credit card. “It may reduce the fraud that happens on the card, or the replication on the card, in the post-breach,” Benson says, because a criminal who steals a number associated with a chip-enabled card can’t just walk into a brick-and-mortar store and use that number.

But such a criminal can still use that stolen number to shop online at many websites or run up charges on your account in a variety of other ways–such as over the phone–that don’t require a physical card to be present. “I think the attack vector for fraudulent cards will change,” Benson says. “So I may still be able to commit fraud. But I won’t be able to commit fraud in a brick-and-mortar store.”

Given this surprising loophole in smart card security, I urge you not to drop your guard after your new smart card arrives. Follow the advice I gave in my recent report on why major data breaches won’t be stopping anytime soon, which includes regularly monitoring your credit card and financial statements for unauthorized transactions.

What about mobile payments?

While smart credit cards remain saddled with this vulnerability, not so for new, cardless forms of mobile payment such as Apple Pay, according to Benson: “In Apple Pay’s scenario…each transaction has a different token and that token does not equate to your credit card number. So I can’t take that token and use it on an e-commerce site to buy something else, or use it to clone a credit card.”

In other words, when you make a purchase with Apple Pay, while the information about your transaction that’s stored in the merchant’s computer may still be vulnerable to theft, the payment data that a criminal might steal would be useless for running up additional charges. Neither smart credit cards nor new mobile payment systems like Apple Pay, however, will prevent criminals from stealing other customer information, such as e-mail addresses and phone numbers, that a merchant might store but not adequately protect.

The fact that major data breaches have struck merchants repeatedly over the past year is evidence, Benson says, that it may well be years before consumers can rest assured that their personal information is secure in the hands of retailers. “We’re seeing the same malware being used to steal data or the same attack methodology be used to implement malware into merchant environments…Until we can get tools in place to recognize the breaches and the security infrastructure in place at merchants, they [the breaches] will continue to happen.”


Copyright © 2019 Raw Story Media, Inc. PO Box 21050, Washington, D.C. 20009
