Payment Card Vulnerabilities Abound, but what’s the Fix?
There is an important similarity between the 2013 data breach at Target (NYSE:TGT) stores and the 2014 breach that occurred at Home Depot (NYSE:HD): Both cyber attacks targeted the retailers’ point-of-sale systems.
In its third quarter Security Roundup released last week, Trend Micro found the U.S. tops the world in malicious software infections on point-of-sale (PoS) systems. Of worldwide PoS infections, 30% happened in the U.S. during the third quarter of 2014, the report found – 24 percentage points higher than the number two position, which was a three-way tie between the Philippines, Taiwan, and Italy.
For the United States, the reason behind that startlingly high disparity may well be the nation's wide use of magnetic stripe payment cards, according to Trend Micro’s research. The call to ditch magnetic stripe technology is hardly anything new, but these latest findings shed new light on a years-old problem.
There has long been a nationwide push to do away with this technology because of its high susceptibility to cyber theft.
That unprotected magnetic stripe contains all of the cardholder’s financial information, which gets transferred into a retailers’ point-of-sale system once it is swiped at a store. If a retailers’ point-of-sale system is breached, like in the instance of Target and Home Depot, thieves can encode that stolen information onto the magnetic stripe of a new card and swipe it wherever they please – draining the cardholder’s bank account or racking up fraudulent charges in the process.
The solution, as seen by many, including trade organizations like the Retail Industry Leaders Association (RILA), is “chip-and-PIN” technology.
In place of the stripe, chip-and-PIN cards contain an encrypted microchip used for storing financial information. The cards add a second layer of security by requiring the user to enter a personal identification number before making a payment.
“This two-factor authentication technology has been in place for decades in nearly every other G20 nation and has proven to substantially reduce fraud,” Allie Brandenburger, RILA’s Senior Director of Communications, told FOX Business.
In fact, a 2013 study conducted by the Federal Reserve Bank of Kansas City found that if the United States were to adopt chip-and-PIN technology, fraud in the country could be reduced by as much as 40%.
Chip-and-PIN was even the subject of an executive order President Obama put forth back in October. The “BuySecure Initiative” directs government agencies to adopt chip-and-PIN technology for all federal payment cards.
Tech Security Leapfrog
In light of the recent outbreak of data breaches, the U.S. financial industry has begun to take action, phasing out the outdated magnetic stripe technology for new chip-enabled cards. Doug Johnson, senior vice president for payments and cybersecurity at the American Bankers Association (ABA), anticipates 70% of all payment cards in the United States will be chip-enabled by late 2015. Johnson expects a complete migration to chip technology to be completed by 2017.
While the move is a step in the right direction, it has left many to wonder why the U.S. financial industry did not adopt this technology sooner.
Johnson said several factors are behind the delay, chief among those is the idea the technology could soon be “leapfrogged”.
“We never look at one technology as being a destination point,” Johnson told FOX Business. “Threats are always changing.”
In fact, the ABA sees this kind of technology eventually being trumped all together.
"We see this moving past chip technology,” Johnson said. “Apple Pay is clearly an example of something that has a lot of promise – it’s supported by industry representatives and card networks. It makes the breach of card numbers useless because it uses random numbers.”
Apple Pay, a new payment platform designed by Apple (NASDAQ:AAPL), utilizes a method called “tokenization” which replaces the static credit card number with a randomly generated number or “token”. That token can be programmed to expire after a specific purchase, making it useless if it were to fall into the hands of a cyber criminal.
The growing popularity of online commerce versus traditional brick-and-mortar will also factor into the payment security equation, according to the ABA.
“Take into account Cyber Monday’s substantial growth. Chip technology does not address electronic transactions, and tokenization can,” Johnson said. “Every expectation is that ‘card-not-present’ fraud will escalate as we move toward chip [technology] because it is going to be more difficult to accomplish illicit transactions in a point-of-sale environment.”
While there may be no clear cure-all for the United States’ highly vulnerable payment card system, cybersecurity professionals say adaptability is essential to safeguarding consumers’ sensitive data.
“Any technology has vulnerabilities,” cybersecurity expert Brian Finch said. “People should be ready for constant turnover in technology because the hackers will keep breaking security models of introduced systems.”
Other security experts are quick to point out that the issue will not be solved solely with more secure payment mechanisms. Being a collaborative effort, it is also up to the retailers themselves to ensure optimal security of their payment infrastructure.
“Chip-and-PIN would greatly enhance security at retailers however they must invest in application control and breach detection systems to holistically combat the crime wave,” Tom Kellermann, chief cybersecurity officer at Trend Micro said.