In June 2011, Alex Gambin had his wallet stolen while on the Spanish island of Mallorca. A few minutes later, unauthorized charges of more than $1,800 were made to his HSBC credit card, despite the fact that his card contained a security chip designed specifically to prevent that kind of theft and that any transactions should have required a personal identification number.
The bank blamed Gambin, saying he must have kept his PIN recorded somewhere in his wallet, a claim he denies.
"They say that their system is a perfect system without loopholes and refused to refund the money," he said. "But I'm very much a victim of this system, which is not secure at all."
The incident, later investigated and corroborated by researchers from the University of Cambridge, is one of a growing number of cases where so-called Chip and PIN technology has seemingly failed to do its job: Protect the consumer against payment card counterfeiting or unauthorized use. Despite high hopes for Chip and PIN among merchants, credit card brands and payment industry compliance experts, a combination of security vulnerabilities, implementation issues and analytics failures has rendered some payment systems using the technology vulnerable to criminals, and in turn consumers like Gambin remain susceptible to fraud.
Chip and PIN technology: Ready or not, here it comes
With the massive credit card data breaches at Target Corp. and other retailers in the past year, the Europay-Mastercard-Visa (EMV) standard -- the technological underpinnings of the Chip and PIN movement -- has gained new momentum in the U.S., the most significant holdout nation in adoption of the technology. Starting in October 2015, both Visa and Mastercard plan to shift liability from merchants for fraudulent point-of-sale transactions if the retailers have not deployed the latest readers.
U.S. credit card companies have pushed the standard for years. Since 1994 -- when Europay, Mastercard and Visa joined together to create a specification for using smartcard technology to increase the security of payment cards -- credit card firms have promoted the technology as more secure. In 1999, they founded EMVCo LLC to handle licensing, eventually being joined by the other major credit card brands, including American Express, Discover, JCB and UnionPay.
Yet the enormous cost of deploying the technology has caused merchants, banks and payment processors to balk. According to the National Retail Federation, rolling out the infrastructure will require more than $10 billion in investments and require at least five years.
The technology, as envisioned, is more secure than today's magnetic stripe and signature system, but according to Avivah Litan, vice president and distinguished analyst at Stamford, Connecticut-based IT research firm Gartner Inc., that's a low bar.
"It is a more secure technology," Litan said, "but you don't have to be a rocket scientist to make something more secure than the current magnetic-stripe system."
Chip and PIN technology has been credited with reducing certain types of fraud in countries that have adopted it. In the U.K., an early adopter of the technology whose government collects data on fraud trends, counterfeit card fraud has fallen dramatically: losses dropped 74% to approximately $74.2 million in 2013, from a high that topped $290 million in 2008. EMV is primarily designed to protect against counterfeit card fraud, also known as card cloning, but implementations that require a PIN also protect against the use of stolen cards.
EMV specification: Bugs in the system
The EMV specification, however, has not been free of vulnerabilities. At the 2012 Black Hat conference, two researchers from U.K.-based security firm MWR InfoSecurity demonstrated a stack-based buffer-overflow vulnerability in the firmware of two Chip and PIN card readers. The proof-of-concept exploit used an unauthorized card to load malware onto the device that could grab customer-card information, and then write it back to a card subsequently placed in the reader.
Another scenario from the researchers allowed a user with a counterfeit card to cause the vulnerable readers to issue a receipt, seemingly processing the transaction, without sending any information to the card processor.
Nir Valtmanenterprise security architect, NCR Corp.
"We have shown that this can be done and there is no doubt in our minds that criminals are constantly testing these systems," Ian Shaw, managing director of MWR InfoSecurity, said in a 2012 statement. "It is surprising that the manufacturers of these machines have done little to safeguard retailers and Chip and PIN card users."
In May 2014, researchers from the University of Cambridge, who have found numerous security issues in the EMV protocol, presented their latest findings: A major implementation flaw that could allow attackers to create additional transactions that could be sent at a later time and a protocol flaw that allows a man-in-the middle attack to capture the unique number -- or so-called "unpredictable number" or UNs -- used to verify a transaction, allowing additional transactions to be created and used at a later time.
The two vulnerabilities highlighted by the University of Cambridge allow different types of what the researchers called "pre-play" attacks, using a compromised terminal or a man-in-the-middle attack to create several transactions -- instead of just one -- at the time the card is inserted. The transactions can be sent at a later time to charge the account or steal money. While the technique is not simple, it could likely be made practical, said Ross Anderson, a researcher and professor of security engineering at the University of Cambridge.
"The published protection profile for EMV is that is should cost you $25,000 to compromise a terminal," Anderson said. "The problem is that [this attack] costs $10."
Chip and PIN security: A perception problem
The proof that vulnerabilities in Chip and PIN technology are being exploited by real-world criminals poses significant problems for the payment-card ecosystem. Because the use of Chip and PIN should, in theory, mean that only an authorized user can complete a transaction using a Chip and PIN-enabled card, liability for fraudulent transactions is shifting back to the consumer. In many cases, banks are not investigating the claims using forensics on transaction data, the University of Cambridge researchers state, and, in some instances, banks are even deleting records of suspicious transactions.
"Many of these customers are credible witnesses and it is not believable that they are all mistaken or lying," the university researchers stated in an early publication about the flaws. "When we investigate their claims we often find serious vulnerabilities which the industry failed to disclose. It appears that some parties were already aware of the random number deficiencies we describe … but failed to take action."
Even if Chip and PIN technology were foolproof, fraud will not go away, say security experts. Only the largest retailers will likely deploy the technology by the card brands' 2015 liability shift deadline. While the National Retail Federation estimates that deploying the technology will cost $10 billion, other analysts have cited estimates from $2.5 billion to $25 billion. Merchants will have to buy expensive new point-of-sale terminals, banks will need to pay higher issuance fees for cards and processors will have to upgrade their backend systems to deal with the EMV cards.
Nir Valtman, enterprise security architect of retail services at Duluth, Georgia-based NCR Corp., said small and medium-sized businesses will not be able to afford the upgrades required by the technology nor the increased fees, further delaying the rollout of EMV.
"There are still a lot of retailers that work with magnetic stripe readers," Valtman said. "And a lot of smaller retailers will not comply with the requirement by 2015."
The lengthy changeover period, which Valtman and other experts estimate will take seven to 10 years, gives attackers a significant period during which they can seek out the same fraudulent transactions that merchants, banks and card brands struggle to prevent today. The reality is that, if retailers continue to accept magnetic stripe transactions, criminals will continue to abuse that technology's abundant security flaws, Valtman said.
Additionally, payment security experts widely recognize that when one channel is secured, fraud always moves to a less secure environment. Fraud increased, for example, on U.K.-issued cards used abroad from 2011 to 2013, with the overwhelming majority of fraud occurring in the U.S., where magnetic stripe transactions are still standard.
A reality few recognize today is that Chip and PIN technology does not solve the growing problem of online payment fraud. In that realm, where the card is never present, merchants and processors will need to use better analytics to detect suspicious consumer behavior, said Liron Damri, COO of Israel-based antifraud service Forter.
"The main challenge is to prevent the monetization of the data," Damri said. "You have to be able to detect the behavior and stop the transaction."
Learn why Ponemon says continuous monitoring is the key to retail cybersecurity.
Some U.K. retailers are already replacing their Chip and PIN systems with expensive contactless payment systems.