In the ongoing game of one-upmanship between hackers and payment fraud prevention technology, new research presented at the 35th IEEE Symposium on Security and Privacy suggests that fraudsters have yet another vector to exploit: new vulnerabilities within existing implementations of EMV/Chip
The new research suggests that a cryptographic weakness in some devices implementing the EMV (Chip and PIN) standard, and potentially a flaw in the EMV design itself, could provide hackers with yet another avenue to compromise card transactions, causing massive headaches for consumers and potential losses for financial institutions and card issuers.
In the whitepaper “Chip and Skim: cloning EMV cards with the pre-play attack”, prepared by a team at the University of Cambridge, researchers identified two weaknesses observed in deployed Chip and PIN terminals. First, terminals with poorly designed random number generators can produce non-random or predictable numbers when “chipped” cards are used to generate a transaction-specific authentication code. With physical access to the devices, or via a compromised network (as was the case in the Target breach), these terminals can also be tampered with to influence the random number generator. Second, the researchers identified the ability to tamper with the Chip and PIN terminal’s communications back to the bank.
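As an added illustration, not code from the article or from the Cambridge paper, the following Python sketches the kind of issuer-side check that would surface the first weakness: it reads a constructed log of the EMV “unpredictable number” that each terminal sent with its authorisations and flags terminals whose values repeat, increment like a counter, or show low byte entropy. The log format, the terminal ids and the entropy threshold are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample log: "terminal_id,unpredictable_number_hex" per authorisation.
# Terminal ids and values are hypothetical, not taken from the paper.
SAMPLE_LOG = """\
T-GOOD,9f3a2b1c
T-GOOD,1c7e44a9
T-GOOD,b2d06e5f
T-GOOD,5a91c3e7
T-GOOD,03f8a6d2
T-CTR,00001000
T-CTR,00001001
T-CTR,00001002
T-CTR,00001003
"""

def group_by_terminal(log_text):
    """Parse the log into {terminal_id: [UN as int, ...]} in arrival order."""
    groups = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tid, un_hex = line.split(",")
        groups.setdefault(tid, []).append(int(un_hex, 16))
    return groups

def byte_entropy(uns):
    """Shannon entropy in bits per byte over the concatenated 4-byte UNs."""
    data = b"".join(u.to_bytes(4, "big") for u in uns)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_un_stream(uns, min_entropy=3.0):
    """Flag a UN stream that repeats, steps like a counter, or has low entropy."""
    findings = []
    if len(set(uns)) < len(uns):
        findings.append("repeated")          # same UN reused across transactions
    deltas = {b - a for a, b in zip(uns, uns[1:])}
    if len(uns) >= 3 and len(deltas) == 1 and 0 not in deltas:
        findings.append("counter")           # fixed stride: fully predictable
    ent = byte_entropy(uns)
    if ent < min_entropy:                    # assumed threshold; tune to sample size
        findings.append("low-entropy")       # many bytes constant or reused
    return {"entropy": round(ent, 2), "findings": findings, "suspicious": bool(findings)}

def assess_log(log_text):
    """Run the check for every terminal seen in the log."""
    return {tid: assess_un_stream(uns) for tid, uns in group_by_terminal(log_text).items()}
```

With only a handful of transactions per terminal the entropy figure is a coarse signal; the repeat and counter checks are the reliable ones at small sample sizes.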
Given the increasing sophistication of today’s criminals, we need to change our approach. As I and others in the payment authentication industry have long advocated, any single technology approach to preventing fraud can be circumvented, bypassed, or exploited, given time and the will to do so. That is why we cannot simply rely on any particular method (putting all our eggs in one basket, as some would say) – what is really needed is a layered approach.
Multifactor authentication is the key, and it is ready to be deployed in the field. State-of-the-art multifactor authentication solutions to fight card fraud can now employ “low friction” techniques such as voice biometrics and real-time, invisible checks such as proximity correlation (the ability to determine in real time whether or not the legitimate customer is present when the transaction is being performed). With this combination of technologies, payment processors, financial institutions and others within the transaction payment chain can verify the authenticity of the customer performing the transaction BEFORE the transaction is completed. All that is required is that the customer has their cell phone or mobile device with them and turned on. If the genuine customer is not carrying out the transaction, the transaction is aborted BEFORE the fraudster can make off with the goods or money.
While the cost of fraud itself is significant, the lost revenue and customer frustration caused by false positives (a legitimate customer being rejected when making a transaction) also cost the financial institution. Legacy security solutions tend to focus on trying to prevent every fraud rather than on ensuring that no legitimate customer is rejected. By using proximity correlation, it is possible to virtually eliminate fraud, achieve an enhanced customer experience and reduce costs substantially. All in all, it’s a win, win, win situation.
Importantly, this technology works for all card transactions (credit and debit) and is privacy compliant, as the genuine customer’s location is never revealed (it can also be used in an opt-out model). Because it is suitable for all types of card skimming, from mag stripes today to future technologies including RFID, NFC and EMV, infrastructure investments are protected and strong ROIs generated. Furthermore, with the right privacy compliance in place, the Mobile Operators can provide the infrastructure to enable such advanced fraud prevention, thereby generating good recurring revenues in return for access to their signalling.
If the industry expects EMV to be infallible then, as this article highlights, the fraudsters are only a step away from compromising EMV, in more ways than one. We surely cannot place all our trust in any single fraud prevention technology, and proximity correlation is the ideal complementary technology to move the fight against fraud to a new level. Countries that have already implemented EMV can protect their investment and inject a high level of future-proofing into the fight against fraud, whilst countries such as the US can press ahead with the implementation of proximity correlation today, pending their implementation of EMV. Who knows, in the US alone, the largest single target in the world for card fraud, the savings over the next couple of years may even pay for EMV!