Category : Chip Shield

How Secure are Biometric Payments?

There’s been a lot of buzz around the payments industry lately with news about MasterCard testing “selfie pay” and banks like Wells Fargo experimenting with eyeball scanning software.

Surveys show that people like these approaches because they are more convenient than using passwords, but they do raise questions about how secure they really are.

MasterCard Makes Selfie Pay a Reality

Wells Fargo to Verify Customers through Eye Prints

Can biometrics apps be fooled?

I’ve seen the movie Avatar and I can tell you that computer generated images can be pretty darn realistic.  It’s not that difficult to start with a still image from a Facebook post and animate it enough to fool a biometrics app.

It might be more difficult to get an image of someone’s eyes, but is it really that hard? How many close-up selfies get posted every year?

There have also been several large data breaches that contained fingerprint information, so even that data might not be safe.

Severe Weaknesses in Android Handsets could Leak Fingerprints

OPM now Says more than Five Million Fingerprints Compromised

Once your data is stolen you are out of luck since there is no way to change your personal data.

Even if your data is not stolen, recent research has shown that fingerprint sensors can be compromised with “master prints” containing common fingerprint features.

Fingerprint Sensor not as Secure as you Think

Biometric enrollment fraud

The dirty little secret of biometrics is that enrollment is the weakest link and in some cases makes fraud easier to commit than non-biometric systems.

Imagine that your bank is rolling out voice identification to verify your identity, but for it to work, they need several samples of your voice recorded in their system.

If a thief is the first one to call up and record their voiceprint, then they can bypass the new security measure that is meant to be safer.

Time will tell if biometrics emerge as a reliable form of security or if they will be as easily defeated as the username/passwords they are meant to replace.

 

 

 

EMV Chip “Flaw” Misunderstanding

As someone who has looked deeply into chip card technology, I found myself a little annoyed at the recent articles claiming that a “flaw” in EMV chip cards had been demonstrated at a recent hackers conference in Las Vegas.

Alleged EMV Flaw Stirs Debate

Despite what some news outlets reported, the hackers only demonstrated that they could hack one brand of card reader and in some cases intercept unencrypted card data.

Stay away from magnetic stripes!

The demonstration does show that if a store card reader has been compromised, your data can still be at risk.  The most common attacks try to get you to “fall back” from using the chip and swiping the card instead.

If you ever insert your chip card into a reader and it asks you to swipe the card instead, the reader may have been hacked. Better to just pay with cash if you can.

Watch for fake PIN entry screens

Another hack that was demonstrated was the ability to show a fake debit card PIN entry screen on a compromised store card reader.

They managed to add an extra screen in the payment flow that asked a customer to re-enter their PIN a second time. Most people they asked to try it assumed they had mistyped their PIN the first time and re-entered the data in the fake screen.

This hack might be difficult to spot since we all mistype our PIN codes occasionally.

It might be better to ask the clerk to start over instead of using a re-entry screen when this happens. If that second screen keeps coming up, there could be a problem with the store reader.

Could there be a flaw in the EMV chip?

If there were a flaw in the EMV chip itself I think someone would have found it in the 15 years since chip cards were first introduced in Europe.

From everything we know right now, there is no practical way to hack into a chip card and reveal its hidden security keys.

In 25 years or so, some researchers think that a new type of computer utilizing quantum computing power could potentially break the security keys in EMV chips and all of the security used to protect websites on the internet.

Quantum Computers are Coming and the World Might not be Ready

It’s a scary thought that we will have to completely re-think our computer security systems in the not too distant future.

Let’s just hope that our credit cards are expired by then.

Is Anti-Virus Software Working?

A few weeks ago my mom asked me which anti-virus software she should buy for her home PC.  Being a good son, I spent a bit of time looking at independent lab reviews of the most popular products available so I could give an informed answer.

A couple of days later, news broke that a Google research team had uncovered serious flaws in Symantec Antivirus and it looks like millions of customers are at risk of having those flaws exploited.

http://www.zdnet.com/article/symantec-antivirus-product-bugs-as-bad-as-they-get/

Oops. I guess I shouldn’t have recommended Symantec for my mom.

 

Unknown Virus Attacks

I went back and re-read the anti-virus reviews after the Symantec story broke and one thing that caught my eye was how well the software detected previously unknown viruses.

Symantec was one of the best and scored above 95% at detecting previously unknown attacks.  Usually, these viruses are just slight modifications of a known threat so you’d expect the software to catch it.

But, the really dangerous stuff is when an entirely new area is attacked and the anti-virus software isn’t even looking for it.

This is why the story about Symantec is so troubling.  Not only have the flaws been around for years but no one was even looking for them.

Symantec couldn’t detect its own flaws and since no one runs more than one anti-virus program on their computer, there’s no way for another program to spot them.

 

Twitter Hack an “Unknown” Virus?

Last month, news broke that 32 million Twitter account passwords were leaked.  At first, most people assumed it was another company data breach, but Twitter strongly denied that.

A closer look at the leaked passwords revealed they were most likely stolen from 32 million computers compromised with a computer virus.

Yikes!  So, there might be a virus out there that has infected 32 million computers and it’s still on our “Unknown” list?

 

At Least Protect Your Payments!

We live in a world where millions of computers are already compromised and anti-virus software may or may not detect new threats.

I’ve had many people ask me why we built a hardware device to protect payment information.  “Why don’t you just write a software program, or a mobile app?” is a common question.

If Amazon can build hardware buttons to order diapers and cat litter, we think that a dedicated device to encrypt your payments is a pretty good idea.

Desktop Still 80% of E-Commerce

I sometimes hear surprised reactions when I tell people that our product focus is on desktop e-commerce.

Many people are convinced that mobile e-commerce accounts for more than desktop and that desktop is rapidly dropping to zero.

Actually, almost 80% of e-commerce transactions are made from the desktop and it’s growing by $10 billion / year.

If you’ve ever tried to type in your credit card on a mobile device, it’s not hard to see why.

 

Didn’t I hear that mobile is 60% of all commerce?

There were a lot of headlines around the rapid growth of mobile commerce during the 2015 holiday season.

Most of the buzz came from a comScore report for the 2015 Nov-Dec holiday season that showed mobile commerce growing by 60% from the previous holiday to a total of $12.6 billion. 

Desktop e-commerce only grew by 6% to $56.4 billion in the same period.

The percentage growth is a bit misleading (but makes good headlines) because mobile started from a much smaller number.

If you look at the raw dollar amounts for the period, desktop grew by $3.1 billion and mobile grew by $4.7 billion. Still good, but it doesn’t seem quite as impressive when looking at the raw numbers.

 

Mobile Retail or E-commerce?

This news that mobile grew 60% got a lot of people to draw hockey stick graphs and jump to the conclusion that mobile e-commerce would overtake desktop in a few years’ time.

But, one thing that can be misleading about mobile commerce is that it is comprised of both e-commerce (buying goods/services online) and in-store retail like the Starbucks app being used to buy an overpriced latte.

In the same two-month holiday period last year, about $1.2 billion of “mobile commerce” was from the Starbucks app, and another $1.3 billion was from Apple Pay at places like McDonald’s and Whole Foods.

 

Should we be Excited about the Starbucks app?

Not that I have anything against Starbucks, but I wonder if we should really be including the Starbucks app when we look at the growth of mobile commerce, and using it to make predictions about the future of commerce.

If we didn’t use their app, we would probably still buy the same coffee, at the same store.  Maybe people buy a couple percent more coffee than they used to, but how much has commerce really grown or changed because of it?

 

Breaking down Mobile Retail and Mobile E-commerce.

A recent survey of Apple Pay users from Phoenix Marketing International showed that 62% of Apple Pay transactions happen in a retail store and the other 38% were for e-commerce.

It’s hard to get an accurate breakdown of the types of mobile commerce, but my best estimate is that only half of the $12.6 billion reported for mobile commerce last holiday season was actually e-commerce.

If desktop e-commerce was $56.4 billion, and mobile e-commerce is closer to $6.3 billion, 80% of e-commerce is still coming from the desktop.

Mobile will catch up some day, but I think we are at least 10 years from mobile breaking even with desktop for e-commerce.

Maybe using Chip Shield to enter payment details into your favorite mobile apps will help to speed up the process!

Apple Pay Fraud and Stolen Credit Cards

 

With the launch of Apple Pay in 2014, banks and merchants were told they were getting a system that would help prevent fraud by requiring fingerprint authentication and providing better security than plastic credit cards.

Apple used this promise to elicit revenue sharing from merchants and banks that supported their system.

What actually happened?

Within 6 months of Apple Pay’s release, rampant fraud had been reported from banks and retail stores supporting Apple Pay, and for some banks, the fraud rates reached 60 times higher than traditional plastic cards.

Ironically, among the hardest-hit retailers were Apple stores themselves.

http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers

 

Too Easy to Add Stolen Cards

The problem wasn’t with the encryption or fingerprint security, but the fact that adding stolen cards into Apple Pay was too easy.

Banks want to make it easy to add their cards to the system and Apple prides itself on easy-to-use products and services.

Apple added neat features like being able to take a picture of your credit card. So, fraudsters used paint programs to create images of stolen cards and took pictures of the print-outs.

Apple wanted to make it easier for customers who already had their credit card on file with iTunes. So, fraudsters added stolen cards to iTunes, ran a couple of small transactions that wouldn’t be noticed, and then bypassed most of the security checks when adding the cards to Apple Pay.

Banks wanted friendly support groups to help with the process of on-boarding cards. The support people were so friendly that they even helped activate stolen cards.

 

Who’s to Blame?

Apple has pointed at the banks for any problems approving stolen cards, but in the end, they created a system with a major security hole and left the banks to pay millions of dollars to cover fraud losses.

I’d love to be a fly on the wall while Apple tries to get reimbursed for losses at their own stores for accepting Apple Pay.

One thing that Apple Pay fraud has shined a light on is the fact that banks’ security verification questions are often woefully inadequate for determining who actually owns a credit card.

The “gold standard” for some banks to verify cardholder identity was to ask for the last 4 digits of your social security number. Unfortunately, criminals have access to huge databases of security information stolen from previous data breaches.

For a criminal, searching for the last 4 digits of your SSN is about as difficult as finding a bad picture of you on Facebook.

 

Apple Pay vs. Chip Cards

If you’re a merchant, accepting Apple Pay might sound cool, but it doesn’t look like its promise of reducing fraud will ever be as strong as that of chip-based cards.

Chip cards were specifically designed to prevent counterfeiting, whereas Apple Pay looks to be a counterfeiter’s dream.

Banks have been forced to put up higher and higher walls to prevent stolen cards from being added. It’s still fairly easy to add a card if your phone is already linked to your bank account, but adding cards to tablets and phones with new numbers requires extra verification steps.

 

One way to streamline the process is to verify the customer’s card with a product like Chip Shield. It reads the payment information directly from the chip card and validates that the card is legitimate. If a card were added to a mobile wallet using Chip Shield, the risk of fraud at merchants would be greatly reduced.

Maybe Apple Pay + Chip Shield could live up to the promise of reducing fraud for merchants.
