Security Hot Seat: Chip and PIN
The Latest Payment Card Security Technology in this Week's Hot Seat
If you live in the US, you’re probably vaguely familiar with the concept of Chip and PIN, a so-called savior to all our credit and debit card security woes. US banks and retailers are moving towards a 2015 deadline by which they must implement this technology. Chip and PIN doesn’t require swiping a magnetic stripe, and it is the swipe that leaves current credit cards open to “skimming” attacks, where attackers sit at the POS and grab the card number and PIN to use for future fraudulent purchases.
This week, I’m in the UK and am amazed at the looks I get when I heave my “old school” credit card out of my wallet for purchases. The infrastructure here is set up to use Chip and PIN cards, which use an embedded microchip on the card to authorize the payment. That way, even if a fraudster gets your card information, they won’t have the digital certificate to authenticate it via the microchip.
But just this week, reports came out describing how hackers could take advantage of one of the card’s main benefits: contactless payment, with no need for a swipe. In the scenario described, they’d be able to “read” the card while it is still inside someone’s wallet because of a flaw in how it validates non-UK currency payments.
So the moral of the story is this: while contactless payments will be in our future, the administrators of those technologies will need to continue to stay ahead of the bad guys.