With the spate of cyber attacks on US retailers recently, Coalfire's European MD, Andrew Barratt, considers how attacks on retailers differ outside the US and what the potential impact of similar attacks would be in a world where Chip and PIN technology is more widely deployed.
Working in both the US and Europe gives us a good perspective on the payment security landscape. The US has a much higher rate of credit card usage than most European countries, and loyalty schemes and reward incentives are far more mature and embedded in consumer culture. In Europe card usage is increasing, but the type of card varies by country. In the UK credit card use is moving in a similar direction to the US, alongside a high rate of debit card usage; cards are quickly replacing cash. The UK also now has a lot of innovative mobile technology trying to disrupt the card market. Germany is very different: credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system. However, both of Europe's large economies moved away from the magnetic stripe years ago.
EMV, or Chip and PIN as it is more commonly known in the UK, has been in heavy use since 2006, which has significantly lowered the impact of brick-and-mortar retail breaches. It does not rely on sending the full track data to the payment processor, which means the data is easier to secure.
With retailers adopting more of the security controls detailed in the Payment Card Industry Data Security Standard (PCI DSS), and with widespread adoption of Chip and PIN for authenticating customers, huge losses from face-to-face retailers are less common.
Large US retailers are being targeted for smash-and-grab style payment card data breaches because the data is easier to use fraudulently. If a cyber attack steals a large amount of magnetic stripe data, it can be used to clone cards, which can then be used in stores to make fraudulent purchases.
Where transactions are authenticated using EMV's Chip and PIN verification method, less data is transmitted to the processor, and if that data is stolen it is harder to use fraudulently. It is not impossible, but it is a lot harder. EMV is not without its flaws, and a number of attacks have been demonstrated by Professor Ross Anderson's research team at Cambridge University. These typically attack the card reader and try to capture the PIN as it is sent to the chip on the card for verification.
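The reason stolen EMV authorisation data is so much less useful than stolen track data is that the chip's cryptogram is bound to one transaction. The following is an added illustration, not code from the article or from any EMV implementation: it uses a deliberately simplified model in which the card and issuer share a key and the cryptogram is an HMAC-SHA256 over the transaction details plus the card's transaction counter (real EMV derives per-transaction session keys from a 3DES master key and uses a different MAC; the class and field names here are assumptions). A constructed magnetic stripe record is verified alongside it to show the contrast.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Simplified model, not the real EMV protocol: the card and its issuer share a secret
# key, the card keeps an application transaction counter (ATC), and every authorisation
# carries a cryptogram computed over the transaction details. HMAC-SHA256 stands in for
# EMV's 3DES-based MAC purely to show the property that matters: the cryptogram is
# bound to one transaction and cannot be reused for another.

@dataclass(frozen=True)
class Transaction:
    amount: int          # minor units (pence)
    currency: str        # ISO 4217 numeric code, "826" for GBP
    terminal_nonce: str  # terminal's "unpredictable number"
    atc: int             # card's application transaction counter

def cryptogram(card_key: bytes, tx: Transaction) -> str:
    msg = f"{tx.amount}|{tx.currency}|{tx.terminal_nonce}|{tx.atc}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()

class Card:
    """Chip side: increments the ATC and signs the transaction; the key never leaves it."""
    def __init__(self, key: bytes):
        self._key, self._atc = key, 0

    def authorise(self, amount: int, currency: str, terminal_nonce: str):
        self._atc += 1
        tx = Transaction(amount, currency, terminal_nonce, self._atc)
        return tx, cryptogram(self._key, tx)

class Issuer:
    """Issuer side: recomputes the cryptogram and enforces a strictly increasing ATC."""
    def __init__(self, key: bytes):
        self._key, self._last_atc = key, 0

    def verify(self, tx: Transaction, arqc: str) -> bool:
        if tx.atc <= self._last_atc:
            return False  # stale or repeated counter: a replayed cryptogram fails here
        if not hmac.compare_digest(cryptogram(self._key, tx), arqc):
            return False  # details changed: the cryptogram no longer matches
        self._last_atc = tx.atc
        return True

# Magnetic stripe contrast: the authorisation data is static, so anything captured
# in transit verifies again exactly as it was. (Constructed record, not real track data.)
STRIPE_RECORDS_ON_FILE = {"constructed-stripe-record-001"}

def stripe_verify(record: str) -> bool:
    return record in STRIPE_RECORDS_ON_FILE

def demo():
    key = b"constructed-demo-card-key"
    card, issuer = Card(key), Issuer(key)
    tx, arqc = card.authorise(1999, "826", "a1b2c3d4")
    genuine = issuer.verify(tx, arqc)       # True: legitimate purchase
    replayed = issuer.verify(tx, arqc)      # False: same (tx, arqc) presented twice
    altered = Transaction(50000, "826", "ffffffff", tx.atc + 1)
    reused = issuer.verify(altered, arqc)   # False: cryptogram does not cover this data
    stripe_first = stripe_verify("constructed-stripe-record-001")
    stripe_replay = stripe_verify("constructed-stripe-record-001")  # True again
    return genuine, replayed, reused, stripe_first, stripe_replay

if __name__ == "__main__":
    print(demo())
```

The two checks in `Issuer.verify` are the whole point: a captured cryptogram is rejected because its counter has already been consumed, and it cannot be attached to a different amount or terminal nonce because it no longer verifies. The stripe record has neither property, which is why bulk-harvested track data from the US breaches is directly monetisable.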
For US retailers, minimizing the opportunities for exfiltration should be a high priority: lock down and monitor outbound connections.
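One way to turn "lock down and monitor outbound connections" into a concrete check is to hold an explicit egress allowlist for the POS segment and alert on anything that deviates from it, whether or not the firewall happened to permit the connection. The script below is an added example, not part of the article or any Coalfire tooling; the POS subnet, the allowlist entries, the key=value log format and the sample log lines are all constructed assumptions that would be replaced with a site's own values.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed network layout (not from the article): POS terminals live in one VLAN
# and should only ever talk to the payment processor and the internal patch server.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {
    (ipaddress.ip_address("203.0.113.10"), 443),  # payment processor (constructed)
    (ipaddress.ip_address("10.0.0.5"), 8530),     # internal update server (constructed)
}
HIGH_VOLUME_BYTES = 5_000_000  # cumulative outbound bytes per POS host before alerting

# Assumed key=value firewall log format; real products differ, so adjust the regex.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"action=(?P<action>allow|deny) bytes=(?P<bytes>\d+)"
)

def parse_line(line):
    """Return (src, dst, dport, action, bytes) or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            int(m["dport"]), m["action"], int(m["bytes"]))

def egress_alerts(lines):
    """Flag POS-originated connections outside the allowlist, and POS hosts that push
    unusually large volumes out. Traffic the firewall allowed but which is off the
    allowlist is still reported: the firewall policy and this check are independent."""
    alerts = []
    sent = defaultdict(int)
    volume_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, action, nbytes = rec
        if src not in POS_SUBNET:
            continue  # only POS egress is in scope here
        if (dst, dport) not in ALLOWED_EGRESS:
            alerts.append({"rule": "unexpected_destination", "src": str(src),
                           "dst": f"{dst}:{dport}", "action": action})
        if action == "allow":
            sent[src] += nbytes
            if sent[src] > HIGH_VOLUME_BYTES and src not in volume_flagged:
                volume_flagged.add(src)
                alerts.append({"rule": "high_volume", "src": str(src),
                               "bytes": sent[src]})
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "src=10.20.0.15 dst=203.0.113.10 dport=443 action=allow bytes=1200",
    "src=10.20.0.15 dst=10.0.0.5 dport=8530 action=allow bytes=4000",
    "src=10.20.0.22 dst=198.51.100.77 dport=21 action=allow bytes=3000000",
    "src=10.20.0.22 dst=198.51.100.77 dport=21 action=allow bytes=3000000",
    "src=10.30.0.9 dst=198.51.100.77 dport=80 action=allow bytes=900",
    "src=10.20.0.40 dst=203.0.113.10 dport=8080 action=deny bytes=0",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_LOG):
        print(alert)
```

Against the sample log this raises three `unexpected_destination` alerts (two permitted FTP connections from one POS host to an unlisted address, and one denied attempt to reach the processor on the wrong port) and one `high_volume` alert once that host's outbound total passes the threshold. The denied attempt is still worth an alert: a POS terminal trying to reach somewhere it never should is a signal regardless of whether the firewall stopped it.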
As the fraud bubble has been squeezed, attackers have shifted their focus to e-commerce operations in the UK, to service providers and to other businesses that handle a lot of cardholder-not-present transactions. As the cost of mounting attacks against the smart card declines, Europe serves as a good learning ground for the US. If the US adopts an EMV model in future, adoption can draw on the lessons learned overseas to give consumers more protection.
Article written by Andrew Barratt