Linda Punch
Increasingly sophisticated fraud schemes show that personal identification numbers are more vulnerable than once thought. Bring in the reinforcements.
For the past 40 years, personal identification numbers have built an enviable reputation as a nearly inviolable security feature. They’re much more secure than signatures and, until relatively recently, reports about PIN thefts were rare.
For criminals, PINs represent the golden ring. They can be used to empty a cardholder’s bank account at an ATM, giving the crook access to ready cash. Without the PINs, crooks would have to create fake cards using stolen card-account numbers and purchase goods that must be sold at a discount—a riskier and less profitable proposition.
Early attempts at debit card fraud involved skimming—the placement of a device on a point-of-sale terminal, fuel pump, or ATM to capture the card number as a card is swiped. Certain devices also may automatically record the PIN as the cardholder types it.
Shoulder-surfing, another form of skimming, involved fraudsters obtaining PINs through small hidden cameras placed near a terminal or ATM to record the cardholder’s keystrokes.
But with most of these methods, fraudsters can’t decode encrypted data or lack one or more pieces of critical information, such as cardholder name, to use the card.
“A few years ago, the attitude among banks and most companies was the PIN was almost impossible to steal and if you did steal it, you couldn’t use it,” says Avivah Litan, vice president and analyst at Stamford, Conn.-based Gartner Research.
But over the past few years, increasingly sophisticated skimming devices and data breaches involving debit card credentials are illustrating that PINs might be nearly as vulnerable to compromise by criminals as the mag-stripe, a security feature long viewed as inadequate.
‘Who Can Be More Intelligent?’
In the most recent high-profile breach, crooks placed rigged payment terminals in some Chicago-area Michael’s Stores Inc. locations. The breach, which store officials estimate occurred between Feb. 8 and May 6, involved 90 PIN pads in some of the chain’s 995 stores.
The terminals were capable of capturing information such as name and card account in addition to the PIN—just the type of data crooks need to access a debit account. Michael’s learned of the breach in May after fraudulent debit card transactions were reported to banking and law-enforcement authorities. Just to be sure, the chain replaced more than 700 PIN pads after the breach.
“The notion that PINs could never be breached is now obsolete,” Litan says.
Adds Jacob Jegher, senior analyst at Boston-based Celent LLC: “Are PINs secure? Yes and no. They’re secure as long as there is no interception or type of device installed that will capture it. If someone’s got a skimmer and camera positioned on that PIN pad and they’ve captured your PIN, well, you’re in trouble.”
Jegher notes that PINs are no different from any other security feature. “If something’s been created by a human, it can be beaten; in other words, broken down by a human,” he says. “Basically, it’s a war of who can be more intelligent or creative. Is it the developers of the technology or is it the fraudsters?”
Despite the flaws revealed by data breaches involving debit credentials, PINs are still viewed as a strong security feature. “Statistics continue to show that PIN debit has lower fraud rates than signature,” Julie Saville, vice president of Atlanta-based processor First Data Corp.’s Star EFT network, said in an e-mail. “Just recently, in its industry survey on debit transaction costs, the Federal Reserve Board found that signature debit fraud losses were approximately four times those of PIN debit.”
A recent identity-fraud study from Pleasanton, Calif.-based Javelin Strategy & Research yielded similar results. “Generally speaking, PINs are more secure than non-PIN transactions,” says Philip Blank, managing director of security, risk, and fraud. “Credit card fraud exceeds debit card fraud, and the primary reason for that is that debit cards have a PIN.”
Because the PIN is more secure than the mag stripe, no one is ready to dismiss it as a security feature.
“PINs have been around for 40 years, and in security that’s pretty remarkable,” says Robert Vamosi, senior analyst at Mocana Corp., a San Francisco startup specializing in security for non-PC devices linked to the Internet, including smart phones. “I don’t see the PIN going away.”
‘Practical First Step’
Nevertheless, there is no shortage of security technology being developed to fill in the chinks found in the PIN’s armor. Heading the list is chip-and-PIN, which secures POS transactions with chip-based encryption routines and by validating the card to the cardholder by means of PIN entry.
Also known as EMV, chip-and-PIN has proved successful in reducing payment fraud in Europe and elsewhere, and is being rolled out in Canada (“Canada Puts Down Chip Card Roots,” June).
However, the introduction of chip-and-PIN has met a major roadblock in the U.S., where credit and debit card security is based on the magnetic stripe. Major players in the payment card industry, including retailers, have balked at what they view as the high cost of replacing the existing system.
But many experts say the U.S. eventually will shift to EMV because of the mag-stripe system’s outdated security.
“Europe and Canada and other parts of the world have moved into the chip-and-PIN environment, which offers arguably a higher rate of security,” says Neil Marcous, president of the NYCE EFT network. “We have not as a country moved in that direction yet, although all of us are making greater and greater preparations for moving in that direction.”
A rollout of chip-and-PIN in the U.S. is just a matter of time, Litan says, noting that major retailers with locations worldwide already are installing systems capable of accepting EMV cards. “They have the same point-of-sale systems globally,” she says. “It’s not a big investment for them any more; they’ve already made the investment.”
In fact, last month Visa Inc. announced three major initiatives to move the U.S. to EMV contact and contactless card payments, as well as contactless mobile payments using near-field communication (NFC) technology (see Trends & Tactics, page 6).
Many new terminals being deployed in the U.S. are capable of accepting chip-and-PIN, Marcous says. And EFT networks are working to set up standards and guidance for upgrading ATMs for chip-and-PIN, primarily in areas frequented by overseas travelers.
“There are cards that come from overseas that have both the stripe and a chip but the issuer on the other end wants to see their authorization via the chip and in some cases may deny the transaction if it doesn’t come back that way,” Marcous says.
And some U.S. financial institutions are now issuing chip-and-PIN cards to customers who frequently travel abroad, where chip-and-PIN is widespread.
NYCE is working with its member issuers to offer a reloadable chip-and-PIN card to frequent travelers. Travelers overseas can load value at their online-banking site. The cards will allow banks to move into chip-and-PIN without making any large-scale change to their card base, Marcous says.
“This seems to be the most practical first step to take,” he says. “You don’t want to reissue 25,000 cards when you have 450 clients who actually need that capability.” NYCE hopes to launch the card in October.
‘Smarter Terminals’
But some contend EMV has its own vulnerabilities. Researchers at the University of Cambridge in 2007 reported they had opened up a supposedly tamper-proof chip-and-PIN terminal and replaced its internal hardware.
“This doesn’t bode well for chip-and-PIN,” Vamosi says.
Notably, Visa said the EMV system it envisages for the U.S. doesn’t necessarily require PINs, though many payment executives believe PINs should remain part of future security solutions. But Vamosi says the payment industry should be looking beyond EMV, whose core technology is about 20 years old, to emerging security technologies that could prevent the type of data breach that occurred at Michael’s.
“One way to stop that is to have smarter terminals to know when a counterfeit terminal has been put into a retail environment,” he says. “That’s a way of authenticating the device to the system that’s doing the point of sale.”
The PCI Security Standards Council last year issued recommendations that store owners write down the serial numbers of devices and periodically verify that terminals and records match, Vamosi says. The PCI Council administers the main Payment Card Industry data-security standard and related sets of rules governing card-processing software and PINs.
“A better solution is to have the chips themselves radio out, ‘I’m supposed to be here, I’m a legitimate terminal,’ so the point-of-sale system can say, ‘wait a minute, something has been swiped out,’” he says. “If we address the skimming problems, once again PINs will be seen as robust.”
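The serial-number check the PCI Council recommends is simple to automate. The following is an added example, not code from the article, the PCI Council or any vendor: it compares a store's sign-off inventory of PIN pads with a walk-the-floor survey and flags devices that are missing, unrecorded, relocated or share a serial number (all serials and lane names are constructed).

```python
"""Reconcile a store's recorded PIN-pad inventory against a walk-the-floor survey.
Added example, not code from the article, the PCI Council or any vendor; serial
numbers, lane names and the data layout are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Terminal:
    serial: str  # serial printed on the device; assumed unique per device
    lane: str    # checkout lane where the device is recorded as installed

@dataclass
class Findings:
    missing: list = field(default_factory=list)     # recorded, not found: removed?
    unknown: list = field(default_factory=list)     # found, not recorded: substituted?
    moved: list = field(default_factory=list)       # same serial, different lane
    duplicated: list = field(default_factory=list)  # one serial seen on >1 device

def reconcile(recorded, observed):
    """Compare the sign-off inventory with what an auditor actually sees on the floor."""
    f = Findings()
    counts = Counter(t.serial for t in observed)
    f.duplicated = sorted(s for s, n in counts.items() if n > 1)
    rec = {t.serial: t.lane for t in recorded}
    obs = {t.serial: t.lane for t in observed}
    for serial, lane in rec.items():
        if serial not in obs:
            f.missing.append(Terminal(serial, lane))
        elif obs[serial] != lane:
            f.moved.append((serial, lane, obs[serial]))
    f.unknown = [t for t in observed if t.serial not in rec]
    return f

def needs_escalation(f):
    """A missing, unknown or duplicated serial may mean a swapped device; a move
    alone is a records problem to correct, not by itself a breach indicator."""
    return bool(f.missing or f.unknown or f.duplicated)

# Constructed survey: lane 3's pad replaced by an unrecorded device, lane 5's pad
# relocated to lane 6, lanes 1 and 2 exactly as recorded.
RECORDED = [Terminal("SN-1001", "lane-1"), Terminal("SN-1002", "lane-2"),
            Terminal("SN-1003", "lane-3"), Terminal("SN-1005", "lane-5")]
OBSERVED = [Terminal("SN-1001", "lane-1"), Terminal("SN-1002", "lane-2"),
            Terminal("SN-9999", "lane-3"), Terminal("SN-1005", "lane-6")]

if __name__ == "__main__":
    r = reconcile(RECORDED, OBSERVED)
    print("missing:", r.missing, "unknown:", r.unknown, "moved:", r.moved)
    print("escalate" if needs_escalation(r) else "records match")
```

In practice the observed list would come from a manager's periodic walk-through (or a terminal-management system export), and any escalation should also pull the lane's surveillance footage for the window since the last clean check.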
The explosive growth of mobile devices also provides a technology that could be easily adapted to secure payments without requiring major infrastructure changes, NYCE’s Marcous says.
Close to 50% of U.S. cell-phone owners possess smart phones capable of running applets (software programs that run within other applications) that could be used for payment at the point of sale or to activate an ATM. Those technologies could be rolled out long before chip-and-PIN takes hold in the U.S., he says.
“We’re moving into a world where an applet, a cell phone, and the point-of-sale location would be able to disassociate data that would be skimmed and taken at the merchant location and never shown at the merchant location, eliminating that problem,” Marcous says.
Determined Fraudsters
Because of the potential offered by mobile, NYCE’s parent company, Jacksonville, Fla.-based processor Fidelity National Information Services Inc. (FIS), and NYCE in August began beta tests with a bank and a credit union on a mobile-phone payment method. Marcous declines to give details on the product, which has been in development for more than two years.
But he says the phone will interact with a common POS device, and the system requires no hardware change to the mobile phone or the merchant’s payment devices. The mobile phone also can be used to make Internet payments.
“It makes things a bit cleaner and easier for the industry to move toward in that it doesn’t require physical change to the point-of-sale device or physical change to the mobile phone,” he says.
Developing technology to prevent the compromise of the PIN and other data is difficult because of the wide variety of methods used by fraudsters. At the point of sale, skimming equipment can range from hand-held skimmers to compromised terminals. At the processor level, fraudsters try to introduce sophisticated malware and spyware into the system to capture the confidential information.
And regardless of the technology, experience has shown that no single security measure, no matter how high-tech, can indefinitely withstand attacks from determined fraudsters. That means that banks, retailers, and processors must cooperate, Jegher says.
“There are multiple partners in the picture and everyone has to come together to augment the security that’s out there,” he says. “The parties are the issuers of the cards, developers of the technology, the merchants and the consumers. But there is nothing that is foolproof.”
Behind the Rise in ATM Skimming
ATM skimming continues to plague the financial industry despite long-time efforts to curb the fraud, which can cost banks millions. Although no one has documented just how widespread the problem is, some believe it is on the rise.
“We’ve seen ATM fraud grow in the last six months,” says Philip Blank, managing director of security, risk, and fraud, Javelin Strategy & Research. Javelin tracks skimming as a general category but is beginning to break out ATM skimming data to get a better handle on just how serious the problem is.
In ATM skimming, fraudsters typically install an inconspicuous device on the machine that secretly records bank-account data when the user inserts a debit card into the machine. Criminals then encode the stolen data onto a new, blank card and use it to drain a customer’s bank account.
The scheme generally involves a hidden camera used in conjunction with the skimming device to record customers typing their personal identification number into the ATM keypad. The skimmer, which is very similar to the original card reader, fits over the card reader.
In another variation, crooks overlay a keypad directly on top of the factory-installed keypad. The device, which takes the place of a concealed camera, stores the actual keystrokes as the customer enters a PIN.
The resulting losses can be staggering. Last fall, two brothers from Bulgaria were charged with using stolen bank-account information to defraud two banks of more than $1 million, according to the Federal Bureau of Investigation.
One factor contributing to the rise in ATM skimming is that the equipment needed can be purchased inexpensively, says Robert Vamosi, a senior analyst at Mocana Corp., a device-security startup.
“The bad guys can buy the equipment on the Internet very cheaply to replicate the card reader, to replicate the keypad,” Vamosi says. “Because those costs are coming down, we’re beginning to see less savvy criminals get involved.”
Meanwhile, financial institutions are stepping up the battle against ATM skimming, adding new technology, Blank says.
“They’re making it more difficult for the skimming devices to be attached, they’re increasing the video surveillance, and they’re also looking at installation patterns,” he says. “They’ve actually been able to make some arrests of people who are doing this.”
But the problem remains. “Does that mean it’s going to go away tomorrow?” Blank says. “No. As the manufacturers of the ATMs bring out more skim-proof ATMs, the fraudsters will find better ways to [skim].”