News

Actions

Researchers find new security flaw in chip-based credit cards

Posted at 9:26 PM, Aug 03, 2016
and last updated 2016-08-03 21:26:47-04

LAS VEGAS — Computer researchers have found yet another flaw in the upgrade to the chip-based credit cards in the United States.

The chip on these credit cards have been praised for making them nearly impossible to counterfeit. While the cards also contain a magnetic strip, that strip is supposed to tell the payment machine to use the chip.

But there’s a relatively easy way to knock down that safeguard.

Computer security researchers at the payment technology company NCR demonstrated how credit card thieves can rewrite the magnetic stripe code to make it appear like a chipless card again. This allows them to keep counterfeiting — just like they did before the nationwide switch to chip cards.

They presented their findings at the Black Hat computer security conference on Wednesday.

This glaring hole in EMV, the chip-based system, is possible because of the way many retailers are upgrading their payment machines: They’re not encrypting the transaction.

“There’s a common misperception EMV solves everything. It doesn’t,” Patrick Watson, one of the researchers, told CNNMoney.

The discovery of this flaw bolsters the retail industry’s complaints against the upgrade, which was forced upon shops by banks.

The National Retail Federation has long complained about the upgrade, which is estimated to cost American retailers $25 billion.

This latest research shows that retailers could spend millions of dollars upgrading to EMV and still not protect their customers from a massive credit card theft like the Target and Home Depot hacks two years ago.

Adding to the problem, payment terminal makers keep producing machines that don’t have the encryption by default.

And vendors who sell and install these machines at shops don’t simply flip the switch and turn on encryption. Retailers have to pay extra for basic security.

CNNMoney reached out to the major machine makers, Verifone and Ingenico, as well as the major credit card companies, Visa and MasterCard.

Ingenico and Verifone both asserted they offer point-to-point encryption on retailer’s machines — but it’s up to retailers and their partners to turn it on. Others did not respond to requests for comment.

Currently, retailers focus on protecting the computer network that support their payment system. But that leaves the actual conversation between your credit card and the machine in plain text, readable to any hacker who breaks into the system.

It’s a mistake, said Mike Weber, vice president at the IT auditing firm Coalfire.

“They’re assuming the environment is okay,” he said. It’s not.

During their presentation, the NCR researchers advised shops to “encrypt everything” in a transaction. They also said consumers should pay with special apps on their phones and watches whenever the high tech option is available.