funsec mailing list archives
Firms prodded to try smarter credit cards
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 1 Mar 2007 08:35:48 -0500
http://www.boston.com/business/technology/articles/2007/03/01/firms_prodded_ to_try_smarter_credit_cards/ Firms prodded to try smarter credit cards Chip technology new antifraud tool By Ross Kerber, Globe Staff | March 1, 2007 Faced with increasing threats of theft of consumer data, credit-card companies are rolling out higher security plastic. European and Asian banks in recent years have spent billions of dollars to make the switch to credit and debit cards containing a tiny microprocessor chip that store s encrypted customer information and require s a personal identification number, or PIN. American financial institutions also are starting to offer similar so-called smart cards that promise to better protect consumer data following credit- and debit-card theft from retailers such as <http://boston.stockgroup.com/sn_overview.asp?symbol=TJX> TJX Cos. and Stop and Shop Supermarket Cos. So far American companies have been slow to adopt more secure cards because they have better telecommunications links to cash registers that can authenticate information quickly, keeping fraud losses at acceptable levels. But now US card companies are under pressure to upgrade . "The problem is what's on the horizon," said David Robertson, publisher of The Nilson Report, a California newsletter that tracks the payments industry. "If chips and PINs become commonplace everywhere else, then the fraudsters will inevitably move to the US because it will be easier to commit here." US consumers charged $2 trillion last year on credit and debit cards linked to the systems of Visa International, MasterCard Inc., <http://boston.stockgroup.com/sn_overview.asp?symbol=AXP> American Express Co., and Discover Financial Services. Most American banks and card networks use cards with magnetic stripes, which are cheaper -- about 85 cents per card versus $2 for a smart card. The stripes are coded with information, such as customer names and account numbers, and allow merchants to quickly authorize a transaction over phone lines with a single swipe of a card through a computer. But the data on the magnetic stripes is relatively easy for thieves to copy . In contrast, the new card technologies like MasterCard's "PayPass" and American Express's "ExpressPay" use chips and tiny radio antennas. The chips, like those on cards in Europe, store encrypted data to make it harder for thieves to use if the card is lost or stolen. The antennas make it convenient for consumers, allowing them to pay by holding their card near or tapping their card on a special reader at the cash register. The method is known as a contactless payment. "We'll see the adoption of chip cards, but I don't think the magstripe environment will be done away with soon," said Visa senior vice president Brian Triplett. For one thing, it would be hard to replace all 12 million cash-register devices that scan magnetic stripes in the United States, he said. There has also been less demand for smart cards in the United States. Many of the foreign cards' security features are designed to work in places without the extensive telecommunications systems that help American card networks spot questionable purchases in real time, Triplett said. In the United States, Visa and others have tested chip cards but found consumers didn't want to have to remember another PIN code. That's why Visa is promoting a new "contactless" chip card, for its convenience. "There's not one silver bullet," Triplett said. About 15 million contactless cards have been issued in the United States, about 7 million of them by Visa, he said. That's a tiny percentage of the more than 1 billion credit cards circulating in this country. The US card industry has tried simpler technologies, such as including small photos of customers or three digit security codes on cards, but those measures have had a modest effect on fraud. A shift to smart cards would be expensive. In England, a consortium of large banks estimates the industry spent more than $2 billion to issue 138 million smart cards that are being used at 900,000 cash register terminals. But the consortium says the spending cut fraud 13 percent to $861 million in 2005. Networks in France, Sweden, China, and Japan have deployed similar systems. Card companies started using magnetic stripes in the 1980s, upgrading from merchants making copies on carbon paper slips. But weaknesses are being exposed as more thieves target the in-store devices that read the magnetic stripes. On Monday police arrested four suspects in Rhode Island for tampering with the card-reading terminals at various Stop & Shop grocery stores. Authorities believe the suspects stole credit- and debit-card data from the machines to make fake debit or ATM cards and withdraw more than $100,000 from banks. Smart cards also could have helped limited the scope of the TJX theft, said Simon Bennett, a spokesman for the British card consortium. The Framingham retail giant on Jan. 17 disclosed a security breach that potentially exposed the credit- and debit-card data of millions of shoppers dating back to 2003. TJX may have violated an industry guideline against keeping such data on file, but the smart cards are designed so merchants don't need to do that , Bennett said. Instead, customers place their cards in readers at the checkout counter, which check that the information on the chip matches a person's identity and the PIN number they key in. Ted Iacobuzio, managing director of Needham research company TowerGroup, said another reason why US companies are moving toward a more secure card are recent federal guidelines that encourage banks to use biometric factors like fingerprints or voice patterns to improve the security of customers shopping online or using automated teller machines. Chips would be needed for their capacity to store the biometric information. "There has never been a business case for using chips in the US before, but the business case that's emerging is fraud," Iacobuzio said. Ross Kerber can be reached at <mailto:kerber () globe com> kerber () globe com. <http://cache.boston.com/bonzai-fba/File-Based_Image_Resource/dingbat_story_ end_icon.gif>
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Firms prodded to try smarter credit cards Richard M. Smith (Mar 01)