Firms prodded to try smarter credit cards

["Richard M. Smith" <rms () computerbytesman com>]

http://www.boston.com/business/technology/articles/2007/03/01/firms_prodded_
to_try_smarter_credit_cards/

Firms prodded to try smarter credit cards


Chip technology new antifraud tool


By Ross Kerber, Globe Staff  |  March 1, 2007

Faced with increasing threats of theft of consumer data, credit-card
companies are rolling out higher security plastic.

European and Asian banks in recent years have spent billions of dollars to
make the switch to credit and debit cards containing a tiny microprocessor
chip that store s encrypted customer information and require s a personal
identification number, or PIN.

American financial institutions also are starting to offer similar so-called
smart cards that promise to better protect consumer data following credit-
and debit-card theft from retailers such as
<http://boston.stockgroup.com/sn_overview.asp?symbol=TJX> TJX Cos. and Stop
and Shop Supermarket Cos.

So far American companies have been slow to adopt more secure cards because
they have better telecommunications links to cash registers that can
authenticate information quickly, keeping fraud losses at acceptable levels.
But now US card companies are under pressure to upgrade .

"The problem is what's on the horizon," said David Robertson, publisher of
The Nilson Report, a California newsletter that tracks the payments
industry. "If chips and PINs become commonplace everywhere else, then the
fraudsters will inevitably move to the US because it will be easier to
commit here."

US consumers charged $2 trillion last year on credit and debit cards linked
to the systems of Visa International, MasterCard Inc.,
<http://boston.stockgroup.com/sn_overview.asp?symbol=AXP> American Express
Co., and Discover Financial Services. Most American banks and card networks
use cards with magnetic stripes, which are cheaper -- about 85 cents per
card versus $2 for a smart card.

The stripes are coded with information, such as customer names and account
numbers, and allow merchants to quickly authorize a transaction over phone
lines with a single swipe of a card through a computer.

But the data on the magnetic stripes is relatively easy for thieves to copy
. In contrast, the new card technologies like MasterCard's "PayPass" and
American Express's "ExpressPay" use chips and tiny radio antennas. The
chips, like those on cards in Europe, store encrypted data to make it harder
for thieves to use if the card is lost or stolen. The antennas make it
convenient for consumers, allowing them to pay by holding their card near or
tapping their card on a special reader at the cash register. The method is
known as a contactless payment.

"We'll see the adoption of chip cards, but I don't think the magstripe
environment will be done away with soon," said Visa senior vice president
Brian Triplett. For one thing, it would be hard to replace all 12 million
cash-register devices that scan magnetic stripes in the United States, he
said.

There has also been less demand for smart cards in the United States. Many
of the foreign cards' security features are designed to work in places
without the extensive telecommunications systems that help American card
networks spot questionable purchases in real time, Triplett said.

In the United States, Visa and others have tested chip cards but found
consumers didn't want to have to remember another PIN code. That's why Visa
is promoting a new "contactless" chip card, for its convenience.

"There's not one silver bullet," Triplett said.

About 15 million contactless cards have been issued in the United States,
about 7 million of them by Visa, he said. That's a tiny percentage of the
more than 1 billion credit cards circulating in this country.

The US card industry has tried simpler technologies, such as including small
photos of customers or three digit security codes on cards, but those
measures have had a modest effect on fraud.

A shift to smart cards would be expensive. In England, a consortium of large
banks estimates the industry spent more than $2 billion to issue 138 million
smart cards that are being used at 900,000 cash register terminals. But the
consortium says the spending cut fraud 13 percent to $861 million in 2005.
Networks in France, Sweden, China, and Japan have deployed similar systems.

Card companies started using magnetic stripes in the 1980s, upgrading from
merchants making copies on carbon paper slips. But weaknesses are being
exposed as more thieves target the in-store devices that read the magnetic
stripes. On Monday police arrested four suspects in Rhode Island for
tampering with the card-reading terminals at various Stop & Shop grocery
stores. Authorities believe the suspects stole credit- and debit-card data
from the machines to make fake debit or ATM cards and withdraw more than
$100,000 from banks.

Smart cards also could have helped limited the scope of the TJX theft, said
Simon Bennett, a spokesman for the British card consortium. The Framingham
retail giant on Jan. 17 disclosed a security breach that potentially exposed
the credit- and debit-card data of millions of shoppers dating back to 2003.

TJX may have violated an industry guideline against keeping such data on
file, but the smart cards are designed so merchants don't need to do that ,
Bennett said. Instead, customers place their cards in readers at the
checkout counter, which check that the information on the chip matches a
person's identity and the PIN number they key in.

Ted Iacobuzio, managing director of Needham research company TowerGroup,
said another reason why US companies are moving toward a more secure card
are recent federal guidelines that encourage banks to use biometric factors
like fingerprints or voice patterns to improve the security of customers
shopping online or using automated teller machines. Chips would be needed
for their capacity to store the biometric information.

"There has never been a business case for using chips in the US before, but
the business case that's emerging is fraud," Iacobuzio said.

Ross Kerber can be reached at  <mailto:kerber () globe com> kerber () globe com.
<http://cache.boston.com/bonzai-fba/File-Based_Image_Resource/dingbat_story_
end_icon.gif>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.