Credit Card Data Theft: Stopping the Hackers
By Colin Poitras
In response to a massive security breach that threatened the personal and financial data of nearly one third of U.S. adults last year, retail giant Target is investing more than $100 million to prevent similar thefts by implementing advanced chip-based credit card technology at its point-of-sale terminals.
Researchers from UConn’s Center for Hardware Assurance, Security, and Engineering (CHASE) discuss the credit card hacking problem and the technologies that can help stop it.
Q: Why do American credit cards appear to be particularly vulnerable to these kinds of attacks?
A: The recent attack against Target appears to be based on malicious Trojan software infiltrating the point-of-sale system. The magnetic strip on a traditional U.S. credit card holds a code known as a CVV, for Card Verification Value, that is used when the card is swiped at the point-of-sale terminal. That code is used to authenticate the card. The customer’s “signature” on the back of the card is (unfortunately) very rarely checked by merchants, making the CVV the sole line of defense against counterfeit cards.
By injecting malware in the point-of-sale terminal, the attackers are gaining access to the content of the strip (customer private data, card number, and CVV), giving them all the information they need to create a perfect duplicate of the card.
Q: What is this chip-based credit card system that other countries use and how is it more secure than what we use in the United States?
A: Most of the world is using “smart cards” with a microchip embedded in the card. A customer who has one is now in possessions of two critical pieces of evidence to assert his claim as the card’s rightful owner. The customer possesses the physical card with the chip and he knows a PIN (personal identification number) to unlock the card. This is known as “two-factor authentication.”
The idea is simple: when the card is submitted at the point of sale, the POS terminal asks the customer to enter the PIN, which is passed to the chip on the card to validate the PIN. The PIN does not get sent to the bank. It is sent to the card locally. If the customer loses the card or the credit card is stolen, the thief can’t do anything, as he doesn’t have the PIN. If the customer inadvertently discloses the PIN to a thief, the thief can’t put it to use, as he needs the physical card, which is needed to certify that PIN.
A compromise of the point-of-sale system that transfers information to the thief (say the PIN) is now much harder to exploit. Indeed, the thief would have to forge a smart card with a chip that authenticates the PIN rather than simply printing the CVV on a magnetic strip.
Q: The chip system seems very secure. Why haven’t more U.S. banks and retailers switched over to chip-based credit card systems?
A: One simple answer is cost. In the U.S., it is estimated it will cost $8 billion to upgrade all of the POS terminals and ATMs that are available, and to issue new smart chip cards to consumers. Yet it has been very effective in Europe to reduce fraud, and has been in use for two decades. More than 70 percent of merchants in other parts of the world have adopted smart chip terminals, including nearly 90 percent of Europe.
Q: How do these chip-based cards work when you’re purchasing something online?
A: The idea is that the customer must be able to prove to the online merchant that they are in possession of both the card and the PIN. To this end, banks issue to their customer a “card reader” that looks like a calculator in which you insert the smart card.
The customer uses the smart card and the reader to first authenticate himself to the card. For the online transaction about to take place, the merchant sends a number to the customer (e.g., invoice number, amount) that is known as a “challenge.” The customer enters the challenge on his card reader, along with his PIN, and the chip on the smart card calculates a response (a number) that the customer dutifully reproduces on the online form. When the merchant receives the form with the response, it proves to him that the customer is indeed in possession of both the card and the PIN. This effectively creates “one-time passwords.”
This process is more involved for the user, and requires either the user or bank to pay for the card reader. But the bottom line is that smart card technology is well-established and proven with about two decades of use. It’s a little more cumbersome for users and for online transactions, but it curbs fraud significantly.
Q: UConn’s CHASE labs are dedicated to meeting the computer hardware challenges of the future to protect our country’s financial, commercial, and military systems, as well as its major transportation and utility infrastructure. What is CHASE doing to help protect consumers from credit card fraud?
A: UConn’s CHASE researchers are exploring innovative new technologies to prevent credit card fraud. For instance, we have several researchers looking into physical unclonable functions that could be used in credit cards to generate unique identifiers that are theoretically impossible to duplicate. Our researchers are also investigating the use of biometric techniques, such as heartbeat and electrocardiogram signatures, to uniquely identify a person owning a credit card. Both of these technologies, as well as others being investigated, may someday offer even greater security for consumers.
Thanks to the CHASE researchers who assisted with this article: Mark Tehranipoor, CHASE director and associate professor of electrical and computer engineering; John A. Chandy, CHASE deputy director and associate professor of electrical and computer engineering; and Laurent Michel, associate professor of computer science and engineering.