05-01-2014 06:16 AM
Data-drained Target hurries to adopt chip-and-PIN cards
by Lisa Vaas
Target will adopt chip-and-PIN payment card security for its debit and credit cards, it announced on Tuesday, setting itself up to become probably the first major retailer in the US to take the plunge.
Beginning in early 2015, the horrifically hacked, still scrambling retailer will try to strengthen its bludgeoned security by plugging MasterCard's chip-and-PIN security into its entire REDcard portfolio. Chip-and-PIN systems are already widely used in Europe and elsewhere, while the US has been verrrrrrry sloooooooowly inching toward adoption of what are widely considered to be far more fraud-proof payment cards. In fact, the large-scale theft of payment card data from the likes of retailers Target and Neiman Marcus has focused attention on the problem of the US's stubborn refusal to back away from magnetic stripe cards.
Two major credit card companies, MasterCard and Visa, have plans to change to chip and PIN and have both recently set October 2015 as an important deadline in the switch, according to the Wall Street Journal. Chip-and-PIN cards rely on a microchip embedded in the card, as opposed to the magnetic stripe on the back of nearly all cards used in the US.
The data on that magnetic stripe - known as track data - can be used to fairly easily create counterfeit cards by encoding the data onto any card with a magnetic stripe. The chips on chip-and-PIN cards, in contrast, can't be duplicated.
The PIN part of the equation, meanwhile, is also a more secure authentication factor compared with what a card holder scribbles on the bottom of a receipt (a signature that merchants frequently don't even bother to check).
Mind you, chip-and-PIN is by no means a foolproof payment card security system. In 2008, Trojanised chip-and-PIN machines in Europe were reported to have been compromised during the manufacturing process. These Trojanised devices sported additional internal hardware, including a GSM modem, to transmit phished credentials to cybercriminals in Pakistan.
There have also been problems with ATMs and point-of-sale systems (POSes) that process chip-and-PIN cards using random number generators that have proved to be anything but random. Another weak spot is the PIN entry device (PED) - the device into which customers insert cards. Cambridge University has demonstrated that two popular brands of PEDs used in the UK don't encrypt data exchanged between the card and the PED during a transaction.
That means that crooks with "basic technical skills" can record the information and create fake cards that can then be used to withdraw cash from ATMs abroad, as well as at some ATMs in the UK, according to researchers.