Brian Bloom is a staff writer at ComputerWorld Canada. You can find him on Google+. He covers enterprise hardware and software, information architecture and security topics.
With secure chip technology now hardwired into almost all Canadian payment cards, Canadian crooks will find the magnetic stripe-only terminals south of the border mighty … attractive.
Just last week the Interac Association announced that chip technology on debit cards here is paying off: losses due to fraudsters “skimming” information off cards has declined by nearly 40 per cent in 2011 compared to 2010 in Canada, according to the organization. It lauded the now-ubiquitous chip technology as a formidable defence against would-be criminals.
Canadian banks, who issue credit and debit cards, tend to agree. For example, Mike Henry, senior vice-president and head of retail payments, deposits and lending at Scotiabank, said, “to the best of my knowledge, chip hasn’t been compromised anywhere in the world in an actual instance of fraud.”
But now that one avenue for Canadian electronic fraudsters has been blocked, they’ll probably find others. And it seems like most roads lead to the United States – few institutions there have incorporated chip technology into their payment cards. ATMs that cannot read chips will automatically read the magnetic stripe instead.
“Once 100 per cent of Canadian cards and devices are chip-enabled the only opportunity for a criminal is perhaps to get that magnetic stripe and go south of the border to Buffalo [New York] or whatever and perpetrate some fraud there,” says Oliver Manahan, vice president of emerging payments at MasterCard Worldwide.
Even still, taking a Canadian card to a magnetic stripe-only terminal in the U.S. would raise eyebrows back home, he says.
“The neural networks that the banks employ will focus very heavily on non-chip transactions, so it will be difficult going forward for criminals to do that,” says Manahan. “In fact, it will probably be easier for them to just pick up and move to Buffalo.”
Avivah Litan, vice-president and distinguished analyst at U.S.-based Gartner Inc., says she can definitely see such a scenario playing out.
“It was smart for Canada to move to a chip,” says Litan. “I’m sure they’ve lowered the fraud rates and they will continue to lower. So, what happens is the bad guys will take data and come to the U.S. more often.”
However, before we begin to gloat, Litan reminds us that Canada won’t be able to wash its hands completely of card fraud; our criminals will simply gravitate towards other forms of it. “There will be more e-commerce fraud in Canada,” she predicts.
Canada, says Manahan, decided to adopt chip technology soon after European countries started doing so, fearing the country could be left vulnerable to international fraud, particularly if our southern neighbour moved to chip before us.
“Some of that modeling we did was, ‘what if the U.S. migrated to chip before Canada and all of their fraud came to us?’ Well, that would paint a very ugly picture. So, the good news is that we’re definitely there, ahead of the U.S.”
However, he adds that Mastercard has recently endorsed chip technology in the U.S., which he sees as a promising sign.
But what is taking the Americans so long?
“It’s too much of a wild west in the U.S.,” says Litan. “There’s like 8,000 banks and millions of merchants. In Canada, you only have like five really big banks that count. So, they can kind of make these decisions much more centrally.”
The cost of upgrading the infrastructure for card payments is enormous and besides, she says, the U.S. already has some very good fraud detection measures in place.
That said, with chip technology making inroads all over the world, the U.S. is clearly trailing behind. “We’re like the only country except little countries in Africa that haven’t [adopted it],” says Litan.
The security offered by chip over magstripe is enormous, explains Manahan, and that is why it has seen widespread adoption around the world. Magstripes contain data that can be copied with a magnetic card reader/writer, whereas a chip is essentially a piece of hardware with strong encryption – much harder to “clone.”
“You actually need to have that person’s physical piece of plastic with you,” he says. “It’s no longer just a matter of can you hack into a database or can you do some systemic way of copying magstripes, whether an ATM or something like that. You actually need to steal that card or find a lost card somewhere.”
And cracking the chip technology, while not impossible, is so highly impractical that criminals aren’t likely to even bother trying, he adds. Last year, two European security consulting firms, Aperture Labs Ltd. and Inverse Path S.r.l., published a study titled, ‘Chip and PIN is definitely broken,’ complete with pictures of custom-designed electronics built into ATMs that could skim information from chip cards.
Litan says while she considers it “a valid study,” in practical terms the “impact of that type of vulnerability is virtually nothing.”
Manahan, who has also seen the study, agrees and notes that one key thing it didn’t address was the economic viability of performing that kind of chip fraud. The difficulty and danger involved in breaking into an ATM to install the new card-skimming devices would be enough of a deterrent to the kind of organized criminals involved in the card racket. “In terms of economic viability to the criminal, they just look at it and say, ‘no, not worth our while.’”
But Manahan adds that Mastercard [NYSE: MA] does keep up to date with the latest information security research. He welcomes attempts to expose flaws in chip technology and says there are regular efforts to come up with stronger encryption for it.
“There’s always that raising of the bar, which is one of the nice things about the technology. With magnetic stripe, which is really just static information, you really couldn’t do upgrades to the security sort of on-the-fly. But now we can with this technology.”