Researchers from CHASE Center Discuss the Credit Card Hacking Problem and the Technologies That Can Help Stop It.
Credit Card Data Theft: Stopping the Hackers
By: Colin Poitras
In response to a massive security breach that threatened the personal and financial data of nearly one third of U.S. adults last year, retail giant Target is investing more than $100 million to prevent similar thefts by implementing advanced chip-based credit card technology at its point-of-sale terminals.
Researchers from UConn’s Center for Hardware Assurance, Security, and Engineering (CHASE) discuss the credit card hacking problem and the technologies that can help stop it.
Q: Why do American credit cards appear to be particularly vulnerable to these kinds of attacks?
A: The recent attack against Target appears to be based on malicious Trojan software infiltrating the point-of-sale system. The magnetic strip on a traditional U.S. credit card holds a code known as a CVV, for Card Verification Value, that is used when the card is swiped at the point-of-sale terminal. That code is used to authenticate the card. The customer’s “signature” on the back of the card is (unfortunately) very rarely checked by merchants, making the CVV the sole line of defense against counterfeit cards.
By injecting malware in the point-of-sale terminal, the attackers are gaining access to the content of the strip (customer private data, card number, and CVV), giving them all the information they need to create a perfect duplicate of the card.
Q: What is this chip-based credit card system that other countries use and how is it more secure than what we use in the United States?
A: Most of the world is using “smart cards” with a microchip embedded in the card. A customer who has one is now in possession of two critical pieces of evidence to assert his claim as the card’s rightful owner. The customer possesses the physical card with the chip and he knows a PIN (personal identification number) to unlock the card. This is known as “two-factor authentication.”
The idea is simple: when the card is submitted at the point of sale, the POS terminal asks the customer to enter the PIN, which is passed to the chip on the card to validate the PIN. The PIN does not get sent to the bank. It is sent to the card locally. If the customer loses the card or the credit card is stolen, the thief can’t do anything, as he doesn’t have the PIN. If the customer inadvertently discloses the PIN to a thief, the thief can’t put it to use, as he needs the physical card, which is needed to certify that PIN.
A compromise of the point-of-sale system that transfers information to the thief (say the PIN) is now much harder to exploit. Indeed, the thief would have to forge a smart card with a chip that authenticates the PIN rather than simply printing the CVV on a magnetic strip.
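The two designs contrasted in these answers, as an added toy model (my code, not the researchers' and not an EMV implementation): the stripe is a static record, so whatever a compromised POS logs reproduces the card, whereas the chip checks the PIN locally and authenticates each transaction with a key that never leaves the card, so a logged PIN and cryptogram can be neither replayed nor altered. The HMAC cryptogram, the per-card transaction counter and the on-card PIN check are simplifying assumptions, not the real protocol.

```python
import hashlib, hmac
# Constructed sample values (not real card data); the chip key exists only on the card.
PAN, CVV, PIN, CARD_KEY = "4111111111111111", "123", "4321", b"per-card-issuer-key"

class StripeCard:
    """Magnetic stripe: the POS reads the same static record (PAN + CVV) on every swipe."""
    def __init__(self, pan, cvv):
        self.track = {"pan": pan, "cvv": cvv}
    def swipe(self):
        return dict(self.track)                # exactly what POS malware would log

class ChipCard:
    """Chip: the PIN is checked on the card, and the key never leaves it."""
    def __init__(self, pan, pin, key):
        self.pan, self._pin, self._key, self.counter = pan, pin, key, 0
    def authorize(self, pin_entered, amount):
        if not hmac.compare_digest(pin_entered, self._pin):
            return None                        # wrong PIN: the card refuses
        self.counter += 1                      # fresh per-transaction value
        msg = f"{self.pan}|{amount}|{self.counter}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount, "counter": self.counter, "mac": mac}

class Issuer:
    def __init__(self):        # bank side: per-card CVV, per-card key, last counter seen
        self.cvv_db, self.keys, self.last = {PAN: CVV}, {PAN: CARD_KEY}, {PAN: 0}
    def accept_stripe(self, track):
        return self.cvv_db.get(track["pan"]) == track["cvv"]
    def accept_chip(self, rec):
        msg = f"{rec['pan']}|{rec['amount']}|{rec['counter']}".encode()
        expect = hmac.new(self.keys[rec["pan"]], msg, hashlib.sha256).hexdigest()
        if rec["counter"] <= self.last[rec["pan"]] or not hmac.compare_digest(expect, rec["mac"]):
            return False                       # replayed or altered cryptogram
        self.last[rec["pan"]] = rec["counter"]
        return True

def stripe_leak_is_reusable():
    """One logged swipe is enough to build a duplicate that the issuer accepts."""
    issuer, logged = Issuer(), StripeCard(PAN, CVV).swipe()
    return issuer.accept_stripe(StripeCard(logged["pan"], logged["cvv"]).swipe())

def chip_outcomes():
    """Genuine purchase clears; a logged PIN + cryptogram yields neither replay nor forgery."""
    issuer, card = Issuer(), ChipCard(PAN, PIN, CARD_KEY)
    logged = card.authorize(PIN, 20)           # captured at the POS along with the PIN
    genuine = issuer.accept_chip(logged)
    replay = issuer.accept_chip(dict(logged))  # same cryptogram again: stale counter
    forged = dict(logged, amount=500, counter=logged["counter"] + 1)  # no key: MAC no longer matches
    wrong_pin_refused = ChipCard(PAN, PIN, CARD_KEY).authorize("0000", 20) is None
    return genuine, replay, issuer.accept_chip(forged), wrong_pin_refused
```

The counter check stands in for the bank-side freshness checks that make a captured cryptogram single-use; without it, the key alone would still block forgery but not replay.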
More at UConn Momentum