Musings on Chip & PIN – or – Don't Cry for Me, Argentina

As part of the technical support team at Sherpa Software, I often receive calls asking how to use our eDiscovery tools to scan for Payment Card Industry (PCI) data, whether it’s located in email messages or attachments or on file shares.

In the past, I’ve written extensively about the recent rash of credit and debit card fraud, namely the theft of consumer information from such retailers as Marshall’s, DSW, and Target. Fortunately, despite frequenting all three of these stores, I myself (to my knowledge) never had my own accounts or personal information hacked. I’ve been blissfully able to write about a subject with no firsthand experience of the pain suffered by those actually affected by it.

That changed for me while travelling in Argentina earlier this year. While viewing my checking account online, I noticed 3 withdrawals that would have been impossible for me to have made. Impossible because:

a) they each greatly exceeded the amount of cash Argentine banks allow to be withdrawn in a single transaction, and
b) I would not have had access to an ATM at the time the cash was actually withdrawn.

Quite bewildering since I still had the card in my possession and I had never shared my PIN with anyone. I notified my bank, who immediately cancelled the card. I was reimbursed for my loss within a matter of days but I was still upset… and mystified.

I initially assumed my information had been stolen at the ATM I had used the previous day – at the local Banco de Santa Cruz. The truth is actually more complicated. My card may have been cloned while using an ATM in Argentina, but it just as likely may have been “skimmed” here at home. Typically, a device is inserted into a legitimate card reader or ATM which copies the data contained on the card’s magnetic stripe. A second device may be inserted under or overlaying the keypad to capture your PIN as you type it, or someone simply watches covertly as you enter your PIN. For more on skimming, including photographs of the devices used, look here.

There’s no way to know for sure how/when this happened, since (according to my bank) the criminals often possess the card data for some period before actually withdrawing cash. So, just because the withdrawal from my account occurred while I was out of the country, the origin of the compromise may have been stateside. Interestingly, my bank was able to identify that the cash from my account was actually withdrawn from an ATM in the Philippines (which was how they managed to exceed the Argentine withdrawal limit – it was never an issue to begin with).

Shortly after my return, I was excited to discover I had been mailed new “Chip and PIN” credit cards. These cards replace the familiar magnetic stripe with a small chip that authenticates with a merchant’s card reader. Not only is the chip harder for crooks to replicate, but it also encrypts the data about the transaction as it occurs. Even if the data were to be hacked, any data captured applies only to that particular transaction and not to the card as a whole. This makes it much harder for criminals to breach your security.
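The property described above, that data captured from one chip transaction is useless for the next, can be shown with a simplified model. This is an added illustration, not code from Sherpa Software or any card network: HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and `ChipCard`, `Issuer` and the card number are hypothetical.

```python
import hashlib
import hmac
import os

# Simplified model, not real EMV: HMAC-SHA256 stands in for the chip's
# cryptogram function; all names and values here are constructed.
def _mac(key, pan, amount, counter, nonce):
    msg = f"{pan}|{amount}|{counter}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def sign(self, amount, nonce):
        self.counter += 1  # transaction counter never repeats
        return {"pan": self.pan, "amount": amount, "counter": self.counter,
                "nonce": nonce,
                "mac": _mac(self._key, self.pan, amount, self.counter, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last = {}, {}

    def issue(self, pan):
        self._keys[pan] = os.urandom(32)  # secret shared only with the chip
        self._last[pan] = 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, t):
        key = self._keys.get(t["pan"])
        if key is None:
            return False
        want = _mac(key, t["pan"], t["amount"], t["counter"], t["nonce"])
        if not hmac.compare_digest(want, t["mac"]):
            return False  # a field was altered after the chip signed it
        if t["counter"] <= self._last[t["pan"]]:
            return False  # counter already used: captured data replayed
        self._last[t["pan"]] = t["counter"]
        return True

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed card number
    first = card.sign(2500, os.urandom(4))   # nonce chosen by the terminal
    captured = dict(first)                   # copy of the data in transit
    altered = {**captured, "amount": 90000, "counter": 2}
    return [issuer.authorize(first), issuer.authorize(captured),
            issuer.authorize(altered),
            issuer.authorize(card.sign(1200, os.urandom(4)))]
```

`demo()` returns the issuer's decision for the genuine purchase, a verbatim replay of it, an altered copy, and the card's next genuine purchase. Magnetic stripe data has no counter or keyed value, so a copy of it is indistinguishable from the original.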

Can I now feel secure knowing that I carry the ultimate secure credit card in my wallet? Well, not quite, or at least not yet. The cards currently being issued in the United States are not true Chip and PIN, but rather the “Chip and Signature” variety. An improvement over the old-style cards, yes, but lacking a secondary security feature used in cards that have been issued in Europe and other developed parts of the world over the past decade or so.

In addition to the new chip technology, true Chip and PIN cards also require the consumer to enter a PIN in order to complete a transaction. The cards currently being distributed in the U.S. require only a signature, not a PIN. Granted, from a purely technological standpoint, replacing the magnetic stripe with the new chip is a great first line of defense as long as the card remains in your physical possession. However, I’m bewildered that major credit card providers aren’t requiring PIN usage as well, foremost to guard against unauthorized usage of stolen cards, but also to ensure that U.S.-issued cards will be accepted while travelling overseas.

According to Aite Group fraud analyst Julie Conroy, the reason for this is somewhat nuanced. One reason is that physically stolen credit cards make up only a small fraction of total credit card fraud. Moreover, card issuers feel that consumers will be slower to adopt the new technology if it’s perceived as being more complicated. Consider also that most merchants will require time to convert to the new technology, so for now, the new chip cards – regardless of whether they’re of the PIN or signature variety – still have a magnetic stripe for backwards compatibility. My new card has performed flawlessly but I’ve noticed I’m still swiping the card in the traditional manner – I have yet to insert it into a chip reader. And the complete obsolescence of magnetic stripes in favor of chip-only cards and readers isn’t expected until 2018.

It’s a positive sign to see the industry finally embracing the new technology to combat what’s been called the fastest growing crime in America. Magnetic stripes aren’t going away overnight, and the PIN vs. Signature debate has yet to be settled, but anything that makes life harder on the bad guys is fine by me.

To learn more about this topic, email information@sherpasoftware.com or visit us on the web at www.sherpasoftware.com
