After Target Breach, Push Toward More Secure Credit Cards Seen As Inadequate
By technology editor Ian Bush
PALO ALTO, Calif. (CBS) — Months after the data breach that exposed credit card numbers and other details of tens of millions of holiday shoppers, Target has announced it will change its store-issued payment cards to those fitted with a microchip activated by a PIN.
But some security analysts wonder if the push toward that technology is already too little, too late.
Much of Europe has been using chip-and-PIN (called “EMV” by a consortium of payment companies) for well over a decade. It’s more secure than the magnetic stripe found most American credit cards, and retailers and banks here are trying to agree on a conversion strategy.
“They make it seem like moving to EMV is going to fix problems,” says Adam Dolby, with Encap Security of Palo Alto, Calif. “While it will fix some, the vast majority of fraud — and especially if EMV is deployed — is going to take place online.”
Dolby says concern over this growing “card-not-present” theft — where someone, say, uses your credit card number to shop at Amazon — led the firm to create a mobile app triggered when your card details are used in an online checkout.
“When you enter your credit card number, you receive a push notification,” explains Dolby. “It awakens a TD Bank app or any other bank app, presents you with the context of your transaction: do you want to spend $25 on whatever at Amazon? And you enter your PIN that you selected when you created it. Type in that PIN, tap ‘accept,’ and the transaction’s approved. And it’s done so in a way where the security is incredibly strong yet very simple for the user to figure out.”
The app also can consider behavioral biometrics as part of its risk mitigation.
“That includes how long you press down a PIN number, and the flight time between each number press,” notes Dolby. “You can make a determination to a degree of confidence that the way you enter your PIN is different from the way I would enter your PIN. So you can have some degree of assurance that I have not somehow stolen your phone in trying to enter a transaction. It’s a good layer of defense, though it’s never the only layer of defense.”
Stopping card-not-present fraud, he says, would free up a lot of money for retailers to fund the expensive chip-and-PIN migration.
“So even if they do steal the card, you’ve made it a worthless series of numbers to those people because you can stop the crime yourself,” Dolby says.
Encap is working with banks to deploy the app. Dolby says it also could be used by call centers, shipping services, and for replacing that pesky-but-critical confirmation email for online password changes.