Downside of EMV Adoption: Hackers May Shift Focus to Banks

Register now

For more than a year, hackers have found easy pickings at large retailers: 110 million records stolen from Target; 1.6 million from Staples; 56 million from Home Depot; 45.6 million from TJ Maxx; the list goes on.

The U.S. shift to EMV chip-and-PIN cards next fall will surely make retailers a less compelling target for such attacks. So will Apple Pay's tokenization scheme, which, like EMV, reduces the amount of sensitive cardholder data stored by merchants.

All well and good, but now some bankers are worrying that when retailers are no longer such fruitful targets, the hackers will redouble their efforts to break into banks.

"How is that [hacking activity] going to stop now that we've got Apple Pay and EMV coming along? It's not going to stop, it's just going to move to the next likely target," said James Gordon, chief technology officer at Needham Bank in Needham, Mass.

"Who has the numbers the hackers want? The banks," Gordon said. "Before, it was the banks and the retailers, retailers just happened to be an easier target. Bankers need to be especially aware that this is just a shift in focus [on hackers' part] to banks, front and center."

Banks have not been completely bypassed by cybercriminals, of course. According to the Identity Theft Resource Center, 42 data breaches were carried out against banks in 2014. But other than the massive JPMorgan Chase breach, most of these have been smaller-scale breaches that have fallen under the general public's radar.

MasterCard and Visa have told retailers they must accept cards embedded with computer chips that comply with the Europay, MasterCard and Visa standard by Oct. 15 or take greater liability for fraud losses.

Hackers currently use stolen card data to create fake debit and credit cards, which they then use to withdraw cash from ATMs and make purchases in stores and online. It's much harder to create fake chip cards from stolen data than it is to create fake magnetic stripe cards. And EMV point-of-sale terminals that require a PIN as well as read a chip are harder to game than terminals that require only a stripe swipe and a meaningless signature that no one really looks at.

At the $1.6 billion-asset Needham Bank, Gordon is preparing for EMV in two ways. One is by trying to limit the bank's exposure to hackers.

"This is easier said than done, but if there are things that can get shut off that aren't critical to the operation, shut them off," he said. "If you have less exposed, you have less to watch." For instance, he's double-checking firewall rules to make sure nothing's slipping through the cracks.

He's also stepping up security training and education. "We need to stop telling people what's going on and start showing them examples of [phishing] emails that look spot on, show people how easy it is to put an ATM skimmer on a device, show them videos, don't just tell them it's a 'grave' threat. We should stop using adjectives and start showing."

Another common concern about the shift to EMV is that cybercriminals will direct their activity at online, card-not-present fraud.

Neither EMV nor Apple Pay appears to protect online purchases where the consumer must enter her credit card information, pointed out Philip Smith, director of information technology at the $221 million-asset Harvard State Bank in Harvard, Ill.

"Since online transactions and card-not-present transactions cannot take advantage of the chip or tokenization, we will most likely see an increase in hacking and fraud in these transactions," he said. "Hackers will continue to attack online merchants and online credit card wallets."

For example, hackers have already attacked CurrentC, a merchant-backed rival to Apple Pay, stealing the email addresses of early participants, he noted. "These email addresses can then be utilized for directed phishing attacks against those users in attempts to gain their confidential information," he said.

Smith recommends to customers that they use only one or two credit cards online.

"This should be separate from the card that they use to buy gas or go out to eat with," he said. "Then if a breach or hack is announced, they can cancel the potentially affected card and still get gas for the vehicle or go out to eat while waiting for their new card to come in. Additionally, consumers should keep their limits low on their cards."

Al Pascual, director of fraud and security at Javelin Strategy & Research, also sees online and e-commerce fraud becoming a bigger risk with EMV adoption.

But the threat he envisions is more around new account opening and account takeover fraud.

"If you can't steal card data at the point of sale, then the next best option is to go out and get the cards directly from the bank," he said. "You either take over an existing account, and get cards mailed to you from that account, or you steal an identity and apply for an account."

There was a dramatic rise in fraudulent new accounts and account takeovers in the U.K. when it adopted the EMV standard, Pascual said. "Certainly banks are going to want to be concerned about that, and improving their customer identity programs for new accounts." They should also be taking advantage of advanced authentication technology, he said.

"If I was as banker, I would really focus on existing account holders, because we've already seen this huge increase in account takeovers in the past few years," he said.

Account takeover isn't that different from what fraudsters are doing now, he said. "It's more work and a slightly different MO but it doesn't require any new tactics or a change in skill sets."

If hackers retrain their focus on banks, most would agree that financial institutions are better braced for attack than retailers have been.

"I'd say based on regulations and our fiduciary responsibility," banks are more secure, Gordon said. He noted that in's visualization of the world's biggest data breaches, only one bank is associated with a major breach - JPMorgan Chase. 

"The track record speaks for itself," he said.

For reprint and licensing requests for this article, click here.