On the heels of the recent barrage of payment card theft, banks are scrambling to roll out EMV-based solutions. But is it enough?
Sure, two-factor authentication is better than one. But in many cases, point-of-sale-based malware could still snap up customers' information and steal their money. And until stealing money is no longer profitable, the black market will continue steaming forward.
On the deep web, European cards typically sell for around 30% more than their U.S. counterparts, depending on the vendor, and there's still plenty of supply. This means that EMV cards abroad get stolen all the time.
Meanwhile, a deluge of new EMV cards filled U.S. mailboxes in the fall. But credit card theft headlines haven't subsided. There's still more to the security puzzle than any single silver bullet, including EMV.
One of the points of failure lies in how EMV information is initially captured and authenticated. If hackers tamper with the hardware or associated software on merchants' EMV-enabled equipment, they can silently spirit off the data to print fake cards for resale.
This data is typically exfiltrated slowly so as to avoid tripping network sensors or other defenses, so businesses wouldn't even necessarily know about a breach. Once this happens and information is harvested, the bad news has just begun. So regardless of how seriously you believe that your local corner shop takes security, current generations of point-of-sale malware are sophisticated enough to challenge the most serious of cyber defenses.
Many smaller organizations are delaying their efforts to swap out legacy point-of-sale systems in pursuit of EMV-compliant equipment due to cost. They're more likely to take a wait-and-see approach, adding further delays to securing the payment ecosystem. The payments industry has been pushing for greater liability to businesses falling behind the security curve. But how many small businesses in your town accept EMV cards so far?
EMV cards are a great step, sure. But they are only one of many necessary steps to secure the whole ecosystem, as evidenced by continued theft at numerous other links in the chain. So while EMV cards are certainly moving payments in the right direction, the safety of the whole process is far from totally secure. And if customers have their money stolen, they don't much care where or how they just care that their funds have been placed at risk. Now, about that mobile payment app you just downloaded.
Cameron Camp is a security researcher at ESET, a security software company. This post originally appeared on paymentssource.com.