On the heels of the recent barrage of payment card theft, banks are scrambling to roll out EMV based solutions, but is it enough?
Sure, two-factor authentication is better than one factor, but in many cases, point of sale-based malware could still snap up your information and steal your money. And until stealing your money is no longer profitable, the black market will continue steaming forward.
On the deep web, European-based cards typically sell for around 30% more than their U.S. counterparts (depending on the vendor) and theres still plenty of supply, which means stealing EMV cards happens all the time. The European Union (EU) has had EMV for some time, which youre well aware of if youve traveled there with U.S. magnetic stripe only cards.
Even after the deluge of new EMV cards filled the mailboxes in the U.S., the credit card theft headlines havent subsided, so theres still more to the security puzzle than any single magic bullet, including EMV.
One of the points of failure lies in how the information is initially captured and authenticated. If either the hardware or associated software has been tampered with, information can be silently spirited off to bad actors to print fake cards for resale.
This data is typically exfiltrated slowly enough to not trip network sensors or other defenses, so the business wouldnt even necessarily know. Once this happens and information is harvested, the bad news is just starting. So regardless of how seriously you believe your local corner shop takes security, current generations of POS malware are sophisticated enough to challenge the most serious of cyber defenses.
For smaller organizations, efforts to swap out legacy point-of-sale systems in the pursuit of stronger security lag due to cost. Theyre more likely to take a wait-and-see approach, adding further delays in securing the payment ecosystem. This means even the lowest common denominators, the small businesses that cant afford to upgrade the equipment to begin with, are waiting even longer to follow their mainstream counterparts.
Upgrade efforts have been bolstered by stronger pressure elsewhere in the payments ecosystem to drive liability to those lagging behind the security curve, but how many small businesses in your town require EMV so far?
EMV is a great step, sure, but it's only one of many necessary to secure the whole ecosystem, as evidenced by continued theft at numerous other links in the chain. So while its certainly a step in the right direction, the safety of the whole payment process is far from totally secure, and if your money gets stolen you dont much care where or how -you just care that youve been placed at risk. Now about that mobile payment app you just downloaded.
Cameron Camp is a security researcher at ESET, a security software company.