
My EMV for a Week Challenge is DONE!

This week I worked with Gemalto, as part of Gemalto’s #ChipAwayAtFraud campaign. I was tasked with using my “chip” card when making a bunch of everyday purchases like getting coffee and shopping. Gemalto, one of the world’s leaders in digital security, wanted a real-world take on the EMV card experience, which includes the security benefits EMV cards present. You know EMV; it’s the “chip” credit card that, by now, you should have.

Here’s what I learned:

A significant portion of the retailers I frequented didn’t have the chip terminals in place. The ones that did afforded more security and a seamless transaction. At this point in EMV’s rollout, the biggest issue, or frustration, I think, is its lack of deployment. For instance, you may have to redo a transaction when you insert a chip card instead of swiping it, only to be told by the cashier, “We don’t accept chip cards yet, please swipe.” The opposite happens too, but less frequently.

Otherwise, chip cards are a no-brainer. The “learning curve” for EMV, or chip, is overcome in the first transaction. Once done, you’ll be able to do it every time, and there are no delays or issues with the transaction.

Overall, we are collectively more secure because of EMV/chip technology. Over time, there will be 100% adoption of this method as magnetic-stripe cards are phased out along with magnetic-stripe “swipe” point-of-sale terminals. For now, and really, forever, a consumer’s first line of defense is to pay close attention to their card statements.

I always recommend signing up for your bank or card company’s mobile app and receiving alerts and notifications with each transaction. This way you’ll be able to dispute fraudulent charges in real-time, if needed.

Meanwhile, your chip cards are here to stay. Embrace the technology, as its primary purpose is security and convenience. As more and more retailers get up to speed, we will see fewer and fewer news reports of huge credit card data breaches because of EMV’s full-scale deployment.

Banks and Credit Card Issuers Move Toward Chip and PIN

EMV, which stands for Europay, MasterCard, and Visa, refers to the chip and PIN credit card technology commonly used in Europe and elsewhere around the world. Credit cards that incorporate an embedded microprocessor chip are far more secure than any other form of credit card currently available, including the standard magnetic striped cards that are all too easy to skim at ATMs and point of sale terminals.

Major banks and retailers are now pushing very hard to make EMV the new standard in the United States. Visa recently announced plans to expand their Technology Innovation Program to the U.S., which will encourage retailers to support cards with microchips by “[eliminating] the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75% of the merchant’s Visa transactions originate from chip-enabled terminals.” This will go into effect October 1, 2012 for merchants whose point-of-sale terminals accept both contact and contactless chips.

Meanwhile, Citi has announced the launch of its own Citi Corporate Chip and PIN card, which is designed for U.S. cardholders who travel abroad. Bank of America has made a similar announcement of its expanded credit card technology aimed at international travelers. And Wells Fargo is already testing EMV cards in the United States, with its Visa Smart Card, which includes the traditional magnetic stripe as well as a microprocessor chip, in order to make the cards flexible and useable around the world. Wells Fargo’s pilot program includes 15,000 customers who travel regularly.

With all these major players making significant strides to embrace EMV chip technology, it’s only a matter of time before full adoption becomes inevitable.

Consumers would be smart to take advantage of any pilot program available to them. EMV chip and PIN technology is more secure, and it also works better internationally than the old-school magnetic stripe.

For more information on the benefits of EMV chip technology and to show your support, visit www.GetFluentC.com, from JustAskGemalto, to let your voice be heard and share your stories.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

 

Top 5 Vishing Techniques

“Vishing” occurs when criminals call victims on the phone and attempt to lure them into divulging personal information that can be used to commit identity theft.

The name comes from “voice,” and “phishing,” which is, of course, the use of spoofed emails designed to trick targets into clicking malicious links. Instead of email, vishing generally relies on automated phone calls, which instruct targets to provide account numbers.

Vishing techniques include:

Wardialing: This is when the visher uses an automated system to call specific area codes with a message involving local or regional banks or credit unions. Once someone answers the phone, a generic or targeted recording begins, requesting that the listener enter bank account, credit, or debit card numbers, along with PIN codes.

VoIP: Voice over Internet Protocol, or VoIP, is an Internet-based phone system that can facilitate vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing. VoIP has known flaws that allow for caller ID spoofing. These tools are typically used to populate the caller ID with a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One time-tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once the visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams, educate yourself. Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to be up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to be coming from a trusted organization, call that entity directly to confirm their request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

How Much Longer Does the Magstripe Have?

Every U.S.-based credit card has a magnetic stripe on the back. This stripe can be read and rewritten like a rewritable burnable CD, using card burners that are easily available online.

The simplicity of the magstripe’s design, coupled with the availability of card reading and writing technology, results in billions of dollars in theft and fraud.

EAST, the European ATM Security Team, recently released European ATM crime statistics for January through June of 2010. Apparently, skimming at European ATMs increased by 24%, with 5,743 attacks reported in the first six months of 2010, compared with 4,629 during the same period in 2009. There haven’t been so many skimming attacks since EAST began measuring these statistics in 2004.

During this same time frame, however, while incidents of skimming have risen, the associated financial losses have dropped. This is because the cards being skimmed have an additional layer of security known as chip and PIN technology, or EMV, which stands for Europay MasterCard Visa.

But because these cards still have magnetic stripes, they are still being skimmed. The stripe is there for the convenience of cardholders who travel to the United States or the handful of other countries that still rely on the magstripe technology. Chip and PIN cards without magstripes are standard in Europe. As skimming continues, the issue of whether to discontinue the magstripe is bound to come to a head. The European Central Bank’s most recent progress report states:

“In line with Europol’s stance on the future of the magnetic stripe and in support of the industry’s efforts to enhance the security of cards transactions by migrating from the “magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards.”

In the United States, the United Nations Federal Credit Union has adopted chip and PIN technology, and Walmart is demanding it. Further, Travelex, the world’s largest non-bank foreign exchange currency provider, introduced America’s first prepaid foreign “currency cards,” available in Euros and British Pounds, that utilize chip and PIN technology. And based on what is happening in Europe, change is in the air.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)