Monthly Archives: April 2015

New chip credit cards called 'a joke' — lessons from Europe offer the punchline

Bob Sullivan

The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder.  New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.

The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa. In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards, requiring that a PIN be entered each time a card is used. The change adds two distinct layers of security, which is to say two-factor authentication. To complete a transaction, buyers need to have in their hands a chip card, which is extremely difficult to counterfeit. And they must know something, a PIN, that is not stored on the card.

The U.S. is poised to implement only half this system. Chip cards must be accepted by merchants by the fall deadline, but not PINs. The so-called “chip & signature” system is a half-measure, according to Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.

“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.

For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumer’s signature.

Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.

“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.

Why? So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according to Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.

For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006. While counterfeit card fraud has shrunk, from 27 percent of all fraud in 2003 to 13 percent in 2013, other kinds of fraud have soared. Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013. Chip cards have no impact on online or telephone sale fraud because the chip is never read in a remote transaction and so cannot be used to authenticate it.

So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.

New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.

“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.

The trickiest part of the migration is that the U.S. is so far behind, at least a decade behind the U.K., for example, that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete. To some observers that lessens the urgency of the changeover.

But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.

“If the U.S. decided to skip EMV … it would be more of a target than it is today,” he said. “There is still value in migrating … it’s going to take a lot longer than people expect for mobile payments to really become commonplace.”

Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, where banks enjoyed at least a few years of reduced fraud before criminals caught up. Here in the U.S., criminals already have quite a head start on their EMV workarounds.

That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.


The Cyber Security Leap: From Laggard to Leader

Larry Ponemon

If your company is like most, security has risen to the top of the agenda among C-suite executives and boards of directors. Rapidly evolving security threats pose an ongoing, central challenge, as companies and governments face an increasingly sophisticated threat environment. Large global organizations with industry presence and value may be of special interest to adversaries, whether they be individuals, organized crime or nation states. Forrester predicts that at least 60 percent of enterprises will discover a breach in 2015, but says the actual number of breached entities will be much higher: 80 percent or more.

Accenture, in collaboration with the Ponemon Institute LLC, conducted a study to identify the success factors of companies that demonstrated a dramatic increase in security conditions during the past two years — the “leapfrogs” — to see what helped them move from laggard to leader.  The study unearthed six trends:

1. Security innovation is valued

Leapfrog companies have made significant increases to their level of security innovation, seeking out new approaches to emerging problems. Leapfrog companies are more likely to have an officially sanctioned security strategy, and this strategy is more likely to be the main driver of their organization’s security program.

2. Leapfrog organizations are proactive in addressing major changes to the threat landscape

They recognize that persistent attacks should change the company’s approach to IT security and adapt their security posture in response to threats. Different security threats continue to emerge; the research evaluated the level of impact those threats had on the organizations’ security ecosystem and how the organizations responded.

3. The CISO is important and influential

Both Leapfrog and Static organizations have a CISO; the important differences lie in how that role is viewed and executed. Across all organizations studied, the CISO has hiring/firing authority, holds responsibility for enforcing security policies and has authority over budget and investment decisions. Within Leapfrog organizations, the CISO is more likely to report directly to a senior executive, set the security mission by defining strategy and initiatives, and have a direct channel to the CEO in the event of a serious security incident.

4. Leapfrog companies excel in governance

Both groups of companies identified appointing a CISO for the organization, recruiting expert IT security personnel and background checks for all privileged users as critical to achieving a strong security posture. However, the Leapfrog companies are the ones that consider disaster recovery and business continuity management practices important. Static companies, on the other hand, are more likely than Leapfrog companies to cite clearly defined IT security policies and standard operating procedures (SOPs).

5. Certain technologies separate the two groups

Leapfrog companies exceed Static companies in viewing the following features of security technologies as very important: pinpointing anomalies in network traffic; prioritizing threats, vulnerabilities and attacks; curtailing unauthorized sharing of sensitive or confidential data; and enabling adaptive perimeter controls. In contrast, Static companies exceed Leapfrog companies in believing the following are more important features of security technologies: controlling insecure mobile devices including BYOD, limiting access for insecure devices and enabling efficient backup functionality.

6. Security budgets in Leapfrog companies include funding for innovations in information technologies

Leapfrog companies are more likely to have a dedicated budget for their security programs and have allocated more money toward security over the past few years (Figure 8). They also have a fund dedicated to innovations in information technologies. These companies are more positive about having enough funding to meet their mission and objectives.

Methodology

To estimate the security posture of organizations, we used the Security Effectiveness Score (SES) as part of the survey process. The SES was developed by the Ponemon Institute in its annual encryption trends survey to define the security effectiveness of responding organizations. We define an organization’s security effectiveness as its ability to achieve the right balance between efficiency and effectiveness across a wide variety of security issues and technologies. The SES is derived from the rating of 48 security features or practices. This method has been validated by more than 60 independent studies conducted since June 2005. The SES ranges from +2 (most favorable) to -2 (least favorable). A result for a given organization greater than zero is viewed as net favorable, which means the organization’s investment in people and technology is both effective in achieving its security mission and efficient: the organization is not squandering resources and is still achieving its security goals. A negative SES has the opposite meaning.

For this research, we evaluated hundreds of companies that were previously benchmarked so that changes in the organizations’ SES scores could be measured and evaluated. Based on that analysis, we divided the sample into the following groups:

Leapfrog sample: 110 companies that experienced a 25 percent or greater increase in their SES over a two-year period. The average increase in SES for these companies was 53 percent.

Static sample: 137 companies that experienced no more than a 5 percent net change in their SES over a two-year period, with an average change of 2 percent. This sample was matched to the Leapfrog sample based on industry, size and global footprint.

To read the full report, click here.