Ten years ago this month, credit card companies deployed “chip and pin” technology in Europe, helping keep millions of consumers safer from fraud and identify theft – at least for a while.
The technology, which utilizes that small computer chip visibly embedded in a debit or credit card, was at the time a major breakthrough in the fight to secure financial transactions. But preventing fraud is a constantly evolving arms race. Over the past decade thieves both here in the U.S. and abroad have adopted to the technology rendering it – and our policy debate over the issue – out of date.
Consider the past decade from a technology perspective. Ten years ago, a new HDTV cost an astonishing $7,000. YouTube and Twitter were Internet babies. The iPhone didn't exist - you couldn't pay for your Starbucks with just a wave of the app.
Imagine walking into Best Buy in today only to find a huge display case showing off the very first Nintendo Wii (released TEN years ago - November 2006). The idea is absurd - technology and consumer demand moves much too quickly for any retailer to do that.
And yet when you go to swipe your card at check out, many of the big box stores likely will just recently have installed a machine with a chip reader slot - a technology that has been in use around the globe longer than the iPhone has been in use. In fact, many of retail locations would prefer consumers avoid using the chip reader and continue simply swiping their cards.
Isn't your bank account important enough to expect technology that's newer than George W. Bush's second inaugural? Isn’t it the first rule of security NOT to use the same PIN (password) at multiple locations? Why should consumers be forced to use the same PIN that the debit card uses to prior direct access to their checking account?
Europe's experience shows why officials must stay vigilant to the evolving techniques of criminals. When chip and pin was widely adopted in 2006, it was very successful in reducing fraud for a few years. But then around 2011, police began finding cases where criminals had hacked the chips, including one crime ring in Belgium that utilized a “man in the middle” attack to bypass the PIN requirement altogether. But it wasn’t until last year that security experts determined how this was accomplished. In 2013, credit card fraud in Britain spiked 17 percent, and has been rapidly increasing. In addition to technological attacks, fraudsters have perfected more traditional, low-tech cons to circumvent chip-embedded cards, whether posing as tellers over the phone, using pin-hole cameras or simply number pad overlays.
Meanwhile, here in the U.S. credit card fraud has received new interest following the recent round of settlements for the embarrassing security breaches at Target and Home Depot.
In nearly all the large-scale U.S. cases, hackers were able to penetrate security by installing computer viruses on loosely secured networks connected to cash registers. The viruses invisibly relayed card details – from tens of millions of Americans – back to computers controlled by the hackers.
Stung by these and other widely reported breaches, retailers have begun clamoring for chip and PIN in the U.S. as well, which is unfortunate and less than forward thinking.
First, the retailers are ten years too late to be employing a technology that is at about the end of its lifespan in the rapidly evolving Internet-age security landscape. The total number of possible combinations from four numbers is limited to only 10,000 discrete numbers, which a home computer with a simple program can easily "crack" in short order. The need for increased security is understood by consumers who know that the PINs in "chip and pin" are typically passwords composed of only four numbers - while even the new iPhone uses six!
Second, the retailers' fixation on a nearly defunct technology unfortunately keeps the focus away from the need to constantly improve cybersecurity and embrace next-gen technologies such as tokenization, encryption and other techniques designed to thwart attacks such as “the man in the middle” and "shimmers". These tools would replace the consumers card PIN with a much more complicated, computer-strength password. Best yet, the card holder won't have to memorize this PIN - making it inherently more secure.
Third, it is unfortunate that this debate skims over the most important factor from a consumer point of view. When using debit cards in retail settings, “chip and PIN” forces consumers to enter the same PIN tied directly to their bank account. Any breach effects them much more directly. Something policymakers seem willing to blithely ignore.
Finally, there are a number of reports suggesting retailers have a hidden political motivation for their chip and PIN push: leverage for an entirely separate political debate over “interchange”. These are the fees which retailers pay to credit card companies to process the payments in their stores. Senator Dick Durbin (D-Illinois), who authored the eponymous amendment capping interchange fees on debit cards, recently attacked card companies for not encouraging “Chip and PIN”. It seems that Senator Durbin is avoiding concerns over increasing consumer protection. Durbin and the retailers are hoping that they can mandate the "PIN" in chip and PIN and somehow achieve lower interchange fees.
Personally, preventing my bank account from being looted by a criminal is more important than whatever political board game the retailers' lobbyists are playing, and it's honestly outrageous that we have to debate outdated technology because of a completely unrelated issue.
To summarize: back in the day, chip and PIN was great technology. It worked for a number of years to help consumers in Europe. If policymakers want to push solutions, give us “chip with tokenization” or mobile payments with biometric authentication. At this point, however, it does more harm than good to mandate a security standard that is the security equivalent of the iPod classic.