
Seeking Security with New Credit Card Technologies

RFID chip pulled from new credit card (Photo credit: Wikipedia)
Visalia Direct: Virtual Valley
October 5, 2015 Deadline
November 2015 Issue

This summer, I had a credit card “cloned” while driving along the Interstate 76 Tollway. Because I check my credit card statements online after any trip, I noticed the fraudulent charges and cancelled the card. Credit cards remain one of the easiest targets for criminals and no easy solution seems likely. Two years ago, I had another credit card number stolen by a waiter. Local police informed me that such thefts remained the most common form of credit card fraud.

In both instances, I did everything “right” and was still a victim of thieves.

The waiter stealing card numbers asked to see my driver’s license before walking away from the table. He was writing down numbers, expiration dates and card verification values while standing behind a low wall. With these data, another criminal ran charges at a convenience store, listing charges as gas purchases.

When a credit or debit card leaves your sight, there’s little you can do to protect yourself from such simple, old-fashioned fraud. Before electronic credit card processing, unscrupulous cashiers would double-imprint cards to steal numbers. Today, there are smartphone apps that use the phone camera to capture card numbers and security codes. Stealing cards in person is easy… and difficult to prevent.

The card that was cloned on the I-76 Tollway was likely stolen at a gas pump, my credit union determined. For those unfamiliar with tollways, a common part of driving in the Midwest and Northeast, there are Tollway Plazas with food courts and other services. The gas stations are franchises of major convenience chains and the plazas are small shopping malls.

Without anyone detecting it, a “card skimmer” was installed by an employee or contractor at one of the gas pumps. The card skimmer reads magnetic strips as cards pass into the pump’s card reader. Data are retrieved by removing the skimmer or by using an external wireless device.

Because I know skimmers are most commonly found in non-bank ATMs, I only use bank ATMs and I carry cash for small purchases. Cash remains the safest form of currency, but I can’t recall the last time I paid cash for gasoline. If anything, that one person going inside to pay a cashier and then returning to collect change annoys most of us waiting in line at the pump island. It turns out, gas pumps are ideal places for credit and debit card theft.

Credit card issuers, processing companies, retailers and banks began a national migration to what’s being called the “Chip, Dip, PIN and Sign” solution to retail security. New cards have small chips embedded in them. These chips will replace the magnetic strip with a more secure, harder-to-clone technology. This new standard is known as “EMV Chipping,” which stands for Europay, MasterCard and Visa, the companies that collaborated to promote the new security. One problem with the new cards, however, is that the transaction must have an online connection for the security features to work properly.

The old strip has data embedded. Card readers access the data encoded in the strip, which includes the card number and any card access codes, such as a personal identification number (PIN). The strip never changes, which is how skimmers can clone a code.

The EMV chip contains encryption key values and other data. Instead of swiping an EMV card through a terminal, you “dip” the card into a slot. The chip reader transmits the encryption key to the payment processor and a one-time “transaction number” that looks similar to a credit card number is generated. No two transactions are ever associated with the same transaction number.

Not only does the transaction number change, but EMV cards expect a PIN and a signature. Unlike the PIN with magnetic strip cards, the PIN and your ZIP code are not stored on the card chip. These data are confirmed via the network, another reason the security requires an active network connection.
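The contrast above between the unchanging strip and the chip's one-time transaction number, as an added sketch that is not part of the original column. It is a simplified model, not the EMV specification: it assumes the card and the issuer share a secret key, uses HMAC-SHA256 as a stand-in for the real cryptogram, and every name, key and card number in it is constructed.

```python
import hashlib
import hmac

def cryptogram(key: bytes, pan: str, counter: int, amount: int) -> str:
    """Per-transaction value bound to the card, its counter and the amount."""
    msg = f"{pan}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def authorize(self, amount: int) -> dict:
        self._counter += 1  # advances on every transaction
        return {"pan": self.pan, "counter": self._counter, "amount": amount,
                "cryptogram": cryptogram(self._key, self.pan, self._counter, amount)}

class Issuer:
    def __init__(self, keys: dict):
        self._keys, self._last_counter = keys, {}

    def approve_stripe(self, track: str) -> bool:
        # Static data: a copy is byte-for-byte identical to the original swipe.
        return track.split("=")[0] in self._keys

    def approve_chip(self, txn: dict) -> bool:
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        expected = cryptogram(key, txn["pan"], txn["counter"], txn["amount"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False  # forged or altered message
        if txn["counter"] <= self._last_counter.get(txn["pan"], 0):
            return False  # counter already seen: a replayed capture
        self._last_counter[txn["pan"]] = txn["counter"]
        return True

def demo() -> dict:
    pan, key = "4000000000000002", b"constructed-demo-key"  # constructed values
    card, issuer = ChipCard(pan, key), Issuer({pan: key})
    stripe = f"{pan}=2712"  # constructed stripe record: number and expiry
    first = card.authorize(4500)
    return {
        "stripe_original": issuer.approve_stripe(stripe),
        "stripe_copy": issuer.approve_stripe(str(stripe)),
        "chip_original": issuer.approve_chip(first),
        "chip_replay": issuer.approve_chip(dict(first)),
        "chip_altered": issuer.approve_chip({**card.authorize(1000), "amount": 99900}),
        "chip_next": issuer.approve_chip(card.authorize(1200)),
    }

if __name__ == "__main__":
    print(demo())
```

The copied stripe record is accepted because nothing distinguishes it from the original, while the captured chip message is refused the second time it is presented.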

One of the gas stations I frequent has implemented EMV readers. To purchase gasoline with an EMV card, you dip the card into the reader and enter both the PIN and ZIP code. No signature is required, but the transaction is far more secure than in the past.

EMV card accounts also support automatic transaction alerts via text message or email. I have set my credit and debit card accounts to chime my iPhone with alerts. I often receive the alert before a waiter returns with my credit card. If my phone ever signals an unexpected charge, I will be able to take action immediately.

ApplePay turns an iPhone into a virtual EMV credit card. Most EMV cards include near-field communication (NFC) allowing you to tap or wave the card near a terminal instead of inserting the card into a slot. Newer iPhones and Android phones also have EMV-compatible NFC. Because the phones include additional security, such as their own access codes and fingerprint readers, credit card processors would like us to all switch to phones for purchases.

Companies like Target, which was the victim of a complex skimming attack, are rushing to implement EMV technologies. European merchants switched to EMV chips during the last three years. Credit card issuers have vowed to hold merchants without EMV terminals responsible for thefts and fraudulent charges.

You should ensure every card you carry is an EMV-enabled card. The cards have visible chips, making them easy to recognize. You can also switch to using ApplePay and other EMV-compatible services with a phone. That’s the most secure way to shop in person. Also, be sure you have registered a PIN for each EMV card or device. Some EMV cards have two PINs: one for cash machines and one for purchases.

Online purchases remain a weak link for credit card security. Always use a credit card, not a debit card. If your card offers online double-verification, sign up for that service. Sometimes called two-step verification, the card processor sends a message to your phone or computer when a retailer requests payment. You must acknowledge the message, usually by entering a numeric code, before a charge is processed. A data thief is unlikely to have your credit card number and your phone.

Criminals will always be racing to beat current security technology. If you seek security for your financial transactions, EMV chip cards and two-step security are welcome improvements to a familiar shopping experience.
