Skip to main content

Seeking Security with New Credit Card Technologies

RFID chip pulled from new credit card
RFID chip pulled from new credit card (Photo credit: Wikipedia)
Visalia Direct: Virtual Valley
October 5, 2015 Deadline
November 2015 Issue

This summer, I had a credit card “cloned” while driving along the Interstate 76 Tollway. Because I check my credit card statements online after any trip, I noticed the fraudulent charges and cancelled the card. Credit cards remain one of the easiest targets for criminals and no easy solution seems likely. Two years ago, I had another credit card number stolen by a waiter. Local police informed me that such thefts remained the most common form of credit card fraud.

In both instances, I did everything “right” and was still a victim of thieves.

The waiter stealing card numbers asked to see my driver’s license before walking away from the table. He was writing down numbers, expiration dates and card verification values while standing behind a low wall. With these data, another criminal ran charges at a convenience store, listing charges as gas purchases.

When a credit or debit card leaves your sight, there’s little you can do to protect yourself from such simple, old-fashioned fraud. Before electronic credit card processing, unscrupulous cashiers would double-imprint cards to steal numbers. Today, there are smartphone apps that use the phone camera to capture card numbers and security codes. Stealing cards in person is easy… and difficult to prevent.

The card that was cloned on the I-76 Tollway was likely stolen at a gas pump, my credit union determined. For those unfamiliar with tollways, a common part of driving in the Midwest and Northeast, there are Tollway Plazas with food courts and other services. The gas stations are franchises of major convenience chains and the plazas are small shopping malls.

Without anyone detecting it, a “card skimmer” was installed by an employee or contractor at one of the gas pumps. The card skimmer reads magnetic strips as cards pass into the pump’s card reader. Data are retrieved by removing the skimmer or by using an external wireless device.

Because I know skimmers are most commonly found in non-bank ATMs, I only use bank ATMs and I carry cash for small purchases. Cash remains the safest form of currency, but I can’t recall the last time I paid cash for gasoline. If anything, that one person going inside to pay a cashier and then returning to collect change annoys most of us waiting in line at the pump island. It turns out, gas pumps are ideal places for credit and debit card theft.

Credit card issuers, processing companies, retailers and banks began a national migration to what’s being called the “Chip, Dip, PIN and Sign” solution to retail security. New cards have small chips embedded in them. These chips will replace the magnetic strip with a more secure, harder-to-clone technology. This new standard is known as “EMV Chipping,” which stands for Europay, MasterCard and Visa, the companies that collaborated to promote the new security. One problem with the new cards, however, is that the transaction must have an online connection for the security features to work properly.

The old strip has data embedded. Card readers access the data encoded in the strip, which includes the card number and any card access codes, such as a personal identification number (PIN). The strip never changes, which is how skimmers can clone a code.

The EMV chip contains encryption key values and other data. Instead of swiping an EMV card through a terminal, you “dip” the card into a slot. The chip reader transmits the encryption key to the payment processor and a one-time “transaction number” that looks similar to a credit card number is generated. No two transactions are ever associated with the same transaction number.

Not only does the transaction number change, but EMV cards expect a PIN and a signature. Unlike the PIN with magnetic strip cards, the PIN and your ZIP code are not stored on the card chip. These data are confirmed via the network, another reason the security requires an active network connection.

One of the gas stations I frequent has implemented EMV readers. To purchase gasoline with an EMV card, you dip the card into the reader and enter both the PIN and ZIP code. No signature is required, but the transaction is far more secure than in the past.

EMV card accounts also support automatic transaction alerts via text message or email. I have set my credit and debit card accounts to chime my iPhone with alerts. I often receive the alert before a waiter returns with my credit card. If my phone ever signals an unexpected charge, I will be able to take action immediately.

ApplePay turns an iPhone into a virtual EMV credit card. Most EMV cards include near-field communication (NFC) allowing you to tap or wave the card near a terminal instead of inserting the card into a slot. Newer iPhones and Android phones also have EMV-compatible NFC. Because the phones include additional security, such as their own access codes and fingerprint readers, credit card processors would like us to all switch to phones for purchases.

Companies like Target, which was the victim of a complex skimming attack, are rushing to implement EMV technologies. European merchants switched to EMV chips during the last three years. Credit card issuers have vowed to hold merchants without EMV terminals responsible for thefts and fraudulent charges.

You should ensure every card you carry is an EMV-enabled card. The cards have visible chips, making it easy to recognize. You can also switch to using ApplePay and other EMV-compatible services with a phone. That’s the most secure way to shop in person. Also, be sure you have registered a PIN for each EMV card or device. Some EMV cards have two PINs: one for cash machines and one for purchases.

Online purchases remain a weak-link for credit card security. Always use a credit card, not a debit card. If your card offers online double-verification, sign up for that service. Sometimes called two-step verification, the card processor sends a message to your phone or computer when a retailer requests payment. You must acknowledge the message, usually by entering a numeric code, before a charge is processed. A data thief is unlikely to have your credit card number and your phone.

Criminals will always be racing to beat current security technology. If you seek security for your financial transactions, EMV chip cards and two-step security are welcomed improvements to a familiar shopping experience.

Comments

Popular posts from this blog

Comic Sans Is (Generally) Lousy: Letters and Reading Challenges

Specimen of the typeface Comic Sans. (Photo credit: Wikipedia) Personally, I support everyone being able to type and read in whatever typefaces individuals prefer. If you like Comic Sans, then change the font while you type or read online content. If you like Helvetica, use that.

The digital world is not print. You can change typefaces. You can change their sizes. You can change colors. There is no reason to argue over what you use to type or to read as long as I can use typefaces that I like.

Now, as a design researcher? I'll tell you that type matters a lot to both the biological act of reading and the psychological act of constructing meaning. Statistically, there are "better" and "worse" type for conveying messages. There are also typefaces that are more legible and more readable. Sometimes, legibility does not help readability, either, as a type with overly distinct letters (legibility) can hinder word shapes and decoding (readability).

One of the co…

Let’s Make a Movie: Digital Filmmaking on a Budget

Film camera collection. (Photo credit: Wikipedia) Visalia Direct: Virtual Valley
June 5, 2015 Deadline
July 2015 Issue

Every weekend a small group of filmmakers I know make at least one three-minute movie and share the short film on their YouTube channel, 3X7 Films.

Inspired by the 48-Hour Film Project (48hourfilm.com), my colleagues started to joke about entering a 48-hour contest each month. Someone suggested that it might be possible to make a three-minute movie every week. Soon, 3X7 Films was launched as a Facebook group and members started to assemble teams to make movies.

The 48-Hour Film Project, also known as 48HFP, launched in 2001 by Mark Ruppert. He convinced some colleagues in Washington, D.C., that they could make a movie in 48 hours. The idea became a friendly competition. Fifteen years later, 48HFP is an international phenomenon, with competitions in cities around the world. Regional winners compete in national and international festivals.

On a Friday night, teams gathe…

Edutainment: Move Beyond Entertaining, to Learning

A drawing made in Tux Paint using various brushes and the Paint tool. (Photo credit: Wikipedia) Visalia Direct: Virtual Valley
November 2, 2015 Deadline
December 2015 Issue

Randomly clicking on letters, the young boy I was watching play an educational game “won” each level. He paid no attention to the letters themselves. His focus was on the dancing aliens at the end of each alphabet invasion.

Situations like this occur in classrooms and homes every day. Technology appeals to parents, politicians and some educators as a path towards more effective teaching. We often bring technology into our schools and homes, imagining the latest gadgets and software will magically transfer skills and information to our children.

This school year, I left teaching business communications to return to my doctoral specialty in education, technology and language development. As a board member of an autism-related charity, I speak to groups on how technology both helps and hinders special education. Busin…