Data breaches at Target, Neiman Marcus and other retail chains
left many of us nervous about using our debit and credit cards.
Data for 40 million credit cards was stolen from Target's
point-of-sale machines in 2013, and another 1.1 million from Neiman
What is being done to protect cardholders at checkout -- and
what can we do in the meantime to protect ourselves? We asked Slava
Gomzin, security and payments technologist at Hewlett-Packard and
author of "Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions," published by Wiley in February.
The Target debacle set off a debate about debit cards vs.
credit cards. Which is safer in that kind of breach?
A: In theory, a debit card is safer than a credit card because
it offers two-part identification. In information security, this is
called two-factor authentication. You have to swipe your card then
key in your PIN number, which makes it twice as hard for a hacker
to replicate and use your card. The problem is most debit cards are
dual-purpose, so they can be used as a debit card but processed by
the credit card network.
If you have a debit card, you know some places prompt you to
enter a PIN number, but in others you just swipe the card without
entering the PIN. The cardholder data on the magnetic stripe can be
processed without the two-part identification. So hackers can still
steal the data from the [point-of-sale] machine, make fake cards
and use them.
Will the migration to chip cards protect us from
technology brings some protection. You insert a
instead of swiping, then key in your PIN number. So there's that
two-factor authentication. There is also an immediate dynamic
offline authentication that magnetic stripe cards don't have. The
original purpose behind EMV was to fight credit card fraud at point
of sale. Chip cards protect the cardholder much better there than
magnetic stripe cards.
We're getting mostly chip-and-signature cards in the U.S.
Is the two-step process of signing as effective as keying in a
A: From the POS perspective, it's the same as chip-and-PIN. It's
just less secure from the merchant's perspective. Some people think
there's some validation of the signature when you sign on the
terminal, but there is no validation. You can put anything instead
of your signature. Nobody's validating it.
Could those breaches at Target and Neiman Marcus have been
avoided if chip cards were used instead of magnetic-stripe
A: Not necessarily, because EMV was not designed to secure the
cardholder's data after the point of sale. With the breaches at
Target and Neiman Marcus, cardholder data was stolen after it was
entered into the system. It was stolen from the memory of POS
machines. At that point, it doesn't matter if it was entered
through the magnetic stripe. When someone steals cardholder data
through an EMV card, dynamic indication was used so you cannot just
replicate the cards and use it for another transaction. The bottom
line is that EMV is more secure than magnetic stripe, but it's not
really designed to secure the data.
Chip technology has been around for 10 years. Is it still
A: EMV is not new technology. It did significantly reduce the
amount of fraud for brick-and-mortar merchants in Europe, but the
fraud there moved online. A big problem with EMV is it doesn't
provide security to online transactions. When you go to a website
to pay for something with an EMV card, you still need to enter the
account number and date exactly the same way you do with a magnetic
By the time we make the transition to EMV, will hackers have
figured a way around it?
A: Hackers are not super smart. They look for the easy way to
steal card data. It's much more difficult to steal EMV data than
magnetic stripe, so hackers moved to the U.S. The U.S. is the
easiest place to steal card data today.
After the transition to EMV, they will try to find new ways to
attack the systems. At conferences in recent years, white-hat
hackers demonstrated that EMV is vulnerable to attack. Hackers will
adapt to the new technology the same way they adapted to PCI after
it was introduced seven years ago.
rules -- short for Payment Card Industry Data Security
Standard -- were set up in 2004 to protect us from this kind of
fraud. Do the recent breaches mean that system failed?
A: PCI reduced the amount of breaches significantly for a couple
years and then hackers learned how to avoid it because there were
so many holes in PCI -- especially in stores. PCI rules allowed
data to be processed in the RAM of point-of-sale machines, then
transmitted over the local networks. Hackers learned this quickly
and after a couple years, the amount of breaches started to grow.
By the end of last year, it was growing exponentially.
You compared the PCI-compliant merchant environment to "a poorly
designed nuclear reactor ready for a meltdown."
A: [Laughs.] Of course, it was a good idea to introduce PCI, but
PCI is suitable for big payment processors like banks and data
centers. It's not suitable at all for the store environment. I
think it was a mistake originally to introduce PCI to merchants.
Instead of investing a lot of money into PCI compliance, they
should have invested in point-to-point encryption and forget about
In your book, you advocate for an overhaul of the security system
at point of sale. How likely is that to happen?
There are technologies today that would solve the problem.
is one. It protects the cardholder data from the moment of the card
entry ... The problem is that it requires significant investment in
[research and development] and hardware. So instead of investing in
that, merchants were forced to follow these PCI rules that are not
so effective at protecting the cardholder. It's not something we
can't stop, but I don't think we are moving in the right
Merchants are already investing a lot in EMV technology in the
U.S. If they resist an expensive security overhaul, will we see
more Target-style breaches?
A: Even if merchants decided to make a full transition to EMV
tomorrow, it would take several years for a full transition and it
still doesn't protect online transactions. So we will see more
breaches, at least in the near future.
As cardholders, where are we most vulnerable -- in stores or
A: Both are vulnerable. As long as there are magnetic stripe
cards being used, we're far more vulnerable in stores than we would
be with chip cards. Online, there are payment systems in place that
introduce some security. Instead of just entering your cards every
time, you can use PayPal or Amazon Payments, for example. Both
technologies are much safer than entering your credit card
I've always wondered if I'm more or less vulnerable using
A: If you have a choice on the Web, always select PayPal because
it stores your cards' information on special servers in a secure
environment. PayPal and Amazon Payments are also PCI compliant, by
the way, but PCI compliance works there because both have big data
centers with IT professionals and security experts. When you key in
your credit card online or use it at a store, you simply don't know
what will happen to the number after the transaction.
Some issuers offer virtual credit card numbers you can register
for before an online purchase. The numbers expire after 24 hours.
Is that an effective way to protect your information?
A: Yes, it offers some protection, but you still have to enter
your credit card number to generate this temporary number, so you
still expose your data online. The second issue is that it's not a
very practical solution because it takes time and consumers don't
like to take that extra step. It's definitely much safer than just
using your credit card.
So hackers grab our information as we're inputting the credit card
A: With an online transaction, they can attack through a plug-in
on your browser, something stored in your machine or on the
retailer's website. There are a lot of ways to attack online
Is it similar to the way hackers stole cardholder information at
Target and Neiman Marcus?
A: No, the attack vectors are completely different for
brick-and-mortar transactions. I can't tell for sure what they did
at Target and Neiman Marcus because they don't disclose this
information. Based on what we know, I assume it was done by
, where software is installed on point-of-sale machines to scan the
memory and look for credit card numbers. It's relatively simple. It
collects this data and sends it to the command center, a virtual
data center installed somewhere in a different country.
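As an added illustration (not code from the interview or from Gomzin's book) of two points made above, that PCI-era POS software parses cleartext card data in RAM where memory-scraping malware can read it, and that point-to-point encryption keeps that data out of the POS entirely, here is a Python sketch of both flows plus the cleartext-PAN scan a PCI scope review would run over POS memory. The HMAC-based stream cipher (a stand-in for the AES/DUKPT scheme of a real encrypting reader), the test PAN, the POS header and all function names are constructed for this demo.

```python
import hashlib
import hmac
import os
import re

# Constructed Track 2 sample using a well-known test PAN; not a real card.
TRACK2 = b";4111111111111111=2512101?"
POS_HEADER = b"POS txn=000123 "  # hypothetical POS transaction prefix held in RAM

def luhn_ok(digits):
    """Luhn check that card-data scanners use to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cleartext_pans(memory):
    """Flag 13-19 digit runs passing Luhn in a process memory image: the
    check a PCI scope audit of a POS process would run."""
    return [m.group(0).decode()
            for m in re.finditer(rb"(?<!\d)\d{13,19}(?!\d)", memory)
            if luhn_ok(m.group(0).decode())]

def keystream_xor(key, nonce, data):
    """Toy stream cipher from HMAC-SHA256, standing in for the AES/DUKPT
    scheme a real encrypting reader uses; XOR, so the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def pci_style_pos(track2):
    """Pre-P2PE flow: the reader hands cleartext track data to the POS app,
    which holds and parses it in RAM before sending it to the processor."""
    return POS_HEADER + track2

def p2pe_pos(track2, reader_key, nonce=None):
    """P2PE flow: the reader encrypts before the POS sees the data; POS RAM
    holds only nonce and ciphertext, which it forwards unchanged."""
    nonce = nonce or os.urandom(12)
    return POS_HEADER + nonce + keystream_xor(reader_key, nonce, track2)

def processor_decrypt(message, reader_key):
    """Only the processor, which holds the reader's key, recovers the track."""
    body = message[len(POS_HEADER):]
    return keystream_xor(reader_key, body[:12], body[12:])
```

Running `find_cleartext_pans` over `pci_style_pos(TRACK2)` returns the test PAN, while the same scan over `p2pe_pos(TRACK2, key)` returns nothing, which is exactly the exposure difference the interview describes.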
What can we do to protect ourselves while security measures are
put in place?
A: It's still very dangerous. I would recommend reducing the
risk of losing everything at once. Instead of using one credit card
with a $10,000 limit, create two or three card accounts with lower
limits. That way, if someone steals your card, they can't steal all
your money. Same for debit cards. If you have just one bank
account, hackers can withdraw all the money from your account.
You'll probably get your money back because the banks have
insurance from credit card companies but it will take several days.
So I recommend opening a few accounts and using several different
Is that what you do?
A: Yes. To me, it's still much more convenient to use credit
cards than to pay with cash, but we can pay a lot for this