The recent security breach at Target – where hackers made off with 40 million credit and debit card numbers as well as encrypted PIN data — has focused renewed attention on the vulnerability of U.S. credit card security systems.
Security experts say the United States lags far behind many other countries in adopting readily available technology that can provide stronger protection for consumers.
In Europe, “smart cards” have been the standard for at least a decade. Smart cards – also known as EMV or “chip and PIN” cards – have a tiny microchip embedded in the card that generates a unique code every time the card is used. Experts say that offers a much higher level of encryption and security than the magnetic strip cards most Americans carry.
Countries where smart cards are widely used have seen a dramatic decrease in fraud. In Britain, the UK Cards Association reports that credit and debit card fraud dropped 36 percent between 2008 and 2012.
Visa, MasterCard, American Express and Discover have all begun rolling out smart card technology for the U.S. market, although so far only a small percentage of American customers have upgraded to smart cards. The credit card companies say it will take several more years to transition a majority of U.S. retailers and customers to the new technology.
Once that happens, “it’s going to solve a big part of the fraud problem we have in the United States,” Randy Vanderhoof, director of the EMV Migration Forum, told CBS News.
In the meantime, Americans continue to be victimized by credit and debit card hackers who exploit weaknesses in our less-than-state-of-the-art security. Vanderhoof estimates the cost of such fraud at about a $5 billion a year.
Smart cards—cards with embedded integrated circuits that can process information—offer a number of features that provide or enhance privacy protection in an access-control system. Smart card technology offers a number of features that can be used to provide or enhance privacy protection in systems. The following is a brief description of some of these features and how they can be used to protect privacy.
- Authentication. Smart card technology provides mechanisms for authenticating others who want to gain access to the card or device. These mechanisms can be used to authenticate users, devices, or applications wishing to use the data on the card’s or device’s chip. These features can be utilized by a system to protect privacy by, for example, ensuring that a banking application has been authenticated as having the appropriate access rights before accessing financial data or functions on a card.
- Secure data storage. Smart card technology provides a means of securely storing data on the card or device. This data can only be accessed through the smart card
operating system by those with proper access rights. This feature can be utilized by a system to enhance privacy by, for example, storing personal user data on the card or device rather than in a central database. In this example, the user has better knowledge and control of when and by whom their personal data is being granted access.
- Encryption. Smart card technology can provide a robust set of encryption capabilities including key generation, secure key storage, hashing, and digital signing. These capabilities can be used by a system to protect privacy in a number of ways. For example, system based on smart card technology can produce a digital signature for the content in an email, providing a means to validate the email authenticity. This protects the email message from subsequently being tampered with and provides the email recipient with an assurance of where it originated. The fact that the signing key originated from a smart card or device adds credibility to the origin and intent of the signer.
- Strong device security. Smart card technology is extremely difficult to duplicate or forge and has built-in tamper-resistance. Smart card chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. For example, the chips are manufactured with features such as extra metal layers, sensors to detect thermal and UV light attacks, and additional software and hardware circuitry to thwart differential power analysis.
- Secure communications. Smart card technology can provide a means of secure communications between the card/device and readers. Similar in concept to security protocols used in many networks, this feature allows smart cards and devices to send and receive data in a secure and private manner. This capability can be used by a system to enhance privacy by ensuring that data sent is not intercepted or tapped into.
- Biometrics. Smart card technology can provide mechanisms to securely store biometric templates and perform biometric matching functions. These features can be used to improve privacy in systems that utilize biometrics. For example, storing fingerprint templates on a smart card or device rather than in a central database can be an effective way of increasing privacy in a single sign-on system that uses fingerprint biometrics as the single sign-on credential.
- Personal device. A smart card is, of course, a personal and portable device associated with a particular cardholder. The smart card plastic is often personalized, providing an even stronger binding to the cardholder. These features, while somewhat obvious, can be leveraged by systems to improve privacy. For example, a healthcare application might elect to store drug prescription information on the card instead of in paper form to improve the accuracy and privacy of a patient’s prescriptions. Smart card technology is also built into other portable personal devices, such as mobile phones and USB devices.
- Certifications. Many of today’s smart cards and devices have been certified that they comply with industry and government security standards. They obtain these certifications only after completing rigorous testing and evaluation criteria by independent certification facilities. These certifications help systems protect privacy by ensuring that the security and privacy features and functions of the smart card hardware and software operate as specified and intended.