Remember your old mag stripe credit card? Do you think your newer credit card with a shiny gold chip might be more secure? It’s supposed to be much better at preventing thieves from using your stolen credit card. And it was, until the security was botched. This article outlines how and why security got dropped. The takeaway is not to finger-point or blame, but to underscore that when you implement a smart card project, you must understand what capabilities you really have. Don’t circumvent security for marketing hype.
In October 2015, the United States officially switched from magnetic stripe credit cards to smart cards. The U.S. was finally catching up to the European and Asian markets with respect to EMV and “Chip ‘n’ PIN” security. Or, were we?
On October 3, 2015, I had a brief conversation with California Assemblymember Matt Dababneh of the 45th District about the new chip cards. He asked me if we (Congress) had made a mistake by removing the PIN function with regards to credit cards. My answer was a resounding yes, and here’s why.
- The credit card industry still treats the smart card as a single-function, magnetic stripe replacement and not as a multi-function, multi-factor authentication token for the digital age. Can you do anything else with the chip, such as add multiple credit card numbers, include loyalty points or use it to log into computers without a password?
- Credit card companies and retail stores that issue their own cards want to protect their branding more than they want to offer their customers convenience. They do this by not allowing multiple accounts to be stored on one card, and especially not on their card.
- Now that you have your new chip cards, has the number of cards in your wallet decreased? Probably not. Recently I had to look into my wife’s purse to find her car keys. (I like to tease her that I need someone to tie a rope around my waist before going in, just in case I get lost.) It was during my search that I found a four-inch plastic brick in her purse. It was all her loyalty and membership cards held together with a rubber band. One single smart card could hold all of those and many more.
- Card issuers often refuse to allow customers to change the chip’s PIN to something they can remember. They use the argument that PINs would be set to easy numbers like phone numbers or birthdays that thieves could figure out. Probably true, but chips are far more sophisticated than the old magnetic stripe cards. They can be programmed to lock or self-destruct if the wrong PIN is entered a predetermined number of times, which defeats guessing. When issuers set your PINs for you, the user is left having to remember a different PIN for every card. Here comes the user password management nightmare all over again.
- So instead of card issuers using chip cards to increase security and tackle fraud (your high interest rates pay for their losses), they recommended to legislators that the PIN requirement in the U.S. be dropped so customers would not have the burden of managing PINs. Our representatives went along with it.
- Instead of getting a more secure “Chip ‘n’ PIN” technology, all we got was “Card ‘n’ Nothing.”
- All Congress did was kick the can down the road. Our new high tech credit cards have a vulnerability that the industry decided to ignore: authenticating the user to the credential. Your card is the “something you have” and your PIN is the “something you know.” Strangely, Congress turned off the security feature they mandated!
Allowing individuals to use the full capabilities of smart cards would put an end to issuer and store logos on cards. Imagine purchasing a blank card at any grocery store, custom printing it with your favorite images, and loading onto it the vast majority of the account numbers from all those cards you currently carry in your wallet or purse. With them all in one place, you could protect them all by memorizing one very secure PIN.
The smart card is not a migration of magnetic stripe card technology. It’s a migration of the computer. I believe if we are ever going to break away from single-function cards and go to multi-function cards, it will take the computer industry to do it. After over 25 years in the smart card industry, watching how poorly financial institutions have implemented smart card technology, I do believe their brand is more important to them than their customers’ convenience or security. As for me, I’ll stick with my old fashioned ATM card that still requires a PIN instead of the debit card without a PIN.
Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion led him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smart cards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premier product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).