Kudos to Walmart for standing up for better security options for their customers. To put it bluntly, signature is not a security feature. PIN should be an option for retailers to deploy and require as a security feature. EMV deployment is not optional, so why shouldn’t a secure implementation be on the table for retailers that want to enforce good practices?
This article is an excellent reminder of why it is very important for retailers to move forward with the implementation of EMV/Chip-PIN card readers and the necessary associated Point-of-Sale software. Far too many retailers have hardware in place, but not the software to leverage this new technology.
It is also important to remember the value of timely patching of all systems, regardless of the card handling mechanisms in place.
Anyone who has supported retail or has dealt with the complexities of POS saw this coming. Frankly, in the absence of PIN to go along with all those chips, we are still not where we need to be from a security perspective. This author will stick to Apple Pay when available. I love a good Near Field tokenized transaction.
For those of you not lost in the world of credit card transactions and security measures, EMV is the standard for moving branded credit cards from swipe and sign technologies to chip and PIN. Though sad, the results detailed in this article are in no way surprising. Many retailers simply do not understand the value of EMV or do not care enough for their customers relative to the potential cost for new PIN pads.
Ladies and gentlemen, this is only the beginning. The research presented in this article presents just one of what is apt to become dozens of attack methodologies designed to leverage NFC-based transactions, with or without EMV (chip and PIN) protections. IT Security professionals need to stay as far ahead of this curve as possible if we are going to salvage the trustworthiness of financial transactions in the US and abroad.
According to Krebs, there has been a spike in cloned card fraud for chip-based transactions from banks that have not issued EMV cards as of yet. It is a bit disturbing for this type of spoof attack given that EMV hasn’t really penetrated the US.