How Smart Card Security Has Evolved, and Which Threats Remain

In most retailers today, customers don’t swipe a credit card’s magnetic stripe and sign a receipt to pay for goods and services. They now insert the card’s embedded chip into a point-of-sale terminal. In some cases, they also input a personal identification number. For credit card companies and banks, this is the world as it should be.

As of Oct. 1, 2015, U.S. merchants are now liable for any fraud that results from transactions on systems that are not EMV capable. EMV stands for “Europay, MasterCard and Visa,” the three companies that created the international standard to authenticate transactions. It’s been in place in the European Union since 2005.

As of the end of 2017, there were 7.1 billion EMV-enabled cards in circulation worldwide, 1 billion more than the previous 12 months, according to an April report from EMVCo, the global technical body that facilitates worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV specifications and related testing processes. Further, 63.7 percent of all card-present transactions conducted across the world in 2017 used EMV chip technology, up from 52.4 percent in 2016.

While smart card adoption is growing, it is still lagging in the United States. The U.S. had 785 million EMV-enable cards in circulation at the end of 2017, up from 675 million in 2016, and nearly double the number at the end of 2015, Digital Transactions notes. EMV technology is incorporated into 58.5 percent of all cards in the U.S.

Smart card technology is intended to increase security for card issuers, banks, merchants and consumers by adding another layer of cybersecurity protection. Yet they still remain vulnerable to attack. That’s why credit card and authentication technology companies are developing more secure authentication methods than just the EMV chip, adding biometric authentication tools to the mix.

Such tools may help retailers and financial institutions cut down on credit card fraud, which persists despite efforts to boost security. In February, Javelin Strategy & Research revealed that the number of identity fraud victims increased by 8 percent in the last year (16.7 million U.S. consumers), a record high since the research firm started tracking identity fraud in 2003. “The study found that despite industry efforts to prevent identity fraud, fraudsters successfully adapted to net 1.3 million more victims in 2017, with the amount stolen rising to $16.8 billion,” the firm says in a statement.

Here is a primer on what smart card technology is, how EMV card security has evolved, the threats that remain to smart cards and the new technologies being used to combat ongoing threats.

SIGN UP: Get more news from the BizTech newsletter in your inbox every two weeks!

What Is a Smart Card?

Smart cards are any pocket-sized card with embedded integrated circuits that serve as a security token. The cards are usually the size of a driver’s license.

The Secure Technology Alliance (STA) notes that the embedded circuit “can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone.” Many smart cards include metal contacts to electrically connect to the embedded chip, while others are contactless and some are both.

As TechTarget notes, smart cards “connect to a reader either by direct physical contact (also known as chip and dip) or through a short-range wireless connectivity standard such as Near Field Communication (NFC).”

With an embedded microcontroller, STA notes, “smart cards have the unique ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and mutual authentication) and interact intelligently with a smart card reader.”

Smart cards can be used for personal identification, authentication, data storage and application processing. The technology sits at the heart of mobile phone SIM cards, public transit fare cards, ID cards for building security, and, of course, credit cards.

Importantly, from a security perspective, TechTarget adds, smart cards “are designed to be tamper-resistant and use encryption to provide protection for in-memory information.”

What Is the State of Smart Card Authentication?

EMV cards use technology based on different technology standards: ISO/IEC 7816 for contact cards and ISO/IEC 14443 for contactless cards.

Contact EMV cards “support cryptographic functions to prevent counterfeiting of cards and additional functions that make them more secure than traditional magnetic-stripe cards,” EMVCo notes.

In contrast, a contactless smart card “includes an embedded smart card secure microcontroller or equivalent intelligence, internal memory and a small antenna and communicates with a reader through a contactless radio frequency (RF) interface,” according to STA.

Contactless smart card technology is used in cases where personal information needs to be protected and secure transactions need to be delivered quickly. These include not just credit cards, but personal identification cards and transit fare payment cards.

Contactless smart cards can implement a variety of industry-standard cryptographic protocols (e.g., AES, 3DES, RSA, ECC). STA notes that contactless smart card–based devices can verify that the card reader is authentic and can prove its own authenticity to the reader before starting a secure transaction. Further, contactless smart cards can be encrypted, as can communication between the card and the reader.

Both contact and contactless smart cards have built-in security features. “Smart card chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks,” STA notes. “For example, the chips are manufactured with features such as extra metal layers, sensors to detect thermal and UV light attacks, and additional software and hardware circuitry to thwart differential power analysis.”

Users can also counter unauthorized access by using a PIN, making the system akin to one of multifactor authentication.

What Are the Current Smart Card Security Vulnerabilities?

Despite the many security features built into smart cards, they are not foolproof.

As CreditUnions.com notes, fraudsters will steal identifying information, such as a user’s ZIP code, then when attempting to make a purchase using a dummy EMV smart card, they will provide information to validate the stolen identity and claim the chip is defective.

Indeed, Javelin reports that EMV is “driving more fraudsters to seek online channels for fraud,” and that “Card Not Present Fraud” is now 81 percent more likely than fraud at POS terminals. This is the greatest gap Javelin has observed.

TechCrunch reports that devices called shimmers can be placed inside ATM terminals to read card numbers, and in some cases, access the credit card’s embedded chipset. “Because Shimmers are so thin they can disappear inside of an ATM or card reader,” TechCrunch notes. “The data read when the chip is activated cannot be used to create a chip-based card but because some of the magnetic data is passed during the read process you can use Shimmers to easily recreate dumb magnetic cards.”

Meanwhile, if the data on the smart card is not encrypted, malicious actors can more easily capture it. According to TechTarget, “The small size of the chips on the cards only allows a limited amount of memory, which also limits the size of the encryption keys the card can hold, which in turn weakens the strength of the encryption of the card.”

Can Biometric Authentication Alleviate Smart Card Security Issues?

Authentication technology companies and credit card issuers are turning to technology solutions, including biometric solutions, to bulk up security for smart cards.

In April 2017, Mastercard started testing a smart card with biometric authentication technology in South Africa, Wired reports. The card has a small biometric scanner in the top right-hand corner, where users place a finger during transactions. The fingerprint is verified against a stored template. If the biometric authentication is successful and the transaction is authenticated, there is no need for the user to provide a signature or PIN.

Mastercard says that the solution requires no changes to merchant hardware or software, because it is compatible with any type of EMV-enabled terminal that has satisfactorily completed the Mastercard Terminal Integration Process. The technology is now being tested in Bulgaria and will be trialed elsewhere in the world this year, according to Wired.

In January, Gemalto announced that the Bank of Cyprus had selected it to supply what it touted as the world’s first EMV biometric dual interface payment card for both chip and contactless payments.

Users must enroll their fingerprints at a local branch. During the enrollment process, ZDNet reports, a fingerprint template is captured and securely stored on the card. “When a customer places their fingerprint on the credit card sensor in a store, a comparison is performed between the enrolled fingerprint and the reference data stored in the card,” the site notes.

Visa is involved in the pilot program and notes that “a green or red light on the card indicates a successful or unsuccessful match.”

Meanwhile, in February, Ingenico announced that it developed a new payment solution for micro-merchants based on a technology generally called PIN on Glass or PIN on Mobile. The technology enables customers to use both a chip and a PIN on the merchant’s personal mobile device. The solution is comprised of a compact secure card reader for both EMV and contactless bank cards, a mobile PIN entry application on the merchant’s device, and a back-end Trust Service to analyze and verify that the execution environment of the device is secure before the customer enters the PIN.