NPR had a segment this morning about the recent Target hack, and how this could never have happened if the issuing companies (Visa, MasterCard, Discover, American Express, etc.) had update their systems in the US from magstripe to what is called "Chip & PIN" in Europe. The idea being that users in Europe have to insert their card so a chip on the card is read, and then provide a PIN that replace the signature of the current credit model in the US. This is all well and good, except they are forgetting a key component of this exploit, static data.

Magnetic Stripes

Magstripes have their own set of problems, they are static, they wear out, and ... they can be skimmed. The data on your magstripe is plain text. If you recall the Redbox fiasco a few years back, people put card skimmers on Redbox kiosks and as a user swiped their card they were also giving away the information on the card. Your card number and expiration date among other data is stored in that little strip.

What can we do to avoid skimming, and plain text? Encrypt the data on a chip!

Chip & PIN

As they are called in Europe the Chip & PIN card is basically a credit card where the magnetic strip is removed, and replaced with a micro chip that has to be read by the computer system. You can not simply skim this card because you have to willing put your card in a machine that reads it.

Basically this only replaces your signature with a PIN code. The static data on your card is still collected, the static PIN you enter is still collected and it is all bundled up and sent off to the bank to verify you are you, and you are allowed to use that card. Secure right? Wrong.

The Problem

As the Target exploit shows us even the Chip & PIN system would have fallen pray to this exploit. The reason is because the data is only encrypted on the card. Before the retailer can charge you they have to use a provided key set to decrypt the data and pass it along with your PIN to the bank. Because the data on your card is static, and your PIN is static, simply capturing the data on the card is enough to fake the presence of the card later. Insert the same static data, same static PIN, and the bank doens't know the difference.

A Solution

I am not all gloom and doom today. I have a suggestion, though I am sure the banks and retailers will ignore it because it is sure to be expensive. The solution: Two Factor Authentication.

a process involving two stages to verify the identity of an entity trying to access services

Let me give you a great example of how this works:

You head into retailer X and head to the POS with your goods. You hand them your credit/debit card, and they ask you to enter a PIN. Instead of pulling a 4 digit code from your brain, you pull out your smart phone and open your banks Authenticator app. You plug in your password and up pops a 6 (or more or less) digit code that is only valid for the next 60 (or less) seconds. You read the code on your phone, plug it in as your PIN and the transaction is done.

How is that any different than the static PIN? It isn't static anymore. Let's say the Target hack happens again at retailer X. You don't have to worry about your PIN being captured, because it will never exists agin.

Implementation

Obviously the biggest factor to any change in the way the system works is the change. Adding Two-Factor Authentication (TFA) will require the banks and retailers to change the way the credit game is currently played, but all for the better really.

First, banks and retailers will have to communicate in real time. There will be no more batching credit cards and running them through all together at night. The TFA PIN expires within minutes. It has to be verified in real time. This has the added bonus of reducing float fraud. Float fraud is when you leverage the time it takes for banks to lock your funds to over spend the funds. Real time transactions stops this practice.

Second, POS systems will have to allow for longer PINs to be entered into the system. Most TFA systems have 6 or more digits instead of 4. This is a simple change.

Third, and the most difficult really, is that banks will have to educate and prepare users with the right technology for the practice of TFA. Customer will have to be issued either RSA tokens or smart phone apps that keep track of the codes to be used. The cost of the tokens can be quite hefty, but if you were to offer customers the choice of a $10-20 RSA token or a free smart phone app, you can rest assured the smart phone app wins every time. Those without smart phones will complain to the cost, but when told their money would have been secure from the Target hack, they will gladly toss out $10-20 for the security.

The Pressure

Talk to your financial institutions today, find out what they are doing to make your money safer. Don't let your bank sit on their butts and be inactive to these matters. This is not a problem for just Visa and Mastercard to sort out, your banks are their customers and they need to demand more security for your money.