The recent exploit of Signature Systems terminals, used by Jimmy John's restaurants and other clients, shows that the point of sale is still a key target for hackers. And the addition of EMV-chip technology won't scare them off.
A stark reminder of this threat came at the Black Hat conference in Las Vegas in August, where researchers at U.K.-based MWR InfoSecurity demonstrated how to breach an EMV mobile card reader to steal account data and the cardholder's PIN. This would allow hackers to create a cloned card that could be used for magnetic-stripe transactions at terminals that do not require EMV.
EMV-chip cards are meant to be resistant to counterfeiting, but they typically include a magnetic stripe to remain compatible with older payment systems. The U.S. is in the process of migrating to EMV, and the card networks have set a deadline of October 2015 for most companies.
Under this new attack, hackers use rogue EMV cards to install malware on the device, allowing the copying of details of every card it processes. The attacker would return later with another card to extract the information, the researchers said.
Researchers at Black Hat noted that, to date, there were no actual hacks on the EMV devices. But if researchers could do it, so could hackers.
Any payment system that includes digital data will have vulnerabilities, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
However, fraudsters have not put much energy into the type of exploit the researchers demonstrated, Conroy says.
"We've haven't seen a big incentive for criminals to spend the time and effort to try to break EMV because the U.S. remains such a rich and easy target as long as it depends on mag stripe," Conroy added.
The methods revealed at Black Hat capitalized on vulnerabilities in the device that were addressable by a security patch, Conroy said. "It will be important for merchants to be diligent in uploading these patches to all of their devices that touch payment card data," she added.
Reports of weaknesses in EMV hardware should not discourage U.S. merchants from preparations for adopting the technology, said Jacob A. Ansari, a Payment Card Industry forensic investigator at 403 Labs, the security and compliance division for Sikich LLP.
"There are a handful of attacks that focus on EMV transactions or the infrastructure that supports EMV, but it's hardly all doom and gloom," Ansari said. "There may be imperfections or security vulnerabilities, but using EMV would probably drastically reduce card-present fraud in the U.S."
Acquirers and merchants must remember that using an EMV card does not mean all card data is protected from interception, said Al Pascual, security and fraud senior analyst for Javelin Strategy & Research.
"It only means that the EMV card itself cannot be cloned and used to commit fraud at an EMV terminal," Pascual said.
Hackers cannot emulate the dynamic data used for authenticating chip-card transactions, Pascual said, but any static data can be reproduced on mag-stripe cards.
That said, as EMV spreads in the U.S., locations where only mag-stripe cards can be used will become few and far between, Pascual added. "Card breaches at the POS will become less relevant of a threat."