As early reports of EMV skimming surface, the industry is realizing that simply replacing a dumb card with a smart card doesn’t solve the “who are you” problem.
Bad guys always attack the weakest link in the chain, so a complete payment card solution must include both security and identity authentication, whether on cards or, increasingly, on mobile devices.
EMV has built security into today’s payment cards, but without biometrics, there is no way to perform identity authentication. As EMV cards move to phones, “on-device” biometrics will deliver a combination of convenience, security and privacy protection.
Skimmers are slurping up the Track 2 data on chip cards and using it to create fake cards used in two primary places: ATMs that may not yet support chip and PIN, and regions that have not yet adopted EMV technology in their ATM infrastructure.
Consider Brazil, where card-plus-fingerprint solutions using HID Global Lumidigm biometrics technology authenticate over 50 million bank customers for roughly two billion ATM transactions annually at four of the country’s top five institutions. Fraud has flowed away from these ATMs to those that don’t feature biometrics technology or to other applications such as point of sale terminals and web commerce.
Beyond asset theft, EMV skimming also increases vulnerability to identity theft.
Until now, people haven’t considered card skimming a legitimate attack on their true identity (nor have they felt the pain yet). They don’t understand that a person’s unique identity can’t be replaced by a card, token or application.
Any solutions for combatting EMV skimming must also protect this identity through a mechanism for proving identity claims. Biometrics is the best solution, as long as it is used in a trusted way. One approach is to store an encrypted biometric identity in the EMV card, allowing only the legitimate user to execute transactions. This ensures that the EMV card (or token or app) could authenticate the card and that it belongs to the person presenting it.