Several electronic and mobile payment options have become available, but most of us in the U.S. are still using plain-vanilla credit and debit cards with magnetic stripes. They use technology that dates to the first Nixon administration. That’s not a problem in itself; I have no problem with time-tested security measures that work effectively. But just look around: Data breaches are everywhere, and those magnetic-stripe cards are often implicated.
Personally, my credit card accounts have been compromised no fewer than three times. Those compromises included fraudulent purchases charged to my account. That experience has made me an early adopter of some of the newer mobile payment options, because I desperately want to use systems that are more secure than the old-fashioned credit cards I keep in my wallet.
From a security architecture standpoint, traditional credit cards are a nightmare. Among other things, they often:
- Store account numbers on servers
- Expose account numbers to clients
- Only encrypt data in transit (like SSL/TLS)
- Expose account numbers to merchants
- Reuse the same payment/account number
That’s quite a list of failures.
And how do credit cards’ more modern counterparts measure up? Let’s look at three of them and see.
Credit card readers on mobile devices. These systems, which include Square, started popping up a few years ago and have become moderately popular with small-to-medium-sized merchants, because they’re easy to deploy. But they also hold benefits for those merchants’ customers. The readers (typically they are simply smartphones or tablets) are not just point-of-sale (POS) terminals. In most cases, the card reader devices encrypt the customer’s credit/debit card information. The encrypted data is decrypted back on the server side at Square (and the other companies operating in this space), but nonetheless the encryption in transit effectively removes an entire threat agent from the equation —the merchant.
These systems are more widely used than the other two technologies I will discuss, and that’s probably because they are beautifully simple, supporting existing technology (mag-stripe credit cards) while reducing opportunities to exploit the payment data. (Card reader systems are moving into card-less transactions as well, such as with Square’s Wallet app, which goes further toward reducing such opportunities.)
But these systems do not eliminate opportunities for mischief. The customer’s payment data is still stored on the service provider’s systems. Should a provider like Square suffer a major server breach, there’s always the chance your payment account information will be compromised.
Verdict: All the convenience of credit cards, but more secure. Why aren’t more people using them?
The Europay MasterCard and Visa (EMV) system. EMV cards contain a smart chip and/or a contactless (RF-based) chip. They’re typically used in either “chip and PIN”or “chip and signature”configurations. (You either have to enter a PIN or sign to complete a transaction.)
EMV is the metric system of payment systems: It’s widely deployed around the world, with the notable exception of the U.S. Current plans are to roll out EMV in the U.S. in 2015 or 2016, but we’ve been waiting a long time.
I’ve used EMV cards for years, because I do a lot of international travel for work. Early on, I had great hopes that they would solve a lot of security problems, but I have come to see their shortcomings. Yes, EMV cards are more secure than traditional credit cards, but many of them still retain a magnetic stripe, for purposes of backwards compatibility. So an unscrupulous merchant can swipe an EMV card through the reader, and there you are, back at square one. If you have an EMV card, remember that there is no reason for the merchant to swipe it, so just refuse to hand it over.
Another problem is that the chip itself can present POS terminals with your account number. That means that a POS terminal infected by malware could harvest account data. Combine that with a static PIN, and it’s quite possible to compromise an EMV card. In fact, it happened to me in Singapore last year.
Verdict: EMV is far better than mag-stripe, but it sure isn’t a silver bullet.
Google Wallet and Apple Pay. These contactless payment systems use near-field communication (NFC) technology for communication between a smartphone and a POS terminal. And both systems use a technique called tokenization, whereby the actual account number is not presented to the merchant. One-time tokens are used so that eavesdroppers, including malware on a smartphone or POS terminal, will not be able to reuse any information they may be able to collect.
But Google Wallet and Apple Pay treat account data very differently. Google Wallet stores account data at the back end, in Google’s cloud service, while Apple Pay doesn’t present account data to either the merchant or Apple itself. The account itself is held only by the card issuers.
Verdict: Both Google Wallet and Apple Pay are substantially more secure than mag-stripe systems, and arguably more secure than EMV. Why isn’t everyone on the planet using them?
Well, for starters, they both require current or recent model smartphones to function. That makes the cost of entry pretty high.
And not all merchants are supporting Google Wallet or Apple Pay yet. That situation is improving pretty rapidly. A vast array of banks have lined up to support one or both systems, and new merchants promising support seem to be popping up weekly (including, notably, the U.S. government). Square, whose Wallet app I already mentioned, has announced that it will be coming out with Apple Pay support later this year. That could be a huge boost for Apple Pay, since small-to-medium-sized merchants will be able to support the system without having to buy expensive new POS terminals.
But all of that is the story in the U.S. Google Wallet and Apple Pay are sort of the converse of EMV: supported in the U.S. to some extent but virtually nonexistent elsewhere.
None of these options is perfectly secure. But all of them are more secure than magnetic-stripe cards. As far as I’m concerned, the only reason to stick with mag-stripe is to do business with a merchant that only supports payment technology that predates the Watergate scandal.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
This story, "Rating the Payment Options" was originally published by Computerworld.