Sunday, April 17, 2016

EMV in the United States: Chip and Confusion

A little over a year ago, I wrote a post detailing the upcoming transition to EMV chip cards in the United States. Well now, six months after the October 1, 2015, liability shift that the media latched on to as "the day the US would start using EMV" (even though there were places where it could be used for at least a year prior), I've come to a conclusion on the current state of affairs. While many countries have "Chip and PIN", and a handful of other countries have "Chip and Signature", in the United States, we have "Chip and Confusion".

Before I get to far into this (seeing as my previous post worked out to be twelve pages long), I'll give my advice to ease the confusion up front: Don't overthink it. Whether you're a customer or a cashier, just do what the little screen says. If the screen says "insert", insert. If it doesn't, swipe. If it asks for a PIN, enter it. The other bit of advice I can give is that this confusion should be temporary. I've seen comments by people in other countries like Canada that already went through the transition to chip cards, and they indicate that there was confusion at first, but within a year or so people got used to dipping cards instead of swiping them.

I also made a flow chart of how the card payment process is currently working in the US. Without a chip card, things are fairly straight forward with not to many complications. But now, with the introduction of chip cards, sporadic merchant acceptance, and complications from debit cards, things are a lot more complicated.



So the biggest point of confusion for customers seems to be what they're supposed to do with the chip cards. Either they never use the chip, or they're never sure if they're supposed to use the chip or swipe, and seem to always do the wrong thing first. The crux of this problem is that while many places have chip readers, they don't all have the chip reader enabled. There are a variety of reasons for this, but for retailers with customer-facing terminals, it generally boils down to the software part isn't ready yet. Most of these retailers have point of sale systems that integrate payment handling with the rest of their systems, and so those systems need to be upgraded to support EMV transactions. Not only do the software changes have to be made, they also have to be certified, and there are backlogs in getting that completed.

I think most of that confusion can be avoided just by paying attention to the screen. With only a couple of exceptions that I've run into, if the screen says "insert", then the chip reader is enabled and I insert the card and the transaction is completed. If it doesn't, then I swipe. The more problematic case when this didn't work for me was at Vons, the brand used by Safeway in Southern California. There, I've run into terminals that say "swipe or insert", even though they don't have EMV enabled, and in one case I saw that prompt on a terminal that didn't have a card reader at all. What made this frustrating is that when I did insert, nothing happened. At another place where the terminal prompted to insert even though the chip reader didn't work, I got an error and was prompted to swipe, which is a more reasonable behavior since it at least instructs the customer what to do.

The other option would be to swipe first, then insert if prompted. This will work since a properly programmed EMV terminal will detect the card has a chip (there's a code included in the magnetic stripe that indicates this) and instruct the customer to insert the chip instead. The problem with doing this is that it exposes the customer to having the magnetic stripe on their card read and copied by a compromised terminal.

The second point of confusion seems to be signature versus PIN. Most US-issued cards are, at least for now, keeping things the same as they were before the arrival of EMV. Credit cards require a signature, while debit cards can either require a signature if run as "credit" or a PIN if run as "debit". The source of confusion seems to be primarily debit cards; I'll get to those in a moment.

Credit cards don't seem too bad; all of the major card issuers are issuing Chip and Signature cards so the customer is asked to sign in the vast majority of cases, just like they did with magnetic stripe credit cards, so there's not much change. Some do support PIN as well, for those places that can't handle a PIN. I haven't heard of any places like that in the US, though the PIN could be asked for at places like train ticket kiosks and self-service gas pumps in Europe. Barclaycard US does a good job of describing this on their web site:

In most cases, you’ll then be prompted to sign for your transaction. But at self-service terminals like ticket kiosks and some gas pumps, you may need to enter your 4-digit PIN.
A handful of US banks are issuing Chip and PIN cards, meaning that the card is configured to prefer PIN over signature. Ones I know of include Target's REDcard, Santander Bank, First Niagara Bank, United Nations Federal Credit Union, and First Tech Federal Credit Union. While I don't have any first-hand experience with them, their websites do emphasize that the customer should expect to be prompted for their PIN in most cases, such as this example from First Niagara:

First Niagara is committed to preventing fraud and fraud losses by requiring a PIN on most credit and debit card transactions performed in person. While some financial institutions are not requiring a PIN, we have taken this additional step to ensure our customer's card information is as secure as possible. If a PIN is not requested, you may be asked to sign a receipt, as you do today.
It seems like the biggest point of confusion, or at least complication, related to this in the US comes from merchants not expecting Chip and PIN credit cards. I've heard reports of cashiers canceling the transaction when prompted for a PIN; presumably these merchants normally just process debit cards as "credit" so they aren't used to seeing a PIN prompt, and think "that's not right, we don't do debit". Chalk that up to poor training, since the right way to do this is to ask the customer to enter their PIN. The bigger problem is restaurants. As long as they continue with the model of the server taking the card away from the table to process the card in "the back", Chip and PIN cards will be quite a hassle since the customer will need to follow the server to enter their PIN. The right way to do this is to shift to "pay at the table" where the cashier brings a handheld portable credit card terminal to the table to allow the customer to pay, or use a tabletop kiosk. This has the additional advantages of removing the opportunity to have the card details copied while the card is out of the customer's sight, as well as the opportunity to fraudulently increase the amount of the tip after the customer has left the restaurant. Alternatively, restaurants could shift to the model of having customers pay at a cashier's station by the restaurant's exit, though I don't think many places will make this change as it tends to be associated more with lower-end, diner-type restaurants like Denny's.

One thing to keep in mind about the problem with Chip and PIN cards for merchants that aren't expecting them is that it's not limited to the handful of smaller banks issuing them. Visitors from many other countries will be using Chip and PIN cards. Before this wasn't an issue since when a Chip and PIN card was swiped in the US, it was treated just like an American card and the customer would be asked to sign. But as American merchants begin dipping these cards in the chip reader, the customer will be prompted to enter a PIN just as they would in their home country.

But the big problem is debit cards. US law requires that debit cards offer merchants the choice of routing transactions over at least two different unaffiliated networks. In practice, this commonly ended up giving the customer a choice of having their card processed as "credit" (signature) or "debit" (PIN), though there were exceptions. Restaurants typically would process only as credit to avoid the hassle of dealing with getting the customer's PIN, and some stores such as WinCo, Costco, and ARCO chose to keep costs down by accepting only (or primarily) debit cards.

Not only is this routing requirement unique to the US, it's compounded by the lack of a single national dominant debit processing network like Interac in Canada or EFTPOS in Australia and New Zealand. So it took a while for the industry to agree on a standard on how to get this to work with EMV, and as a result many of the first stores to implement EMV could only process EMV debit cards as "credit". This resulted in customers thinking their new EMV chip debit cards were less secure than their old magnetic-stripe only cards, since instead of being asked for a PIN, they were instead being asked to sign, or even do nothing at all since many retailers aren't required to collect a signature for small purchases. But now that retailers have EMV debit working, things have swung the other way. Some merchants, notably Kroger, have taken advantage of the switch to EMV and have taken away the "credit" or "debit" choice from customers using debit cards. While credit cards will be processed as they always have, debit cards at these merchants are now processed only as "debit" and a PIN is required. This is causing problems for a whole other set of customers who are used to selecting "credit" and signing with their debit cards, and either don't know or don't want to have to enter their PIN.

I don't want to dwell too much on yet another area of confusion, and that is knowing how to use card in the chip reader. Customers have gotten used to ATMs and self service machines where they insert the card into a reader, not unlike a chip reader, but instead of leaving it in the reader, they insert and remove it quickly in one motion. So the first time a customer attempts to use a chip reader, they may attempt the same thing, inserting and removing the card right away. However, the card needs to be left in the reader in order for the chip to do its thing, so this insert and remove motion doesn't work. Similarly, customers may not push the card all the way into the reader, even though they do leave it in. Fortunately, it seems like this is more of a problem of simply getting used to doing something different. I can imagine similar things happened (swiping too fast or too slow, or swiping the card such that the magnetic stripe doesn't even come in contact with the reader) when customers began swiping their own cards, rather than the cashier doing it.

So what do we have? Customers who don't know whether to dip or swipe. Cashiers who have never heard of credit card PINs. Customers not having the expected choice of "credit" or "debit" for debit cards. And very few people who even seem to know why these chip cards exist in the first place.

Or, to put it another way, Chip and Confusion.

Sunday, January 31, 2016

A Response to Cambridge's Video on Chip and PIN Fraud

Frequently, I see people referring to this video from Cambridge University explaining several Chip and PIN fraud possibilities as evidence that Chip and PIN is broken. I would like to take this opportunity to post my thoughts on this video and explain how, in the context of the current rollout of EMV in the United States, this isn't necessarily a huge deal.

The first thing to keep in mind is that, as I wrote previously, the United States is mostly transitioning to Chip and Signature, rather than Chip and PIN. Since my last post, a couple more banks and credit unions have come out with Chip and PIN credit cards, but the majority of EMV credit cards in the United States remain Chip and Signature, and one of the issuers that was Chip and PIN when I wrote that post has changed to Chip and Signature. Whether issuers transition to Chip and PIN in the US at some point in the future remains to be seen.

The attacks described in the video fall into three basic types, and I'll go over them one by one:

The first attack describes tampering with the card reader such that the flow of information in the link between the card reader and the card itself is intercepted, allowing someone to read off the card details and PIN. This certainly is a possible attack, but has been mitigated in a couple of ways. The first is to encrypt the PIN before sending it to the card. This means that the attacker wouldn't be able to read the PIN. The second is to have the PIN verified, not by the card itself, but by the bank that issued the card. This sort of over-the-network PIN verification is always encrypted, so the attacker would not have access to it. This is also how magnetic stripe debit card PINs in the US have been verified for many years. There are still cards and terminals out there that support unencrypted PIN verification by the card, so the attack possibility remains, but keep in mind that this still is only a disclosure of the PIN, and not the private keys on the card that would be needed to manufacture a clone of a chip card.

In the United States, this attack is mostly irrelevant. With nearly all US-issued cards being signature-preferring, if they support PIN at all, the PIN would rarely be needed by the customer and thus there is no PIN to capture. In the case of debit cards, which require a PIN when run as "debit" and may use a PIN when run as "credit", the PIN is always encrypted and sent over the network to be verified by the bank. It doesn't make sense to me for an attacker in the US to focus on PIN collection in this manner, since most transactions would not use a PIN in the first place so there would be nothing to capture.

The second attack uses a device between the card and the terminal that makes the terminal think the PIN was accepted by the card while the card thinks its doing a Chip and Signature transaction.  This allows an attacker to use a stolen card without knowing the actual PIN, since the card thinks it's performing a signature transaction, while the intermediary chip returns a "correct PIN" response to the terminal in all cases. The problem is that there is nothing that verifies that the card and the terminal have the same view of the transaction. Fortunately, an improved method of authenticating that the card itself is legitimate, called "Combined Data Authentication" or "CDA", includes a way for the terminal or payment processing network to detect this inconsistency. As noted by SecurityWeek, CDA prevents this sort of attack.

Like the first attack, attack also doesn't seem to make much sense in the United States. With the majority of cards being issued as Chip and Signature instead of Chip and PIN, the attacker doesn't need to perform this attack to use a stolen card without knowing the PIN. Instead the attacker simply forges a signature on the receipt or PIN pad.

The third attack uses a terminal that displays a small transaction amount to the user while processing a large transaction amount. I don't really consider this a Chip and PIN attack at all, since I don't see why this attack couldn't be done with a magnetic stripe or Chip and Signature card. The solution here is to get a receipt, since the receipt would either show the large transaction amount and be immediately noticed by the cardholder, or the receipt would show the small transaction amount and thus would differ from the processed transaction amount, providing evidence that would allow the cardholder to more successfully dispute the transaction with their bank.

Ultimately, there's not a lot a cardholder can do to reduce the risk from these attacks. The first two aren't immediately relevant in the US since few US issuers are issuing Chip and PIN cards anyway. We can only hope that if they do start to, they take advantage of the latest enhancements to EMV technology, avoiding unencrypted PINs and using CDA. As for the third, that's really about good cardholder practices and doesn't have anything to do with Chip and PIN specifically.

Tuesday, January 05, 2016

Why Larry Ellison Doesn't Need Island Air Anymore

Let's travel back in time. All the way back to January 2013. Larry Elison, CEO of Oracle, had recently spent a bunch of money buying the island of Lanai and wanted to make sure visitors would still be able to get to the two Four Seasons hotels on the island. Island Air was in bad shape, with not a lot of money and Dash 8-100s that were running out of cycles and working on replacing them with worn out ex-American Eagle ATR 72s. While technically possible, jet service to the island had never been a fiscally sound thing to do (I remember Aloha advertising it at one point and Hawaiian ran a triangle route with load restricted DC-9s between Honolulu, Molokai, and Lanai) so Hawaiian 717s were unlikely to show up anytime soon. Mokulele's tiny 9-seat Cessna Caravans were likely the type of experience he wanted for the guests of his high end resorts.

So buying Island Air made some sense. The ATRs, while not a large jet, would at least provide the familiar experience of flying a regional airliner on the short interisland hop. Trying to position itself as the #2 airline probably didn't seem like a bad idea either after the failure of the much-loved Aloha and much-despised Go, a position in which Island Air pretty much was in whether they wanted it or not. A lower cost/lower fare turboprop alternative to the mainline jets had been tried before, but there was the potential to be more successful with just one big competitor (Hawaiian) rather than two (Aloha and Hawaiian). But Island Air was never seemingly able to shake the poor reputation they developed when they didn't have enough Dash 8s left to fly the schedule and once the ATRs arrived couldn't keep them flying either, resulting in delays and cancelled flights.

So Hawaiian smelled an opportunity. Go was gone, Island Air had a poor reputation, and Mokulele was too small to be relevant. They bought some ATR 42s from Europe, contracted Empire to fly them, and reentered the Molokai and Lanai markets they hadn't been able to viably serve since retiring the Dash 7. Almost immediately, freed from the obligation of providing the only regional airliner sized service to the island, Island Air dropped service to Molokai to focus on Ellison's Lanai. But with Island Air continuing to lose money and Hawaiian's ATRs not seemingly going anywhere and able to bring guests to the resorts, it makes sense for him to stop pouring money into the airline and let someone else figure out what to do with it.