EMV Chip cards: Overview

September 21, 2015 by · Comments Off on EMV Chip cards: Overview
Filed under: Security 

When you shop at a store with a credit card it is typically done by swiping your card to conduct the transaction. The swiping action allows the credit card terminal to read your credit card number off of a magnetic strip on the back of the card. The downside to the magnetic strip technology is that it is very easy and cheap for the bad guys to reproduce. A common way for the bad actor to get your credit card number is to use a skimmer, a small device that goes over the normal reading mechanism, to steal the data. Once this is done, they can then create a new card with the same information and then attempt to use it at a store.

What is an EMV Card?
In an effort to reduce card present fraud, cards are making the switch to EMV (Europay, MasterCard, Visa) cards. EMV cards use a smart chip, rather than the magnetic stripe, to provide the information needed to complete the transaction. Unlike the old magnetic cards that you swipe, the EMV cards are “dipped” by inserting the chip side of the card into the card reader. The card stays in the device for a few seconds until the transaction is complete. One of the features of the chip is that it sends a unique token for use with each transaction making it harder for a malicious user to replicate the data, even if it is retrieved.

The EMV cards are also much more costly to create, which adds to the complexity for a theif creating fraudulent cards.

Two Options: Chip + Pin and Chip + Signature
There are two ways that EMV cards are used. The first way is called Chip and Pin. In this scenario, a user has a numeric pin that has to be input when using the card in person. This is very similar to how a debit card works today. The requirement of the pin helps protect the card from being replicated by a bad actor, or used by someone that may have stolen the actual card from you. Of course this can be a tricky scenario when you have multiple credit cards when trying to remember the pin for each card.

The other way is called Chip and Sign. In this scenario, the card owner doesn’t have a pin, but rather is required to sign for the transaction. This is very similar to how most credit cards still work today. This is actually much easier to bypass because you may be forging just a signature, not trying to come up with a pin number.

Reduces Risk for Card Present Transactions
I mentioned earlier, this only adds security to the Card Present scenario. This doesn’t change anything for the Card Not Present (shopping online) scenario. Also, know that it will be a while before we see chip only cards. For the time being the newer cards will have both a chip and the magnetic stripe. This is because it is going to be a while before every vendor makes the switch to EMV. Keeping the magnetic stripe also reduces the security a bit since there will still be a lot of places that won’t upgrade and will still use the magnetic stripe.

For Consumers
The biggest change is that you will use your card by “dipping” it, rather than swiping for in person transactions. The goal is to reduce your card being replicated by a bad actor and having funds racked up on your account. Most credit cards are zero liability so this may or may not be very noticeable to most consumers. Hopefully it will at least cut down some of the card present fraud that happens. Only time will tell.

For Businesses
The liability is changing with the push for EMV cards. If you are not following the recommended approaches, such as requiring EMV vs. the magnetic stripe, you may find yourself liable for any fraudulent charges. Make sure that you are validating the cards and the card holder when accepting credit cards to help reduce your liability. Update to accepting the EMV chip data vs the magnetic stripe.

Final Thoughts
This won’t solve all of the problems, but it is a step in the right direction. The United States is one of the last countries to adopt the chip technology. Many of the credit cards will be chip and sign, but you may get a few that are chip and pin.

Remember, no matter what technologies get added to protect our credit cards, it is still your responsibility to monitor your statements and report any fraudulent charges. it is part of the responsibility of having a credit card.

Application Logging: The Next Great Wonder

August 2, 2014 by · Comments Off on Application Logging: The Next Great Wonder
Filed under: Security 

What type of logging do you perform in your applications? Do you just log exceptions? Many places I have worked and many developers I have talked to over the years mostly focus on logging troubleshooting artifacts. Where did the application break, and what may have caused it. We do this because we want to be able to fix the bugs that may crop up that cause our users difficulty in using the application.

While this makes sense to many developers, because it is directly related to the pain the face in troubleshooting, it leaves a lot to be desired. When we think about a security perspective, there is much more that should be considered. The simplest events are successful and unsuccessful authentication attempts. Many developers will say they log the first, but the latter is usually overlooked. In reality, the failed attempts are logged most likely to help with account lockout and don’t server much other purpose. But they do. Those logs can be used to identify brute force attacks against a user’s account.

Other events that are critical include logoff events, password change events and even the access of sensitive data. Not many days go buy that we don’t see word of a breach of data. If your application accesses sensitive data, how do you know who has looked at it? If records are meant to be viewed one at a time, but someone starts pulling hundreds at a time, would you notice? If a breach occurs, are you able to go back into the logs and show what data has been viewed and by who?

Logging and auditing play a critical role in an application and finding the right balance of data stored is somewhat an art. Some people may say that you need to just grab everything. That doesn’t always work. Performance seems to be the first concern that comes to mind. I didn’t say it would be easy to throw a logging plan together.

You have to understand your application and the business that it supports. Information and events that are important to one business may not be as important in another business. That is ok. This isn’t a one-size-fits-all solution. Take the time to analyze your situation and log what feels right. But more thought into it than just troubleshooting. Think about if a breach occurs how you will use that stored data.

In addition to logging the data, there needs to be a plan in place to look at that data. Whether it is an automated tool, or manual (hopefully a mix of the two) you can’t identify something if you don’t look. All too often we see breaches occur and not be noticed for months or even years afterward. In many of these cases if someone had just been looking at the logs, it would have been identified immediately and the risk of the breach could be minimized.

There are tools out there to help with logging in your application, no matter what your platform of choice is. Logging is not usually a bolt on solution, you have to be thinking about it before you build your application. Take the time up front to do this so when something happens, you have all the data you need to protect yourself and your customers.