Modernizing Authentication — What It Takes to Transform Secure Access
Credit cards are not secure. That has been the case for a long time, and it remains the case today. It is why point-of-sale malware has been so popular among hackers and their dark Web customers, and it is why major retailers like Target, Home Depot and Michaels, and other businesses like Anthem and Adobe have suffered so many headline-snagging breaches.
Some blame traditional U.S. credit-card technology, the magnetic "swipe-the-stripe" cards popularized by IBM decades ago. Today, most countries favor EMV ("Europay, Mastercard and Visa") credit cards that use a computer chip. EMV cards uniquely encrypt transaction data on a per-use basis, arguably making them much more secure. For these reasons, banks and credit card companies in the U.S. are pushing to make EMV the standard stateside.
Yet EMV cards are full of their own security flaws – including a lack of actual authentication during PIN verification – making them similarly vulnerable to the kind of card skimming hacks to which magnetic stripe cards can fall prey (albeit with different technology). Making matters worse, many EMV card fraud victims have had to deal with a disputatious customer service department refusing to accept that fraud occurred because their records show – erroneously – that the cardholder's PIN was verified.
Indeed, many of the EMV vulnerabilities are part and parcel of a poor security culture in which banks, credit card companies and retailers assume that EMV is impenetrable. As any information security expert knows, no system is impenetrable.
…except, possibly, a quantum computing system.
Credit Card Encryption You Cannot Crack
New credit card encryption research based upon quantum computing may make all of these problems go away – by making both magnetic stripes and EMV obsolete. Researchers have proposed a solution for a truly unhackable credit card that utilizes quantum cryptography, which some boast is truly uncrackable.
The proposed security arrangement, dubbed "quantum-secure authentication" ("QSA"), would employ "a strip of nanoparticles" attached to a credit card instead of a magnetic stripe or a traditional embedded computer chip. The nanoparticles would be zapped with a laser to create an inimitable pattern.
Because the system would exploit quantum mechanics, using light in multiple simultaneous states, the laser-created pattern could never be observed – let alone copied. This, researchers say, creates a huge advantage over traditional credit cards of both the magnetic stripe and EMV variety because the sensitive data stored on the credit card becomes effectively inaccessible to deconstruction – even if the encryption key is known.
The system works upon the principles of what is known as blind quantum computing, which presents exciting opportunities to make information systems more secure because of its reliance upon the quirky, quarky nature of quantum physics.
At the subatomic quantum level, matter can exist in multiple states simultaneously – and, by extension, so can light. This lends itself well to the fundamentally binary manner in which computing is conducted – e.g., "0" versus "1" or "on" versus "off." Because of the observer effect, the mere act of observing or recording these quantum states will change them, theoretically making it impossible to compromise quantum computing-based security and, therefore, QSA-protected credit cards.
High Cost of Credit Card Fraud
The QSA solution, if widely adopted, could have a major worldwide economic impact. There is a great deal of money at stake when it comes to solving the credit card security problem. Credit card fraud costs the world about $14 billion annually, with U.S.-based credit card fraud accounting for half of that figure. Target's 2014 data breach alone, which compromised about 40 million payment cards, carried gross costs in excess of $250 million.
A substantial credit card breach can net a bundle for enterprising hackers. According to a 2013 Dell SecureWorks report, basic credit card information (including cardholder name, credit card number, expiration date and CVV code) alone is typically worth a dollar or two per card – more in the case of a non-U.S. credit card, and much more (up to 12 percent of the verified available balance, in some cases) in the case of prestige credit cards such as platinum, diamond or black cards. Additional credit card data – including PINs and full Track 2 credentials on magnetic stripe cards – can reportedly yield a premium as well. (Again, this highlights the importance to hackers of POS malware, which can effectively swipe this data en masse.)
In addition to the notion of permanently stemming the tide of credit card fraud, researchers suggest that QSA could also be used to secure other forms of identification, such as passports. For now, however, quantum computing research is still relatively nascent.
In the interim, digital security company Oberthur Technologies has developed a solution called dynamic CVV that is based upon combining a security token with credit cards. Oberthur's solution – which, admittedly, is 10 to 50 times more expensive than existing credit cards – involves placing in the card a lithium ion battery-powered random number generator in lieu of a permanently printed CVV code. By generating new three-digit values for a CVV code more than once an hour, Oberthur's dynamic CVV would prevent hackers and criminals from being able to make use of any compromised customer CVV data from a retailer's systems.
While this will only help to prevent online credit card fraud (there's not much you can do if a criminal has physical possession of your actual credit card), dynamic CVV – which could enter the market as early as 2017 – presents a good and highly attainable start on the secure credit card of the future. If combined with QSA, a truly unhackable credit card might be a reality within our lifetimes.
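The rotating-code idea behind dynamic CVV can be sketched as follows; this is an added example, not Oberthur's design or code from the article. It assumes a per-card secret shared with the issuer, an HMAC over the card number and a 20-minute time window, one window of clock-drift tolerance, and a per-card failure limit; all names and sample values are constructed.

```python
import hashlib
import hmac
import struct

WINDOW = 20 * 60  # assumed rotation period in seconds: three new codes per hour

def dynamic_cvv(secret: bytes, pan: str, unix_time: int) -> str:
    """Three-digit code for the time window containing unix_time."""
    msg = pan.encode() + struct.pack(">Q", unix_time // WINDOW)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # HOTP-style dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"

def accepted_codes(secret: bytes, pan: str, now: int, drift: int = 1) -> set:
    """Codes the issuer accepts: current window plus `drift` earlier ones."""
    return {dynamic_cvv(secret, pan, now - k * WINDOW) for k in range(drift + 1)}

class Issuer:
    """Hypothetical issuer-side check with a per-card failure limit."""
    def __init__(self, secrets: dict, max_failures: int = 3):
        self.secrets, self.max_failures, self.failures = secrets, max_failures, {}

    def verify(self, pan: str, cvv: str, now: int) -> bool:
        secret = self.secrets.get(pan)
        if secret is None or self.failures.get(pan, 0) >= self.max_failures:
            return False                            # unknown or locked card
        ok = any(hmac.compare_digest(cvv, c) for c in accepted_codes(secret, pan, now))
        self.failures[pan] = 0 if ok else self.failures.get(pan, 0) + 1
        return ok

def replay_rate(secret: bytes, pan: str, stolen_at: int, windows: int) -> float:
    """Fraction of later windows in which a code stolen at stolen_at still verifies."""
    stolen = dynamic_cvv(secret, pan, stolen_at)
    hits = sum(stolen in accepted_codes(secret, pan, stolen_at + w * WINDOW)
               for w in range(2, windows + 2))
    return hits / windows

# Constructed sample data: test card number and secret, not real values.
PAN, SECRET = "4111111111111111", b"constructed-per-card-secret"
T0 = 1_700_000_000 // WINDOW * WINDOW              # a window boundary

if __name__ == "__main__":
    issuer = Issuer({PAN: SECRET})
    code = dynamic_cvv(SECRET, PAN, T0)
    print("fresh code accepted:", issuer.verify(PAN, code, T0 + 60))
    print("replay success rate over 2000 later windows:",
          replay_rate(SECRET, PAN, T0, 2000))
```

A three-digit code leaves a residual chance that a stale value matches a later window by coincidence, which is why the sketch pairs rotation with a failure limit on the issuer side.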
Joe Stanganelli is a writer, attorney and communications consultant. He is also principal of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.