Robin Miller for Slashdot: Okay. So I’m going to start off by saying, today we have Jerry Irvine with us. He is a member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and he is the CIO of Pre-scient Solutions in Chicago. Now, Jerry, did I pronounce that company name right?
Jerry Irvine: It’s actually Press-cient.
Slashdot: Oh, okay, Prescient.
Jerry Irvine: Yeah.
Slashdot: Chicago. At least we got the right city, right?
Jerry Irvine: That’s correct.
Slashdot: Okay. So we were talking about credit cards which have been a problem -- as you may know if you or anyone you know has been a Home Depot or Target customer. But you know we've heard this before. Over and over again. ‘This is going to be secure blah blah blah.’ So how is this new technology different from what has gone before, what makes it better?
Jerry Irvine: Well, the existing technology is that magnetic strip on the back of your credit card.
Jerry Irvine: That magnetic strip has been around since the 1950s and contains all of your personally identifiable information for that credit card in an unencrypted manner. So if anybody gets a copy of your credit card, they can swipe it into a device and they can read your name, your information, the bank account number, all of that information on that credit card and create another one for you.
Slashdot: Oh good.
Jerry Irvine: Now the new chip, what that does is it encrypts that information so all of that information is still on the card, but it's in the chip as opposed to being available unencrypted on a magnetic strip. So it's encoded, so that even if somebody had a reader, they wouldn't be able to decrypt that information. The other thing that occurs is rather than having a credit card that is an unlimited number of transactions, you know, if somebody gets your credit card, they can go on and buy different things at different stores.
Jerry Irvine: If they get information that's on that chip, every purchase creates a separate token. It doesn't actually have the credit card information on there. So it's all tokenized. Every time it gets used, it goes to the bank and a separate token is created that then it is allowed for you to make a purchase. So if anybody stole that information, they would only be able to use it that one time for that one purchase, and actually, they wouldn’t even be able to use it as that; the purchase would already be null and void.
Actually, if they had the credit card itself and were going in and using it, they could probably still do the same thing. There are going to be methods that would keep that from happening. So all of this really comes down to multiple form factors of authentication, right? So right now that chip is a single form of identification where you put it in at Target or you put it in at another store, it's not asking you for a PIN number or anything like that, right, or a fingerprint or any other type of authentication. The next step will be to add a secondary form of authentication so that would either be some type of a biometric, a PIN or something like that. So once the technology is in place and moving forward, the idea would be they'd have to have the card with the chip in it, so something you HAVE. They would also have to have either something you KNOW like a user ID or PIN and then finally they could have something you ARE, which is a third form of authentication and that could be a biometric facial recognition and things like that.
Slashdot: So if they know things, I have this vision of people with guns standing in front of ATM saying, “What's your PIN?”
Jerry Irvine: Right.
Slashdot: “Give me your PIN, or I will do blah, blah, blah,” and it could be on my mother's maiden name too.
Jerry Irvine: That's correct, that’s correct. So you will have to make it complex, a four-digit PIN really isn't the most secure method even for bank cards and things of that nature. So having some type of biometric facial recognition or something like that in addition to a smart card like the chip would be a better means of authentication.
Slashdot: So basically this is something that the encrypted information on a chip, rather than on a magnetic strip, this is something that it won’t care. That's still going to be there. And something else: are they new? This is a real question: Are there new and exciting security flaws coming in with the chip cards?
Jerry Irvine: Well, so we’re going from 1950s technology with a magnetic strip to 1970s technology with the chip. It's been around since the 70s and so there are, you know there are some forms that can be used. So while the tokenization does help for people stealing information from point-of-sale systems directly, the theft of the card really doesn't help. I mean, if you leave your card at the table, I can walk away with it and I can still use it until you turn it off. There is still the ability for hackers to get into the point-of-sale systems or into the databases in the back and grab all the information. You know that Target incident wouldn’t have been helped with this new chip, because they actually stole user names, passwords, credit card information, social security numbers directly from the database server, not from the individual cards. So while the cards will help for an individual device they are not really going to help for back-end security.
Slashdot: I get PR email from companies that make secure wallets so that RFID readers can’t grab the info on your RFID credit cards, you have a tempested wallet. By the way, I could make one with a little bit of foil but I'm not going to tell these people who want $20 for special wallets. They don't want to hear that, do they?
Jerry Irvine: You can go to Best Buy or Staples or OfficeMax, any of the Office stores, and you can buy the RFID sleeves – just a little packet that you put your credit card in, you put it in your wallet, you don't need the whole wallet, just a little sleeve.
Now the back-end attacks obviously are more difficult. Hackers generally don't go in and attack directly to a server or directly to a firewall or some type of authentication device.
Jerry Irvine: What they do is they hack the users, right, so they send a phishing scam that then gives them a valid user ID and password, now they're able to get into the system as a person and they can copy the information, totally unencrypted and unscathed from any type of security detection device. Hacking the individual boxes, while you see that on TV and it's really cool, you get the hacker with the little zeros and ones going on the screen--that really doesn't happen that often. Not that it’s impossible, but it's a lot harder. And just like everybody else, the hackers want to do the things the easy way.
Jerry Irvine: Well, the biggest one right out the gate with the new introduction of the chip on all our credit cards is the fact that all of these credit cards that you are getting still have the magnetic strip on them. So it’s ridiculous. You have this really cool encrypted chip that's going to save all your information back anyway just – you know, so you have it in case you need it, so until that strip is gone, these credit cards are worthless, they really are.
Slashdot: So, we could use the title for this video, “Security Theater”, just like TSA. Just to use language, Security Theater, it makes everybody feel good, but as long as a magnetic strip is there.
Jerry Irvine: Yeah, it just doesn't matter, and today I went to the drugstore and got my meds and everything and my card has a chip on it, but it's got the stripe as well, so I swiped it because I didn't know they had the reader and it came up and said, “No, you've got to use your chip.” So then I go and use the chip. Well, evidently the chip on my card is bad, right? So now I can’t even use my credit card because you've got to do, it senses that you've got a chip on the card you won’t use it. So there's a lot of snags and snafus going on, the whole idea of companies now having to go in and buy this new equipment. They are spending millions of dollars to retrofit their point-of-sale systems with these EC chip readers. And it's okay. But there are other ways to do it. I mean the UPC codes that you can get on your phone. Apple Pay or Google Pay, or now Mastercard is coming up with a Mastercard Pass and all of these different things. There's going to be a number of different technologies out there. The EC is better than the magnetic strip, but electronic payment within your cards or Apple or your phone rather your Apple Pay and Google Pay and things... those can actually provide higher levels of security than the chip.