CONTINUE TO SITE »
or wait 15 seconds

Article

The dumb thing about smart cards: EMV’s identity problem at the ATM

Replacing a dumb card with a smart card doesn't solve the problem of knowing the cardholder's identity. Only with identity authentication can EMV provide a full solution for combatting fraud.

September 16, 2016

by Phil Scarfo, Vice President of Worldwide Marketing for Biometrics, HID Global

Contrary to expectations, EMV has suffered from early reports of card skimming. But shoring up EMV skimming defenses isn't the only issue facing these cards

Of greater importance is an understanding that simply replacing a dumb card with a smart card doesn't solve the problem of knowing the cardholder's identity. Only with identity authentication can EMV providers achieve a full solution for combatting fraud and — of equal if not greater importance — protecting a user's true identity.  

People don't see card skimming as a legitimate attack on their true identity (nor do they feel the pain just yet). As a result, they will continue to see an EMV card as a smart version of a dumb card that's been around a long time. While these cards will continue to be sold by the banks and card vendors as being "non-skimmable," fraudsters will continue to steal card data, creating implications for a person's true identity. 

A basic fact is that fraud flows to places where there are weaknesses. As the worldwide ATM infrastructure is upgraded to EMV, ATM skimmers will continue to slurp up the EMV track 2 data and use it to create fake cards for use in ATMs that don't yet support chip and PIN. Some regions don't yet support chip cards at all, so fraudsters will also use the fake cards there. 

One example of this phenomenon is the recent large-scale fraud in Japan using international cards. Also illuminating is the way fraud has flowed in Brazil. In this region, a card-plus-fingerprint solution using biometrics technology is authenticating more than 50 million bank customers for an estimated 2 billion ATM transactions annually at four of the country's top five financial institutions.

The fraud protection with this solution is so great that the bad guys have turned their attention to non-biometric ATMs and other applications such as point-of-sale terminals and web commerce. 

The key issue is that identity matters. It cannot be replaced by a card, token or application. It also must be protected. Each of the planet's 7.4 billion people has a unique and personal identity, which is at the core of who that person is, and the one thing that belongs exclusively to that individual. It is something to pay special attention to, to make sure it doesn't get abused by the bad guys. 

Biometrics is the best solution for solving EMV's identity problem. It is the only technology capable of protecting privacy while proving an authentication claim (i.e., that the person making an identity claim is really who he or she claims to be).

This is only true, however, if it is used in a trusted way that protects this identity. One potential approach is to have an encrypted biometric identity stored in the EMV card that allows only the legitimate cardholder to use it.

The EMV card (or token or app) could authenticate the card, and that it belongs to the person presenting it. This would fight the current direction that EMV deployments are taking, and help move the industry toward an understanding that the EMV card (or a token or app) can only authenticate the card — it can't authenticate that the card belongs to the person presenting it.

Mandates should also be in place for what data is captured, as well as where this data will be kept, who can access it, and what happens when it is hacked. Deciding what is safe to share in today's world continues to be redefined with the growing use and popularity of social media. 

The bad guys will continue to attack the weakest link in the chain, so a complete EMV solution must include both security and identity authentication. Yes, security must be built into the card, as has been attempted with EMV, but identity authentication should also be performed, and this requires some form of biometric.

As EMV cards move to phones, "on-device" biometrics will deliver a combination of convenience, security and privacy protection. Users will then have the choice of cards and mobile devices, and we will see the same concept used not only for ATM and other banking transactions, but also for similar applications such as insurance ID cards and other forms of identity that are faked for illegal gain.

graphic istock

Related Media

Security
Examining biggest ATM security issues and 4 strategies to prevent them
Security
Banking privacy: 5 benefits for banks, customers
Security
Protecting an ATM's hardware, software by slowing down criminals
On-Demand Webinar
A Masterclass in ATM Security: Global Best Practices and Trends
Presented by Diebold Nixdorf
Recent Posts
Eurasian Bank selects Diebold Nixdorf's self-service software
First National Bank to open 30 branches
Replacing the ATM: Pros and cons of new vs. remanufactured
Romanian man arrested for alleged cash trapping ATM scheme
Chase partners with The Points Guy for Make-A-Wish sweepstakes


©2025 Networld Media Group, LLC. All rights reserved.
b'S1-NEW'