
Conference Section A11, Paper 238

Disclaimer — This paper partially fulfills a writing requirement for first year (freshman) engineering students at the University of Pittsburgh Swanson School of Engineering. This paper is a student, not a professional, paper. This paper is based on publicly available information and may not provide complete analyses of all relevant data. If this paper is used for any purpose other than these authors’ partial fulfillment of a writing requirement for first year (freshman) engineering students at the University of Pittsburgh Swanson School of Engineering, the user does so at his or her own risk.

SMART CARDS: A STEP FORWARD IN DATA SECURITY

David Preiss, Mahboobin 10:00, Christian Armistead, Lora 3:00

Abstract---Americans have enjoyed the ease of swiping cards to pay for their purchases for a long time. However, such an ingrained action may become outdated with the widespread adoption of smart card technology, specifically EMV smart cards. In 2014, the transition to this technology was initiated to reduce fraud. The smart card does an effective job of covering the weaknesses of the obsolete magnetic stripe. Whereas the magnetic stripe simply holds information, the smart card has a microchip that enables it to communicate with the reader, rather than just be read, allowing it to confirm a transaction is secure. Currently, the biggest weakness of smart cards is their backwards compatibility; they still have magnetic stripes to be used on older readers, which can still be exploited. Once this technology has fully been applied and the magnetic stripe removed, fraud is expected to decrease significantly. However, this transition comes with a great cost, a liability shift from banks to retailers in the event of fraud, and possibly increased time to complete a transaction. With the transition process from magnetic stripes to EMV chips almost complete, now is a good time to reflect on the process so far, and make predictions of the long-term benefits of EMV chips.

Key Words – EMV, PINs, Magnetic stripes, Chips, CAP, Encryption

THE DOWNFALL OF MAGNETIC STRIPES

Traditional Magnetic Stripe

    Magnetic stripes were originally used on paper tickets by the London Transit authority in the 1950s [11]. They were then repurposed for identification purposes by the CIA. Magnetic stripe equipped bank cards were first introduced in 1970 by American Express to decrease the time required to complete a transaction. A transaction previously took days via a Zip-Zap machine, which imprinted the numbers on a card onto carbon copy sheets to create multiple receipts that were then delivered to a bank [11]. Because this was a long multistep process, there were multiple opportunities for fraud to take place. As the price to make these magnetic stripe cards decreased to reasonable rates of roughly five cents a card in the 1980s, Visa and MasterCard switched to magnetic stripe based cards [11]. With these new magnetic stripes, transactions took seconds rather than days, and account balances could be checked and cards rejected [11].

How magnetic stripes work

FIGURE 1 [4]: Example of F2F Encoding on a Magnetic Stripe

    The magnetic stripe on a typical bank card contains the owner's name, account number, card number, expiration date and CVC (card verification code). Information in the magnetic stripe of a card is stored by altering the polarity of particles in the stripe to define a bit [9]. There are multiple encoding schemes that can be employed. In F2F encoding, a bit is a set length of particles, and the binary values are determined by the presence or absence of a polarized particle in the center. There will be roughly 200 bits per square inch of the magnetic stripe [9]. How the bits are used to store data depends greatly on the type of data stored and the method used to read it. This is because an integer value as large as 2.1 billion can be stored in 4 bytes, or 32 bits, while a single character value component of a string variable is a whole 2 bytes of memory, or 16 bits. Because of the limited storage space, encryption of data on a magnetic stripe is not commonly applied. A typical card has three tracks, or rows, of data. Track one holds all data related to the account, stored in 7-bit characters. Track two contains the same data, but in 5-bit characters. Track three was intended to store account balance and be rewritten after every transaction, but it is seldom used [10]. Since this stripe contains all the information needed to make a purchase, a criminal simply needs to make a copy of your card to make fraudulent purchases, and with how elementary the magnetic stripe is, criminals can and do copy cards.

Weaknesses of the Magnetic Stripe

University of Pittsburgh, Swanson School of Engineering. Submission date: 03.31.2017


FIGURE 2 [10]: The Disguised Shell of a Card Skimmer

FIGURE 3 [10]: The Internals of a Card Skimmer Within its Shell

    Although the magnetic stripe was such a massive improvement over its predecessor, the magnetic stripe system is in need of replacement because of its age and simplicity. Simplicity itself is not inherently a problem, but because the technology is all old and primitive, criminals can cheaply commit fraud for large gain. One such practice criminals utilize is card skimming. Card skimming is the practice of hacking or rigging card reading infrastructure to collect account information. A cheap prebuilt card reader can be purchased online and can be simply modified to be a skimmer. All that must be done to have a functional card skimmer is removing the internal components from the prebuilt scanner and adding a small power source and a small flash storage unit. With the widespread use of 3D printing technology, all that some scheming criminal needs to do is print out an inconspicuous cover for their device, and attach it to an ATM, gas pump, self-checkout station, or anything else that people would use a bank card for. Some more elaborate devices may even have a fake keypad that records keystrokes to capture PINs, or contain tiny cameras that record PINs. In addition to simply modifying prebuilt readers, a makeshift card reader, such as the one shown in figures 2 and 3, can be created out of a pair of audio read heads that read the differences in magnetic fields on the stripe and convert them into audio files to be decoded into account information later. One does not even have to have this small amount of technical knowledge to steal account information; anyone can buy pre-built devices on the black market that only need to be installed. Or, they could simply buy stolen account information from another criminal.

    Another stratagem to compromise consumer accounts is working at high end restaurants and swiping clients’ cards before returning them. In 2011 a gang of 28 was indicted for a similar ploy. Seven waiters at a classy steakhouse in New York City extracted data from “black cards,” credit cards with high or no limit, by swiping them with miniature portable card readers that were kept in their pockets. Members of the ring then manufactured copies of the cards and fake IDs to use them. When this gang was finally busted, authorities seized more than 1.2 million dollars in cash, and over 1 million worth of goods from them [12].

    Once the account information has been stolen, the perpetrator has a variety of options to get money. If they collected the data themselves, they could sell it as mentioned previously, or they could make clones of the card like in the steakhouse scheme. Because of how simple a magnetic stripe is to manufacture, this is quite easily accomplished. Once they have these cloned cards, the cards are tested on small purchases that are unlikely to trigger any alert. Once they are confirmed to work, they are used to make expensive fraudulent purchases; these luxury items are then resold. In addition, once they have the account holder's information, they may attempt to take out new credit cards in the victim’s name [13]. Even a fraudster without the knowledge to make a counterfeit card can still engage in CNP (card not present) fraud by making online purchases with stolen account information.

    Credit and debit card fraud has almost entirely replaced bank robbery. According to Doug Johnson, the vice president of risk management policy for the American Bankers Association, the average haul for a bank robbery is between $3,000 and $4,000 [10]. Another estimate from the FBI in 2010 is an average of $7500 [13]. The money is recovered from 22% of successful bank robberies in the United States. Bank robberies were down significantly between 2004 and 2010, from over 7500 to 5500 [13]. While ordinary bank robbery has been declining, banks are being robbed even more through skimming practices; in 2011, the average skimmer brought home $50,000. Since banks do not guard every single ATM, the odds of getting caught are far smaller, the payout is larger, the amount of planning is lower, and the prison sentences are lower, if the fraud does not cross state lines.

The Final Straw

    While the costs of random fraud were cheap enough for banks to put off upgrading infrastructure, large scale data breaches such as those inflicted upon Target, Home Depot, and Sony may have been enough to cause banks to switch. In the Target hack alone, estimates of how many customers may have had their information stolen were as high as 70 million [1]. Target provided affected customers with one year of free credit monitoring and theft protection to attempt to make up for the actions of the hackers. According to a Target financial statement, the data security gap cost 252 million, but insurance coverage paid out 90 million, and tax deductions reduced the total loss to 162 million [14]. This is 0.1% of Target’s 2014 sales [14]. Since the main burden of the losses fell upon customers and banks, rather than Target, companies are not as greatly incentivized to have strong security. However, following these cyberattacks, the attention of Congress was drawn towards data security. Proposed legislation would require organizations to inform their customers of data breaches and penalize them for breaches, which would cause them to prioritize data security [4].

THE RISE OF SMART CARDS

History of smart cards

    While EMV smart cards may seem new, the technology has been around and in use for decades. The invention of the smart card is difficult to attribute to a specific time or person, with claims pointing to multiple similar patents filed in the late 1960s and early 70s. However, most sources agree that a lot of the credit lies with Roland Moreno, a French engineer who came up with the idea in his sleep. He filed for the patent on March 23, 1974, marking the most important invention of his career [17]. While there were companies such as Motorola developing smart cards within a few years, it wasn’t until the 1980s that they started seeing use. In 1986, the first standard for financial smart cards was the Carte Bancaire M4 from Bull-CP8 deployed in France. In 1994 came the publication of a new standard for smart cards called EMV, named for the three companies that authored it: Europay, MasterCard, and Visa. The code was written to be backwards compatible with preexisting systems such as the French Carte Bancaire and the German Geldkarte [17].

    Over the next decade interest in and use of EMV smart cards exploded across Europe, with these cards quickly becoming the standard for digital transactions. Other continents adopted the technology more slowly, with many Asian, African, and South American countries making the switch in the early 2000s. The US has used the technology for small scale closed financial and security systems but is only now seeing widespread use as a banking standard. Today, the EMV standard is managed by EMVCo LLC, which is equally owned by American Express, JCB, MasterCard, and Visa [17].

How smart cards work

    Swiping a magnetic stripe card is nearly instantaneous because there is virtually no security. The magnetic stripe is quickly and completely read like a bar code. However, when using an IC chipped EMV smart card, you might notice that the card must stay inserted for a couple of seconds before it can be removed. This is because, unlike the magnetic stripe, where there is a direct and complete transfer of information, like a person reading a book, there is a back and forth interaction between the card and the reader. This is conceptually more akin to a conversation between two people who do not fully trust each other. Let’s take this systematically.

    First the chipped card is inserted into the terminal. The card then performs a risk assessment based on how the issuer has programmed the chip. The terminal responds with its own risk assessment. The two risk assessments are compared. Then there is the determination to go online. When it goes online, all the EMV related data is inserted into one new field in the messaging, referred to as field 55, and that data is passed all the way up through the authorization system [17]. Now in the authorization system, the issuer has new dynamic data that is generated for every transaction. The issuer then sends the terminal instructions that will vary from card to card [17].

    Unlike magnetic stripes, which all share the same basic format to make processing easier, EMV chips do not all share the same information or storage method. The bank and manufacturer suddenly have a large amount of influence on the contents of the chip. Now, in order for the terminal to read the chip, it has to analyze the contents and format, since these chips can store a massive variety of types of information in drastically different ways. This leads to a longer process to build software and hardware.

    Whenever an entity such as a payment network like MasterCard wants to create a smart card-based application, it needs to register for an Application ID (AID). This accomplishes a few goals. Firstly, it establishes international recognition of the ownership of that application. In addition, it registers the application logic on the card. The role of the AID is to identify what application is on the card and what operation rules it can follow. That way, if a terminal identifies an AID on a card that matches one that is stored in its database, it initializes the procedure to process that card. Each corporate entity/application type has its own AID. Terminals for reading EMV chips come with a specific set already loaded onto them to ensure they can read common AIDs [17].

The AID is merely the gateway to the large amount of data stored on the chip. While these chips have far larger storage capacities than magnetic stripes, there isn’t any additional personal information stored on the chip; the extra space is just used for security purposes [17].

The formatting of information in the magnetic stripe of either a normal card or a smartcard is called CVC1 or CVV1 and is different from that of the chip which is called Chip CVC. This means that if an inserted chip transaction is skimmed and printed to a fake magnetic stripe, it won’t work at all, but rather will trigger an alert [17].

Thus, the EMV standard provides what is called card stock security, in that it works to prevent the creation of functional counterfeit cards. Card stock refers to the physical card itself along with the default architecture and programs it has before being issued to a user. Even if a profiteering hacker got a hold of an already manufactured chip card that they wanted to copy a different card’s information onto, they’d first have to get past the security within the card itself before they could alter any of the programs on it. They would need a security key; these are keys that must be submitted to the memory of the chip before it can even be programmed. Even if an unissued card is stolen, it’s still completely useless without corresponding data keys [17].

The online card authentication method (CAM) relies on a cryptographic key shared between card and issuer. The terminal generates a random number, which both the issuer and the card use their keys to convert into another number; the card’s answer is sent to the issuer to compare to the issuer’s answer. If they match, the issuer can trust that the card is legitimate. Then the process is repeated with the issuer sending its answer to the card so that the card can trust that the issuer is legitimate. The issuer may also send additional commands back to the card along with this code, since both have been confirmed authentic to each other at that point. As a result of this mechanism, anytime an EMV smart card is successfully used in a transaction, it will download any and all post issuance card updates from the issuer. This will help to rapidly respond if any bugs, exploits, or other flaws in the software of the card are detected.

The fact that there is more space on the IC chip means that new EMV smart cards can send more information about the transaction back to the issuer. This includes date, time, and place of the transaction as well as the properties and capabilities of the terminal being used. This is perfectly safe because once the smart card is plugged in and is being run, it is in complete control, like a brain. The terminal is merely acting as a source of power and internet connection, like the rest of the body. In order to be anything more than that, the terminal would have to have the secret security key that both the card and the issuer have. This extra information is vastly important because it allows issuers to accept more transactions that would otherwise have to be declined based on the smaller amount of information. It also gives issuers more insight to make sure that there are not more signs of potential risks that would lead to the transaction being declined. This extra data can also be used to track fraudulent purchases more easily [17].

This system of a shared secret between the EMV smart card and the issuer is called symmetric key technology. However, if the terminal doesn’t have a connection to the internet, and thus a connection to the issuer, how would it be able to verify the EMV smart card without knowing the secret? The answer is asymmetric key technology. The issuer would have a public key that would be sent out to all the retailers to put into their terminals. The card would also have the public key, but would use its private key to “sign” the public key. That way the terminal can verify the card’s authenticity without contacting the issuer [17].
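The online challenge-response exchange described above, sketched as an added example (not code from the paper or from any EMV specification). HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, account label and transaction string are constructed for illustration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 8  # bytes kept from each answer (assumption for this sketch)


def keyed_answer(key: bytes, role: bytes, *parts: bytes) -> bytes:
    """Convert the inputs into "another number" using the shared key.

    HMAC-SHA256 is a stand-in chosen for this example; it is not the
    cryptogram algorithm that real EMV cards use.
    """
    mac = hmac.new(key, role, hashlib.sha256)
    for part in parts:
        # Length-prefix every field so field boundaries cannot be shifted.
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()[:MAC_LEN]


class Card:
    """Chip card: holds the shared secret and never reveals it."""

    def __init__(self, account: str, key: bytes):
        self.account = account  # static data, the kind a stripe also carries
        self._key = key         # secret known only to card and issuer

    def answer(self, challenge: bytes, txn: bytes) -> bytes:
        return keyed_answer(self._key, b"card", challenge, txn)

    def trusts_issuer(self, own_answer: bytes, issuer_answer: bytes) -> bool:
        expected = keyed_answer(self._key, b"issuer", own_answer)
        return hmac.compare_digest(expected, issuer_answer)


class Issuer:
    """Issuer: keeps one secret key per issued card."""

    def __init__(self):
        self._keys = {}

    def issue_card(self, account: str) -> Card:
        key = secrets.token_bytes(16)
        self._keys[account] = key
        return Card(account, key)

    def authorize(self, account, challenge, txn, card_answer):
        """Return the issuer's own answer if the card's answer matches, else None."""
        key = self._keys.get(account)
        if key is None:
            return None
        expected = keyed_answer(key, b"card", challenge, txn)
        if not hmac.compare_digest(expected, card_answer):
            return None
        return keyed_answer(key, b"issuer", card_answer)


class CloneWithoutKey:
    """Counterfeit holding skimmed static data and one recorded answer, but no key."""

    def __init__(self, account: str, recorded_answer: bytes):
        self.account = account
        self._recorded = recorded_answer

    def answer(self, challenge: bytes, txn: bytes) -> bytes:
        return self._recorded  # all it can do is replay what it saw


def terminal_transaction(card, issuer, txn: bytes):
    """The terminal only supplies a fresh random number and relays messages."""
    challenge = secrets.token_bytes(8)
    card_answer = card.answer(challenge, txn)
    issuer_answer = issuer.authorize(card.account, challenge, txn, card_answer)
    return card_answer, issuer_answer


def demo():
    issuer = Issuer()
    card = issuer.issue_card("ACCT-CONSTRUCTED-0001")  # constructed sample value
    txn = b"amount=12.50;merchant=EXAMPLE"              # constructed sample value

    # 1. Genuine card: issuer accepts it, then the card checks the issuer.
    card_answer, issuer_answer = terminal_transaction(card, issuer, txn)
    genuine = issuer_answer is not None and card.trusts_issuer(card_answer, issuer_answer)

    # 2. A clone replays the recorded answer against a new random number.
    clone = CloneWithoutKey(card.account, card_answer)
    _, clone_result = terminal_transaction(clone, issuer, txn)

    # 3. A party without the key pretends to be the issuer.
    forged = secrets.token_bytes(MAC_LEN)
    fake_issuer_trusted = card.trusts_issuer(card_answer, forged)

    return {
        "genuine": genuine,
        "clone_accepted": clone_result is not None,
        "fake_issuer_trusted": fake_issuer_trusted,
    }


if __name__ == "__main__":
    print(demo())
```

Because every transaction uses a new random number, a recorded answer is useless for the next one, which is the property a static magnetic stripe cannot offer.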

Benefits and limitations of Smart cards

In the transition from the magnetic swipe card to the new chipped EMV smart cards, there will be both benefits and limitations. Overall, it will be a net positive, but the introduction of a completely new way to do something so ubiquitous is bound to cause some trouble. Thankfully, most of the issues come from the transition itself and not the actual smart cards. Some of the limitations in this transition will be monetary cost, time cost, and security cost.

The monetary costs of the switch to smart cards will include the manufacturing of the actual cards themselves, as they now have what is essentially a miniature computer built into them. While large factories and mass production lower the cost, it's still more expensive than not switching at all, at least at face value. Retailers will also have to buy expensive new card readers, adding to their costs. Another thing that will affect retailers is the time cost of the transition.

While using a smart card only takes around 30 seconds, it’s still considerably longer than the single second taken to use an old magnetic stripe card. These seconds could add up, making lines longer. Retailers might not want to be known as having slow service in comparison to their competitors, and could potentially lose business because of it. This extra time has also caused American issuers such as Chase to avoid implementing PIN authentication, instead opting for a signature in order to keep the overall time to complete a transaction down. This is a bit of an issue because a signature can be easily forged, but a PIN is secret by nature. There are also other security concerns.

While the switch to IC chip EMV smart cards won’t introduce any new security liabilities, it will continue to have some of the same problems that magnetic swipe cards had. If the new smart card utilizes its backwards compatibility and is used as a magnetic stripe card, it can be skimmed, copied, and fraudulently used just like a magnetic stripe card. If the card itself is stolen, it can still be fraudulently used if it is tied to a signature instead of a Personal Identification Number (PIN). However, this can be avoided if a user reports a lost or stolen card to their issuer as soon as possible.


Sustainability

The transition to smart cards also brings an increase in efficiency and sustainability in addition to increased security. In computer engineering, sustainability is not so much about preserving, improving, or minimizing impact to the environment, but rather about increasing efficiency and lifespan, and decreasing cost and man-hours for a task. In this form of sustainability, smart cards are a huge improvement over traditional magnetic stripe cards. While the cost to produce a smart card is higher than the cost to make a magnetic stripe card, smart cards lower business costs for the issuers. A smart card reader is more reliable and has a longer life span [19]. This drastically lowers system maintenance costs. With the threat of “man-in-the-middle” or Trojan horse security breaches significantly reduced, larger balances can safely be kept in personal or business accounts, decreasing the number of transfers. In addition, smart cards increase trust in the security of an account. Smart cards tend to have a longer life span than magnetic stripe cards, not only because fewer account breaches require the cards to be replaced, but also because chips are not as vulnerable to strong magnets as the magnetic stripe. Every time a card must be replaced, the replacement comes at the cost of a new card and an employee’s time spent issuing and activating it. In addition, it is an inconvenience to the client. Even a slight reduction in card replacements represents a substantial amount of savings for card issuers. When the massive amount of money saved from preventing fraudulent charges is taken into account, the savings from the switch to the EMV standard are massive. Unfortunately, due to the nature of the mandated transition to EMV chips, the abandonment of magnetic stripes and their infrastructure as the primary transaction method cost a huge amount of time and money, most of it at the expense of retailers. In addition, with transactions taking longer to complete, checkout lines are longer in EMV compliant stores. However, Visa and MasterCard are planning to address this issue by improving the certification process and further developing their EMV terminal software [15]. While these updates are not expected to happen quickly, once implemented, they should reduce the time to complete a transaction to acceptable levels.

IMPLEMENTATION AND EXPECTED OUTCOME

Implementation

    The implementation of smart card infrastructure has been poor at best. The cost of replacing every ATM and card reader has been amazingly high, costing between $100 and $600 per machine, and since the United States has only recently switched to the EMV standard, there are a large number of card readers that still are not compatible with chip and PIN. In an attempt to accelerate this, a liability swap was mandated. After October 1, 2015, merchants and banks that accept transactions from smart cards and are unable to service the new microchip can be held liable for fraudulent transactions that are the result of insecure terminals. “To be clear, old magnetic stripe cards still work, and EMV-enabled point-of-sale (POS) terminals will continue to accept them, but if a noncompliant merchant is confronted with a fraudulent transaction, the financial consequences of continuing to use old magnetic stripe technology could be steep. [2]” This is meant to incentivize retailers to upgrade their card reading infrastructure sooner rather than later. However, this policy is not perfect; small businesses may struggle with the cost of replacing readers which may even be new and fully operational. This plan is not without other flaws; it is often hard to determine where the information from a card may have been stolen from. To make matters even worse, many vendors that are already EMV compatible ask customers to swipe rather than dip their cards. The biggest mistake that the banks made was waiting so long to even begin switching to the EMV standard, since banks in the United States were still deploying non-EMV machines and scanners long after other countries were fully reliant on chip and PIN. This hesitation combined with the rather poor compliance has resulted in an inability to fully benefit from the added security the chip adds. The process was further delayed, since at each step of the process, each organization was looking out for its own bottom line.

    Because of these delays, all of the current cards are still backwards compatible; they have the weaknesses of both the magnetic stripe and the chip and PIN system, and will until all the machines are updated. The magnetic stripe cannot be removed, or customers may be unable to use their bank cards at some locations that have not yet updated their machines [7]. The United States’ failure to switch from chip and signature to chip and PIN also greatly handicaps the ability of the smart card to have a noticeable effect, since the signature is not nearly as secure as a PIN is for verifying the identity of the user. However, it is possible that the United States will gradually shift to PINs as the EMV system is fully installed. Europe’s system is not perfect either; the customers are held responsible for all fraudulent charges, rather than the banks or retailers. This requires consumers to be far more vigilant of their accounts. In 2014, “globally, card fraud amounts to some $11 billion annually, with the U.S. accounting for roughly half that total even though the country only produces about one-third of all card transactions [8].” Once the EMV system has been applied, the United States is expected to drop down to around the one-third of global card fraud that would be expected, although it may still be a bit higher because of less vigilant consumers. It is estimated that by the end of 2017, 90% of EMV terminals will be ready to be used, which means that by 2018 or 2019 we should expect to see full implementation and removal of the magnetic stripe [7].

Ethics

    Our progress towards the switch to the EMV standard has not been without controversy. “According to the industry group EMV Migration Forum, there are roughly 5 million EMV-ready terminals at U.S. stores right now, but only 1 million have started accepting chips [16].” This means that the majority of EMV-ready terminals are still not even working, despite the new hardware already being in place. “While it might seem obvious to blame stores for not enabling the devices, some merchants are blaming the banking industry, and a lawsuit filed last week in a California federal court claims that the banking industry collaborated to hand the bill for fraud to store owners [16].” This alleged liability dump is possible, since retailers need not only new EMV-compliant hardware but also new software. “Getting the terminal to accept EMV cards is a two-part process. First, the merchant either needs to load newly developed software or integrate new software from a third party into its back-office systems to allow the terminal to accept EMV. Second, then the new terminals and the merchant need to undergo a certification process with each of the card networks, typically done in combination with its merchant acquiring bank. The certification queue is currently very long as you can imagine that there are several merchants seeking to roll out EMV at the same time,” says Michael Moeser, director of payments at Javelin Strategy and Research [16]. The banks are not motivated to quickly certify each merchant, but rather are incentivized to bog down the process, since until the merchants are certified, they are held liable for fraud rather than the bank reclaiming liability. Since it has been over a year since the liability swap took place, it is inexcusable for vendors to still be waiting on the banks to certify them and reassume liability.

An air of suspicion is raised because large companies such as Target or Walmart, which have the money and lawyers to take on the banks, were quickly certified. When businesses are found liable, they not only have to pay for the chargebacks, but often the bank will impose another fee on them, ranging from 5 to 30 dollars. However, in all fairness to the banks, “federal law designed to promote competition in debit card processing requires that merchants have a choice of networks for processing payments, but that made writing software for EMV debit cards much more complex [16].” Every card issued must be capable of operating with at least two separate processing networks, which greatly slows the installation process for the EMV system. Terry Crowley, CEO of TranSend (a company that produces EMV software), said “software code for card-accepting devices was historically simple enough to be written on the back of a business card. Now with EMV, that same software wraps around the walls of a room three times ... hundreds of thousands of lines of code.” With the liability shift deadline having passed, Crowley says, suddenly there is a 'fire drill' to replace all of this simple software, compounded by the facts that the EMV code is hard to write, harder to certify and that few EMV software developers understand the U.S. market [16]. The banks are certainly getting the better end of the deal. Merchants must replace far more machines than banks do, and they can now be held liable for fraud. Despite these snags, as implementation reaches complete saturation, these EMV chips will reduce fraud, and that was the ultimate goal of the transition.

SOURCES

[1] M McGrath. “Target Data Breach Spilled Info On As Many As 70 Million Customers.” Forbes Magazine. 1.10.2014. Accessed 1.12.2017. http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#3b22231e6bd1

[2] E Marshall, Lattin Maayan. “Understanding the Payment Card Fraud Liability Shift.” American Bar Association Section of Litigation. 11.3.2015. Accessed 1.12.2017. http://apps.americanbar.org/litigation/committees/commercial/articles/fall2015-1115-understanding-payment-card-fraud-liability-shift.html

[3] “About Smart Cards: Introduction: Primer.” Smart Card Alliance. No Date. Accessed 1.12.2017. http://www.smartcardalliance.org/smart-cards-intro-primer/?redirect=http%3A%2F%2Fwww.smartcardalliance.org%2Fsmart-cards-intro-primer

[4] B Fung. “The bright side to the Target hack? It’s getting Congress moving.” The Switch. 1.10.2014. Accessed 1.12.2017. https://www.washingtonpost.com/news/the-switch/wp/2014/01/10/the-bright-side-to-the-target-hack-its-getting-congress-moving/

[5] C Medich, S Swaminathan, K Urban. “Maturity of Smart Card Chip Technology and Its Application to Web Security.” W3.org. No Date. Accessed 1.12.2017. https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers/webcrypto2014_submission_3.pdf

[6] A Nguyen. “Smart Card Security.” SmartCardBasics. Accessed 1.12.2017. http://www.smartcardbasics.com/smart-card-types.html

[7] T Quimby. “FBI warns new chip cards insecure among growing fraud.” The Washington Times. 11.15.15. Accessed 1.26.2017. http://www.washingtontimes.com/news/2015/nov/15/credit-card-chip-technology-not-more-secure-than-m/


[8] P Sabatini. “'Smart cards': Chipping away at credit card fraud.” Pittsburgh Post Gazette. 5.10.2014. Accessed 2.26.2017. http://www.post-gazette.com/business/finance/2014/10/05/Smart-cards-Chipping-away-at-credit-card-fraud/stories/201410050061

[9] S Halliday. “Introduction to Magnetic Stripe & Other Card Technologies.” High Tech Aid. 4.24.1997. Accessed 2.19.2017. http://www.hightechaid.com/tech/card/intro_ms.htm

[10] S Gallagher. “Automated robbery: how card skimmers (still) steal millions from banks.” Ars Technica. 6.27.2012. Accessed 2.19.2017. https://arstechnica.com/security/2012/06/automated-robbery-how-card-skimmers-still-steal-millions-from-banks/

[11] M Frelick. “The rise and fall of the magnetic strip card.” CreditCards.com. 6.12.2011. Accessed 2.26.2017. http://www.creditcards.com/credit-card-news/history-credit-card-magnetic-stripe-1273.php

[12] N Rosenberg. “28 Indicted in Theft of Steakhouse Patrons’ Credit Card Data.” The New York Times. 11.18.2011. Accessed 2.26.2017. http://www.nytimes.com/2011/11/19/nyregion/28-indicted-in-theft-of-credit-card-data-at-steakhouses.html

[13] J Koebler. “What You Should Know Before Robbing a Bank.” US News. 5.11.2012. Accessed 2.26.2017. https://www.usnews.com/news/articles/2012/06/11/what-you-should-know-before-robbing-a-bank

[14] M Kassner. “Data breaches may cost less than the security to prevent them.” TechRepublic. 4.9.2015. Accessed 2.26.2017. http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/

[15] I Kar. “The chip card transition in the US has been a disaster.” Quartz. 7.29.2016. Accessed 2.26.2017. https://qz.com/717876/the-chip-card-transition-in-the-us-has-been-a-disaster/

[16] “Retailers have chip card readers -- why aren't they using them?” CBS News. 3.12.2016. Accessed 3.1.2017. http://www.cbsnews.com/news/retailers-have-chip-card-readers-why-arent-they-using-them/

[17] “How EMV (Chip & PIN) Works - Transaction Flow Chart.” Level2kernel. Accessed 3.2.2017. https://www.level2kernel.com/emv-guide.html

[18] “Glossary of EMV Terms.” Level2kernel. Accessed 3.2.2017. https://www.level2kernel.com/emv-guide.html

[19] “Smart Card Overview.” Smart Card Basics. Accessed 3.29.2017. http://www.smartcardbasics.com/smart-card-overview.html

ACKNOWLEDGEMENTS

We would like to thank our Co-Chair Samuel Birus, and our Chair Adam Balawejder for all their help and feedback.

We would also like to thank our writing instructor Janine Carlock for all of her feedback on each revision.
