The successful hacking by the National Security Agency and its United Kingdom counterpart to obtain encryption keys for SIM cards and EMV chips shows that “all of this stuff can be hacked.”
So said Aite Group research director and fraud expert Julie Conroy in an American Banker article Friday. The piece was in response to a report published Thursday by The Intercept that the United States and U.K. spy agencies five years ago hacked into the network of Dutch manufacturer Gemalto and stole keys used to encrypt conversations, messages, and data traffic. The report was based on documents provided by former NSA contractor Edward Snowden.
The stolen keys were for “point-to-point” encryption, for which the payments industry is developing standards reportedly “vital” to protecting EMV transactions, according to the American Banker.
However, Greg Coogan, president and CEO of West Bay Partners, an information technology consulting company, told the newspaper that payment companies would have some protections in the case of a Gemalto hack, because financial institutions and merchants would never get email access to tokens under Visa and MasterCard security protocols.
The incident “doesn’t really [directly] address tokenization and EMV and the types of standards expected out of the people who provide those services,” Coogan told the American Banker.
Still, the government agencies’ hacking serves as a wake-up call to provide more security, he said.
“We are hoping they were doing this for a reason, in an attempt to keep us safe,” Coogan told the newspaper. “But that doesn’t preclude [someone] from causing chaos with information about EMV chips or other data.”
EMV (Europay, MasterCard and Visa) is a global standard for the interoperation of integrated circuit cards (or “chip cards”) with IC-card-capable point-of-sale (POS) terminals and ATMs. The system authenticates credit and debit card transactions.
With EMV, the party (card issuer or merchant) that has invested in EMV deployment is protected from financial liability for card-present counterfeit fraud losses. That part of the standard takes effect in October 2015.
Gemalto reportedly responded to The Intercept’s report with a public statement that similar companies were also targeted by the government agencies, and that the breach was part of an “attempt to try and cast the widest net possible to reach as many mobile phones as possible to monitor mobile communications without mobile network operators and users consent.”
The company also reportedly told its customers in a statement that it has dealt with other breach attempts and is “especially vigilant against malicious hackers,” according to the American Banker.