Thursday, September 4, 2014

The Internet of Things (IoT)

Image credit to Neil Hughes

IoT (or the Internet of Things) is a new acronym you may have been hearing lately.  What does it mean?  Simply put, it is physical objects with the capability of being accessed through the Internet.  The objects could be part of a complex system (manufacturing floors, energy grids, healthcare devices, transportation systems) all the way down to simple devices such as your phone, wrist watch, Nest home thermostat, smart TV, streaming video device, etc.

We live in an exciting time with useful new devices that allow us to access, monitor or manage things remotely.  Unfortunately many of these cool new devices ship with little or no security or privacy controls to prevent others from accessing the device or its data out of the box.  Devices may be configured with weak default passwords (such as "password" or "1234"), with insecure services turned on (such as telnet), or with apps that allow any user to bypass authentication.  Instructions may be written without regard for the controls that must be applied, installers aren't configuring them, or consumers do not have the knowledge or skills to make changes. 

The problem is that developers of new IoT devices want a piece of the pie.  If they make their devices too complicated to install or use, consumers will pass them by for a device that is simple.  They also want their product to hit the shelves quickly.  The bottom line is that each time information, data or equipment is compromised by hackers, we all pay.  We've probably all heard about baby monitors being accessed by hackers, as well as the recent breach of celebrity images.  It's a big problem that will only get larger as time goes on.

Most consumers want the technology today and don't want to learn something new to make it work.  The obvious solution is for developers to build their devices securely before the product hits the market.  OWASP publishes the "Top 10" list of web application vulnerabilities, and the separate resource site BuildItSecure.ly provides security best practices for device makers. 

The problem is that developers can't fix the problem with code alone; they need consumers to meet them half way.  A few steps consumers need to follow include:
  1. Install and configure a firewall on your home network.  Change the default administrator password on the router (default passwords are one Google search away). 
  2. Install a full-service antivirus program that includes malware protection, a software firewall and a website advisor.  
  3. Never install pirated software.  Beware of download sites such as download.com, where software may be bundled with adware or malware. 
  4. Be cautious about opening email attachments.  Malware is often installed from email attachments.  Take a few minutes to think about the validity of the information in an email message.   
  5. Be careful about using public Wi-Fi hotspots.  Many devices exist that allow a bad guy to capture your information from a public hotspot without you even knowing about it.  (Check out this website to learn more about the Wi-Fi Pineapple:  https://hakshop.myshopify.com/products/wifi-pineapple)  
  6. NEVER click on a pop-up window that tells you that your computer is infected with a virus. 
  7. Hang up on (and report) phone calls from strangers who tell you your computer is infected.  This is a SCAM!  
  8. Be very selective about the kinds of information you share on social media.  The internet never forgets.  Privacy controls change regularly without your knowledge on several social media sites.  Really, you don't need to share everything!  
  9. Keep your computer's operating system updated.  Review the software installed on your computer and connected devices.  Do not install programs you don't need, and keep the ones you do install updated. 
  10. Be careful about the Internet sites you visit.  Pay attention to your website advisor.

Identity theft costs consumers thousands of dollars every year, in addition to the millions lost by banks and retailers who end up eating the cost of fraud.  It will take effort from each one of us.



Friday, August 8, 2014

Should the Government host free wi-fi?


Wouldn't it be great if the Federal Government provided free Wi-Fi in federal buildings?  There are several considerations to address before allowing unrestricted access by the public.  Below are several acts and issues that should be evaluated before providing unrestricted Wi-Fi access:

The Computer Fraud and Abuse Act (18 US Code § 1030) criminalizes certain acts involving unauthorized computer access, including access to government computers without permission.   See http://www.law.cornell.edu/uscode/text/18/1030.   To keep public users from ever touching those systems, any public internet access provided must be separated from the government's internal business network.  

The Children's Internet Protection Act (CIPA) of 2000 addresses children's access to obscene or harmful content over the Internet.  The act applies specifically to schools and libraries, but it could impact federal agencies (in my opinion).  Filtering software that restricts access to sites peddling obscene material or child pornography should be implemented.  http://www.fcc.gov/guides/childrens-internet-protection-act

The Child Pornography Prevention Act (CPPA) of 1996 is related to CIPA.  The Supreme Court struck down the CPPA in 2002 as a violation of the First Amendment.  Regardless of this act being struck down, it seems wise to prevent child pornography from moving across any wireless network the public uses at government sites.

Collection of user information.  Google and other entities have gotten into trouble all over the world over the information they collected from Wi-Fi networks.  (http://epic.org/privacy/streetview/)  We need to be careful about collecting and using information from public Wi-Fi users.

Preventing the FBI from knocking on our doors.  Allowing unrestricted Wi-Fi access 24 x 7 could allow people to access content that the FBI watches for.  It's best to restrict the hours the Wi-Fi is available.  Here's an example of a problem that resulted from child pornography being accessed through someone else's Wi-Fi network.  See:  http://arstechnica.com/tech-policy/2011/04/fbi-child-porn-raid-a-strong-argument-for-locking-down-wifi-networks/

Preventing Piracy.  The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) are cracking down on piracy over the internet.  The RIAA and the MPAA have agreements with many large ISPs to encourage suspected internet pirates to stop downloading pirated material.  If we manage this ourselves we need to prevent piracy, as businesses can be liable for up to $150,000 per work for contributing to illegal content being downloaded through their Internet connections.  http://mikeyounglaw.com/internet-privacy-wifi/

Many hotels require users to log in for service and agree to terms of service.  This certainly seems prudent.  Also, access passwords should be changed regularly.  Reference:  http://www.owendunn.com/enterprise-risk-management-blog/pros-cons-offering-free-wifi-customers/ 

ON THE OTHER HAND

The respected security guru Bruce Schneier and the Electronic Frontier Foundation (EFF) recommend allowing open Wi-Fi.  Read more at:  https://www.eff.org/deeplinks/2011/04/open-wireless-movement.  Note the footnotes at the bottom of the article.  I'm not sure whether government agencies would be considered an ISP under Section 230 of the CDA (Communications Decency Act), or whether they would be covered by the safe harbor in Section 512 of the DMCA (Digital Millennium Copyright Act).  The EFF recommends specific actions be taken to ensure that an entity providing free Wi-Fi is not liable for the copyright-infringing activity of its users.  Read more at:  https://www.eff.org/files/2014/06/03/open-wifi-copyright.pdf.

It's important that the Federal Government considers how it can provide Wi-Fi and restricts access carefully. 

What do you think?

Wednesday, June 4, 2014

Patriot or Traitor?



What is a patriot?  My 1996 edition of Merriam-Webster's Collegiate Dictionary describes a patriot as "one who loves his or her country and supports its authority and interests".  What is a traitor?  My handy dictionary defines a traitor as "one who betrays another's trust or is false to an obligation or duty."   Is Snowden a patriot or a traitor?  During the televised interview with Brian Williams, Snowden said that he was a patriot.  My personal definition and that of my dictionary certainly don't jibe with Snowden's assessment.    

Looking back a bit at the facts…  Snowden exceeded his authority to access and retrieve information that he did not have authority to access or possess.  Snowden didn't just take the documents home; he gave this classified and sensitive information to foreign governments.  In May of 2013 Snowden packed his bags, took all the information he had gathered and went to Hong Kong, where he met with journalists to reveal his treasure trove of documents.  When the information was made public, the U.S. Department of Justice charged Snowden with two counts of violating the Espionage Act and the State Department revoked his passport.  He ended up in Russia, where he sits today hoping to return to the United States.

Snowden remarked that his definition of a patriot was someone who regards himself or herself as a defender of individual rights against presumed interference by the federal government.  This must be a new-age definition.  It's a mangled definition and one that defies the oath that members of the military and federal employees take.  When problems arise there are ways to find resolution.  I won't pretend that every dispute ends in a manner that leaves every party 100% happy.  The fact is that providing classified data to other countries would never meet my definition of a patriot.

Is Snowden's dilemma unique?  No.  Look at Nelson Mandela.  Mandela fought against apartheid (where the basic rights of nonwhites were unfairly restricted) using non-violent means including boycotts, strikes and civil disobedience.  He was arrested, tried and spent 27 years in prison for his efforts.  I see Nelson Mandela's efforts as far more heroic.

It should come as no surprise that every country performs intelligence gathering.  Why?  To determine where threats lie, within and beyond their borders.  It may not be surprising to many that these countries also use electronic means to gather intelligence about what other countries are doing.  They also send spies to other countries to live side by side with their citizens and gather information.  The work of the NSA is no different from what goes on in any other country.

Should the US stop gathering intelligence?  No.  Without a doubt there are threats to the well-being of our country and her citizens.  The day we lay down our arms and stop defending our borders, we lose. 

Snowden is a traitor.  If he were a patriot he would never have considered giving our secrets away, and he would be here to face the music.

Monday, April 21, 2014

Treasures on the Web

The Internet is a wonderful tool for finding information and learning about topics.  People share so much information about themselves on Twitter, Facebook and other social media sites.  We expect people to let it all hang out there.  You might be amazed at how exposed many companies are.  It's likely they don't realize how much information is available to the social engineers who thrive on that data.

Where is all this information?  Websites are the standard vehicle for disseminating information.  Generally these websites are well designed to provide specific information to a diverse audience in a way that most people can understand.  Visitors to these websites generally aren't going to find an employee directory or the names of departments on the front page.  Organizations might be surprised to find that they are leaking sensitive pieces of information in the caverns of the site.  Where?  Let me count the places... 

Many companies that are technical in nature provide technical forums where the troubleshooters of the world look for solutions to common problems.  Generally the forum moderator is a highly skilled technician who can provide answers to the answer seekers.  This person may provide his or her name when responding.  If the technician has an impressive certification, he or she might include that certification number in a response to a customer's question.  Posts to online forums thus reveal employee names, email addresses, corporate structure, details of the technical environment and other information that allows hackers to target individuals with spear-phishing campaigns.

Microsoft Office documents are a wonderful source of information.  Have you ever looked at the metadata on a Word document?  If the document isn't cleansed, it can tell a knowledgeable person a lot about an organization.  Do you know how?  Open a Word document that you created.  Click File and review the information on the Info page (generally on the right-hand side of the screen).  Your name should be listed as the author.  If the document was modified on another person's computer, their name will also be listed as someone who modified the document.  Now click on the option "Show All Properties" in the lower right-hand corner.  You might not have a "manager" at home, but your manager's name might show up on a corporate document.  Finally, click Open File Location; this might reveal the directory structure, or even file server names, inside an organization.  Bada bing. 

Websites that allow users to download files might be exposing the type and version of software used at the organization.  That doesn't seem very dangerous....unless the software is outdated.  Hackers combine many small clues when gathering information.  Knowing that an organization doesn't run current software is a pretty nice clue to a hacker that he might be able to retrieve information easily.

Some organizations post sensitive information on corporate websites without realizing it.  Research shows that searching a site for terms such as 'temp', 'data' and 'admin' turns up pages and files that many corporations probably didn't think hackers would try to access.  
 
What should organizations do?  Perform a risk assessment of your "digital estate" by completing the following steps:  first, assess the Internet presence to determine the kind of information available to the public; second, cleanse metadata from everything published on the web and patch all corporate devices; third, educate all employees about the value of the data they manage and provide clear instructions on how to protect it; and fourth, ensure corporate policies exist to minimize accidental information leaks.

Microsoft Word provides a means to cleanse an Office document of personal information.  It's quick and easy.   Open an existing Word document.  Click File, then select "Check for Issues" next to Inspect Document.  Several choices will appear.  Select "Inspect Document".  Leave all the items checked, then click "Inspect".  Read the results.  You can choose to remove the potentially sensitive information.  Word even allows you to re-inspect the document before posting it, to make sure that you aren't exposing yourself or corporate secrets.
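The same properties the Word Info page and Document Inspector show can be read and stripped without Word at all, which matters when you want to check an entire web directory of documents at once.  The script below is an added example, not part of the original post and not Microsoft's Document Inspector: a .docx file is a ZIP archive, and the author, last editor, company, manager and hyperlink base live in two small XML parts inside it.  The sample document it builds is constructed in memory with made-up names, and the script stands in the standard library alone.

```python
"""Inspect and scrub the hidden properties of a .docx file.

A .docx is a ZIP archive.  docProps/core.xml carries dc:creator and
cp:lastModifiedBy; docProps/app.xml carries Company, Manager and
HyperlinkBase (which can expose an internal file share path).
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Property parts, and the elements inside them that identify people and infrastructure.
SENSITIVE = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["ep:Company", "ep:Manager", "ep:HyperlinkBase"],
}

# Constructed sample values (not taken from any real document).
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:creator>Jane Analyst</dc:creator>"
    "<cp:lastModifiedBy>Bob Reviewer</cp:lastModifiedBy>"
    "</cp:coreProperties>"
).format(**NS)
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="{ep}">'
    "<Company>Example Corp</Company>"
    "<Manager>Carol Director</Manager>"
    "<HyperlinkBase>\\\\fileserver\\finance\\q3</HyperlinkBase>"
    "</Properties>"
).format(**NS)


def build_sample_docx() -> bytes:
    """Build a minimal constructed .docx in memory (a real one has more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return {property name: value} for every populated sensitive property."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, tags in SENSITIVE.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for tag in tags:
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[tag.split(":")[1]] = el.text
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with the sensitive property values blanked out."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in SENSITIVE:
                root = ET.fromstring(data)
                for tag in SENSITIVE[item.filename]:
                    for el in root.findall(tag, NS):
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python scrub_docx.py [file.docx]; without a path the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else build_sample_docx()
    print("before:", extract_metadata(raw))
    print("after: ", extract_metadata(scrub_metadata(raw)))
```

Run it over every .docx you can download from your own public site; anything it prints is something a social engineer can read too.  Blanking the values rather than deleting the elements keeps the file loadable by Word, and the same two XML parts exist in .xlsx and .pptx packages.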

Friday, April 4, 2014

An Interesting Diversion

Last Saturday I worked in my yard for a few hours during the nice part of the day.  I left the garage door open while I was working in the backyard.  Unbeknownst to me, while the door was open, a raccoon got in the garage then up into the attic.    

I heard something strange Saturday night while I was working on my homework - the noise scared the heck out of me.  I wasn’t able to figure out initially where the noise was coming from.  I turned on every light in and outside the house hoping to scare away a would-be intruder.  My adrenaline was pumping as I braced myself for what I thought might be a fight to the death.  I made a call to alert a friend so at least my corpse wouldn't rot for days.  As my friend drove up the drive, I heard small paws overhead and insulation being moved around.  Saturday night was a long night listening to the rodent moving around and thinking about the potential for damage up there.

How do you get varmints out of your attic?  I called the Humane Society Sunday morning to get some advice.  The lovely woman said it was likely a raccoon in my attic.  She recommended I send a portable radio into the attic tuned to Z-92.  I laughed.  Z-92??  Do raccoons have a discriminating ear for music?  No she said, Z-92 plays long sets of music.  She told me to turn it up as loud as possible since raccoons are nocturnal; this would keep the raccoon awake during the day so it would be anxious to leave.  Sold!  I found a radio and found myself some ear phones (so I could put up with the noise).  So much for finishing my homework!

Sunday night I heard noises that sounded like a kitten coming from the attic.  The internet said that must mean there are babies up there.  Eye-yie-yie!!!  Internet resources say that raccoons are protective of their young - so much that they are capable of killing to protect their young.  Lots of stories of violent behavior when dealing with raccoons on the internet.  Perfect!  Now I learn that frigging Ricky Raccoon is dangerous and I've potentially got a family living above my kitchen.

I contacted a pest control company first thing on Monday and begged them to drop all their appointments and come to my house.  They said their first appointment was Wednesday morning.  DRAT!  I was not sure I could deal with this for two more days!!!

The mama raccoon must have slipped out at some point Tuesday morning while the car was warming up.  I was relieved that I didn't hear anything in the attic Tuesday night when I got home.  I thought I had been through the worst already.   That joy was soon destroyed.   About 9:30 p.m. the mama raccoon began clawing my garage doors and the nearby siding trying to get inside.  She was as big as a cat and her back was arched.  I had seen the videos on YouTube of angry raccoons.  This one looked like the other angry animals.   Rats!  I didn't want my house to be destroyed!  I got her attention by banging on the windows (from the inside of the house - I am not a fool!).  She stopped clawing the door and scampered right up to the window and looked at me.  We played that game for a while until she got bored with me.  She ripped some of the siding off one side of the garage wall, then attempted to climb up the garage siding.   It was surreal!  I had no idea a raccoon could scale siding.  What to do…what to do??!!!  I called the non-emergency number for the local police department to ask for advice.  The officer was wonderful; he called me "dear" and connected me to the dispatcher after he gave her my story.   Two of Omaha's finest showed up in front of my house about 11 p.m.  I made them come into my house to spare them from the evils of the crazy rodent.  They seemed slightly amused by my concern.  It was obvious they hadn't seen the same YouTube video I had!  Their bright flashing lights probably scared the raccoon away, but they searched for the raccoon around my house without success.  As soon as they left she was back, trying to get into my garage again.  She chewed through the rubber molding at the bottom of the garage doors, so I called "911" again.  About 25 minutes later three officers returned.  (Must have been a good story, since their numbers were growing.)   They cornered her in the tree, where she remained for at least an hour.  The Humane Society arrived close to 1 a.m.  
The raccoon wouldn't budge from the tree, and the officers and the Humane Society person left at 1:30.  Not long after, the raccoon resumed her attack on my garage doors.  It had already been a long night and I couldn't begin to live with it getting any longer.  I got the portable radio and positioned it behind the garage doors, which now had clear air holes, so she got a full dose of heavy metal and "Todd n Tyler".  The lethal dose of heavy metal kept her away from the garage doors that night.

Wednesday morning the pest control man came, evaluated the damage and listened to my story.  He took my ladder, made his way up to the attic and took a quick look around.  It was clear something had been up in the attic, but there was no adult raccoon up there.  Apparently they will attack if they feel threatened, so this could have been even more interesting.  Since the coast was clear he crawled in.  He found six kits (baby raccoons) right where I had heard the insulation being moved around.  He grabbed them with gloved hands and put them in a cardboard box lined with a car wash towel.  The box went outside the garage and the opening to the attic was re-sealed.  I thought it was finally over.

Thursday night the raccoon was back.  This time she got on the roof and started dismantling the siding, ripping up the shingles and trying to remove the exhaust vent on the outside of the house.  Holy mackerel!  She was actually shaking the side of the house.  I was ready this time.  The babies were 20 feet away from me and I had a powerful flashlight.  My honey came over and removed the towel from the open box to expose the kits while I kept the flashlight on the mama.  We waited for mama to find the babies and hoped she would find a new home far away from this house.  Within a half hour she discovered them and took them away.

I learned more about raccoons than I ever expected this past week!  From here on out, I will NOT leave the garage door open any longer than it takes to get the car in and out, and I will completely seal the attic opening from the garage.  Life lesson of the week -- (check).
 

Monday, March 17, 2014

Russia vs Ukraine

The media has been abuzz with the conflict between Russia and Ukraine over the past month.  An article in the Washington Post on March 16 mentioned that Putin has 60,000 troops waiting just outside the border of Ukraine.  The physical war may not have begun, but the cyber war has...

The soldiers of cyber war can be anyone, anywhere.  These soldiers don't necessarily wear a uniform and may not have sworn allegiance to one country or another.  They don't carry traditional weapons; their tools inflict denial of service attacks or website defacements.  Their goal is to stop the operation of critical web servers and cause panic among the masses.  The internet sites of the Russian Kremlin, the foreign ministry, the central bank and RIA Novosti (the press agency) were targeted and attacked.


The real problem with cyberwarfare is attribution.   The soldiers can be anyone.  There are tools on the internet (such as Tor) that anonymize the attacker.  When the attacker's identity and location are hidden, the entity being attacked doesn't know who is responsible.  Furthermore, attackers can use botnets of compromised machines to carry out denial of service attacks, so the traffic arrives from thousands of innocent addresses rather than from the attacker's own.
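What a defender on the receiving end actually sees is a web server log, not an attacker.  The following is an added example, not part of the original post: it runs a sliding-window check over access log lines in the common Apache/nginx format and separates the two cases the post describes, one source hammering the server on its own and a botnet where each of many sources sends only a little.  The log lines are constructed for the example and the thresholds are assumptions to tune per site; note that finding the offending addresses is detection, not attribution, since a Tor exit node or a bot owner's home PC tells you nothing about who ordered the attack.

```python
"""Flag HTTP request floods in web server access logs.

Two patterns are detected over a sliding time window: a single source
sending far more requests than a browser would (a crude DoS), and many
sources each sending a little (a botnet DDoS).  Lines are assumed to be in
time order, as a server writes them.  Sample log lines are constructed.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields we need, or None for a line that is not an access record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "req": m["req"]}


def detect_floods(lines, window_s=10, per_ip_limit=20, total_limit=100):
    """Scan lines once; thresholds are assumed values, tune them per site."""
    in_window = deque()   # (timestamp, ip) of requests inside the current window
    per_ip = Counter()    # requests per source inside the current window
    noisy_ips, distributed = set(), False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        now = rec["ts"].timestamp()
        in_window.append((now, rec["ip"]))
        per_ip[rec["ip"]] += 1
        while now - in_window[0][0] > window_s:      # expire old requests
            _, old_ip = in_window.popleft()
            per_ip[old_ip] -= 1
        if per_ip[rec["ip"]] > per_ip_limit:
            noisy_ips.add(rec["ip"])                 # one source stands out
        if len(in_window) > total_limit and max(per_ip.values()) <= per_ip_limit:
            distributed = True                       # high volume, no single source
    return {"noisy_ips": noisy_ips, "distributed": distributed}


def _line(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def make_sample_log():
    """Constructed sample: one abusive source, then 150 bots with one request each."""
    base = datetime(2014, 3, 17, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.5", base + timedelta(milliseconds=100 * i)) for i in range(30)]
    burst = base + timedelta(seconds=60)
    lines += [_line(f"198.51.100.{i + 1}", burst + timedelta(milliseconds=30 * i), "/login")
              for i in range(150)]
    return lines


if __name__ == "__main__":
    print(detect_floods(make_sample_log()))
```

Against the sample the first burst is reported as a single noisy address and the second as a distributed flood with no address worth blocking individually, which is exactly why rate limiting per IP does so little against a botnet.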

Cyberwarfare has great potential to impact innocent bystanders and those who should not be impacted.   The Geneva and Hague Conventions form the core of International Humanitarian Law, which is designed to limit the effects of armed conflict.  Among its specific requirements:

 "Parties to a conflict and members of their armed forces do not have an unlimited choice of methods and means of warfare. It is prohibited to employ weapons or methods of warfare of a nature to cause unnecessary losses or excessive suffering."

Are civilians impacted by cyberwar?  Undeniably, yes. 


References:  http://www.icrc.org/eng/war-and-law/overview-war-and-law.htm

Tuesday, March 11, 2014

We took an oath...

I was reminded today by a fellow federal employee that I took an oath when I started my federal career.  That oath from 5 U.S.C. §3331 follows...

 I, [name], do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the duties of the office on which I am about to enter. So help me God.
The history of the oath for federal employees can be traced to the Constitution: Article II includes the specific oath the President takes, to "preserve, protect, and defend the Constitution of the United States," and Article VI requires an oath of all other federal and state officers.  The wording of today's oath descends from the Ironclad Test Oath developed during the Civil War.  The oath is required of government officials from all three branches, the military, and the States.

If you are an employee paid with the funds collected from all taxpayers, I urge you to remember that oath and to pursue the best interests of the government.


Wednesday, February 26, 2014

Ch-ch-ch-changes to the NSA program

The White House has suggested four possible options to fix the NSA spying issue, according to an article in the Wall Street Journal on February 26.  The options have been presented to the U.S. intelligence agencies and the Attorney General with a March 28 deadline.   Three of the options involve restructuring the collection process and the fourth is a drastic move.  The options are:

Option 1:  Require phone companies to retain the collected data.

Option 2:  Require a government agency other than the NSA to retain the collected data.

Option 3:  Require an organization other than phone companies or a government agency to retain the collected data.

Option 4:  Scrap the entire NSA collection process and rely on other intelligence gathered to determine threat vectors.

I don't like any of the options myself. Option 1 is foolish.  Why would valuable and potentially sensitive data be held by an entity outside the government?  Does anyone think they would willingly deploy adequate security measures to protect this data?  Does anyone think they have the funds to retain that volume of data?  The next issue would be the public accusing the phone companies of meddling with personal information.

Option 2 is better than option 1 but not very practical.  The article suggests that the FBI or the Foreign Intelligence Surveillance Court retain the data.  In theory this sounds good.  The problem is the FBI would need to beef up staff, equipment and storage capacity.  Then there is the final issue... getting the data from the collection points to the FBI.  I can't imagine how much bandwidth would be needed to transfer the data to a new collection site.  It sounds like a bad idea.  Next, consider the Foreign Intelligence Surveillance Court.  Hmmm -- this is where the judges sit.  I would never suggest corruption on the part of any federal judge, but I can see how it could occur when the data and the man with the stick are in the same place.  The data and the ruler need to be separated to ensure that no corruption can take place.


Option 3.  Nice try, but imagine the costs of implementing this solution.  Someone (that means you and me) would have to pay for this middleman to coordinate data between the two entities.  The number of processes needed to accomplish the same task would increase, and so would the number of people working on them.  The end result would not be an increase in security.  In fact, expecting the level of privacy to increase is like thinking that reducing the number of soldiers in the Army will improve our nation's security.

Option 4.  I don't know how viable an option this truly is.  I have no idea how we are gathering intelligence.  In theory, we are already doing this by combining the NSA intelligence with information gathered by other sources to identify targets.  It seems like we would be cutting intelligence sources off from valuable data.

We must protect this country.  I don't like the changes being suggested and implemented.  Reducing the efficiency of the NSA and the Army is not wise.  I would rather see citizens asked to man up instead of leaning back and weakening our protection strategy.

This week marks my last week of my current class.  I enjoyed another valuable semester of learning from my professor and fellow students. 

Tuesday, February 11, 2014

Korea's Best of the Best Program



Hugh Thompson, RSA Conference program chair, described a program in Korea designed to create cyber warriors at the Korean Information Technology Research Institute (KITRI) in an article in SC Magazine.  Note:  the full article is available at:  http://www.scmagazine.com//security-gangnam-style/article/332080/.  KITRI is a government-funded research institute that offers a program called the "Best of the Best" (also known as BoB), which allows the best and brightest students from local high schools and colleges to participate in a highly selective cyber security program to defend South Korea from cyber hackers and cyber threats.  

South Korea has suffered a growing number of cyber-attacks over the past few years.  The combined number of cyber-attacks from domestic and foreign sources is up from 24,000 in 2008 to 40,000 cases in 2012, according to the Korea Internet Security Agency.  One attack targeted financial institutions in South Korea and prevented millions of bank customers from using their credit cards or ATMs for more than a week.  The increasing trend has raised the importance of protecting resources in Korea.

In the SC Magazine article Mr. Thompson described the KITRI program as very thorough.  "Walking around you quickly notice a large room in the corner that looks more like a television studio than a workspace for the cyber elite. There's a podium, television cameras and a press-conference-like arrangement of seats. 'What's that?' I asked, after giving a lecture to the students, expecting to hear about some leasing arrangement they had with a local broadcaster. But instead, I learned that the Best of the Best are expected to be expert communicators as well as expert researchers. They are taught how to express their ideas in front of a crowd, how to handle media interviews and how to communicate the value of security to business and government leaders. Some of the participants are sent to international cyber security gatherings like RSA Conference to get a global perspective. KITRI is not only training the next generations of security leaders, it's creating ambassadors for the field. KITRI's first crop of students are preparing to make their way into South Korean businesses and government agencies – the idea being that securing large South Korean businesses is critical to ensuring the growth and prosperity of the nation."

The KITRI program might suggest to universities in the United States other focus areas, such as communication, in which cyber security professionals should be well versed to deal with a rapidly changing environment.  Let's make more BoBs in the United States!!  

The Seoul South Korea skyline.  Image credit:  http://www.exploringkorea.com/population-of-south-korea/seoul-city-skyline/

Thursday, February 6, 2014

Good News on the Credit Card Front

Has the credit card fiasco recently made famous by Target, Neiman Marcus, Michaels and several hotel chains made you nervous about using the credit card in your wallet?  It has certainly heightened my concern! 

Probably the only good thing to come from the problem is that a credit card security improvement may come to the United States faster than originally expected.  The technology is called EMV (EuroPay, MasterCard and Visa).  EMV is designed to improve the security of the credit card transaction.  The EMV specification dates from the mid-1990s and European rollouts began in the early 2000s.  Currently more than 80 countries around the world use this technology to process credit cards securely.  CNN reported on Tuesday, February 4, that Target's CFO announced Target is investing $100 million to migrate to the chip technology.  Target expects to implement the technology early in 2015, months before the October 2015 liability shift, after which a merchant that has not adopted chip readers bears the cost of counterfeit card fraud.  Read the article at:  http://money.cnn.com/2014/02/04/technology/security/target-senate/index.html?iid=SF_T_River.  

EMV is generally known as "chip and PIN" or "chip and signature" by most people.  This technology is credited with reducing payment card fraud losses to a 10-year low in the United Kingdom in 2011, according to a First Data Corporation white paper.  Read the paper by browsing to:   http://www.firstdata.com/downloads/thought-leadership/EMV-Encrypt-Tokenization-WP.PDF   

Chip and PIN cards include an embedded microprocessor (or chip) inside the card.  The consumer enters a PIN to authorize a purchase.  In contrast, chip and signature cards use the chip along with the consumer's signature to authorize a purchase.  An example of a credit card with the EMV chip is shown below:   

Image credit:  creditcards.com


Are you wondering how the chip and PIN technology works behind the scenes? According to a white paper written by First Data, "A chip-based payment transaction occurs when a microprocessor (smart chip) embedded in a plastic card or a personal device such as a key fob or mobile phone connects to an EMV-enabled POS terminal. …The smart chip in the payment instrument securely stores information about the cardholder's account and the issuer's payment application, and it performs cryptographic processing for validating the integrity of the card number and certain static and dynamic data used in the transaction. This provides a strong form of card authentication, validating the legitimacy of the payment type being used".   In essence, the chip computes a cryptogram over the details of each transaction (amount, a counter, a random number from the terminal) using a secret key that never leaves the card.  The issuer checks that cryptogram before approving the purchase, so card data captured from one transaction cannot be replayed to authorize another, and a counterfeit card without the key cannot produce a valid cryptogram at all.
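To make the "dynamic data" in that quote concrete, here is an added example that is not part of the original post or of the First Data paper.  It models the exchange between the chip (which holds a card-unique master key), the terminal (which supplies an unpredictable number) and the issuer (which shares the master key and tracks the card's transaction counter).  A real card derives a 3DES session key from the counter and computes a 3DES-based MAC; as an assumption so the code runs with the standard library alone, HMAC-SHA256 stands in for both 3DES steps, and the field layout is a simplified subset of what EMV actually signs.

```python
"""Illustration of EMV's dynamic transaction cryptogram (ARQC).

A real chip derives a 3DES session key from a card-unique master key and the
Application Transaction Counter (ATC), then computes a 3DES-based MAC over the
transaction data.  Assumption for this example: HMAC-SHA256 stands in for both
3DES steps so the code needs only the standard library; the shape of the
protocol is what is shown, not EMV's exact byte layouts.
"""
import hashlib
import hmac
import secrets


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Diversify the master key with the ATC so every transaction uses a fresh key."""
    return hmac.new(master_key, b"ATC" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def transaction_data(amount_cents: int, currency: str, unpredictable_number: int, atc: int) -> bytes:
    """Fields the cryptogram covers: amount, ISO 4217 currency code, the terminal's
    unpredictable number and the card's ATC (a subset of the real CDOL1 list)."""
    return (amount_cents.to_bytes(6, "big") + currency.encode("ascii")
            + unpredictable_number.to_bytes(4, "big") + atc.to_bytes(2, "big"))


def compute_arqc(master_key, atc, amount_cents, currency, unpredictable_number) -> bytes:
    """MAC over the transaction data under the per-transaction session key."""
    session_key = derive_session_key(master_key, atc)
    data = transaction_data(amount_cents, currency, unpredictable_number, atc)
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]   # EMV cryptograms are 8 bytes


class Card:
    """The chip: holds the master key (never exported) and a monotonic counter."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self.atc = 0

    def generate_ac(self, amount_cents, currency, unpredictable_number):
        self.atc += 1
        return self.atc, compute_arqc(self._master_key, self.atc, amount_cents, currency,
                                      unpredictable_number)


class Issuer:
    """The bank: knows the same master key and the last ATC it accepted."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self.last_atc = 0

    def verify(self, atc, amount_cents, currency, unpredictable_number, arqc) -> bool:
        if atc <= self.last_atc:
            return False   # counter did not advance: a replayed cryptogram
        expected = compute_arqc(self._master_key, atc, amount_cents, currency, unpredictable_number)
        if not hmac.compare_digest(expected, arqc):
            return False   # amount or other data altered, or the card lacks the key
        self.last_atc = atc
        return True


def terminal_unpredictable_number() -> int:
    """The terminal's contribution, so the card cannot precompute cryptograms."""
    return secrets.randbits(32)


if __name__ == "__main__":
    mk = secrets.token_bytes(16)
    card, issuer = Card(mk), Issuer(mk)
    un = terminal_unpredictable_number()
    atc, arqc = card.generate_ac(1999, "840", un)            # $19.99 in USD
    print("genuine purchase accepted:", issuer.verify(atc, 1999, "840", un, arqc))
    print("replay of same cryptogram :", issuer.verify(atc, 1999, "840", un, arqc))
```

The point to notice is what a fraudster captures: with a magnetic stripe the same track data works every time, whereas here the 8-byte cryptogram is tied to one amount, one counter value and one terminal nonce, and without the master key no new one can be made.  This is also why the chip does nothing for card-not-present (online) fraud, where no chip is involved.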

Seems simple, doesn't it?  You may be wondering why the technology has not been implemented here yet.  First, it is expensive to implement.  Every retailer will need to purchase new card readers.  According to an eWeek report, each new reader costs a business from several hundred dollars to as much as two thousand dollars, which adds up quickly for a large organization.  The eWeek article is available at:  http://www.eweek.com/security/implementing-emv-chip-and-pin-cards-can-be-costly-but-not-difficult-2.html.  Second, the payment processing behind the readers has to change as well.  Today's magnetic stripe transactions carry the same static card data every time, which is why a skimmed card works at all; processors and issuers must be able to validate the chip's per-transaction cryptogram instead.  The US will benefit from the processes already in place in other countries, but there will be costs.  Finally, consumers will need to learn how to use the new cards.  Merchants are concerned about the learning curve.  Consumers in the United States carry four to five cards on average.  If a consumer enters the wrong PIN, the transaction will be rejected.  It is reasonable to expect that some people will write their PIN on the card to keep from forgetting it, which defeats the purpose of the PIN. 

I am excited about the chip and PIN technology.  If you would like to read more about the technology, go to the EMV Connection webpage at:  http://www.emv-connection.com.