One good thing to come out of Target's massive data breach is the reminder that even the most powerful security systems can be hacked. By all accounts, Target is a typical multi-tier system with defenses that exceed the already stringent safeguards required by Visa and MasterCard. But the hack succeeded anyway, prompting an immediate outcry over why credit card transactions in the US are so insecure and calls for contactless cards that do not require the physical touch of "swiping" through a card reader. To quell such protests, Visa, MasterCard and American Express have been insisting that retailers install smart card readers by October 2015 or face the full burden of fraud losses.
After all, smart cards (cards with embedded ICs that contain encrypted information and secure processing power but still require a contact swipe) have been widely used in developed countries since 1983 and have greatly reduced theft. It has taken the US this long to get here because, although fraud cost retailers and banks more than $12bn in 2013, absorbing it was clearly cheaper than the cost and complexity of updating retail POS systems. But Target's hack opened a Pandora's box. Even if the cards themselves were not the means of attack, and the information obtained may have been encrypted with 128-bit passwords (and thus useless to hackers), the trend toward more advanced payment technologies is unstoppable.
But even a big step towards the widespread use of smart cards will not bring retail into the 21st century, because the technology keeps evolving. Today's standard is a contactless smart card that uses wireless communication, eliminating the need to "swipe" the card in physical contact with the reader, while smartphone-based near field communication (NFC) technology eliminates the need for a physical card altogether. But one key fact that few have mentioned in the furor over the Target breach is that there was nothing wrong with the cards themselves.
It's not the cards
The Target attackers installed malicious software on the POS terminals of Target stores and used a "memory grab" tool to capture data temporarily stored on the terminals during transactions. But the malware was installed on Target's terminals through the company's Web server, which granted the hacker access to the terminals. Once installed on a terminal, the malware set up its own control server on Target's network and stored all stolen data in Target's own data repository until the hacker could uninstall it.
Of the more than 40 antivirus tools Target uses to scan its network for malware, none found it or deemed it malicious when found. The software, called BlackPOS, can be bought on cybercrime forums for about $2,000 and is designed to get around firewalls and be installed on POS terminals. So, in simple terms, the thief got in from the "back end" of the POS terminal, not the front end, and the enterprise server was the point of entry, not the POS terminal.
All POS terminals collect data, whether or not a contact swipe is required. The question is: what makes contactless cards safer than standard cards? Do they have a big impact on credit card theft? Probably not much for systems like Target, but for most of the more common terminal thefts, it's certainly a significant improvement over the current system, since thefts against the terminals themselves are much more frequent. To illustrate the state of payment security in the United States, let's take a look at the current viable alternatives to magnetic stripe cards -- smart cards, contactless cards, near field communication, and RFID, which is different from all three.
Less intelligent options
In passive RFID systems (the most common type), the card reader emits a weak signal, which is captured by a ring antenna on the card (Figure 1) tuned to the reader; the tiny amount of power this generates lets the card respond to the reader's query with its identity code. The control system matches the identity code with information in the database for authentication. In this respect, RFID and contactless payment have two basic things in common: they both use wireless technology, so no physical connection is required between the POS reading device and the target being read, and they both combine an IC and memory for data storage. But that's where the similarities end. The differences matter more, for example:
Passive RFID tags are cheap (typically less than 10 cents), making them ideal for mass tracking of anything that can be placed or inserted with an RFID tag. Active RFID tags have batteries inside them so they can send bursts of signals, but they are much more expensive and have limited applications.
RFID tags have little "IQ", while both contact and contactless "smart" cards have important security features, including secure microprocessors, memory and password processing.
The distance between RFID tags and card readers can be about 15 cm (passive) or even 192 m (active), while contactless cards can only be read from about 0.6 m for security reasons.
Figure 1: RFID tags use the fewest components, the largest of which is a ring antenna that captures weak signals from a card reader
RFID has naturally evolved into applications where its strengths give it an edge, such as passports that include the owner's photo. In 2005 Wal-Mart launched a scheme requiring its top 100 suppliers to put RFID tags on boxes and pallets shipped to its distribution centres, and later expanded the scheme to include all suppliers. The company reports that out-of-stock items with RFID tags are being restocked three times faster than before the program. The U.S. Department of Defense and many other companies followed suit, and passive RFID is now widely used in many industries.
In short, while RFID systems are ubiquitous in tracking applications, they are generally not smart enough, and their security capabilities are too limited, to be used for transaction processing, except in a few cases.
The smart card
Smart cards (Figure 2) must be mentioned here, as they were the first cards designed for transaction processing to overcome the security limitations of "dumb" magnetic stripe cards. Smart cards provide important security features, including active encrypted authentication using symmetric DES (Data Encryption Standard), 3DES (triple DES), or public key RSA encryption (key length up to 1024 bits).
Figure 2: A universal smart card, showing the contacts that give access to the internal electronics
The smart card uses an embedded IC containing memory and a microprocessor, with eight exposed metal pads terminating DC power, POS reader reprocessing, clock signals, grounding and serial I/O. The onboard processor (currently typically a 32-bit RISC processor running up to 32 MHz) executes instructions, while the controller manages the flow of data between the card and the reader. Smart cards also contain three types of memory: ROM for permanent storage of instructions, RAM for temporary storage, and e-PROM for running applications.
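As an added illustration (not code from the original article), the sketch below models one form of the active authentication described in this section and shows why a card response captured from terminal memory cannot simply be reused the way static magnetic stripe data can. HMAC-SHA256 stands in for the card's DES/3DES or RSA operation, and the `Card`, `Issuer` and `demo` names, the key size and the card ID are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def _mac(key, challenge, amount_cents):
    # HMAC-SHA256 is a stand-in for the card's DES/3DES MAC (assumption).
    msg = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Constructed model of a smart card: the secret key never leaves the chip."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key

    def respond(self, challenge, amount_cents):
        # The response binds the reader's fresh challenge to this amount.
        return {"card_id": self.card_id, "amount": amount_cents,
                "tag": _mac(self._key, challenge, amount_cents)}


class Issuer:
    """Hypothetical back end that issues challenges and checks responses."""
    def __init__(self):
        self._keys, self._pending = {}, set()

    def enroll(self, card_id):
        self._keys[card_id] = secrets.token_bytes(16)
        return Card(card_id, self._keys[card_id])

    def new_challenge(self):
        nonce = secrets.token_bytes(8)
        self._pending.add(nonce)
        return nonce

    def verify(self, challenge, resp):
        if challenge not in self._pending:
            return False                     # unknown or already-used challenge
        self._pending.discard(challenge)     # each challenge is single-use
        key = self._keys.get(resp["card_id"])
        if key is None:
            return False                     # card was never enrolled
        expected = _mac(key, challenge, resp["amount"])
        return hmac.compare_digest(expected, resp["tag"])


def demo():
    issuer = Issuer()
    card = issuer.enroll("constructed-card-001")   # constructed sample ID
    c1 = issuer.new_challenge()
    captured = card.respond(c1, 2500)        # what terminal memory would hold
    genuine = issuer.verify(c1, captured)
    replay_same = issuer.verify(c1, captured)                 # challenge spent
    replay_fresh = issuer.verify(issuer.new_challenge(), captured)  # nonce differs
    tampered = issuer.verify(issuer.new_challenge(), {**captured, "amount": 1})
    return genuine, replay_same, replay_fresh, tampered
```

`demo()` returns the outcome of the genuine transaction followed by three reuse attempts; only the first is accepted.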
Contactless cards
The contactless card retains the components and security features of the card described above, but it replaces the card's electrical contacts with radio frequency functions similar to those found in RFID, so it does not require physical contact with the POS reader. It also improves security by eliminating the need to enter a PIN for every transaction, instead asking for it after a certain number of transactions.
There is also a limit on the amount of money per transaction, which is currently quite low. Contactless cards were first used for electronic ticketing in South Korea in 1995, and many in the US may remember Exxon's Speedpass system, which was deployed in the late 1990s and is still used by many Exxon gas stations. Since then, MasterCard, Citibank, JPMorgan Chase, American Express and many other organizations have embraced contactless technology. Current systems using contactless technology include Visa's PayWave, American Express's ExpressPay and MasterCard's PayPass.