Theoretical Technique To Abuse EMV Cards Detected Used In The Real World

stack-credit-cards.jpg

Two weeks ago, ZDNet reported on the results of a very interesting experiment that analyzed how banks implemented EMV (chip) cards on their networks.

In the experiment, researchers from Cyber R&D Lab signed up for EMV (chip) cards at 11 banks from the US, the UK, and the EU.

The research team then used tools similar to the ones used by criminal gangs to copy the information stored on EMV cards and their magnetic stripes.

Researchers took the data from the EMV card and created a magnetic stripe version of the same card, but without the actual chip.

This is possible because all EMV cards also come with a magnetic stripe, for fallback purposes, in case the user travels abroad to non-EMV countries, or has to use an older point-of-sale terminal.

The fact that you could create a magstripe version from EMV cards has been known since 2008; however, fears that it could be abused have been dismissed, as banks expected to move all users to EMV cards and eliminate magstripe cards from the market altogther.

But until that happened and all magstripe versions were removed, banks were supposed to follow a series of security checks before approving inter-technology payments.

This hasn't happened, however, and the loophole first described in 2008 has remained. Case and point, the Cyber R&D Labs experiment, during which researchers said they were able to make valid transactions using four of the EMV-to-magstripe cloned cards.

cyber-rd-table.png
Image: Cyber R&D Lab

Researchers blamed banks for failing to follow security checks when approving transactions. However, two weeks ago, the issue was thought to have remained a theoretical problem only.

More than a theoretical threat

But in a report published yesterday, security firm Gemini Advisory said it tracked down two instances on cybercrime forums where hackers had collected EMV card data and were offering it for sale.

This included EMV card data stolen from US supermarket chain Key Food Stores Co-Operative Inc. and US wine and liquor store Mega Package Store, Gemini said.

Furthermore, a Visa alert [PDF] sent out this month also seems to confirm that criminals are now targeting EMV card data. Visa said that that POS malware strains like Alina POS, Dexter POS, and TinyLoader had been updated to collect EMV card data, something they hadn't done before, primarily because the data couldn't be monetized.

Gemini says that both of these incidents -- the ads posted on cybercrime forums and the Visa alert -- suggest that hackers have figured out they could abuse EMV card data.

Gemini now believes that the method criminals are using is the one described many years ago, and the subject of Cyber R&D Labs' recent research -- a method they named EMV-Bypass Cloning.

Blocking this type of fraud should be easy, though, as banks only need to implement more thorough checks when processing magstripe transactions from cards previously associated with EMV technology.

As the Cyber R&D Labs research showed, some banks do, but some do not.

RECENT NEWS

How Fintech Is Revolutionizing Traditional Banking

How fintech is revolutionizing traditional banking is a topic that is garnering positive and immense discourse within th... Read more

Blockchain And Its Impact On Fintech Industry

Blockchain and its impact on Fintech Industry has become a hot topic in the current digital era. The amalgamation of blo... Read more

The Rise Of Fintech In The Digital Era

In the heart of the digital revolution, we've observed a term termed as "fintech" creating a substantial and transformat... Read more

Role Of Fintech In Transforming Retail Banking

The role of fintech in transforming retail banking is producing significant changes in the financial services industry. ... Read more

Fintech Innovations In Asset Management

Financial technology, or FinTech, refers to the blending of financial services with technology. The importance of FinTec... Read more

Exploring The Future Of Accounting Software: Unveiling The Power Of AI

The revolutionary ignition sparked by artificial intelligence (AI) cannot be understated in contemporary business ecosys... Read more