Chip-and-PIN cards are here to stay in the U.S. — despite some pushback from banks and retailers alike. While the switch means better protection for consumers and companies at point-of-sale (POS) terminals, there are new security threats on the horizon as scammers shift their efforts from brick-and-mortar stores to online transactions and more aggressive chip-and-PIN fraud. Here’s a look at the new face of credit crime.
Clear and Not-Present Danger
Looking for evidence of new fraud formats? Start with the U.K., where chip-and-PIN cards, also known as Europay, MasterCard and Visa (EMV) cards, have been the retail standard for more than a decade. According to Wired, cybercriminals have moved away from POS terminals to target online shoppers by leveraging the inherent insecurity of card-not-present transactions.
By compromising user profiles or accounts online, attackers get access to stored credit data and personal information, which they then use to make purchases that don’t require a physical card — anything ordered online or over the phone, for example. So long as they provide the right credit type, number and name on the card, there’s nothing else to stand in their way; no signatures or PINs are required.
The numbers don’t lie: Between 2004 and 2014, the volume of card-not-present (CNP) fraud rose from 30 percent to 69 percent of total credit transactions. CNP losses are on track to reach $7 billion in the U.S. by 2020. With online shopping quickly ramping up, those loss estimates may be conservative.
The trend should come as no surprise. Criminals have shown a willingness to adopt and pursue valuable credit data, no matter how security professionals try to keep it safe. First, attackers grabbed card data stored on local servers, then tried to intercept the data in transit or at POS machines directly. The move to chip-and-PIN hasn’t defeated their efforts — it simply shifted their focus to a new location.
Old Tricks, New Tactics
Attackers are also looking for ways to exploit existing problems and uncovering new options for chip-and-PIN fraud. According to CNBC, for example, some criminals are looking to exploit the magnetic stripe data they already have by selling it online or using it at POS machines that haven’t been upgraded to use chip cards. Others are doubling down on application fraud to open new credit accounts and defraud victims using physical cards that still rely on magnetic stripes and signatures. The result is approximately $14 billion in fraud before the switch to EMV is complete.
Despite the fundamental security improvements offered by chip-and-PIN cards, security experts have already discovered ways to compromise these cards and defraud victims. According to Ars Technica, researchers from ATM hardware provider NCR Corporation recently demonstrated two EMV breaches at this year’s Black Hat conference.
First, they showed it was possible to hijack information from an external PIN pad and create a duplicate EMV card with altered Track 2 data. When presented, this new card convinces the POS system that the chip card is actually only mag stripe and reads it as such, bypassing the need for a PIN.
They also demonstrated how to compromise the security between PIN entry and POS terminals. This involved prompting users to re-enter their PIN or other data, which attackers could then grab and use to compromise future chip transactions.
Researchers from Rapid7, meanwhile, found that POS devices can be used to intercept one-time key and account data used by chip cards and then transmit this data to a compromised ATM. A second transaction is made with the compromised data, which causes the ATM to dispense cash from victim accounts. What’s more, it’s often possible for criminals to hide these ATMs in plain sight by placing “out of order” signs on them and then waiting for a convenient time to grab their ill-gotten gain.
The Future of Chip-and-PIN Fraud
Will the switch to EMV cards mean the end of credit fraud? Unlikely. Along with increased CNP crime, expect cybercriminals to embrace the challenge of chip-and-PIN fraud to compromise user data at the point of sale.
For retailers, the shift away from mag stripes is a reminder that security starts at home. Regardless of card type or credit issuer expectation, solid data protection from the POS to approval authority and back again remains the single best way to protect business interests and dodge the wrath of defrauded consumers.
Read the IBM X-Force research report on security trends in the retail industry