August 24, 2016 By Douglas Bonderud 3 min read

Chip-and-PIN cards are here to stay in the U.S. — despite some pushback from banks and retailers alike. While the switch means better protection for consumers and companies at point-of-sale (POS) terminals, there are new security threats on the horizon as scammers shift their efforts from brick-and-mortar stores to online transactions and more aggressive chip-and-PIN fraud. Here’s a look at the new face of credit crime.

Clear and Not-Present Danger

Looking for evidence of new fraud formats? Start with the U.K., where chip-and-PIN cards, also known as Europay, MasterCard and Visa (EMV) cards, have been the retail standard for more than a decade. According to Wired, cybercriminals have moved away from POS terminals to target online shoppers by leveraging the inherent insecurity of card-not-present transactions.

By compromising user profiles or accounts online, attackers get access to stored credit data and personal information, which they then use to make purchases that don’t require a physical card — anything ordered online or over the phone, for example. So long as they provide the right credit type, number and name on the card, there’s nothing else to stand in their way; no signatures or PINs are required.

The numbers don’t lie: Between 2004 and 2014, the volume of card-not-present (CNP) fraud rose from 30 percent to 69 percent of total credit transactions. CNP losses are on track to reach $7 billion in the U.S. by 2020. With online shopping quickly ramping up, those loss estimates may be conservative.

The trend should come as no surprise. Criminals have shown a willingness to adopt and pursue valuable credit data, no matter how security professionals try to keep it safe. First, attackers grabbed card data stored on local servers, then tried to intercept the data in transit or at POS machines directly. The move to chip-and-PIN hasn’t defeated their efforts — it simply shifted their focus to a new location.

Old Tricks, New Tactics

Attackers are also looking for ways to exploit existing problems and uncovering new options for chip-and-PIN fraud. According to CNBC, for example, some criminals are looking to exploit the magnetic stripe data they already have by selling it online or using it at POS machines that haven’t been upgraded to use chip cards. Others are doubling down on application fraud to open new credit accounts and defraud victims using physical cards that still rely on magnetic stripes and signatures. The result is approximately $14 billion in fraud before the switch to EMV is complete.

Despite the fundamental security improvements offered by chip-and-PIN cards, security experts have already discovered ways to compromise these cards and defraud victims. According to Ars Technica, researchers from ATM hardware provider NCR Corporation recently demonstrated two EMV breaches at this year’s Black Hat conference.

First, they showed it was possible to hijack information from an external PIN pad and create a duplicate EMV card with altered Track 2 data. When presented, this new card convinces the POS system that the chip card is actually only mag stripe and reads it as such, bypassing the need for a PIN.

They also demonstrated how to compromise the security between PIN entry and POS terminals. This involved prompting users to re-enter their PIN or other data, which attackers could then grab and use to compromise future chip transactions.

Researchers from Rapid7, meanwhile, found that POS devices can be used to intercept one-time key and account data used by chip cards and then transmit this data to a compromised ATM. A second transaction is made with the compromised data, which causes the ATM to dispense cash from victim accounts. What’s more, it’s often possible for criminals to hide these ATMs in plain sight by placing “out of order” signs on them and then waiting for a convenient time to grab their ill-gotten gain.

The Future of Chip-and-PIN Fraud

Will the switch to EMV cards mean the end of credit fraud? Unlikely. Along with increased CNP crime, expect cybercriminals to embrace the challenge of chip-and-PIN fraud to compromise user data at the point of sale.

For retailers, the shift away from mag stripes is a reminder that security starts at home. Regardless of card type or credit issuer expectation, solid data protection from the POS to approval authority and back again remains the single best way to protect business interests and dodge the wrath of defrauded consumers.

Read the IBM X-Force research report on security trends in the retail industry

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today