August 24, 2016 By Douglas Bonderud 3 min read

Chip-and-PIN cards are here to stay in the U.S. — despite some pushback from banks and retailers alike. While the switch means better protection for consumers and companies at point-of-sale (POS) terminals, there are new security threats on the horizon as scammers shift their efforts from brick-and-mortar stores to online transactions and more aggressive chip-and-PIN fraud. Here’s a look at the new face of credit crime.

Clear and Not-Present Danger

Looking for evidence of new fraud formats? Start with the U.K., where chip-and-PIN cards, also known as Europay, MasterCard and Visa (EMV) cards, have been the retail standard for more than a decade. According to Wired, cybercriminals have moved away from POS terminals to target online shoppers by leveraging the inherent insecurity of card-not-present transactions.

By compromising user profiles or accounts online, attackers get access to stored credit data and personal information, which they then use to make purchases that don’t require a physical card — anything ordered online or over the phone, for example. So long as they provide the right credit type, number and name on the card, there’s nothing else to stand in their way; no signatures or PINs are required.

The numbers don’t lie: Between 2004 and 2014, the volume of card-not-present (CNP) fraud rose from 30 percent to 69 percent of total credit transactions. CNP losses are on track to reach $7 billion in the U.S. by 2020. With online shopping quickly ramping up, those loss estimates may be conservative.

The trend should come as no surprise. Criminals have shown a willingness to adopt and pursue valuable credit data, no matter how security professionals try to keep it safe. First, attackers grabbed card data stored on local servers, then tried to intercept the data in transit or at POS machines directly. The move to chip-and-PIN hasn’t defeated their efforts — it simply shifted their focus to a new location.

Old Tricks, New Tactics

Attackers are also looking for ways to exploit existing problems and uncovering new options for chip-and-PIN fraud. According to CNBC, for example, some criminals are looking to exploit the magnetic stripe data they already have by selling it online or using it at POS machines that haven’t been upgraded to use chip cards. Others are doubling down on application fraud to open new credit accounts and defraud victims using physical cards that still rely on magnetic stripes and signatures. The result is approximately $14 billion in fraud before the switch to EMV is complete.

Despite the fundamental security improvements offered by chip-and-PIN cards, security experts have already discovered ways to compromise these cards and defraud victims. According to Ars Technica, researchers from ATM hardware provider NCR Corporation recently demonstrated two EMV breaches at this year’s Black Hat conference.

First, they showed it was possible to hijack information from an external PIN pad and create a duplicate EMV card with altered Track 2 data. When presented, this new card convinces the POS system that the chip card is actually only mag stripe and reads it as such, bypassing the need for a PIN.

They also demonstrated how to compromise the security between PIN entry and POS terminals. This involved prompting users to re-enter their PIN or other data, which attackers could then grab and use to compromise future chip transactions.

Researchers from Rapid7, meanwhile, found that POS devices can be used to intercept one-time key and account data used by chip cards and then transmit this data to a compromised ATM. A second transaction is made with the compromised data, which causes the ATM to dispense cash from victim accounts. What’s more, it’s often possible for criminals to hide these ATMs in plain sight by placing “out of order” signs on them and then waiting for a convenient time to grab their ill-gotten gain.

The Future of Chip-and-PIN Fraud

Will the switch to EMV cards mean the end of credit fraud? Unlikely. Along with increased CNP crime, expect cybercriminals to embrace the challenge of chip-and-PIN fraud to compromise user data at the point of sale.

For retailers, the shift away from mag stripes is a reminder that security starts at home. Regardless of card type or credit issuer expectation, solid data protection from the POS to approval authority and back again remains the single best way to protect business interests and dodge the wrath of defrauded consumers.

Read the IBM X-Force research report on security trends in the retail industry

More from Fraud Protection

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today